trickbot | 101c5a5784112e7fa5c2f766476dff8663021e2101c8d4569cb5698390cb4636

Analysis

max time kernel
140s
max time network
187s
platform
windows7_x64
resource
win7v20210410
submitted
21-07-2021 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

564KB
MD5

06285860cd0beb177a7fb794bf8c1eb6
SHA1

c5f84431a2270f0840b29c90302ed8ae4ffcd7b3
SHA256

101c5a5784112e7fa5c2f766476dff8663021e2101c8d4569cb5698390cb4636
SHA512

618234e3764f0c79461b5d504522e58959d696417d399bc9f3e311a6ca510e3042b55dd9231b6144757d1dc82809c1784c0b955862730385a27129bc9db9f921

Score

10^/10

trickbot rob110 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100018

Botnet

rob110

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1656 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

sample.exe

pid process

1668 sample.exe
1668 sample.exe

description	pid	process
Token: SeDebugPrivilege	1656	wermgr.exe

pid	process
1668	sample.exe
1668	sample.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 1668 wrote to memory of 1524	1668	sample.exe	cmd.exe
PID 1668 wrote to memory of 1524	1668	sample.exe	cmd.exe
PID 1668 wrote to memory of 1524	1668	sample.exe	cmd.exe
PID 1668 wrote to memory of 1524	1668	sample.exe	cmd.exe
PID 1668 wrote to memory of 1656	1668	sample.exe	wermgr.exe
PID 1668 wrote to memory of 1656	1668	sample.exe	wermgr.exe
PID 1668 wrote to memory of 1656	1668	sample.exe	wermgr.exe
PID 1668 wrote to memory of 1656	1668	sample.exe	wermgr.exe
PID 1668 wrote to memory of 1656	1668	sample.exe	wermgr.exe
PID 1668 wrote to memory of 1656	1668	sample.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:1524

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-67-0x0000000000000000-mapping.dmp

Download
memory/1656-68-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download
memory/1656-69-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1668-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1668-60-0x00000000005F0000-0x0000000000631000-memory.dmp

Filesize
260KB

Download
memory/1668-63-0x00000000005B0000-0x00000000005EF000-memory.dmp

Filesize
252KB

Download
memory/1668-64-0x0000000001E90000-0x0000000001ECD000-memory.dmp

Filesize
244KB

Download
memory/1668-65-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/1668-66-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download