Overview

overview

10

Static

static

3

37414e9054...b6.exe

windows7-x64

10

37414e9054...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    176s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/12/2023, 13:42

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    37414e9054e872f98444f8c5f5ab02b6.exe

  • Size

    577KB

  • MD5

    37414e9054e872f98444f8c5f5ab02b6

  • SHA1

    bb0eff99d9c2329221a9a3709a944da9f19e56b3

  • SHA256

    d194827abd2921b2cd29775c574de483a68d8d6669c96d1e55f291a3a9824a3c

  • SHA512

    a5e8a95b9f72524f185d2efeec867d05df6cf5cb6855e681c0646bb136195f06fd2be0311d5496ca516ce7e85ec56de25dd2d5ad4c3ebb5193f09bd7ded37f58

  • SSDEEP

    12288:Y7Uf8oOcZoqp4VKC/b1GqvDTUZ4YAGbThGb:Y7UflLs/b1GqvDTUaYAGbTwb

Score
10/10
trickbotlib156bankertrojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

lib156

C2

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Modifies registry class 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37414e9054e872f98444f8c5f5ab02b6.exe
    "C:\Users\Admin\AppData\Local\Temp\37414e9054e872f98444f8c5f5ab02b6.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:324
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
        PID:2592

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/324-10-0x000002A3B1F20000-0x000002A3B1F21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/324-11-0x000002A3B1DC0000-0x000002A3B1DE9000-memory.dmp

            Filesize

            164KB

            Download

          • memory/324-14-0x000002A3B1DC0000-0x000002A3B1DE9000-memory.dmp

            Filesize

            164KB

            Download

          • memory/3532-0-0x00000000024E0000-0x000000000251F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/3532-1-0x00000000024A0000-0x00000000024DC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/3532-5-0x0000000002520000-0x000000000255B000-memory.dmp

            Filesize

            236KB

            Download

          • memory/3532-6-0x0000000002520000-0x000000000255B000-memory.dmp

            Filesize

            236KB

            Download

          • memory/3532-7-0x00000000022F0000-0x00000000022F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3532-8-0x0000000010000000-0x0000000010003000-memory.dmp

            Filesize

            12KB

            Download

          • memory/3532-9-0x00000000022D0000-0x00000000022E1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/3532-13-0x0000000002520000-0x000000000255B000-memory.dmp

            Filesize

            236KB

            Download