trickbot | b9879d2af3dbcd380c1895d78f26e41782fd2c08c324d459a86476bfdb762f4d

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a025bf940882b77993185b7b9abe73ab_JaffaCakes118.dll
Size

381KB
MD5

a025bf940882b77993185b7b9abe73ab
SHA1

973f4f28d656949862e0fc0e0e0f371858aa1da7
SHA256

b9879d2af3dbcd380c1895d78f26e41782fd2c08c324d459a86476bfdb762f4d
SHA512

1cf70df6a3c6a78e7f76b8f84b1b0751a10a85042d6b3011e4debdfedbce200c19dd5c5171fe43bebe34a1978b1a0e51813a06345b698fa4298ec46d9fca0684
SSDEEP

6144:d6w6ZtlHId99S/FEPVb91cpIp0jTLg6+grUesV3LPmCUbLNpjz:d6r5IdutEPFf6VjHgaq3TgXz

Score

10^/10

trickbot zev4 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000035

Botnet

zev4

36.91.117.231:443

36.89.228.201:443

103.75.32.173:443

45.115.172.105:443

36.95.23.89:443

103.123.86.104:443

202.65.119.162:443

202.9.121.143:443

139.255.65.170:443

110.172.137.20:443

103.146.232.154:443

36.91.88.164:443

103.47.170.131:443

122.117.90.133:443

103.9.188.78:443

210.2.149.202:443

118.91.190.42:443

117.222.61.115:443

117.222.57.92:443

136.228.128.21:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2388 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	2388	wermgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 232 wrote to memory of 4908	232	regsvr32.exe	regsvr32.exe
PID 232 wrote to memory of 4908	232	regsvr32.exe	regsvr32.exe
PID 232 wrote to memory of 4908	232	regsvr32.exe	regsvr32.exe
PID 4908 wrote to memory of 2388	4908	regsvr32.exe	wermgr.exe
PID 4908 wrote to memory of 2388	4908	regsvr32.exe	wermgr.exe
PID 4908 wrote to memory of 2388	4908	regsvr32.exe	wermgr.exe
PID 4908 wrote to memory of 2388	4908	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a025bf940882b77993185b7b9abe73ab_JaffaCakes118.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\a025bf940882b77993185b7b9abe73ab_JaffaCakes118.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2388-4-0x0000023636860000-0x0000023636861000-memory.dmp

Filesize
4KB

Download
memory/2388-5-0x00000236365B0000-0x00000236365D9000-memory.dmp

Filesize
164KB

Download
memory/2388-7-0x00000236365B0000-0x00000236365D9000-memory.dmp

Filesize
164KB

Download
memory/4908-0-0x0000000000850000-0x0000000000891000-memory.dmp

Filesize
260KB

Download
memory/4908-1-0x0000000000850000-0x0000000000891000-memory.dmp

Filesize
260KB

Download
memory/4908-2-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4908-3-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/4908-6-0x0000000000850000-0x0000000000891000-memory.dmp

Filesize
260KB

Download