Overview

overview

10

Static

static

5df26114f7...d3.exe

windows7-x64

10

5df26114f7...d3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2022 21:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe

  • Size

    383KB

  • MD5

    366c27888902481f1e12ebbfa9ce946a

  • SHA1

    7801599ce1123bfe5990534d0c649ec913aae5cd

  • SHA256

    5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3

  • SHA512

    6d253a38151308e9cbf5537cd440f094d159a3e90c5a4826ff94f4e16b2b66b39563da3807b59db83dfd74c0255d51e3d0e3afed1a631697c92dd7b3f10f51f5

Score
10/10
trickbotser1025usbankerpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000287

Botnet

ser1025us

C2

193.111.63.208:443

68.3.14.71:443

174.105.235.178:449

5.196.131.249:443

181.113.17.230:449

205.157.150.98:443

185.251.38.187:443

207.140.14.141:443

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

82.202.236.66:443

74.140.160.33:449

76.181.182.166:449

140.190.54.187:449

82.222.40.119:449

24.119.69.70:449

188.68.208.242:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 3 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe
    "C:\Users\Admin\AppData\Local\Temp\5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Roaming\WSOG\6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
      C:\Users\Admin\AppData\Roaming\WSOG\6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:508
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Adds Run key to start application
        PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3463845317-933582289-45817732-1000\0f5007522459c86e95ffcc62f32308f1_bfe458be-6a47-4012-a9d0-2c4333e0df83
    Filesize

    1KB

    MD5

    bf048f6e3275048397bbc0b8109c53c9

    SHA1

    185bb7dca51819cc82080289e41b51d30ecb1e5c

    SHA256

    1052e642f519337bf98ee4dfa894bb19a8ffa82e159d54d731e708aae86f253e

    SHA512

    507940776b20ffa32a73bed1a7c119ee1d0a0fd678f3a035a0efd6cc96bc33127f91c7dde69df57da7cad6e9a3a09323010d9153a17fc222ff95547ebe1040d2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WSOG\6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
    Filesize

    383KB

    MD5

    366c27888902481f1e12ebbfa9ce946a

    SHA1

    7801599ce1123bfe5990534d0c649ec913aae5cd

    SHA256

    5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3

    SHA512

    6d253a38151308e9cbf5537cd440f094d159a3e90c5a4826ff94f4e16b2b66b39563da3807b59db83dfd74c0255d51e3d0e3afed1a631697c92dd7b3f10f51f5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WSOG\6df27114f87ec97dcd6309e3b60389fd68f0e0f97b22d3246d18c7e18fdd97d3.exe
    Filesize

    383KB

    MD5

    366c27888902481f1e12ebbfa9ce946a

    SHA1

    7801599ce1123bfe5990534d0c649ec913aae5cd

    SHA256

    5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3

    SHA512

    6d253a38151308e9cbf5537cd440f094d159a3e90c5a4826ff94f4e16b2b66b39563da3807b59db83dfd74c0255d51e3d0e3afed1a631697c92dd7b3f10f51f5

    Download Submit
  • memory/508-133-0x0000000000000000-mapping.dmp
    Download
  • memory/508-138-0x0000000010000000-0x0000000010007000-memory.dmp
    Filesize

    28KB

    Download
  • memory/508-150-0x00000000013D0000-0x0000000001410000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3516-132-0x00000000005D0000-0x0000000000610000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3516-149-0x00000000005D0000-0x0000000000610000-memory.dmp
    Filesize

    256KB

    Download
  • memory/4608-141-0x0000000000000000-mapping.dmp
    Download
  • memory/4608-143-0x0000000140000000-0x0000000140039000-memory.dmp
    Filesize

    228KB

    Download