Overview

overview

10

Static

static

a3276a6edd...a9.exe

windows7_x64

10

a3276a6edd...a9.exe

windows10_x64

10

Analysis

  • max time kernel
    107s
  • max time network
    196s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    25-09-2021 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a3276a6edd8cdf35e28c69e98fac25a9.exe

  • Size

    356KB

  • MD5

    a3276a6edd8cdf35e28c69e98fac25a9

  • SHA1

    81c733ca47319a818bb1b9ef138c58bf4f715147

  • SHA256

    d825da453d80559eabf1d90dc46af91ce1a05448b4583d963e6fd3d05f87f208

  • SHA512

    71f290b4b3fbece1816a58d63208cefb87bf02a47150db1a9e8715a1d8aec6195ea9a76a3d27be4cfea55974d98ab737f1f155d3d35c219aebe2d25a993ba7df

Score
10/10
trickbotlip124bankersuricatatrojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

lip124

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2

    suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2

    suricata
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a3276a6edd8cdf35e28c69e98fac25a9.exe
    "C:\Users\Admin\AppData\Local\Temp\a3276a6edd8cdf35e28c69e98fac25a9.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:332
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:432
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
        PID:860

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/332-60-0x0000000001F10000-0x0000000001F4E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/332-63-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/332-64-0x0000000000270000-0x00000000002AC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/332-65-0x0000000001F50000-0x0000000001F8A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/332-66-0x00000000003E0000-0x00000000003F1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/332-67-0x0000000010001000-0x0000000010003000-memory.dmp
      Filesize

      8KB

      Download
    • memory/432-68-0x0000000000000000-mapping.dmp
      Download
    • memory/432-69-0x0000000000060000-0x0000000000089000-memory.dmp
      Filesize

      164KB

      Download
    • memory/432-70-0x0000000000110000-0x0000000000111000-memory.dmp
      Filesize

      4KB

      Download