trickbot | 401ea10bc72be6dbf1463f5fe77e28c1f23bf55477752a19a574e210ec425e6e

Analysis

max time kernel
135s
max time network
138s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
Size

424KB
MD5

40163c8a35e475ecf5d6cb0a81f6662c
SHA1

5f5ee80e01da7e5f649da6b9389778bd9c588a69
SHA256

60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce
SHA512

ab1c6f5f595e9e320094dd9c091a2f7f6d7750c45b86a8db73b97b76c60d0fc496149a73cde75d71360ad6a621697f4938d74d1f58fae106f7640128d3e673bb

Score

10^/10

trickbot lib5 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100009

Botnet

lib5

149.54.11.54:449

36.89.191.119:449

41.159.31.227:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.44:449

194.5.249.143:443

142.202.191.175:443

195.123.241.31:443

45.89.125.214:443

45.83.151.103:443

91.200.103.41:443

66.70.246.0:443

64.74.160.218:443

198.46.198.115:443

5.34.180.173:443

23.227.196.5:443

195.123.241.115:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe

pid process

1688 60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
Loads dropped DLL 1 IoCs

Processes:

60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe

pid process

1068 60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1020 wermgr.exe

pid	process
1688	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe

pid	process
1068	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe

description	pid	process
Token: SeDebugPrivilege	1020	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe

description	pid	process	target process
PID 1068 wrote to memory of 1688	1068	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
PID 1068 wrote to memory of 1688	1068	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
PID 1068 wrote to memory of 1688	1068	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
PID 1068 wrote to memory of 1688	1068	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
PID 1688 wrote to memory of 1020	1688	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe	wermgr.exe
PID 1688 wrote to memory of 1020	1688	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe	wermgr.exe
PID 1688 wrote to memory of 1020	1688	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe	wermgr.exe
PID 1688 wrote to memory of 1020	1688	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe	wermgr.exe
PID 1688 wrote to memory of 1020	1688	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe	wermgr.exe
PID 1688 wrote to memory of 1020	1688	60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
"C:\Users\Admin\AppData\Local\Temp\60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Roaming\DesktopColor\60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
C:\Users\Admin\AppData\Roaming\DesktopColor\60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DesktopColor\60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
MD5
40163c8a35e475ecf5d6cb0a81f6662c

SHA1
5f5ee80e01da7e5f649da6b9389778bd9c588a69

SHA256
60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce

SHA512
ab1c6f5f595e9e320094dd9c091a2f7f6d7750c45b86a8db73b97b76c60d0fc496149a73cde75d71360ad6a621697f4938d74d1f58fae106f7640128d3e673bb

Download Submit
\Users\Admin\AppData\Roaming\DesktopColor\60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce.exe
MD5
40163c8a35e475ecf5d6cb0a81f6662c

SHA1
5f5ee80e01da7e5f649da6b9389778bd9c588a69

SHA256
60dd8ddc33f6f3aadbf3f4d3cfe1dbc3058240086e5a547ede5671aa7dd172ce

SHA512
ab1c6f5f595e9e320094dd9c091a2f7f6d7750c45b86a8db73b97b76c60d0fc496149a73cde75d71360ad6a621697f4938d74d1f58fae106f7640128d3e673bb

Download Submit
memory/1020-5-0x0000000000000000-mapping.dmp

Download
memory/1688-3-0x0000000000000000-mapping.dmp

Download