trickbot | 57bfa3136909e0e3faf34863503810f55a035e8a8c9f2258a516a757e68235f5

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1619e0d7df07cfa8933a89aabb8b6b5b.exe
Size

432KB
MD5

1619e0d7df07cfa8933a89aabb8b6b5b
SHA1

08159ea8fc5c43ee272089a18aa5619d8bd7b3db
SHA256

57bfa3136909e0e3faf34863503810f55a035e8a8c9f2258a516a757e68235f5
SHA512

bc747c7ba551495639e26d4de0bbadaa07d715540e32440eab781871f829fab90d01f6cdbfc3a7742d8f1fafbf329cba4508114e0a58decb89624fdf6a968caf
SSDEEP

6144:h0lJVu5xP+oYEm8NG/wBHRSIAR9687dX9szOHMVT+R6NWPFgQAXaneCrvDl:h0lJ4jPOzwn+96sdX9szOHMVFCgaJjx

Score

10^/10

trickbot lip128 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

lip128

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe
2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 824	2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe	28
PID 2332 wrote to memory of 824	2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe	28
PID 2332 wrote to memory of 824	2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe	28
PID 2332 wrote to memory of 824	2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe	28
PID 2332 wrote to memory of 3000	2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe	29
PID 2332 wrote to memory of 3000	2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe	29
PID 2332 wrote to memory of 3000	2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe	29
PID 2332 wrote to memory of 3000	2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe	29
PID 2332 wrote to memory of 824	2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe	28
PID 2332 wrote to memory of 824	2332	1619e0d7df07cfa8933a89aabb8b6b5b.exe	28

C:\Users\Admin\AppData\Local\Temp\1619e0d7df07cfa8933a89aabb8b6b5b.exe
"C:\Users\Admin\AppData\Local\Temp\1619e0d7df07cfa8933a89aabb8b6b5b.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:3000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-12-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download
memory/824-11-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/824-14-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download
memory/2332-0-0x0000000000560000-0x000000000059C000-memory.dmp

Filesize
240KB

Download
memory/2332-2-0x0000000000850000-0x000000000088F000-memory.dmp

Filesize
252KB

Download
memory/2332-6-0x0000000001F40000-0x0000000001F7A000-memory.dmp

Filesize
232KB

Download
memory/2332-7-0x0000000000560000-0x000000000059C000-memory.dmp

Filesize
240KB

Download
memory/2332-8-0x0000000001F40000-0x0000000001F7A000-memory.dmp

Filesize
232KB

Download
memory/2332-9-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2332-10-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2332-13-0x0000000001F40000-0x0000000001F7A000-memory.dmp

Filesize
232KB

Download