trickbot | 75ef968283165b8a4fc163a383e2b28a210544fc10c05c914141f36c747ed23e

Analysis

max time kernel
112s
max time network
145s
platform
windows10_x64
resource
win10v20201028
submitted
05-01-2021 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

868f654ed6c48d909205d122ce8cd06b.exe
Size

668KB
MD5

868f654ed6c48d909205d122ce8cd06b
SHA1

d56cb321d3da67570e46ac8eaa8ee4a002284390
SHA256

75ef968283165b8a4fc163a383e2b28a210544fc10c05c914141f36c747ed23e
SHA512

ecd6315982d791f1fe1ae9956121662256656fdd8d4418199a05f3db6f747e94a390403a7b17afd8908878fa8aa57763de1993f0698a980d9d4b97ffa234ae43

Score

10^/10

trickbot mor9 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100009

Botnet

mor9

149.54.11.54:449

36.89.191.119:449

41.159.31.227:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.44:449

194.5.249.143:443

142.202.191.175:443

195.123.241.31:443

45.89.125.214:443

45.83.151.103:443

91.200.103.41:443

66.70.246.0:443

64.74.160.218:443

198.46.198.115:443

5.34.180.173:443

23.227.196.5:443

195.123.241.115:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ipinfo.io
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 188 wermgr.exe

flow	ioc
16	ipinfo.io

description	pid	process
Token: SeDebugPrivilege	188	wermgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

868f654ed6c48d909205d122ce8cd06b.exe

pid	process
508	868f654ed6c48d909205d122ce8cd06b.exe
508	868f654ed6c48d909205d122ce8cd06b.exe
508	868f654ed6c48d909205d122ce8cd06b.exe
508	868f654ed6c48d909205d122ce8cd06b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

868f654ed6c48d909205d122ce8cd06b.exe

description	pid	process	target process
PID 508 wrote to memory of 188	508	868f654ed6c48d909205d122ce8cd06b.exe	wermgr.exe
PID 508 wrote to memory of 188	508	868f654ed6c48d909205d122ce8cd06b.exe	wermgr.exe
PID 508 wrote to memory of 188	508	868f654ed6c48d909205d122ce8cd06b.exe	wermgr.exe
PID 508 wrote to memory of 188	508	868f654ed6c48d909205d122ce8cd06b.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\868f654ed6c48d909205d122ce8cd06b.exe
"C:\Users\Admin\AppData\Local\Temp\868f654ed6c48d909205d122ce8cd06b.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-4-0x0000000000000000-mapping.dmp

Download
memory/508-2-0x0000000002C30000-0x0000000002C70000-memory.dmp

Filesize
256KB

Download
memory/508-3-0x0000000002C70000-0x0000000002CAC000-memory.dmp

Filesize
240KB

Download