trickbot | ba87c3d8adc50c452e7766405298ef08d0919bed8f41abd8c10a10289a348cb4

Analysis

max time kernel
135s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
25-06-2022 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba87c3d8adc50c452e7766405298ef08d0919bed8f41abd8c10a10289a348cb4.exe
Size

196KB
MD5

685f692b3ba186d3470fe70ad6d3f007
SHA1

53d350351cdc3add444e4ef6d31381066b9f6ad0
SHA256

ba87c3d8adc50c452e7766405298ef08d0919bed8f41abd8c10a10289a348cb4
SHA512

d4f4bcc293ec05a71e829df257d1a5c74f1e6498a6188d479c0d0d983949f2b089de9efee3be877e5789d4bde804c57887b3f09b571f9c1f43f4a7c8486d21d4

Score

10^/10

trickbot tot677 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000499

Botnet

tot677

5.182.210.226:443

82.146.62.52:443

193.26.217.243:443

5.2.78.77:443

107.172.165.149:443

185.14.29.84:443

178.156.202.130:443

185.62.188.10:443

5.255.96.115:443

212.80.216.209:443

195.133.145.31:443

5.34.177.97:443

85.143.216.206:443

185.99.2.193:443

5.182.210.4:443

178.156.202.120:443

146.185.253.197:443

194.99.21.139:443

185.200.241.248:443

185.183.96.43:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3256-130-0x0000000000400000-0x0000000000431000-memory.dmp	trickbot_loader32

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2692 3256 WerFault.exe ba87c3d8adc50c452e7766405298ef08d0919bed8f41abd8c10a10289a348cb4.exe

pid	pid_target	process	target process
2692	3256	WerFault.exe	ba87c3d8adc50c452e7766405298ef08d0919bed8f41abd8c10a10289a348cb4.exe

C:\Users\Admin\AppData\Local\Temp\ba87c3d8adc50c452e7766405298ef08d0919bed8f41abd8c10a10289a348cb4.exe
"C:\Users\Admin\AppData\Local\Temp\ba87c3d8adc50c452e7766405298ef08d0919bed8f41abd8c10a10289a348cb4.exe"
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 224
2⤵
- Program crash
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3256 -ip 3256
1⤵
PID:3108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3256-130-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download