trickbot | 101c5a5784112e7fa5c2f766476dff8663021e2101c8d4569cb5698390cb4636

Analysis

max time kernel
43s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
21-07-2021 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

564KB
MD5

06285860cd0beb177a7fb794bf8c1eb6
SHA1

c5f84431a2270f0840b29c90302ed8ae4ffcd7b3
SHA256

101c5a5784112e7fa5c2f766476dff8663021e2101c8d4569cb5698390cb4636
SHA512

618234e3764f0c79461b5d504522e58959d696417d399bc9f3e311a6ca510e3042b55dd9231b6144757d1dc82809c1784c0b955862730385a27129bc9db9f921

Score

10^/10

trickbot rob110 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100018

Botnet

rob110

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ipecho.net
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1480 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

sample.exe

pid process

3628 sample.exe
3628 sample.exe

flow	ioc
17	ipecho.net

description	pid	process
Token: SeDebugPrivilege	1480	wermgr.exe

pid	process
3628	sample.exe
3628	sample.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 3628 wrote to memory of 3196	3628	sample.exe	cmd.exe
PID 3628 wrote to memory of 3196	3628	sample.exe	cmd.exe
PID 3628 wrote to memory of 1480	3628	sample.exe	wermgr.exe
PID 3628 wrote to memory of 1480	3628	sample.exe	wermgr.exe
PID 3628 wrote to memory of 1480	3628	sample.exe	wermgr.exe
PID 3628 wrote to memory of 1480	3628	sample.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:3196

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-121-0x0000000000000000-mapping.dmp

Download
memory/1480-122-0x000001EFB6D30000-0x000001EFB6D59000-memory.dmp

Filesize
164KB

Download
memory/1480-123-0x000001EFB6E40000-0x000001EFB6E41000-memory.dmp

Filesize
4KB

Download
memory/3628-114-0x0000000002B80000-0x0000000002BC1000-memory.dmp

Filesize
260KB

Download
memory/3628-118-0x0000000002BD0000-0x0000000002C0D000-memory.dmp

Filesize
244KB

Download
memory/3628-117-0x0000000002B40000-0x0000000002B7F000-memory.dmp

Filesize
252KB

Download
memory/3628-119-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/3628-120-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download