trickbot | c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5

General

Target

7bb8f00948d80dc7a3936c4c1fa2b276.exe
Size

516KB
MD5

7bb8f00948d80dc7a3936c4c1fa2b276
SHA1

e60d2828c4a5716d1d96ba1a141e239a2df374f8
SHA256

c3b12369d950f2420697e8b05b80a29a0cea58fd7d858d7a622611291d3496f5
SHA512

ac507e6050da30a7b2a8867d6acf384925105fbb3d325d578de7997a1d1f3284071486d42caeea4274bbbef182fc966d0d2e130786c576d54be17ea3307ff298

Score

10^/10

trickbot tot153 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

tot153

C2

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2036 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7bb8f00948d80dc7a3936c4c1fa2b276.exe

pid process

2020 7bb8f00948d80dc7a3936c4c1fa2b276.exe
2020 7bb8f00948d80dc7a3936c4c1fa2b276.exe

description	pid	process
Token: SeDebugPrivilege	2036	wermgr.exe

pid	process
2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe
2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

7bb8f00948d80dc7a3936c4c1fa2b276.exe

description	pid	process	target process
PID 2020 wrote to memory of 2036	2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe	wermgr.exe
PID 2020 wrote to memory of 2036	2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe	wermgr.exe
PID 2020 wrote to memory of 2036	2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe	wermgr.exe
PID 2020 wrote to memory of 2036	2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe	wermgr.exe
PID 2020 wrote to memory of 1068	2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe	cmd.exe
PID 2020 wrote to memory of 1068	2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe	cmd.exe
PID 2020 wrote to memory of 1068	2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe	cmd.exe
PID 2020 wrote to memory of 1068	2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe	cmd.exe
PID 2020 wrote to memory of 2036	2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe	wermgr.exe
PID 2020 wrote to memory of 2036	2020	7bb8f00948d80dc7a3936c4c1fa2b276.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\7bb8f00948d80dc7a3936c4c1fa2b276.exe
"C:\Users\Admin\AppData\Local\Temp\7bb8f00948d80dc7a3936c4c1fa2b276.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:1068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-60-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/2020-61-0x0000000001E10000-0x0000000001E4F000-memory.dmp

Filesize
252KB

Download
memory/2020-65-0x0000000001F70000-0x0000000001FAB000-memory.dmp

Filesize
236KB

Download
memory/2020-64-0x0000000000620000-0x000000000065C000-memory.dmp

Filesize
240KB

Download
memory/2020-66-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2020-67-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/2036-68-0x0000000000000000-mapping.dmp

Download
memory/2036-70-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2036-69-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing