trickbot | 7f0f65f78d6fe0a0e7eb8771be51e8b3cf86a5bef749eafe8d56d99b13cdc51a

General

Target

b604247ade575ac39bc1597c9bdc3164.exe
Size

898KB
MD5

b604247ade575ac39bc1597c9bdc3164
SHA1

bb678d0aabb6200092bfb60234c15d46b7b9ab55
SHA256

7f0f65f78d6fe0a0e7eb8771be51e8b3cf86a5bef749eafe8d56d99b13cdc51a
SHA512

e2ead1d0d6c7a86b9cb41a524bfb656264336adf4244fdbe6b54e340958b4aec48afae26f6b429beaa6ba0855f8d246f4f869b9a113cd5a2f536e18ed58904fe

Score

10^/10

trickbot rob35 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100010

Botnet

rob35

C2

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3868 created 3168 3868 WerFault.exe cmd.exe
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

19 3168 cmd.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3868 3168 WerFault.exe cmd.exe

description	pid	process	target process
PID 3868 created 3168	3868	WerFault.exe	cmd.exe

flow	pid	process
19	3168	cmd.exe

pid	pid_target	process	target process
3868	3168	WerFault.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe
3868	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 3168 cmd.exe
Token: SeDebugPrivilege 3868 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	3168	cmd.exe
Token: SeDebugPrivilege	3868	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b604247ade575ac39bc1597c9bdc3164.exe

description	pid	process	target process
PID 4700 wrote to memory of 3168	4700	b604247ade575ac39bc1597c9bdc3164.exe	cmd.exe
PID 4700 wrote to memory of 3168	4700	b604247ade575ac39bc1597c9bdc3164.exe	cmd.exe
PID 4700 wrote to memory of 3168	4700	b604247ade575ac39bc1597c9bdc3164.exe	cmd.exe
PID 4700 wrote to memory of 3168	4700	b604247ade575ac39bc1597c9bdc3164.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b604247ade575ac39bc1597c9bdc3164.exe
"C:\Users\Admin\AppData\Local\Temp\b604247ade575ac39bc1597c9bdc3164.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3168 -s 932
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3168-2-0x0000000000000000-mapping.dmp

Download
memory/3868-3-0x0000028C678F0000-0x0000028C678F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing