trickbot | 21382e955d23c9c2ff9aa617070f33f898745d568b82338c9a4c1a1652ae5a12

General

Target

redbutton.png.exe
Size

684KB
MD5

21eb9b5b1d887bb389530811600fa9a3
SHA1

da5f52ca735f10b98b1d6aca7dd86a1cde04fbbd
SHA256

21382e955d23c9c2ff9aa617070f33f898745d568b82338c9a4c1a1652ae5a12
SHA512

9e142a3a095b7e79a9ae5b05c32eb4ce96430d45b4a010239f3e0afb0e02cd79e7ccef4e3ae0a91e7ecd3a19653e7ecf7e843c754780114bc0deaae9510b5778

Score

10^/10

trickbot tot95 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000029

Botnet

tot95

C2

103.66.72.217:443

117.252.68.211:443

103.124.173.35:443

115.73.211.230:443

117.54.250.246:443

131.0.112.122:443

102.176.221.78:443

181.176.161.143:443

154.79.251.172:443

103.111.199.76:443

103.54.41.193:443

154.79.244.182:443

154.79.245.158:443

139.255.116.42:443

178.254.161.250:443

178.134.47.166:443

158.181.179.229:443

103.90.197.33:443

109.207.165.40:443

178.72.192.20:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1728 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

redbutton.png.exe

pid process

1104 redbutton.png.exe
1104 redbutton.png.exe

description	pid	process
Token: SeDebugPrivilege	1728	wermgr.exe

pid	process
1104	redbutton.png.exe
1104	redbutton.png.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

redbutton.png.exe

description	pid	process	target process
PID 1104 wrote to memory of 1200	1104	redbutton.png.exe	cmd.exe
PID 1104 wrote to memory of 1200	1104	redbutton.png.exe	cmd.exe
PID 1104 wrote to memory of 1200	1104	redbutton.png.exe	cmd.exe
PID 1104 wrote to memory of 1200	1104	redbutton.png.exe	cmd.exe
PID 1104 wrote to memory of 844	1104	redbutton.png.exe	cmd.exe
PID 1104 wrote to memory of 844	1104	redbutton.png.exe	cmd.exe
PID 1104 wrote to memory of 844	1104	redbutton.png.exe	cmd.exe
PID 1104 wrote to memory of 844	1104	redbutton.png.exe	cmd.exe
PID 1104 wrote to memory of 1728	1104	redbutton.png.exe	wermgr.exe
PID 1104 wrote to memory of 1728	1104	redbutton.png.exe	wermgr.exe
PID 1104 wrote to memory of 1728	1104	redbutton.png.exe	wermgr.exe
PID 1104 wrote to memory of 1728	1104	redbutton.png.exe	wermgr.exe
PID 1104 wrote to memory of 1728	1104	redbutton.png.exe	wermgr.exe
PID 1104 wrote to memory of 1728	1104	redbutton.png.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\redbutton.png.exe
"C:\Users\Admin\AppData\Local\Temp\redbutton.png.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:844

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-60-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1104-61-0x00000000003B0000-0x00000000003EF000-memory.dmp

Filesize
252KB

Download
memory/1104-64-0x0000000000370000-0x00000000003AC000-memory.dmp

Filesize
240KB

Download
memory/1104-65-0x00000000004B1000-0x00000000004EA000-memory.dmp

Filesize
228KB

Download
memory/1104-67-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/1104-66-0x00000000004F0000-0x0000000000501000-memory.dmp

Filesize
68KB

Download
memory/1728-68-0x0000000000000000-mapping.dmp

Download
memory/1728-69-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download
memory/1728-70-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing