trickbot | e59e7db0c75cef4bb6e057d725bae7ed5e13fd011b54fe39c3fe7cdb123b684f

Analysis

max time kernel
313s
max time network
323s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-06-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe
Size

454KB
MD5

92bdf585c0213c658e84afa9bee31e83
SHA1

2605300c6957335e73d527d83405e657ff3348f0
SHA256

75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a
SHA512

94fe04fb55a6046226222d55967a05acfa9f26e7ed5a7ce91f6e57565502399f1daad99084e9ed9d940319a124b0fd9557fb28d2082c0c2cdbba5255ca986726

Score

10^/10

trickbot rob110 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100018

Botnet

rob110

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1692 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1692	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe

description	pid	process	target process
PID 2272 wrote to memory of 1112	2272	75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe	cmd.exe
PID 2272 wrote to memory of 1112	2272	75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe	cmd.exe
PID 2272 wrote to memory of 1692	2272	75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe	wermgr.exe
PID 2272 wrote to memory of 1692	2272	75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe	wermgr.exe
PID 2272 wrote to memory of 1692	2272	75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe	wermgr.exe
PID 2272 wrote to memory of 1692	2272	75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe
"C:\Users\Admin\AppData\Local\Temp\75a5b0e0e96691e1aacf99aba23f9b2a53ef8c349a8822494b7b82c400b5a61a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:1112

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-131-0x0000000000000000-mapping.dmp

Download
memory/1692-132-0x00000204961C0000-0x00000204961E9000-memory.dmp

Filesize
164KB

Download
memory/2272-130-0x0000000000A60000-0x0000000000AAF000-memory.dmp

Filesize
316KB

Download
memory/2272-133-0x0000000000A60000-0x0000000000AAF000-memory.dmp

Filesize
316KB

Download