trickbot | 5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
30-12-2020 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc4916b182234073286e830c2dc2f210.exe
Size

612KB
MD5

bc4916b182234073286e830c2dc2f210
SHA1

b6d54467ad522b46d5d6a58ed4fd31d2c7e68d29
SHA256

5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de
SHA512

b3f69478d5b30758e74fddebcc96d5354404cddbff0634fcbdc6e5bef826d23d23f8ab6b09ed55264399e35fc331077e71e2475ee9322e83735403e06e3b2c68

Score

10^/10

trickbot mor7 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100008

Botnet

mor7

103.231.115.106:449

117.222.63.100:449

117.254.58.83:449

149.54.11.54:449

170.82.4.64:449

177.11.12.93:449

182.16.187.251:449

187.108.86.48:449

190.152.88.57:449

203.88.149.33:449

36.89.191.119:449

41.159.31.227:449

85.202.128.243:449

92.204.160.82:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.48:449

102.164.208.44:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1616 wermgr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bc4916b182234073286e830c2dc2f210.exe

pid process

1824 bc4916b182234073286e830c2dc2f210.exe

description	pid	process
Token: SeDebugPrivilege	1616	wermgr.exe

pid	process
1824	bc4916b182234073286e830c2dc2f210.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

bc4916b182234073286e830c2dc2f210.exe

description	pid	process	target process
PID 1824 wrote to memory of 1616	1824	bc4916b182234073286e830c2dc2f210.exe	wermgr.exe
PID 1824 wrote to memory of 1616	1824	bc4916b182234073286e830c2dc2f210.exe	wermgr.exe
PID 1824 wrote to memory of 1616	1824	bc4916b182234073286e830c2dc2f210.exe	wermgr.exe
PID 1824 wrote to memory of 1616	1824	bc4916b182234073286e830c2dc2f210.exe	wermgr.exe
PID 1824 wrote to memory of 1616	1824	bc4916b182234073286e830c2dc2f210.exe	wermgr.exe
PID 1824 wrote to memory of 1616	1824	bc4916b182234073286e830c2dc2f210.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\bc4916b182234073286e830c2dc2f210.exe
"C:\Users\Admin\AppData\Local\Temp\bc4916b182234073286e830c2dc2f210.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-5-0x0000000000000000-mapping.dmp

Download
memory/1824-4-0x0000000001E50000-0x0000000001E8C000-memory.dmp

Filesize
240KB

Download
memory/1824-6-0x0000000000240000-0x0000000000244000-memory.dmp

Filesize
16KB

Download
memory/1824-7-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download