trickbot | 318c7bea51010471a38b873949c903208919cbafb0d20cb966baf58e099a368a

Analysis

max time kernel
166s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2023, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe
Size

396KB
MD5

8503ea92f4c9941ee3295978729d98ba
SHA1

d04dfbc5b1335c8408ffb5c58bd966791f748ad3
SHA256

1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53
SHA512

a5dade77d81f3fc49b46d828ea653d55b921e8b65b455dd0a1fa7eba7880b3a86deff0aafd21276a86eb95be948ab61da9771343ccbc24164b31c3a5b18edaa5
SSDEEP

6144:omPt4BMS4GhUjjF0CBTTFCIRroPHQJ/s5xi8uwytwnhJCAfYrewWvoKMyDftxQib:ZPt4BMsOvpAHQJ0G8CAfWWvo1im

Score

10^/10

trickbot xml1 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

xml1

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4976	wermgr.exe
Token: SeDebugPrivilege	4976	wermgr.exe
Token: SeDebugPrivilege	4976	wermgr.exe
Token: SeManageVolumePrivilege	1392	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3080	1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe
3080	1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 4976	3080	1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe	110
PID 3080 wrote to memory of 4976	3080	1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe	110
PID 3080 wrote to memory of 4976	3080	1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe	110
PID 3080 wrote to memory of 4976	3080	1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe	110

C:\Users\Admin\AppData\Local\Temp\1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe
"C:\Users\Admin\AppData\Local\Temp\1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4976

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
f16549e793c4fb0dbf67057fb5fe436f

SHA1
582d4eaf7d881705971b2f64172396b5245419e8

SHA256
4cbe52797856dbd605fcb728294baf15383212918264b5d4f220a0f5b85a5362

SHA512
7d66ac89a5ad760308535c1381aecd781eb964fc545beefcfff8e7e1a3e6e354d2141be3c57db1b47dcef9b98f1964354214544ed75ce6409e2b37416439ed11

Download Submit
memory/1392-221-0x0000026D99E40000-0x0000026D99E50000-memory.dmp

Filesize
64KB

Download
memory/1392-256-0x0000026DA2520000-0x0000026DA2521000-memory.dmp

Filesize
4KB

Download
memory/1392-255-0x0000026DA2520000-0x0000026DA2521000-memory.dmp

Filesize
4KB

Download
memory/1392-254-0x0000026DA2520000-0x0000026DA2521000-memory.dmp

Filesize
4KB

Download
memory/1392-253-0x0000026DA2510000-0x0000026DA2511000-memory.dmp

Filesize
4KB

Download
memory/1392-237-0x0000026D99F40000-0x0000026D99F50000-memory.dmp

Filesize
64KB

Download
memory/3080-9-0x0000000002590000-0x0000000002681000-memory.dmp

Filesize
964KB

Download
memory/3080-203-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3080-211-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/3080-220-0x0000000002420000-0x0000000002453000-memory.dmp

Filesize
204KB

Download
memory/3080-204-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/3080-84-0x0000000002420000-0x0000000002453000-memory.dmp

Filesize
204KB

Download
memory/3080-0-0x0000000002420000-0x0000000002453000-memory.dmp

Filesize
204KB

Download
memory/3080-8-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/3080-2-0x0000000002420000-0x0000000002453000-memory.dmp

Filesize
204KB

Download
memory/3080-1-0x00000000023E0000-0x0000000002413000-memory.dmp

Filesize
204KB

Download
memory/4976-210-0x000001C30F990000-0x000001C30F9B4000-memory.dmp

Filesize
144KB

Download
memory/4976-205-0x000001C30F990000-0x000001C30F9B4000-memory.dmp

Filesize
144KB

Download