trickbot | b39ad8fa3dededfd9cf6beb9c2466f56168a4ddcc64b8eacd1731083cba2056c

Analysis

max time kernel
120s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e8ab95d02b9b884660fb0a47090d54d.exe
Size

496KB
MD5

2e8ab95d02b9b884660fb0a47090d54d
SHA1

424e538452d4df516200dcd4384c4bd62fee65d3
SHA256

b39ad8fa3dededfd9cf6beb9c2466f56168a4ddcc64b8eacd1731083cba2056c
SHA512

d215dae5eb1d53a0f31f489cb47ecf45c0d59b59ea67f28fa2468b3e794311e86d769428d987bdfa86c74d3e481fe06a26370afe35db5a0ca2c382dbd77668ff
SSDEEP

12288:S1RdEJFGqNkbHfVwK7pzoutmIp57vDGrX:S1RdEJFGqabH9Ni8F5sX

Score

10^/10

trickbot tot158 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

tot158

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2216	2e8ab95d02b9b884660fb0a47090d54d.exe
2216	2e8ab95d02b9b884660fb0a47090d54d.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2312	2216	2e8ab95d02b9b884660fb0a47090d54d.exe	18
PID 2216 wrote to memory of 2312	2216	2e8ab95d02b9b884660fb0a47090d54d.exe	18
PID 2216 wrote to memory of 2312	2216	2e8ab95d02b9b884660fb0a47090d54d.exe	18
PID 2216 wrote to memory of 2312	2216	2e8ab95d02b9b884660fb0a47090d54d.exe	18
PID 2216 wrote to memory of 2588	2216	2e8ab95d02b9b884660fb0a47090d54d.exe	29
PID 2216 wrote to memory of 2588	2216	2e8ab95d02b9b884660fb0a47090d54d.exe	29
PID 2216 wrote to memory of 2588	2216	2e8ab95d02b9b884660fb0a47090d54d.exe	29
PID 2216 wrote to memory of 2588	2216	2e8ab95d02b9b884660fb0a47090d54d.exe	29
PID 2216 wrote to memory of 2312	2216	2e8ab95d02b9b884660fb0a47090d54d.exe	18
PID 2216 wrote to memory of 2312	2216	2e8ab95d02b9b884660fb0a47090d54d.exe	18

C:\Users\Admin\AppData\Local\Temp\2e8ab95d02b9b884660fb0a47090d54d.exe
"C:\Users\Admin\AppData\Local\Temp\2e8ab95d02b9b884660fb0a47090d54d.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2216-0-0x0000000000390000-0x00000000003CC000-memory.dmp

Filesize
240KB

Download
memory/2216-7-0x0000000000520000-0x000000000055B000-memory.dmp

Filesize
236KB

Download
memory/2216-8-0x0000000000520000-0x000000000055B000-memory.dmp

Filesize
236KB

Download
memory/2216-6-0x0000000000390000-0x00000000003CC000-memory.dmp

Filesize
240KB

Download
memory/2216-2-0x0000000000480000-0x00000000004BF000-memory.dmp

Filesize
252KB

Download
memory/2216-10-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2216-9-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2216-13-0x0000000000520000-0x000000000055B000-memory.dmp

Filesize
236KB

Download
memory/2312-12-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2312-11-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download
memory/2312-14-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download