trickbot | e040cad9eb0815e34d1133d52e15d5a254fabbff250972329303d0cc1da15c35

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
12-01-2021 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kwcqgsatnmwpys.exe
Size

488KB
MD5

d732b127b45d0775fe9040bc4ef83813
SHA1

977df879a204997daf4e6f35a587f09c6b7d9863
SHA256

e040cad9eb0815e34d1133d52e15d5a254fabbff250972329303d0cc1da15c35
SHA512

2e88e05b9d87643b2aad7eb28975ce012210c73763d6b412c948ad98733acd99e2ca3bddfc88930a5b575f736e3d5006ded251a9a8e3b3f213c99a6c09477cc0

Score

10^/10

trickbot mor12 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100010

Botnet

mor12

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 6 IoCs

Processes:

cmd.exe

flow pid process

4 1532 cmd.exe
5 1532 cmd.exe
6 1532 cmd.exe
7 1532 cmd.exe
10 1532 cmd.exe
11 1532 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cmd.exe

description pid process

Token: SeDebugPrivilege 1532 cmd.exe

flow	pid	process
4	1532	cmd.exe
5	1532	cmd.exe
6	1532	cmd.exe
7	1532	cmd.exe
10	1532	cmd.exe
11	1532	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1532	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

kwcqgsatnmwpys.exe

description	pid	process	target process
PID 1668 wrote to memory of 1532	1668	kwcqgsatnmwpys.exe	cmd.exe
PID 1668 wrote to memory of 1532	1668	kwcqgsatnmwpys.exe	cmd.exe
PID 1668 wrote to memory of 1532	1668	kwcqgsatnmwpys.exe	cmd.exe
PID 1668 wrote to memory of 1532	1668	kwcqgsatnmwpys.exe	cmd.exe
PID 1668 wrote to memory of 1532	1668	kwcqgsatnmwpys.exe	cmd.exe
PID 1668 wrote to memory of 1532	1668	kwcqgsatnmwpys.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\kwcqgsatnmwpys.exe
"C:\Users\Admin\AppData\Local\Temp\kwcqgsatnmwpys.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1532

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads