Overview

overview

10

Static

static

1a5f3ca659...0b.exe

windows7_x64

10

1a5f3ca659...0b.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    17-06-2021 16:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a5f3ca6597fcccd3295ead4d22ce70b.exe

  • Size

    540KB

  • MD5

    1a5f3ca6597fcccd3295ead4d22ce70b

  • SHA1

    31a359bfee00337bc9c6d23c2cb88737ac9b61c8

  • SHA256

    7501da197ff9bcd49198dce9cf668442b3a04122d1034effb29d74e0a09529d7

  • SHA512

    91e4f72900f10e39901cb4c3ca5f1d39d4f61501dc9b709ce03c55010606e341be5359252cc1d9a253a3f746af40321ca3a23a91d63dc69cd9b730110773b315

Score
10/10
trickbottot112bankertrojan

Malware Config

Extracted

Family

trickbot

Version

2000030

Botnet

tot112

C2

196.43.106.38:443

186.97.172.178:443

37.228.70.134:443

144.48.139.206:443

190.110.179.139:443

172.105.15.152:443

177.67.137.111:443

27.72.107.215:443

186.66.15.10:443

189.206.78.155:443

202.131.227.229:443

185.9.187.10:443

196.41.57.46:443

212.200.25.118:443

197.254.14.238:443

45.229.71.211:443

181.167.217.53:443

181.129.116.58:443

185.189.55.207:443

172.104.241.29:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a5f3ca6597fcccd3295ead4d22ce70b.exe
    "C:\Users\Admin\AppData\Local\Temp\1a5f3ca6597fcccd3295ead4d22ce70b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
        PID:1712
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe
        2⤵
          PID:1708
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:568

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/568-64-0x0000000000000000-mapping.dmp

        Download

      • memory/568-65-0x0000000000060000-0x0000000000089000-memory.dmp

        Filesize

        164KB

        Download

      • memory/568-66-0x00000000000A0000-0x00000000000A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1052-60-0x0000000074D91000-0x0000000074D93000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1052-61-0x0000000000260000-0x00000000002A9000-memory.dmp

        Filesize

        292KB

        Download

      • memory/1052-62-0x00000000000F0000-0x0000000000101000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1052-63-0x0000000010001000-0x0000000010003000-memory.dmp

        Filesize

        8KB

        Download