Overview

overview

10

Static

static

4c765049f2...b2.exe

windows7_x64

10

4c765049f2...b2.exe

windows10_x64

10

Resubmissions

25-02-2021 19:33

210225-ckt8nv3sn2 10

25-02-2021 19:29

210225-3e1s9c98dn 10

11-02-2021 15:28

210211-8grt4rpew2 10

11-02-2021 08:01

210211-4q732bhs9s 10

Analysis

  • max time kernel
    44s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    11-02-2021 08:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c765049f292cb94f47f91dbe243d4b2.exe

  • Size

    912KB

  • MD5

    4c765049f292cb94f47f91dbe243d4b2

  • SHA1

    610911bf779ba590ad382be6f8ed799171d12f50

  • SHA256

    91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

  • SHA512

    d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

Score
10/10
trickbottot39bankertrojan

Malware Config

Extracted

Family

trickbot

Version

2000025

Botnet

tot39

C2

134.119.186.200:443

45.14.226.115:443

85.204.116.134:443

45.89.127.240:443

195.123.241.195:443

188.34.142.248:443

185.234.72.84:443

108.170.20.72:443

94.158.245.54:443

134.119.186.201:443

45.83.129.224:443

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe
    "C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
      "C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
          PID:748
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1404

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
      MD5

      4c765049f292cb94f47f91dbe243d4b2

      SHA1

      610911bf779ba590ad382be6f8ed799171d12f50

      SHA256

      91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

      SHA512

      d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

      Download Submit
    • C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
      MD5

      4c765049f292cb94f47f91dbe243d4b2

      SHA1

      610911bf779ba590ad382be6f8ed799171d12f50

      SHA256

      91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

      SHA512

      d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1985363256-3005190890-1182679451-1000\0f5007522459c86e95ffcc62f32308f1_72727c5d-8d0e-47bb-8579-8067735277ff
      MD5

      15907d9d2a3108ca7c5a863de29462e2

      SHA1

      b3a5e8a7291089ef600dcd9ef6ece33118021b8b

      SHA256

      1112f9a201596d4c8045da5e10001d27bb1cd50366b97f23edef2d7d2145af40

      SHA512

      4c3915472d19526bfdfa0b56fc34d8c15f9d246c23cb4ccd664f7c9e93ea54aee4f9e31511c203e1e574f266d38e2b8d2c0ffbd5d6f0cc7a246ded54984d90f7

      Download Submit
    • memory/1400-2-0x0000000003DB0000-0x0000000003DE8000-memory.dmp
      Filesize

      224KB

      Download
    • memory/1400-3-0x0000000003D70000-0x0000000003DA6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1404-12-0x0000000000000000-mapping.dmp
      Download
    • memory/1404-14-0x0000023671D30000-0x0000023671D31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1404-13-0x0000023671C20000-0x0000023671C47000-memory.dmp
      Filesize

      156KB

      Download
    • memory/3140-4-0x0000000000000000-mapping.dmp
      Download
    • memory/3140-8-0x0000000003FC0000-0x0000000003FF8000-memory.dmp
      Filesize

      224KB

      Download
    • memory/3140-11-0x0000000010001000-0x0000000010003000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3140-10-0x0000000004160000-0x0000000004161000-memory.dmp
      Filesize

      4KB

      Download