Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
11-07-2020 07:10
Static task
static1
Behavioral task
behavioral1
Sample
2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll
Resource
win7
General
-
Target
2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll
-
Size
678KB
-
MD5
e322b2f7ccc5766cdbecc9966eed8259
-
SHA1
15c8d99d0c68a33e36e9e0ec3d6b1eb7912173ef
-
SHA256
67a402b5426a99f38e38a45bb44edebcf44032ff39ca38178b7d42b6934fefa4
-
SHA512
23b280a0fe918c029b3edf4fb72c52ad7d87cad2f5ca17c30bff430fadaf83375705419777fd0ff1a8ff1e39138002c78ea77ef6c6d22ba9aa67e38d0635b8f1
Malware Config
Extracted
trickbot
1000512
chil65
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Signatures
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3912 wrote to memory of 3180 3912 rundll32.exe rundll32.exe PID 3912 wrote to memory of 3180 3912 rundll32.exe rundll32.exe PID 3912 wrote to memory of 3180 3912 rundll32.exe rundll32.exe PID 3180 wrote to memory of 3932 3180 rundll32.exe wermgr.exe PID 3180 wrote to memory of 3932 3180 rundll32.exe wermgr.exe PID 3180 wrote to memory of 3932 3180 rundll32.exe wermgr.exe PID 3180 wrote to memory of 3932 3180 rundll32.exe wermgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 3932 wermgr.exe Token: SeDebugPrivilege 3932 wermgr.exe Token: SeDebugPrivilege 3932 wermgr.exe -
Templ.dll packer 2 IoCs
Detects Templ.dll packer which usually loads Trickbot.
Processes:
resource yara_rule behavioral2/memory/3180-1-0x0000000002E80000-0x0000000002EAE000-memory.dmp templ_dll behavioral2/memory/3180-2-0x0000000004760000-0x000000000478D000-memory.dmp templ_dll -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932