trickbot | e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1

General

Target

e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe
Size

835KB
MD5

b77dbb9639819e23e228d0ecb25f6a60
SHA1

34e380337abcc97b1b848f1d2de5aea599af5c7e
SHA256

e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1
SHA512

a49a8bf8fda1c1812c14f720c42495300090750a720b1057cb0fe6ae6b83744663f128b1f570b57d62044d4a226fb0808cb5e64ec5e145e114f4249829fb5194

Score

10^/10

trickbot rob38 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100010

Botnet

rob38

C2

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Drops file in System32 directory 1 IoCs

Processes:

wermgr.exe

description ioc process

File created C:\Windows\system32\cn\kofmap.txt wermgr.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

928 svchost.exe
928 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wermgr.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1308 wermgr.exe
Token: SeDebugPrivilege 928 svchost.exe

description	ioc	process
File created	C:\Windows\system32\cn\kofmap.txt	wermgr.exe

pid	process
928	svchost.exe
928	svchost.exe

description	pid	process
Token: SeDebugPrivilege	1308	wermgr.exe
Token: SeDebugPrivilege	928	svchost.exe

Suspicious use of WriteProcessMemory 510 IoCs

Processes:

e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exewermgr.exe

description	pid	process	target process
PID 1724 wrote to memory of 1064	1724	e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe	wermgr.exe
PID 1724 wrote to memory of 1064	1724	e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe	wermgr.exe
PID 1724 wrote to memory of 1064	1724	e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe	wermgr.exe
PID 1724 wrote to memory of 1064	1724	e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe	wermgr.exe
PID 1724 wrote to memory of 1308	1724	e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe	wermgr.exe
PID 1724 wrote to memory of 1308	1724	e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe	wermgr.exe
PID 1724 wrote to memory of 1308	1724	e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe	wermgr.exe
PID 1724 wrote to memory of 1308	1724	e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe	wermgr.exe
PID 1724 wrote to memory of 1308	1724	e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe	wermgr.exe
PID 1724 wrote to memory of 1308	1724	e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe	wermgr.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe
PID 1308 wrote to memory of 928	1308	wermgr.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe
"C:\Users\Admin\AppData\Local\Temp\e8749f7d1df1cc445776cf359857b664b5cde213bce655a65dd3109427e4fcc1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
PID:1064

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/928-10-0x0000000000000000-mapping.dmp

Download
memory/928-12-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1308-7-0x0000000000000000-mapping.dmp

Download
memory/1308-8-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/1308-9-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1724-3-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/1724-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-5-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1724-6-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing