Overview

overview

10

Static

static

3

2024100207...ia.exe

windows7-x64

10

2024100207...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-10-2024 10:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    202410020707c8152434894033f9c7bd510ea263mafia.exe

  • Size

    489KB

  • MD5

    0707c8152434894033f9c7bd510ea263

  • SHA1

    724a1116754c9621c90e2b2fad5e3b9a1abfa654

  • SHA256

    65e911bc06a1f324cafb964e2a29cbfd37226a0d502c4ddcc846f22221fba0bf

  • SHA512

    6ea7a6a2658112cc096f9039e07e26eb07aabac28ad1b64773cea542652058be015ca3381e297e9d928f296387aa5c067a05f06d7fd6fe1138a9de0c33a3c72d

  • SSDEEP

    6144:V6ZlxMlN8qVY0rmGdW5boVMd3AqEiAqqhYOtRF5498DF06YjnU9ZEFv:k94vY0rPd4boQAqPGRRFK9e06BHEFv

Score
10/10
trickbottot154bankerdiscoverytrojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

tot154

C2

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\202410020707c8152434894033f9c7bd510ea263mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\202410020707c8152434894033f9c7bd510ea263mafia.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
        PID:2096

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/876-0-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/876-1-0x00000000002D0000-0x0000000000358000-memory.dmp

      Filesize

      544KB

      Download

    • memory/876-3-0x0000000010000000-0x0000000010003000-memory.dmp

      Filesize

      12KB

      Download

    • memory/876-2-0x0000000000380000-0x0000000000381000-memory.dmp

      Filesize

      4KB

      Download

    • memory/876-6-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/876-7-0x00000000002D0000-0x0000000000358000-memory.dmp

      Filesize

      544KB

      Download

    • memory/876-8-0x0000000000400000-0x0000000000480000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2332-4-0x0000000000060000-0x0000000000089000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2332-5-0x00000000000B0000-0x00000000000B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2332-9-0x0000000000060000-0x0000000000089000-memory.dmp

      Filesize

      164KB

      Download