trickbot | 5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb

General

Target

5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Size

424KB
MD5

a0c729c01ea861b5a20294303a612b9f
SHA1

ae122915a28c02908e1088670914962b827c42e0
SHA256

5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb
SHA512

976ec722e3c459b5a7158a9b5fc5414b7d40b5ad636e3b1cac8b3911f5b2cf2ccb8fa0c87d5c384f4d8bca5f564d44e178a0e6e491055d470ae95d333a568a6a

Score

10^/10

trickbot lib5 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100009

Botnet

lib5

C2

149.54.11.54:449

36.89.191.119:449

41.159.31.227:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.44:449

194.5.249.143:443

142.202.191.175:443

195.123.241.31:443

45.89.125.214:443

45.83.151.103:443

91.200.103.41:443

66.70.246.0:443

64.74.160.218:443

198.46.198.115:443

5.34.180.173:443

23.227.196.5:443

195.123.241.115:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Executes dropped EXE 1 IoCs

Processes:

5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe

pid process

4820 5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 4520 wermgr.exe

pid	process
4820	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe

description	pid	process
Token: SeDebugPrivilege	4520	wermgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe

description	pid	process	target process
PID 2676 wrote to memory of 4820	2676	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
PID 2676 wrote to memory of 4820	2676	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
PID 2676 wrote to memory of 4820	2676	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
PID 4820 wrote to memory of 4520	4820	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	wermgr.exe
PID 4820 wrote to memory of 4520	4820	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	wermgr.exe
PID 4820 wrote to memory of 4520	4820	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	wermgr.exe
PID 4820 wrote to memory of 4520	4820	5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
"C:\Users\Admin\AppData\Local\Temp\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
C:\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Filesize
424KB

MD5
a0c729c01ea861b5a20294303a612b9f

SHA1
ae122915a28c02908e1088670914962b827c42e0

SHA256
5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb

SHA512
976ec722e3c459b5a7158a9b5fc5414b7d40b5ad636e3b1cac8b3911f5b2cf2ccb8fa0c87d5c384f4d8bca5f564d44e178a0e6e491055d470ae95d333a568a6a

Download Submit
C:\Users\Admin\AppData\Roaming\DesktopColor\5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb.exe
Filesize
424KB

MD5
a0c729c01ea861b5a20294303a612b9f

SHA1
ae122915a28c02908e1088670914962b827c42e0

SHA256
5b99daa58d2f59f7066c1d0ce82884217e3ad693d6f5f26ed351f96754a790cb

SHA512
976ec722e3c459b5a7158a9b5fc5414b7d40b5ad636e3b1cac8b3911f5b2cf2ccb8fa0c87d5c384f4d8bca5f564d44e178a0e6e491055d470ae95d333a568a6a

Download Submit
memory/2676-130-0x0000000000630000-0x0000000000635000-memory.dmp

Filesize
20KB

Download
memory/2676-131-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2676-136-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4520-137-0x0000000000000000-mapping.dmp

Download
memory/4520-138-0x00000286388B0000-0x00000286388D7000-memory.dmp

Filesize
156KB

Download
memory/4820-132-0x0000000000000000-mapping.dmp

Download
memory/4820-135-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4820-139-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing