trickbot | ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590

Analysis

max time kernel
56s
max time network
55s
platform
windows7_x64
resource
win7v20201028
submitted
24-03-2021 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe
Size

798KB
MD5

5dbcbbe197be8385ba34485bf3be0326
SHA1

d6eb690bb899b5cd5b0933fac5e24bf6686850a3
SHA256

ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590
SHA512

9bfb4917cce802379ad73c08623dbee743b072f0d0996d11f7cb02ea66c7d4645230268b244b8e21f8eb7702f98bfa16472d1e3ae8534ef6abeb5ccc0ddaa565

Score

10^/10

trickbot rob35 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100010

Botnet

rob35

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

3 284 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cmd.exe

description pid process

Token: SeDebugPrivilege 284 cmd.exe

flow	pid	process
3	284	cmd.exe

description	pid	process
Token: SeDebugPrivilege	284	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe

description	pid	process	target process
PID 1888 wrote to memory of 284	1888	ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe	cmd.exe
PID 1888 wrote to memory of 284	1888	ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe	cmd.exe
PID 1888 wrote to memory of 284	1888	ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe	cmd.exe
PID 1888 wrote to memory of 284	1888	ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe	cmd.exe
PID 1888 wrote to memory of 284	1888	ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe	cmd.exe
PID 1888 wrote to memory of 284	1888	ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe
"C:\Users\Admin\AppData\Local\Temp\ab4ecc19b5adb42768f4cecab5c3afdd8de5b50ed81dd7e3af020e61475f1590.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/284-7-0x0000000000000000-mapping.dmp

Download
memory/284-8-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/284-9-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1888-2-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/1888-3-0x0000000000240000-0x0000000000245000-memory.dmp

Filesize
20KB

Download
memory/1888-4-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1888-5-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1888-6-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download