trickbot | d3653992cbeaecd58a6fd47e178c6f8b7e60b54b3ec686d01841dedd4b744409

Analysis

max time kernel
284s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-06-2022 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe
Size

1.3MB
MD5

ad2d8367ebad467d07fc7ac3834db801
SHA1

16f9f4831eee1faa40ab4bd027f3303c606c4de4
SHA256

0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344
SHA512

86de35b8f5016f377b9bd641586970f9257b541f41e346a066f31fbe392c20322ffe5a80e9d996dc4fcfac2ce50be434620e8ad1ab4f24d4b8ce273b2ea2b06b

Score

10^/10

trickbot lib108 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000030

Botnet

lib108

196.43.106.38:443

186.97.172.178:443

37.228.70.134:443

144.48.139.206:443

190.110.179.139:443

172.105.15.152:443

177.67.137.111:443

27.72.107.215:443

186.66.15.10:443

189.206.78.155:443

202.131.227.229:443

185.9.187.10:443

196.41.57.46:443

212.200.25.118:443

197.254.14.238:443

45.229.71.211:443

181.167.217.53:443

181.129.116.58:443

185.189.55.207:443

172.104.241.29:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 4252 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	4252	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe

pid	process
1456	0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe
1456	0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe

description	pid	process	target process
PID 1456 wrote to memory of 2224	1456	0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe	cmd.exe
PID 1456 wrote to memory of 2224	1456	0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe	cmd.exe
PID 1456 wrote to memory of 1080	1456	0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe	cmd.exe
PID 1456 wrote to memory of 1080	1456	0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe	cmd.exe
PID 1456 wrote to memory of 4252	1456	0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe	wermgr.exe
PID 1456 wrote to memory of 4252	1456	0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe	wermgr.exe
PID 1456 wrote to memory of 4252	1456	0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe	wermgr.exe
PID 1456 wrote to memory of 4252	1456	0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe
"C:\Users\Admin\AppData\Local\Temp\0ee7590362df39d54f390e2f5ae309d36f75961c992667ec34b1113fe405f344.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:1080

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1456-130-0x00000000024D0000-0x000000000250F000-memory.dmp

Filesize
252KB

Download
memory/1456-134-0x0000000002610000-0x000000000264B000-memory.dmp

Filesize
236KB

Download
memory/1456-135-0x0000000002490000-0x00000000024CD000-memory.dmp

Filesize
244KB

Download
memory/1456-136-0x0000000002610000-0x000000000264B000-memory.dmp

Filesize
236KB

Download
memory/1456-139-0x0000000002610000-0x000000000264B000-memory.dmp

Filesize
236KB

Download
memory/4252-137-0x0000000000000000-mapping.dmp

Download
memory/4252-138-0x0000020A998E0000-0x0000020A99909000-memory.dmp

Filesize
164KB

Download