trickbot | 56d1abc258db983700137af8875018ad28c1be912126c54353534341a0083894

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

picture.exe
Size

615KB
MD5

ae11dfe64032e62f5da834e19ee8280c
SHA1

9d5139e65e36716e9932848d68ce1bb0ed92c86c
SHA256

93b3b0800018230f58cad9b4ec1d13e9336f0f46062dd49bc43a9394c1bdd1b4
SHA512

f2372f089dcf5c039d99a228f948a573cb15dd78d1ef22cafd0ba33a4869c3f297ac62c4e5401834f1acd461298c5f220791bb54c85c4c2bfc6c2bcf54f143fe
SSDEEP

12288:R7dt29E0xWlz1OGuzrRIcBEEPTmWL7SJFHwRA9AmV5tKoO:fWE0xWlAGeVAam8

Score

10^/10

trickbot mor6 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100008

Botnet

mor6

103.231.115.106:449

117.222.63.100:449

117.254.58.83:449

149.54.11.54:449

170.82.4.64:449

177.11.12.93:449

182.16.187.251:449

187.108.86.48:449

190.152.88.57:449

203.88.149.33:449

36.89.191.119:449

41.159.31.227:449

85.202.128.243:449

92.204.160.82:449

103.150.68.124:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.48:449

102.164.208.44:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3184	3300	WerFault.exe	84
3124	3300	WerFault.exe	84

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	wermgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3300	picture.exe
3300	picture.exe
3300	picture.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 3868	3300	picture.exe	85
PID 3300 wrote to memory of 3868	3300	picture.exe	85
PID 3300 wrote to memory of 3868	3300	picture.exe	85
PID 3300 wrote to memory of 3868	3300	picture.exe	85

C:\Users\Admin\AppData\Local\Temp\picture.exe
"C:\Users\Admin\AppData\Local\Temp\picture.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 636
  2⤵
  - Program crash
  PID:3184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 636
  2⤵
  - Program crash
  PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3300 -ip 3300
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3300 -ip 3300
1⤵
PID:2276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3300-0-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download
memory/3300-3-0x0000000002230000-0x000000000226E000-memory.dmp

Filesize
248KB

Download
memory/3300-5-0x00000000022C0000-0x00000000022FC000-memory.dmp

Filesize
240KB

Download
memory/3300-6-0x00000000022C0000-0x00000000022FC000-memory.dmp

Filesize
240KB

Download
memory/3300-52-0x0000000003D30000-0x0000000003E13000-memory.dmp

Filesize
908KB

Download
memory/3300-54-0x0000000003E40000-0x0000000003E41000-memory.dmp

Filesize
4KB

Download
memory/3300-55-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/3300-59-0x00000000022C0000-0x00000000022FC000-memory.dmp

Filesize
240KB

Download
memory/3868-56-0x00000179FFA60000-0x00000179FFA61000-memory.dmp

Filesize
4KB

Download
memory/3868-57-0x00000179FF7C0000-0x00000179FF7E8000-memory.dmp

Filesize
160KB

Download
memory/3868-60-0x00000179FF7C0000-0x00000179FF7E8000-memory.dmp

Filesize
160KB

Download