trickbot | 4f62613ea4bd6d30bc3a4ba8dd3e3b386419d1895253f880a7861fe43d90ebe7

Analysis

max time kernel
38s
max time network
134s
platform
windows10_x64
resource
win10v20210408
submitted
16-07-2021 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

triage_dropped_file.dll
Size

594KB
MD5

346446b4a209814f7542e706a561ad89
SHA1

3e77832af77b84ded9c08212fc2bd9d7022f6c9c
SHA256

4f62613ea4bd6d30bc3a4ba8dd3e3b386419d1895253f880a7861fe43d90ebe7
SHA512

b2823b7d0a226e71339c51715dd57a42690310e58e7e1f1f8f66d0b443e776739c7bf65dfdfa686d6322eec57b33c7cd1eaaf3c960712432d5162a8427253eef

Score

10^/10

trickbot zev1 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev1

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip.anysrc.net
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1784 wermgr.exe

flow	ioc
18	ip.anysrc.net

description	pid	process
Token: SeDebugPrivilege	1784	wermgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 568 wrote to memory of 2264	568	regsvr32.exe	regsvr32.exe
PID 568 wrote to memory of 2264	568	regsvr32.exe	regsvr32.exe
PID 568 wrote to memory of 2264	568	regsvr32.exe	regsvr32.exe
PID 2264 wrote to memory of 1784	2264	regsvr32.exe	wermgr.exe
PID 2264 wrote to memory of 1784	2264	regsvr32.exe	wermgr.exe
PID 2264 wrote to memory of 1784	2264	regsvr32.exe	wermgr.exe
PID 2264 wrote to memory of 1784	2264	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1784-122-0x0000000000000000-mapping.dmp

Download
memory/1784-123-0x000001CD3E570000-0x000001CD3E598000-memory.dmp

Filesize
160KB

Download
memory/1784-124-0x000001CD3E680000-0x000001CD3E681000-memory.dmp

Filesize
4KB

Download
memory/2264-114-0x0000000000000000-mapping.dmp

Download
memory/2264-115-0x0000000004E00000-0x0000000004E37000-memory.dmp

Filesize
220KB

Download
memory/2264-119-0x0000000004E40000-0x0000000004E83000-memory.dmp

Filesize
268KB

Download
memory/2264-118-0x0000000004BE0000-0x0000000004DEE000-memory.dmp

Filesize
2.1MB

Download
memory/2264-120-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2264-121-0x0000000004EA1000-0x0000000004EA3000-memory.dmp

Filesize
8KB

Download