trickbot | f145bb39698b92b70b4bd18fa84f24b4dfa7d29a80c497549e006a57b60c8db2

Analysis

max time kernel
116s
max time network
118s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

local.php.bin.exe
Size

888KB
MD5

12e603a04493a42a0de0465e382aff30
SHA1

0abc6682052b9bccbd037035864aabb2e960dd0f
SHA256

f145bb39698b92b70b4bd18fa84f24b4dfa7d29a80c497549e006a57b60c8db2
SHA512

33c56e6721bf5349a05c787b3d7dafd604a04749a33d432474204e8872836322bd2212a4561d966e77592f3d49df4e46589d4c5812d8d009b96b0d435b5723b5

Score

10^/10

trickbot rob35 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100010

Botnet

rob35

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 3 IoCs

Processes:

cmd.exe

flow pid process

4 1304 cmd.exe
7 1304 cmd.exe
10 1304 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cmd.exe

description pid process

Token: SeDebugPrivilege 1304 cmd.exe

flow	pid	process
4	1304	cmd.exe
7	1304	cmd.exe
10	1304	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1304	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

local.php.bin.exe

description	pid	process	target process
PID 1756 wrote to memory of 1304	1756	local.php.bin.exe	cmd.exe
PID 1756 wrote to memory of 1304	1756	local.php.bin.exe	cmd.exe
PID 1756 wrote to memory of 1304	1756	local.php.bin.exe	cmd.exe
PID 1756 wrote to memory of 1304	1756	local.php.bin.exe	cmd.exe
PID 1756 wrote to memory of 1304	1756	local.php.bin.exe	cmd.exe
PID 1756 wrote to memory of 1304	1756	local.php.bin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\local.php.bin.exe
"C:\Users\Admin\AppData\Local\Temp\local.php.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of AdjustPrivilegeToken
  PID:1304

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads