Malware Analysis Report

2025-06-16 04:51

Sample ID 240201-14kwzshdhm
Target 87936f0b8f079c7f722ab91029cc3f8a
SHA256 a1dd74d7301bf8d504449071142c81113bcd4d0c88fee46e7bacf550495a72bc
Tags
trickbot zev4 banker trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a1dd74d7301bf8d504449071142c81113bcd4d0c88fee46e7bacf550495a72bc

Threat Level: Known bad

The file 87936f0b8f079c7f722ab91029cc3f8a was found to be: Known bad.

Malicious Activity Summary

trickbot zev4 banker trojan

Trickbot

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-01 22:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 22:12

Reported

2024-02-01 22:44

Platform

win11-20231215-en

Max time kernel

1798s

Max time network

1806s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\87936f0b8f079c7f722ab91029cc3f8a.dll

Signatures

Trickbot

trojan banker trickbot

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2640 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1964 wrote to memory of 2640 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1964 wrote to memory of 2640 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2640 wrote to memory of 728 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2640 wrote to memory of 728 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2640 wrote to memory of 728 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2640 wrote to memory of 728 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\87936f0b8f079c7f722ab91029cc3f8a.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\87936f0b8f079c7f722ab91029cc3f8a.dll

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

Network

Country Destination Domain Proto

Files

memory/2640-0-0x00000000029C0000-0x0000000002C1D000-memory.dmp

memory/2640-1-0x0000000000EE0000-0x0000000000F20000-memory.dmp

memory/2640-2-0x0000000000F30000-0x0000000000F31000-memory.dmp

memory/2640-3-0x0000000010000000-0x0000000010003000-memory.dmp

memory/728-4-0x000001D086D30000-0x000001D086D31000-memory.dmp

memory/728-5-0x000001D086B60000-0x000001D086B88000-memory.dmp

memory/2640-6-0x0000000000EE0000-0x0000000000F20000-memory.dmp

memory/728-7-0x000001D086B60000-0x000001D086B88000-memory.dmp