trickbot | cdc1749131ae1052d43c047b8f3bb5a7785fc4ddd231de0d5e3ee8627c6d342f

Analysis

max time kernel
137s
max time network
158s
platform
windows10_x64
resource
win10v20210408
submitted
24-09-2021 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d5df1fa0e78c988a0e9aac669ddc78e.exe
Size

360KB
MD5

6d5df1fa0e78c988a0e9aac669ddc78e
SHA1

8e451f3f1244f403e2868f55a8ceee67a95713eb
SHA256

cdc1749131ae1052d43c047b8f3bb5a7785fc4ddd231de0d5e3ee8627c6d342f
SHA512

5f95559fa48beb05eac713434c0727ac38685044636008b3b1831471797c2700203bd90257c93c667c0722bb54734b54d3741ed8c8f8ea31f0f0d15f8b962469

Score

10^/10

trickbot tot152 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

tot152

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 668 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6d5df1fa0e78c988a0e9aac669ddc78e.exe

pid process

3260 6d5df1fa0e78c988a0e9aac669ddc78e.exe
3260 6d5df1fa0e78c988a0e9aac669ddc78e.exe

description	pid	process
Token: SeDebugPrivilege	668	wermgr.exe

pid	process
3260	6d5df1fa0e78c988a0e9aac669ddc78e.exe
3260	6d5df1fa0e78c988a0e9aac669ddc78e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6d5df1fa0e78c988a0e9aac669ddc78e.exe

description	pid	process	target process
PID 3260 wrote to memory of 668	3260	6d5df1fa0e78c988a0e9aac669ddc78e.exe	wermgr.exe
PID 3260 wrote to memory of 668	3260	6d5df1fa0e78c988a0e9aac669ddc78e.exe	wermgr.exe
PID 3260 wrote to memory of 3976	3260	6d5df1fa0e78c988a0e9aac669ddc78e.exe	cmd.exe
PID 3260 wrote to memory of 3976	3260	6d5df1fa0e78c988a0e9aac669ddc78e.exe	cmd.exe
PID 3260 wrote to memory of 668	3260	6d5df1fa0e78c988a0e9aac669ddc78e.exe	wermgr.exe
PID 3260 wrote to memory of 668	3260	6d5df1fa0e78c988a0e9aac669ddc78e.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\6d5df1fa0e78c988a0e9aac669ddc78e.exe
"C:\Users\Admin\AppData\Local\Temp\6d5df1fa0e78c988a0e9aac669ddc78e.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:3976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-121-0x0000000000000000-mapping.dmp

Download
memory/668-123-0x0000024DD1130000-0x0000024DD1131000-memory.dmp

Filesize
4KB

Download
memory/668-122-0x0000024DD1020000-0x0000024DD1049000-memory.dmp

Filesize
164KB

Download
memory/3260-114-0x0000000002BF0000-0x0000000002C2F000-memory.dmp

Filesize
252KB

Download
memory/3260-118-0x0000000002C30000-0x0000000002C6B000-memory.dmp

Filesize
236KB

Download
memory/3260-117-0x0000000002BB0000-0x0000000002BED000-memory.dmp

Filesize
244KB

Download
memory/3260-119-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/3260-120-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download