trickbot | 05d97ce83edca3a9d07d308c496daf45e2e435958dfd286fcbf91af7802e2366

Analysis

max time kernel
133s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bd8fa72bfa2dd8be864100cc9ab1401.dll
Size

490KB
MD5

6bd8fa72bfa2dd8be864100cc9ab1401
SHA1

104471a4c25183da435276d596a2d1783c0cbec7
SHA256

05d97ce83edca3a9d07d308c496daf45e2e435958dfd286fcbf91af7802e2366
SHA512

018028ac8d011ded15e973af54a2df5f57772d95a75e7d12bddea3832c690edb702dec8c6b91488a2370b9d42e8843de8684fe317947818e8eb5317b027f25e0
SSDEEP

12288:HU873ntBL/siV2pVRJ0hVWI97UCAX5axhsxw4zd/XSkt8Y2EB3rYdHeo28m:HU87XtBrz8zIVWOQCY6sxw4RDH3rYd+l

Score

10^/10

trickbot zev4 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000031

Botnet

zev4

14.232.161.45:443

118.173.233.64:443

41.57.156.203:443

45.239.234.2:443

45.201.136.3:443

177.10.90.29:443

185.17.105.236:443

91.237.161.87:443

185.189.55.207:443

186.225.119.170:443

143.0.208.20:443

222.124.16.74:443

220.82.64.198:443

200.236.218.62:443

178.216.28.59:443

45.239.233.131:443

196.216.59.174:443

119.202.8.249:443

82.159.149.37:443

49.248.217.170:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1884 468 WerFault.exe regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 3296 wermgr.exe

pid	pid_target	process	target process
1884	468	WerFault.exe	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	3296	wermgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 3796 wrote to memory of 468	3796	regsvr32.exe	regsvr32.exe
PID 3796 wrote to memory of 468	3796	regsvr32.exe	regsvr32.exe
PID 3796 wrote to memory of 468	3796	regsvr32.exe	regsvr32.exe
PID 468 wrote to memory of 3296	468	regsvr32.exe	wermgr.exe
PID 468 wrote to memory of 3296	468	regsvr32.exe	wermgr.exe
PID 468 wrote to memory of 3296	468	regsvr32.exe	wermgr.exe
PID 468 wrote to memory of 3296	468	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6bd8fa72bfa2dd8be864100cc9ab1401.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\6bd8fa72bfa2dd8be864100cc9ab1401.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 640
3⤵
- Program crash
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 468 -ip 468
1⤵
PID:4300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-0-0x0000000002D10000-0x0000000002F6D000-memory.dmp

Filesize
2.4MB

Download
memory/468-1-0x00000000015F0000-0x0000000001630000-memory.dmp

Filesize
256KB

Download
memory/468-2-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/468-3-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/468-6-0x00000000015F0000-0x0000000001630000-memory.dmp

Filesize
256KB

Download
memory/3296-4-0x000001ECB0920000-0x000001ECB0921000-memory.dmp

Filesize
4KB

Download
memory/3296-5-0x000001ECB0680000-0x000001ECB06A8000-memory.dmp

Filesize
160KB

Download
memory/3296-7-0x000001ECB0680000-0x000001ECB06A8000-memory.dmp

Filesize
160KB

Download