trickbot | 088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22

Resubmissions

08-04-2021 06:38

210408-gx3w79j19a 10

08-04-2021 06:33

210408-dyfh7tgh82 10

Analysis

max time kernel
138s
max time network
139s
platform
windows7_x64
resource
win7v20201028
submitted
08-04-2021 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe
Size

532KB
MD5

2939f396d5b175b2e1f28b05c09e812b
SHA1

d040e2a1d29f0b37a5e888d2402432d78440cb54
SHA256

088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22
SHA512

ac18886ead5c6e9476e36c0af5bf0a7a9837d8cb9f8fa12fa40c77492c2bdce6cfa33d074d45ca46658a9895fb4dce19824af578431915a696449cd5f3b0eb94

Score

10^/10

trickbot yas58 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100015

Botnet

yas58

67.48.36.18:449

46.254.128.174:449

41.216.166.142:449

181.143.251.154:449

77.232.163.203:449

87.97.178.92:449

185.94.172.15:449

185.230.5.43:443

91.243.125.5:443

185.242.168.118:443

201.23.76.18:443

180.178.109.222:443

202.131.227.229:443

163.53.83.117:443

45.235.5.162:443

185.189.55.207:449

103.36.48.159:449

168.253.208.234:449

41.60.233.170:449

170.79.181.188:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1356 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1356	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe

description	pid	process	target process
PID 776 wrote to memory of 608	776	088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe	cmd.exe
PID 776 wrote to memory of 608	776	088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe	cmd.exe
PID 776 wrote to memory of 608	776	088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe	cmd.exe
PID 776 wrote to memory of 608	776	088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe	cmd.exe
PID 776 wrote to memory of 1356	776	088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe	wermgr.exe
PID 776 wrote to memory of 1356	776	088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe	wermgr.exe
PID 776 wrote to memory of 1356	776	088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe	wermgr.exe
PID 776 wrote to memory of 1356	776	088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe	wermgr.exe
PID 776 wrote to memory of 1356	776	088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe	wermgr.exe
PID 776 wrote to memory of 1356	776	088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe
"C:\Users\Admin\AppData\Local\Temp\088d508c5f4509185682108b422dcce6d1ca6ce82258f1340ab4e330da067b22.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:608

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/776-2-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/776-3-0x0000000000230000-0x000000000026C000-memory.dmp

Filesize
240KB

Download
memory/776-4-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/776-5-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/1356-6-0x0000000000000000-mapping.dmp

Download
memory/1356-7-0x00000000000E0000-0x0000000000109000-memory.dmp

Filesize
164KB

Download
memory/1356-8-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download