Analysis

  • max time kernel
    124s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-07-2022 15:56

General

  • Target

    58443a60ecb0555e3b92416f93edd4245e6735cffdd480ef00e4cb2169f0cf14.exe

  • Size

    428KB

  • MD5

    e054ba3861687187c1f110f3a6185f00

  • SHA1

    a50a9a86b98183bd15526e4fc7e878d25c2d5ae6

  • SHA256

    58443a60ecb0555e3b92416f93edd4245e6735cffdd480ef00e4cb2169f0cf14

  • SHA512

    36ad0542fbec2bb7d8e8d30202af35526854e782e8c75a9f972e6b14100025be3982e3fe7f1e35caab328630bc09c2cd7b612bf178e1e243347d52446c311e0a

Malware Config

Extracted

Family

trickbot

Version

1000296

Botnet

tot349

C2

185.222.202.113:443

24.247.181.155:449

174.105.235.178:449

185.111.74.246:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

198.12.108.171:443

71.94.101.25:443

206.130.141.255:449

198.46.161.244:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

66.38.80.188:449

24.119.69.70:449

192.3.130.29:443

103.110.91.118:449

Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
  • ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 3 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58443a60ecb0555e3b92416f93edd4245e6735cffdd480ef00e4cb2169f0cf14.exe
    "C:\Users\Admin\AppData\Local\Temp\58443a60ecb0555e3b92416f93edd4245e6735cffdd480ef00e4cb2169f0cf14.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3880
    • C:\Users\Admin\AppData\Roaming\WINYS\69443a70ecb0666e3b92417f93edd4246e7836cffdd490ef00e4cb2179f0cf14.exe
      C:\Users\Admin\AppData\Roaming\WINYS\69443a70ecb0666e3b92417f93edd4246e7836cffdd490ef00e4cb2179f0cf14.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Adds Run key to start application
        PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2660308776-3705150086-26593515-1000\0f5007522459c86e95ffcc62f32308f1_b975079f-5511-47c1-a87a-f7cd913ae83c
    Filesize

    1KB

    MD5

    f15dc4cd67ce74b70f8cb4f5a0e0ee43

    SHA1

    2440c684ea0da4281248f699b9029910c1fd793b

    SHA256

    6c474b0403d7ce53cb79c49ee68366f30f6061236e6088a5e04c72a601c73230

    SHA512

    9432ec9e427f1becac49c87f6f6c69751bab13a95d2ec1b9e23d3e81d55833a46c353da45a29e040c09cc3dd81573b4cf75759b2b68a65114336dacfd8801333

  • C:\Users\Admin\AppData\Roaming\WINYS\69443a70ecb0666e3b92417f93edd4246e7836cffdd490ef00e4cb2179f0cf14.exe
    Filesize

    428KB

    MD5

    e054ba3861687187c1f110f3a6185f00

    SHA1

    a50a9a86b98183bd15526e4fc7e878d25c2d5ae6

    SHA256

    58443a60ecb0555e3b92416f93edd4245e6735cffdd480ef00e4cb2169f0cf14

    SHA512

    36ad0542fbec2bb7d8e8d30202af35526854e782e8c75a9f972e6b14100025be3982e3fe7f1e35caab328630bc09c2cd7b612bf178e1e243347d52446c311e0a

  • memory/732-140-0x0000000000000000-mapping.dmp
  • memory/732-142-0x0000000140000000-0x0000000140039000-memory.dmp
    Filesize

    228KB

  • memory/3880-130-0x00000000006C0000-0x0000000000700000-memory.dmp
    Filesize

    256KB

  • memory/3880-135-0x00000000006C0000-0x0000000000700000-memory.dmp
    Filesize

    256KB

  • memory/4464-131-0x0000000000000000-mapping.dmp
  • memory/4464-137-0x0000000010000000-0x0000000010007000-memory.dmp
    Filesize

    28KB

  • memory/4464-148-0x0000000000180000-0x00000000001C0000-memory.dmp
    Filesize

    256KB