trickbot | fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898.exe
Size

451KB
MD5

34f19a097d7799afab80ff9d723cc552
SHA1

285229d0b36440af66ebeef9f14bfa2f1be476b8
SHA256

fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898
SHA512

388d1fb5fe4070ffda4380fa61784c916266a655a759971776b82f49a50f6f81ad719526871cc5c67a9480a8f44e2ba975534d8e4c725928f7d810c52179ae15
SSDEEP

12288:2uAj1uOciEhM47oVoJCo4afenIMTG9+pPolzZ/2aI/:wJuOzsM2goJD4afen1T0jlzpm

Score

10^/10

trickbot rob132 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob132

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
744	4656	WerFault.exe	85

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3760	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 1324	4656	fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898.exe	97
PID 4656 wrote to memory of 1324	4656	fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898.exe	97
PID 4656 wrote to memory of 3760	4656	fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898.exe	98
PID 4656 wrote to memory of 3760	4656	fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898.exe	98
PID 4656 wrote to memory of 3760	4656	fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898.exe	98
PID 4656 wrote to memory of 3760	4656	fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898.exe	98

C:\Users\Admin\AppData\Local\Temp\fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898.exe
"C:\Users\Admin\AppData\Local\Temp\fd083bc2dbc3426a332eaf861dea03c648ad04cb73ba8f09504c970af9134898.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:1324
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 460
  2⤵
  - Program crash
  PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4656 -ip 4656
1⤵
PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3760-38-0x000001A41BA70000-0x000001A41BA71000-memory.dmp

Filesize
4KB

Download
memory/3760-39-0x000001A41B9E0000-0x000001A41BA09000-memory.dmp

Filesize
164KB

Download
memory/3760-41-0x000001A41B9E0000-0x000001A41BA09000-memory.dmp

Filesize
164KB

Download
memory/4656-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4656-33-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4656-36-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/4656-37-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/4656-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download