trickbot | 7aca6df0697411042832dbb88e1b2f650f646a35509830e9bf9dccb02e7529cb

Analysis

max time kernel
147s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1_unseen_id_2952_1e1fc25b7f286ee9bf1abf6a0b69b64f.exe.bin.exe
Size

479KB
MD5

1e1fc25b7f286ee9bf1abf6a0b69b64f
SHA1

d1c47ef1377042baa604f5746102ade7fa4f87ce
SHA256

7aca6df0697411042832dbb88e1b2f650f646a35509830e9bf9dccb02e7529cb
SHA512

9e3f0832b56dd5d83d3f8279631447efb9f95a3859bdfa091e07f2a224dc18bbb2f8fe6de58f7dd29f27ab7561b8f00272acb8e00a59f413899c6ab92dcf0788

Score

10^/10

trickbot mor13 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100010

Botnet

mor13

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 196 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	196	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e1_unseen_id_2952_1e1fc25b7f286ee9bf1abf6a0b69b64f.exe.bin.exe

description	pid	process	target process
PID 1156 wrote to memory of 216	1156	e1_unseen_id_2952_1e1fc25b7f286ee9bf1abf6a0b69b64f.exe.bin.exe	wermgr.exe
PID 1156 wrote to memory of 216	1156	e1_unseen_id_2952_1e1fc25b7f286ee9bf1abf6a0b69b64f.exe.bin.exe	wermgr.exe
PID 1156 wrote to memory of 196	1156	e1_unseen_id_2952_1e1fc25b7f286ee9bf1abf6a0b69b64f.exe.bin.exe	wermgr.exe
PID 1156 wrote to memory of 196	1156	e1_unseen_id_2952_1e1fc25b7f286ee9bf1abf6a0b69b64f.exe.bin.exe	wermgr.exe
PID 1156 wrote to memory of 196	1156	e1_unseen_id_2952_1e1fc25b7f286ee9bf1abf6a0b69b64f.exe.bin.exe	wermgr.exe
PID 1156 wrote to memory of 196	1156	e1_unseen_id_2952_1e1fc25b7f286ee9bf1abf6a0b69b64f.exe.bin.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\e1_unseen_id_2952_1e1fc25b7f286ee9bf1abf6a0b69b64f.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\e1_unseen_id_2952_1e1fc25b7f286ee9bf1abf6a0b69b64f.exe.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
PID:216

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:196

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads