trickbot | cea855439b925ac4f02f989a63c7e77022655d1874c721d29622dca6930ee6ad

Analysis

max time kernel
140s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

247e61850d8993b144d81bf375465663.exe
Size

432KB
MD5

247e61850d8993b144d81bf375465663
SHA1

bea76324c03f077d987478c29bef1fa8fbc0d3b8
SHA256

cea855439b925ac4f02f989a63c7e77022655d1874c721d29622dca6930ee6ad
SHA512

905b6a537f1934954cbf8c7856e17229edbc46235cc6e8b6fde31d5981198818d7c8156776d1d8201e14e648288462fa417f826d6463affd3fccfe172bd64766
SSDEEP

6144:wkdJN4c+ePGc7r1tJ3VQl/XE3dAPr3x7835OPeFPQimA6Vk58qVEb9pEy:wkdJLbP1tlCl/XIIx/lbVMlG1

Score

10^/10

trickbot top128 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

top128

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2224	247e61850d8993b144d81bf375465663.exe
2224	247e61850d8993b144d81bf375465663.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2196	2224	247e61850d8993b144d81bf375465663.exe	28
PID 2224 wrote to memory of 2196	2224	247e61850d8993b144d81bf375465663.exe	28
PID 2224 wrote to memory of 2196	2224	247e61850d8993b144d81bf375465663.exe	28
PID 2224 wrote to memory of 2196	2224	247e61850d8993b144d81bf375465663.exe	28
PID 2224 wrote to memory of 2900	2224	247e61850d8993b144d81bf375465663.exe	29
PID 2224 wrote to memory of 2900	2224	247e61850d8993b144d81bf375465663.exe	29
PID 2224 wrote to memory of 2900	2224	247e61850d8993b144d81bf375465663.exe	29
PID 2224 wrote to memory of 2900	2224	247e61850d8993b144d81bf375465663.exe	29
PID 2224 wrote to memory of 2196	2224	247e61850d8993b144d81bf375465663.exe	28
PID 2224 wrote to memory of 2196	2224	247e61850d8993b144d81bf375465663.exe	28

C:\Users\Admin\AppData\Local\Temp\247e61850d8993b144d81bf375465663.exe
"C:\Users\Admin\AppData\Local\Temp\247e61850d8993b144d81bf375465663.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:2900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-11-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2196-12-0x00000000000E0000-0x0000000000109000-memory.dmp

Filesize
164KB

Download
memory/2196-14-0x00000000000E0000-0x0000000000109000-memory.dmp

Filesize
164KB

Download
memory/2224-0-0x0000000000320000-0x000000000035C000-memory.dmp

Filesize
240KB

Download
memory/2224-2-0x00000000004C0000-0x00000000004FF000-memory.dmp

Filesize
252KB

Download
memory/2224-4-0x0000000000320000-0x000000000035C000-memory.dmp

Filesize
240KB

Download
memory/2224-7-0x0000000000700000-0x000000000073A000-memory.dmp

Filesize
232KB

Download
memory/2224-8-0x0000000000700000-0x000000000073A000-memory.dmp

Filesize
232KB

Download
memory/2224-9-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2224-10-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2224-13-0x0000000000700000-0x000000000073A000-memory.dmp

Filesize
232KB

Download