trickbot | 91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3

Analysis

max time kernel
113s
max time network
120s
platform
windows7_x64
resource
win7
submitted
22-07-2020 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe
Size

528KB
MD5

5930091b65aed9627dd1a4e86458b72f
SHA1

1e6ee2e805e21c007aa70217856bf31141ccc552
SHA256

91beb7c43da3dd723c9d44629ab656b4f913c5ec111d1d362279938645f7edd3
SHA512

f35dbf5ab53eb9f94e72e75cc068e83b8a819b215f47245431887f124fd9903e45134771252cd19beedfb0d3697781d4aeebf7f98cfb8e24eede6e399527a146

Score

10^/10

trojan banker trickbot

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

tot773

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe

pid process

1460 SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe
1460 SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe

pid	process
1460	SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe
1460	SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe

description	pid	process	target process
PID 1460 wrote to memory of 1608	1460	SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe	wermgr.exe
PID 1460 wrote to memory of 1608	1460	SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe	wermgr.exe
PID 1460 wrote to memory of 1608	1460	SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe	wermgr.exe
PID 1460 wrote to memory of 1608	1460	SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe	wermgr.exe
PID 1460 wrote to memory of 1608	1460	SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe	wermgr.exe
PID 1460 wrote to memory of 1608	1460	SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe	wermgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1608 wermgr.exe
Token: SeDebugPrivilege 1608 wermgr.exe
Token: SeDebugPrivilege 1608 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1608	wermgr.exe
Token: SeDebugPrivilege	1608	wermgr.exe
Token: SeDebugPrivilege	1608	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.5930091b65aed962.29544.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-3-0x0000000000490000-0x00000000004BE000-memory.dmp

Filesize
184KB

Download
memory/1460-5-0x0000000000510000-0x0000000000514000-memory.dmp

Filesize
16KB

Download
memory/1460-6-0x0000000002720000-0x0000000002724000-memory.dmp

Filesize
16KB

Download
memory/1608-4-0x0000000000000000-mapping.dmp

Download