Overview

overview

10

Static

static

10 mins

windows7_x64

10

10 mins Win10

windows10_x64

10

Resubmissions

25-02-2021 19:33

210225-ckt8nv3sn2 10

25-02-2021 19:29

210225-3e1s9c98dn 10

11-02-2021 15:28

210211-8grt4rpew2 10

11-02-2021 08:01

210211-4q732bhs9s 10

Analysis

  • max time kernel
    600s
  • max time network
    601s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    25-02-2021 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c765049f292cb94f47f91dbe243d4b2.exe

  • Size

    912KB

  • MD5

    4c765049f292cb94f47f91dbe243d4b2

  • SHA1

    610911bf779ba590ad382be6f8ed799171d12f50

  • SHA256

    91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

  • SHA512

    d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

Score
10/10
trickbottot39bankerspywaretrojan

Malware Config

Extracted

Family

trickbot

Version

2000025

Botnet

tot39

C2

134.119.186.200:443

45.14.226.115:443

85.204.116.134:443

45.89.127.240:443

195.123.241.195:443

188.34.142.248:443

185.234.72.84:443

108.170.20.72:443

94.158.245.54:443

134.119.186.201:443

45.83.129.224:443

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe
    "C:\Users\Admin\AppData\Local\Temp\4c765049f292cb94f47f91dbe243d4b2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
      "C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
          PID:1020
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          3⤵
          • Drops file in Program Files directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:752

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
      MD5

      4c765049f292cb94f47f91dbe243d4b2

      SHA1

      610911bf779ba590ad382be6f8ed799171d12f50

      SHA256

      91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

      SHA512

      d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb
      MD5

      9aa5b4c8041e3ef26e163b1ad62f4389

      SHA1

      5b9819a852bf59edf6f19263e0ee91595da67dae

      SHA256

      73a5a3b5596dec85d2ceffec10b4ef603592fb1b390f1675923c285de072237e

      SHA512

      63c349b53a0575c345529899227b7913018b8d35b57912a33ab67eaccda46817a6bd51d8bd9b9652d974ca7397923d413c44ced0220f0aa93620d8c9f006895c

      Download Submit
    • \Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
      MD5

      4c765049f292cb94f47f91dbe243d4b2

      SHA1

      610911bf779ba590ad382be6f8ed799171d12f50

      SHA256

      91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

      SHA512

      d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

      Download Submit
    • \Program Files (x86)\DinoComp\4c765049f292cb94f47f91dbe243d4b2.exe
      MD5

      4c765049f292cb94f47f91dbe243d4b2

      SHA1

      610911bf779ba590ad382be6f8ed799171d12f50

      SHA256

      91283de902fbd3f620ea4ed912b21410dba2880e1a81991db44a382bd58784be

      SHA512

      d603408f96dab97a5b50ed47e8d283cdc42b1ef1aa315b5ff479085fc5d0556302da8b018f69cf64dbdd4734ebcb21cb2190e3ed4c132ffae65c555623c42584

      Download Submit
    • memory/752-20-0x0000000000060000-0x0000000000061000-memory.dmp
      Filesize

      4KB

      Download
    • memory/752-18-0x0000000000000000-mapping.dmp
      Download
    • memory/1016-7-0x0000000000000000-mapping.dmp
      Download
    • memory/1016-11-0x0000000001FF0000-0x0000000002028000-memory.dmp
      Filesize

      224KB

      Download
    • memory/1016-14-0x0000000010001000-0x0000000010003000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1016-13-0x00000000003F0000-0x00000000003F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-2-0x00000000761E1000-0x00000000761E3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1636-4-0x0000000000800000-0x0000000000836000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1636-3-0x00000000020E0000-0x0000000002118000-memory.dmp
      Filesize

      224KB

      Download
    • memory/1788-15-0x0000000000000000-mapping.dmp
      Download
    • memory/1788-17-0x0000000000190000-0x0000000000191000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1788-16-0x00000000000E0000-0x0000000000107000-memory.dmp
      Filesize

      156KB

      Download