Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
10-07-2020 19:53
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.TR.AD.TrickBot.bldcu.22632.dll
Resource
win7
General
-
Target
SecuriteInfo.com.TR.AD.TrickBot.bldcu.22632.dll
-
Size
678KB
-
MD5
69ac96674984f78b3bbb74cc4ceff70f
-
SHA1
e977bea50d924afaff7606c2cf54730b11c1fd4e
-
SHA256
082a9fe0d0d8dbde7944b9ce08b89e7dd1f0bd0d48d4bb11c92b5dbbc50a12b8
-
SHA512
92f0c4154a60e3fe779d20a9c38e66ab7d49c0b7891782542b2e3eef813fd9a6470cb526164ec41d9d6208d0d5b79f92ed13b8217c43da140db1fe1b2f3b0ccc
Malware Config
Extracted
trickbot
1000512
chil65
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1600 wrote to memory of 4028 1600 rundll32.exe rundll32.exe PID 1600 wrote to memory of 4028 1600 rundll32.exe rundll32.exe PID 1600 wrote to memory of 4028 1600 rundll32.exe rundll32.exe PID 4028 wrote to memory of 3396 4028 rundll32.exe wermgr.exe PID 4028 wrote to memory of 3396 4028 rundll32.exe wermgr.exe PID 4028 wrote to memory of 3396 4028 rundll32.exe wermgr.exe PID 4028 wrote to memory of 3396 4028 rundll32.exe wermgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 3396 wermgr.exe Token: SeDebugPrivilege 3396 wermgr.exe Token: SeDebugPrivilege 3396 wermgr.exe -
Templ.dll packer 2 IoCs
Detects Templ.dll packer which usually loads Trickbot.
Processes:
resource yara_rule behavioral2/memory/4028-1-0x00000000028C0000-0x00000000028EE000-memory.dmp templ_dll behavioral2/memory/4028-2-0x0000000002920000-0x000000000294D000-memory.dmp templ_dll
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TR.AD.TrickBot.bldcu.22632.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.TR.AD.TrickBot.bldcu.22632.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3396