trickbot | fac96a62fc74193e1b2d5af32673077eaed3028a5477ab676aeac2943f81c6c0

Resubmissions

24-09-2021 08:56

210924-kvz2jsgdfl 10

24-09-2021 08:48

210924-kqgz6sgdek 10

Analysis

max time kernel
142s
max time network
151s
platform
windows10_x64
resource
win10-en-20210920
submitted
24-09-2021 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00bf75d02bb1e16a1a09d4ff964b1a36.exe
Size

356KB
MD5

00bf75d02bb1e16a1a09d4ff964b1a36
SHA1

a152d09a6a90d41fc29dc64b9c5c3360ab4ebf9a
SHA256

fac96a62fc74193e1b2d5af32673077eaed3028a5477ab676aeac2943f81c6c0
SHA512

072fcd69e08b6db309dc06e0a0dcc95d72d80e851ecf0f5aafa8dd28fe4d4d5af5dedd32f3f88533a55a8b4cc27e237d47dc65642040991f56ecfa187de69572

Score

10^/10

trickbot top124 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

top124

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 4124 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

00bf75d02bb1e16a1a09d4ff964b1a36.exe

pid process

3084 00bf75d02bb1e16a1a09d4ff964b1a36.exe
3084 00bf75d02bb1e16a1a09d4ff964b1a36.exe

description	pid	process
Token: SeDebugPrivilege	4124	wermgr.exe

pid	process
3084	00bf75d02bb1e16a1a09d4ff964b1a36.exe
3084	00bf75d02bb1e16a1a09d4ff964b1a36.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

00bf75d02bb1e16a1a09d4ff964b1a36.exe

description	pid	process	target process
PID 3084 wrote to memory of 4124	3084	00bf75d02bb1e16a1a09d4ff964b1a36.exe	wermgr.exe
PID 3084 wrote to memory of 4124	3084	00bf75d02bb1e16a1a09d4ff964b1a36.exe	wermgr.exe
PID 3084 wrote to memory of 3292	3084	00bf75d02bb1e16a1a09d4ff964b1a36.exe	cmd.exe
PID 3084 wrote to memory of 3292	3084	00bf75d02bb1e16a1a09d4ff964b1a36.exe	cmd.exe
PID 3084 wrote to memory of 4124	3084	00bf75d02bb1e16a1a09d4ff964b1a36.exe	wermgr.exe
PID 3084 wrote to memory of 4124	3084	00bf75d02bb1e16a1a09d4ff964b1a36.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\00bf75d02bb1e16a1a09d4ff964b1a36.exe
"C:\Users\Admin\AppData\Local\Temp\00bf75d02bb1e16a1a09d4ff964b1a36.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:3292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3084-115-0x0000000002590000-0x00000000025CE000-memory.dmp

Filesize
248KB

Download
memory/3084-118-0x0000000002550000-0x000000000258C000-memory.dmp

Filesize
240KB

Download
memory/3084-119-0x0000000002D50000-0x0000000002D8A000-memory.dmp

Filesize
232KB

Download
memory/3084-121-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/3084-120-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/4124-122-0x0000000000000000-mapping.dmp

Download
memory/4124-123-0x000001A7647F0000-0x000001A764819000-memory.dmp

Filesize
164KB

Download
memory/4124-124-0x000001A764830000-0x000001A764831000-memory.dmp

Filesize
4KB

Download