trickbot | dde87eaee93e96c14a683e7ac0ae4cbcc30265fc17067fe3fd0f159aa3c2aeeb

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

284KB
MD5

99b81672c6ec04e7e6e6063b40d9127c
SHA1

2f29fb6c87fd77f2ff5df3312e0c0667b76af3cf
SHA256

447e9c417b7c9cf6e03086ca1da31a718e5159f454bf91efad09f240572db967
SHA512

b0e877ed117457a8a4458816309c8e68a911e0b6d17d449730e09beec84174abd3b97493dcea6b3dc55617471797371d4d6cf84c58f117b8bf826da0349d3e8f
SSDEEP

6144:2fdpBROKDYVbCFm03OHmuyVSgea6ayo2znPNobpL9YFDdyC:2FpDTsVL03OGugRB6ayo2zPwpRqJyC

Score

10^/10

trickbot banker dave discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

Dave packer 2 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral1/memory/1900-0-0x0000000000260000-0x0000000000292000-memory.dmp	dave
behavioral1/memory/1900-5-0x0000000000230000-0x0000000000260000-memory.dmp	dave

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1900	sample.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	wermgr.exe
Token: SeDebugPrivilege	2296	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2296	1900	sample.exe	32
PID 1900 wrote to memory of 2296	1900	sample.exe	32
PID 1900 wrote to memory of 2296	1900	sample.exe	32
PID 1900 wrote to memory of 2296	1900	sample.exe	32
PID 1900 wrote to memory of 2296	1900	sample.exe	32
PID 1900 wrote to memory of 2296	1900	sample.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-4-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/1900-0-0x0000000000260000-0x0000000000292000-memory.dmp

Filesize
200KB

Download
memory/1900-7-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/1900-6-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/1900-5-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1900-45-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/1900-184-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/1900-183-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1900-186-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/1900-188-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2296-185-0x0000000000060000-0x0000000000084000-memory.dmp

Filesize
144KB

Download
memory/2296-187-0x0000000000060000-0x0000000000084000-memory.dmp

Filesize
144KB

Download