trickbot | f61b83f5c8c63c2074e9445599ab9dacba8ff58ddb594f434157c6deda73d317

Analysis

max time kernel
97s
max time network
138s
platform
windows7_x64
resource
win7v20201028
submitted
31-12-2020 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

908c022dd787419782e3cf9eb8e05c9c.exe
Size

474KB
MD5

908c022dd787419782e3cf9eb8e05c9c
SHA1

5cc2a59cad4424f805c073b843cb1821905ff9de
SHA256

f61b83f5c8c63c2074e9445599ab9dacba8ff58ddb594f434157c6deda73d317
SHA512

db0283305c6a586f6554009653082a0aab5f410e436216518ea95fa7d31d1eba2c09e14b95a7f03335f80e9dd387516ee15b62309004ff9dd8204669ee31bb95

Score

10^/10

trickbot mor7 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100008

Botnet

mor7

103.231.115.106:449

117.222.63.100:449

117.254.58.83:449

149.54.11.54:449

170.82.4.64:449

177.11.12.93:449

182.16.187.251:449

187.108.86.48:449

190.152.88.57:449

203.88.149.33:449

36.89.191.119:449

41.159.31.227:449

85.202.128.243:449

92.204.160.82:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.48:449

102.164.208.44:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ident.me
7 ident.me
Drops file in Windows directory 1 IoCs

Processes:

908c022dd787419782e3cf9eb8e05c9c.exe

description ioc process

File opened for modification C:\Windows\explorer.exe 908c022dd787419782e3cf9eb8e05c9c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1144 wermgr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

908c022dd787419782e3cf9eb8e05c9c.exe

pid process

868 908c022dd787419782e3cf9eb8e05c9c.exe

flow	ioc
6	ident.me
7	ident.me

description	ioc	process
File opened for modification	C:\Windows\explorer.exe	908c022dd787419782e3cf9eb8e05c9c.exe

description	pid	process
Token: SeDebugPrivilege	1144	wermgr.exe

pid	process
868	908c022dd787419782e3cf9eb8e05c9c.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

908c022dd787419782e3cf9eb8e05c9c.exe

description	pid	process	target process
PID 868 wrote to memory of 1144	868	908c022dd787419782e3cf9eb8e05c9c.exe	wermgr.exe
PID 868 wrote to memory of 1144	868	908c022dd787419782e3cf9eb8e05c9c.exe	wermgr.exe
PID 868 wrote to memory of 1144	868	908c022dd787419782e3cf9eb8e05c9c.exe	wermgr.exe
PID 868 wrote to memory of 1144	868	908c022dd787419782e3cf9eb8e05c9c.exe	wermgr.exe
PID 868 wrote to memory of 1144	868	908c022dd787419782e3cf9eb8e05c9c.exe	wermgr.exe
PID 868 wrote to memory of 1144	868	908c022dd787419782e3cf9eb8e05c9c.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\908c022dd787419782e3cf9eb8e05c9c.exe
"C:\Users\Admin\AppData\Local\Temp\908c022dd787419782e3cf9eb8e05c9c.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/868-2-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/868-3-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/1144-4-0x0000000000000000-mapping.dmp

Download