trickbot | 94ffc5fde8cddb3e28ea1a17914b9120b5158f058eecc993d9b8e5a378d98a3c

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94ffc5fde8cddb3e28ea1a17914b9120b5158f058eecc993d9b8e5a378d98a3c.exe
Size

193KB
MD5

03e207d529998465a72ee7376bc5b180
SHA1

47a3edb81733b70e9c656ee1ba5d4c1944e8a111
SHA256

94ffc5fde8cddb3e28ea1a17914b9120b5158f058eecc993d9b8e5a378d98a3c
SHA512

6c0c01cc8bd312f207c8158c375b8cbb96fa1da9317d11c6a39cafdb329bb02f15b6ebc2606d17af108b46b753e2ee8e0d0ff59fc0ff0463efafeda81b5ec913

Score

10^/10

trickbot chil6 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000501

Botnet

chil6

5.182.210.226:443

5.182.210.120:443

185.65.202.183:443

212.80.217.243:443

85.143.218.249:443

194.5.250.178:443

198.15.119.121:443

107.175.87.142:443

185.14.31.72:443

188.165.62.2:443

194.5.250.179:443

198.15.119.71:443

185.14.29.4:443

185.99.2.202:443

192.3.193.162:443

89.191.234.89:443

195.54.32.12:443

31.131.21.30:443

5.34.177.194:443

190.214.13.2:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2664 svchost.exe
Token: SeDebugPrivilege 2664 svchost.exe

description	pid	process
Token: SeDebugPrivilege	2664	svchost.exe
Token: SeDebugPrivilege	2664	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

94ffc5fde8cddb3e28ea1a17914b9120b5158f058eecc993d9b8e5a378d98a3c.exe

description	pid	process	target process
PID 3512 wrote to memory of 2664	3512	94ffc5fde8cddb3e28ea1a17914b9120b5158f058eecc993d9b8e5a378d98a3c.exe	svchost.exe
PID 3512 wrote to memory of 2664	3512	94ffc5fde8cddb3e28ea1a17914b9120b5158f058eecc993d9b8e5a378d98a3c.exe	svchost.exe
PID 3512 wrote to memory of 2664	3512	94ffc5fde8cddb3e28ea1a17914b9120b5158f058eecc993d9b8e5a378d98a3c.exe	svchost.exe
PID 3512 wrote to memory of 2664	3512	94ffc5fde8cddb3e28ea1a17914b9120b5158f058eecc993d9b8e5a378d98a3c.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\94ffc5fde8cddb3e28ea1a17914b9120b5158f058eecc993d9b8e5a378d98a3c.exe
"C:\Users\Admin\AppData\Local\Temp\94ffc5fde8cddb3e28ea1a17914b9120b5158f058eecc993d9b8e5a378d98a3c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2664-131-0x0000000000000000-mapping.dmp

Download
memory/2664-133-0x000001FF5E080000-0x000001FF5E0A4000-memory.dmp

Filesize
144KB

Download
memory/2664-134-0x000001FF5E080000-0x000001FF5E0A4000-memory.dmp

Filesize
144KB

Download
memory/3512-130-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3512-132-0x0000000010001000-0x0000000010006000-memory.dmp

Filesize
20KB

Download