trickbot | bf911f77ca0c4b0e2809423e29971342fc6439a9b6dc6baf0ab0f51ad96adc8b

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

770eccc95954d53a48c809b53776e6be.exe
Size

430KB
MD5

770eccc95954d53a48c809b53776e6be
SHA1

4e8a23f0ed1018de17abb4ad84e20805d5008585
SHA256

bf911f77ca0c4b0e2809423e29971342fc6439a9b6dc6baf0ab0f51ad96adc8b
SHA512

e2314013a7da1d9273387d1c1980a89e0645f8e4b610a35d664c869a4ec2e7ecf77da20feb2704639f8de691ff2d094fd5f314c5d9ab5074e2b1a0aebb5b470e
SSDEEP

6144:iTU9Hu7KpwymYXDGdkUDrFhXBlsGeli7ifP/MR8neyKSsBdk8ME0AU9D0sK/:94KKyRXDSpsG8uifP88nZ4O8gAU90sK

Score

10^/10

trickbot tot131 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000032

Botnet

tot131

103.122.228.44:443

196.216.220.211:443

181.114.215.239:443

41.57.156.203:443

43.252.159.63:443

197.156.129.250:443

113.160.37.196:443

38.110.100.64:443

113.160.132.237:443

24.28.12.23:443

38.110.100.219:443

45.239.233.109:443

119.202.8.249:443

200.236.218.62:443

220.82.64.198:443

190.93.208.53:443

196.216.59.174:443

222.124.16.74:443

202.165.47.106:443

96.9.77.56:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 4928	1992	770eccc95954d53a48c809b53776e6be.exe	93
PID 1992 wrote to memory of 4928	1992	770eccc95954d53a48c809b53776e6be.exe	93
PID 1992 wrote to memory of 2620	1992	770eccc95954d53a48c809b53776e6be.exe	96
PID 1992 wrote to memory of 2620	1992	770eccc95954d53a48c809b53776e6be.exe	96
PID 1992 wrote to memory of 4928	1992	770eccc95954d53a48c809b53776e6be.exe	93
PID 1992 wrote to memory of 4928	1992	770eccc95954d53a48c809b53776e6be.exe	93

C:\Users\Admin\AppData\Local\Temp\770eccc95954d53a48c809b53776e6be.exe
"C:\Users\Admin\AppData\Local\Temp\770eccc95954d53a48c809b53776e6be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:2620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-0-0x0000000000DB0000-0x0000000000DF2000-memory.dmp

Filesize
264KB

Download
memory/1992-1-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/1992-2-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/1992-5-0x0000000000DB0000-0x0000000000DF2000-memory.dmp

Filesize
264KB

Download
memory/4928-3-0x00000243683B0000-0x00000243683B1000-memory.dmp

Filesize
4KB

Download
memory/4928-4-0x00000243682E0000-0x0000024368309000-memory.dmp

Filesize
164KB

Download
memory/4928-7-0x00000243682E0000-0x0000024368309000-memory.dmp

Filesize
164KB

Download