Sample | 1a5f3ca6597fcccd3295ead4d22ce70b.exe
Size | 540KB
Date | 17-06-2021 16:05
MD5 | 1a5f3ca6597fcccd3295ead4d22ce70b
SHA1 | 31a359bfee00337bc9c6d23c2cb88737ac9b61c8
SHA256 | 7501da197ff9bcd49198dce9cf668442b3a04122d1034effb29d74e0a09529d7
Extracted configuration

Family | trickbot
Version | 2000030
Botnet | tot112
C2 |
Attributes | autorun Name:pwgrabb Name:pwgrabc
ecc_pubkey.base64 |
Signatures

Trickbot
Description: Developed in 2016, TrickBot is one of the more recent banking Trojans.
Tags: -

Looks up external IP address via web service
Description: Uses a legitimate IP lookup service to find the infected system's external IP.
Reported IOCs
flow | ioc
15 | api.ipify.org

Suspicious use of AdjustPrivilegeToken
Process: wermgr.exe
Reported IOCs
description | pid | process
Token: SeDebugPrivilege | 568 | wermgr.exe

Suspicious use of WriteProcessMemory
Process: 1a5f3ca6597fcccd3295ead4d22ce70b.exe
Reported IOCs
description | pid | process | target process
PID 1052 wrote to memory of 1712 | 1052 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe (reported 4 times)
PID 1052 wrote to memory of 1708 | 1052 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | cmd.exe (reported 4 times)
PID 1052 wrote to memory of 568 | 1052 | 1a5f3ca6597fcccd3295ead4d22ce70b.exe | wermgr.exe (reported 6 times)
Processes

process | command line | signatures
C:\Users\Admin\AppData\Local\Temp\1a5f3ca6597fcccd3295ead4d22ce70b.exe | "C:\Users\Admin\AppData\Local\Temp\1a5f3ca6597fcccd3295ead4d22ce70b.exe" | Suspicious use of WriteProcessMemory
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe |
C:\Windows\system32\wermgr.exe | C:\Windows\system32\wermgr.exe | Suspicious use of AdjustPrivilegeToken
Memory dumps

memory/568-64-0x0000000000000000-mapping.dmp
memory/568-65-0x0000000000060000-0x0000000000089000-memory.dmp
memory/568-66-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1052-60-0x0000000074D91000-0x0000000074D93000-memory.dmp
memory/1052-61-0x0000000000260000-0x00000000002A9000-memory.dmp
memory/1052-62-0x00000000000F0000-0x0000000000101000-memory.dmp
memory/1052-63-0x0000000010001000-0x0000000010003000-memory.dmp