trickbot | 4e76d73f3b303e481036ada80c2eeba8db2f306cbc9323748560843c80b2fed1

Resubmissions

23-01-2023 07:09

12-11-2022 11:10

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-11-2022 11:10

Target

cursor.exe
Size

492KB
MD5

bd54d40e9eb98623a5436cad1a39d22e
SHA1

d92403c32398a5eefb087da3dc81820fc65fae4b
SHA256

4e76d73f3b303e481036ada80c2eeba8db2f306cbc9323748560843c80b2fed1
SHA512

20db406038601acd3903e8bbad25ce2d943631d8e30ca052effd1943a6b1bca808c57f5f0c39e39141f6a2d54ae491a72d5598b420527e320117b97dc7069f13
SSDEEP

12288:IsE7cgZpZw2de9t8jy3NoGgLGl+EeSg9IBao:FE7cgZXBde9sQwGmg1

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1084 wermgr.exe
Token: SeDebugPrivilege 1084 wermgr.exe
Token: SeDebugPrivilege 1084 wermgr.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cursor.exe

pid process

1832 cursor.exe

pid	process
1832	cursor.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cursor.exe

description	pid	process	target process
PID 1832 wrote to memory of 1084	1832	cursor.exe	wermgr.exe
PID 1832 wrote to memory of 1084	1832	cursor.exe	wermgr.exe
PID 1832 wrote to memory of 1084	1832	cursor.exe	wermgr.exe
PID 1832 wrote to memory of 1084	1832	cursor.exe	wermgr.exe
PID 1832 wrote to memory of 1084	1832	cursor.exe	wermgr.exe
PID 1832 wrote to memory of 1084	1832	cursor.exe	wermgr.exe

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084

memory/1084-58-0x0000000000000000-mapping.dmp

Download
memory/1084-59-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1084-61-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1084-62-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1832-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1832-55-0x00000000003A0000-0x00000000003CE000-memory.dmp

Filesize
184KB

Download
memory/1832-56-0x00000000002B0000-0x00000000002DD000-memory.dmp

Filesize
180KB

Download
memory/1832-57-0x00000000003A1000-0x00000000003CE000-memory.dmp

Filesize
180KB

Download
memory/1832-60-0x00000000003A1000-0x00000000003CE000-memory.dmp

Filesize
180KB

Download