trickbot | 5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb

General

Target

5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Size

424KB
MD5

a0c729c01ea861b5a20294303a612b9f
SHA1

ae122915a28c02908e1088670914962b827c42e0
SHA256

5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb
SHA512

976ec722e3c459b5a7158a9b5fc5414b7d40b5ad636e3b1cac8b3911f5b2cf2ccb8fa0c87d5c384f4d8bca5f564d44e178a0e6e491055d470ae95d333a568a6a

Score

10^/10

trickbot lib5 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100009

Botnet

lib5

C2

149.54.11.54:449

36.89.191.119:449

41.159.31.227:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.44:449

194.5.249.143:443

142.202.191.175:443

195.123.241.31:443

45.89.125.214:443

45.83.151.103:443

91.200.103.41:443

66.70.246.0:443

64.74.160.218:443

198.46.198.115:443

5.34.180.173:443

23.227.196.5:443

195.123.241.115:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe

pid process

1708 5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Loads dropped DLL 1 IoCs

Processes:

5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe

pid process

1732 5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2044 wermgr.exe

pid	process
1708	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe

pid	process
1732	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe

description	pid	process
Token: SeDebugPrivilege	2044	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe

description	pid	process	target process
PID 1732 wrote to memory of 1708	1732	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
PID 1732 wrote to memory of 1708	1732	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
PID 1732 wrote to memory of 1708	1732	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
PID 1732 wrote to memory of 1708	1732	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
PID 1708 wrote to memory of 2044	1708	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	wermgr.exe
PID 1708 wrote to memory of 2044	1708	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	wermgr.exe
PID 1708 wrote to memory of 2044	1708	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	wermgr.exe
PID 1708 wrote to memory of 2044	1708	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	wermgr.exe
PID 1708 wrote to memory of 2044	1708	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	wermgr.exe
PID 1708 wrote to memory of 2044	1708	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
"C:\Users\Admin\AppData\Local\Temp\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
C:\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Filesize
424KB

MD5
a0c729c01ea861b5a20294303a612b9f

SHA1
ae122915a28c02908e1088670914962b827c42e0

SHA256
5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb

SHA512
976ec722e3c459b5a7158a9b5fc5414b7d40b5ad636e3b1cac8b3911f5b2cf2ccb8fa0c87d5c384f4d8bca5f564d44e178a0e6e491055d470ae95d333a568a6a

Download Submit
\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Filesize
424KB

MD5
a0c729c01ea861b5a20294303a612b9f

SHA1
ae122915a28c02908e1088670914962b827c42e0

SHA256
5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb

SHA512
976ec722e3c459b5a7158a9b5fc5414b7d40b5ad636e3b1cac8b3911f5b2cf2ccb8fa0c87d5c384f4d8bca5f564d44e178a0e6e491055d470ae95d333a568a6a

Download Submit
memory/1708-58-0x0000000000000000-mapping.dmp

Download
memory/1708-61-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1708-62-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1732-54-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1732-55-0x00000000003D0000-0x00000000003D5000-memory.dmp

Filesize
20KB

Download
memory/1732-56-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2044-63-0x0000000000000000-mapping.dmp

Download
memory/2044-64-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/2044-65-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing