trickbot | 034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4

Resubmissions

27-03-2023 17:53

max time kernel
30s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-03-2023 17:53

Target

034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe
Size

348KB
MD5

5f456b07d915f5a8018f14a7d6bcb7a1
SHA1

3429f2c9ae02c2b6aa1f0bd482ba13b5add799dd
SHA256

034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4
SHA512

d9577c399e7ad46de058deeac4dd1034b47bf5ecf22654cec269549ded60d482be0ebe8edb93c58836fc58a48e26474641ce3c6677a78a4d5dd6db51f1737afc
SSDEEP

6144:87a7br69lgMMMMMgMoJMMMMMMdMMMMMMMMMYI1mVVrXnVhbxGEhj63XjeUqO4BQy:87a29SJMMMMMMdMMMMMMMMMYI1mVVzVx

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe

description	pid	process	target process
PID 1984 wrote to memory of 1056	1984	034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe	wermgr.exe
PID 1984 wrote to memory of 1056	1984	034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe	wermgr.exe
PID 1984 wrote to memory of 1056	1984	034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe	wermgr.exe
PID 1984 wrote to memory of 1056	1984	034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe	wermgr.exe
PID 1984 wrote to memory of 660	1984	034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe	cmd.exe
PID 1984 wrote to memory of 660	1984	034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe	cmd.exe
PID 1984 wrote to memory of 660	1984	034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe	cmd.exe
PID 1984 wrote to memory of 660	1984	034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe
"C:\Users\Admin\AppData\Local\Temp\034d0b5802f2d8fb8c3ee2cb6fe79d0073882012c4fbc5d0facc2545d4ad16d4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984

memory/1984-54-0x0000000000150000-0x0000000000195000-memory.dmp

Filesize
276KB

Download
memory/1984-55-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1984-56-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/1984-57-0x0000000000150000-0x0000000000195000-memory.dmp

Filesize
276KB

Download
memory/1984-58-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download