Overview

overview

10

Static

static

SecuriteIn...32.dll

windows7_x64

10

SecuriteIn...32.dll

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10-07-2020 19:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.TR.AD.TrickBot.bldcu.22632.dll

  • Size

    678KB

  • MD5

    69ac96674984f78b3bbb74cc4ceff70f

  • SHA1

    e977bea50d924afaff7606c2cf54730b11c1fd4e

  • SHA256

    082a9fe0d0d8dbde7944b9ce08b89e7dd1f0bd0d48d4bb11c92b5dbbc50a12b8

  • SHA512

    92f0c4154a60e3fe779d20a9c38e66ab7d49c0b7891782542b2e3eef813fd9a6470cb526164ec41d9d6208d0d5b79f92ed13b8217c43da140db1fe1b2f3b0ccc

Score
10/10
spywaretrojanbankertrickbot

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

chil65

C2

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Templ.dll packer 2 IoCs

    Detects Templ.dll packer which usually loads Trickbot.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TR.AD.TrickBot.bldcu.22632.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TR.AD.TrickBot.bldcu.22632.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3396

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3396-3-0x0000000000000000-mapping.dmp

    Download

  • memory/4028-0-0x0000000000000000-mapping.dmp

    Download

  • memory/4028-1-0x00000000028C0000-0x00000000028EE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4028-2-0x0000000002920000-0x000000000294D000-memory.dmp

    Filesize

    180KB

    Download