trickbot | 5ee35bd407af70ebadd34ca4ee64eb7b9fea5355f805e813cac1f20917f0f951

Analysis

max time kernel
161s
max time network
166s
platform
windows10_x64
resource
win10v20210408
submitted
24-09-2021 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f053a76df955f3f5ef9b20b027d1fa2.exe
Size

360KB
MD5

4f053a76df955f3f5ef9b20b027d1fa2
SHA1

ddbf7761ad0409f0228799b231be600ca2d24f12
SHA256

5ee35bd407af70ebadd34ca4ee64eb7b9fea5355f805e813cac1f20917f0f951
SHA512

8dd0ccb14d6f7f93e880bfd6c74a3c34538a67800f0fc56aa1d74dd1337909648f100024ffefd1cb5f0108ad3d84e2cc2e567ad2ce8463989305d48c794f091b

Score

10^/10

trickbot tot152 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

tot152

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ipecho.net
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1092 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4f053a76df955f3f5ef9b20b027d1fa2.exe

pid process

996 4f053a76df955f3f5ef9b20b027d1fa2.exe
996 4f053a76df955f3f5ef9b20b027d1fa2.exe

flow	ioc
14	ipecho.net

description	pid	process
Token: SeDebugPrivilege	1092	wermgr.exe

pid	process
996	4f053a76df955f3f5ef9b20b027d1fa2.exe
996	4f053a76df955f3f5ef9b20b027d1fa2.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4f053a76df955f3f5ef9b20b027d1fa2.exe

description	pid	process	target process
PID 996 wrote to memory of 1092	996	4f053a76df955f3f5ef9b20b027d1fa2.exe	wermgr.exe
PID 996 wrote to memory of 1092	996	4f053a76df955f3f5ef9b20b027d1fa2.exe	wermgr.exe
PID 996 wrote to memory of 1216	996	4f053a76df955f3f5ef9b20b027d1fa2.exe	cmd.exe
PID 996 wrote to memory of 1216	996	4f053a76df955f3f5ef9b20b027d1fa2.exe	cmd.exe
PID 996 wrote to memory of 1092	996	4f053a76df955f3f5ef9b20b027d1fa2.exe	wermgr.exe
PID 996 wrote to memory of 1092	996	4f053a76df955f3f5ef9b20b027d1fa2.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\4f053a76df955f3f5ef9b20b027d1fa2.exe
"C:\Users\Admin\AppData\Local\Temp\4f053a76df955f3f5ef9b20b027d1fa2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:1216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-114-0x0000000002BE0000-0x0000000002C1F000-memory.dmp

Filesize
252KB

Download
memory/996-117-0x0000000002650000-0x000000000268D000-memory.dmp

Filesize
244KB

Download
memory/996-118-0x0000000002C20000-0x0000000002C5B000-memory.dmp

Filesize
236KB

Download
memory/996-120-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/996-119-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/1092-121-0x0000000000000000-mapping.dmp

Download
memory/1092-123-0x00000223B77B0000-0x00000223B77B1000-memory.dmp

Filesize
4KB

Download
memory/1092-122-0x00000223B76A0000-0x00000223B76C9000-memory.dmp

Filesize
164KB

Download