Overview

overview

10

Static

static

1e1cd8e032...34.exe

windows7-x64

10

1e1cd8e032...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    189s
  • max time network
    218s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1e1cd8e03241b215e25e403ad23c5db674177c566ebd88ff665a1ec214f7e534.exe

  • Size

    299KB

  • MD5

    fa04235f2c1acd6e551ec5ffecdcf71b

  • SHA1

    3b7d78b3cf06f6b0caa20b7b8ae9dc395548a723

  • SHA256

    1e1cd8e03241b215e25e403ad23c5db674177c566ebd88ff665a1ec214f7e534

  • SHA512

    6d1ee393551222413f3f07252ef7201b51047ef4b76dd8cdc74e2477e3be784dd2866d17da2481c79945b9bb9574bf2a4a6a923c43d9cb4432dd6a814cf73c67

  • SSDEEP

    6144:HAemIDCLNJHnjIxTjJHfn0lkQGCXtZnALh7pBuc:g6KExT98lRXw7pB

Score
10/10
trickbotlib314bankerpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000263

Botnet

lib314

C2

118.97.119.218:449

94.181.47.198:449

144.121.143.129:449

185.200.60.138:449

185.42.52.126:449

181.174.112.74:449

178.116.83.49:443

121.58.242.206:449

182.50.64.148:449

82.222.40.119:449

97.78.222.18:449

67.79.15.106:449

168.167.87.79:443

103.111.53.126:449

182.253.20.66:449

192.188.120.164:443

81.17.86.112:443

95.154.80.154:449

46.149.182.112:449

69.9.232.167:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 3 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e1cd8e03241b215e25e403ad23c5db674177c566ebd88ff665a1ec214f7e534.exe
    "C:\Users\Admin\AppData\Local\Temp\1e1cd8e03241b215e25e403ad23c5db674177c566ebd88ff665a1ec214f7e534.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\AppData\Roaming\mssert\1e1cd9e03241b216e26e403ad23c6db784188c677ebd99ff776a1ec214f8e634.exe
      C:\Users\Admin\AppData\Roaming\mssert\1e1cd9e03241b216e26e403ad23c6db784188c677ebd99ff776a1ec214f8e634.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Adds Run key to start application
        PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2386679933-1492765628-3466841596-1000\0f5007522459c86e95ffcc62f32308f1_8329e3af-909b-464f-88cb-23d8b2c5eadf
    Filesize

    1KB

    MD5

    9c58924c62eb8cf19c386857da727cc7

    SHA1

    4557babab244d99aa5a8a11dece50f963c6db21b

    SHA256

    5d5d5acc75f73519a33151588cf0be03883a195390ac1e8e07e0646186bdb4d1

    SHA512

    dfa408bcf5cea7f1cebd8163094bc98948ea089c890f9774cbdcb610f2619fa0c9c38b03a28d3ed1e3fe7fb5d6408c12bcedb6354f583e55dacfa4c63fa42dcd

    Download Submit
  • C:\Users\Admin\AppData\Roaming\mssert\1e1cd9e03241b216e26e403ad23c6db784188c677ebd99ff776a1ec214f8e634.exe
    Filesize

    299KB

    MD5

    fa04235f2c1acd6e551ec5ffecdcf71b

    SHA1

    3b7d78b3cf06f6b0caa20b7b8ae9dc395548a723

    SHA256

    1e1cd8e03241b215e25e403ad23c5db674177c566ebd88ff665a1ec214f7e534

    SHA512

    6d1ee393551222413f3f07252ef7201b51047ef4b76dd8cdc74e2477e3be784dd2866d17da2481c79945b9bb9574bf2a4a6a923c43d9cb4432dd6a814cf73c67

    Download Submit
  • C:\Users\Admin\AppData\Roaming\mssert\1e1cd9e03241b216e26e403ad23c6db784188c677ebd99ff776a1ec214f8e634.exe
    Filesize

    299KB

    MD5

    fa04235f2c1acd6e551ec5ffecdcf71b

    SHA1

    3b7d78b3cf06f6b0caa20b7b8ae9dc395548a723

    SHA256

    1e1cd8e03241b215e25e403ad23c5db674177c566ebd88ff665a1ec214f7e534

    SHA512

    6d1ee393551222413f3f07252ef7201b51047ef4b76dd8cdc74e2477e3be784dd2866d17da2481c79945b9bb9574bf2a4a6a923c43d9cb4432dd6a814cf73c67

    Download Submit
  • memory/780-132-0x00000000006E0000-0x000000000071D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/780-150-0x00000000006E0000-0x000000000071D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/1776-133-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-138-0x0000000010000000-0x0000000010007000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1776-149-0x0000000000720000-0x000000000075D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/2964-141-0x0000000000000000-mapping.dmp
    Download
  • memory/2964-143-0x0000000140000000-0x0000000140035000-memory.dmp
    Filesize

    212KB

    Download