trickbot | 489e7ef8892da96762561f945ab244100a9cc23eecb341c01f55d1e382f1a316

Analysis

max time kernel
120s
max time network
122s
platform
windows10_x64
resource
win10v20201028
submitted
20-01-2021 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2_unseen_id_2318_f8f47764f5b13c65987da4208c29a25e.dll2.bin.dll
Size

217KB
MD5

f8f47764f5b13c65987da4208c29a25e
SHA1

5a5a1a5ddacd3808435cb2db896fd0c11e0388bd
SHA256

489e7ef8892da96762561f945ab244100a9cc23eecb341c01f55d1e382f1a316
SHA512

0056c963665f57b9cafe443a9b7596e2af50ff28353d55ef9293904675eefb3f328bf1470adabcc38766733cc9177f0e7125278771200f4f0b2e6c656f36638b

Score

10^/10

trickbot mor1 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000022

Botnet

mor1

85.204.116.83:443

91.200.100.143:443

83.151.14.13:443

107.191.61.39:443

113.160.129.15:443

139.162.182.54:443

139.162.44.152:443

144.202.106.23:443

158.247.219.186:443

172.105.107.25:443

172.105.190.51:443

172.105.196.53:443

172.105.25.190:443

178.79.138.253:443

192.46.229.48:443

207.246.92.48:443

216.128.130.16:443

45.79.126.97:443

45.79.155.9:443

45.79.212.97:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3180 1496 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
3180	1496	WerFault.exe	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe
3180	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3180 WerFault.exe
Token: SeBackupPrivilege 3180 WerFault.exe
Token: SeDebugPrivilege 3180 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	3180	WerFault.exe
Token: SeBackupPrivilege	3180	WerFault.exe
Token: SeDebugPrivilege	3180	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 496 wrote to memory of 1496	496	regsvr32.exe	regsvr32.exe
PID 496 wrote to memory of 1496	496	regsvr32.exe	regsvr32.exe
PID 496 wrote to memory of 1496	496	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e2_unseen_id_2318_f8f47764f5b13c65987da4208c29a25e.dll2.bin.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\e2_unseen_id_2318_f8f47764f5b13c65987da4208c29a25e.dll2.bin.dll
2⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 616
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-2-0x0000000000000000-mapping.dmp

Download
memory/1496-3-0x0000000002380000-0x00000000023C2000-memory.dmp

Filesize
264KB

Download
memory/3180-4-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download