Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    11-07-2020 07:10

General

  • Target

    2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll

  • Size

    678KB

  • MD5

    e322b2f7ccc5766cdbecc9966eed8259

  • SHA1

    15c8d99d0c68a33e36e9e0ec3d6b1eb7912173ef

  • SHA256

    67a402b5426a99f38e38a45bb44edebcf44032ff39ca38178b7d42b6934fefa4

  • SHA512

    23b280a0fe918c029b3edf4fb72c52ad7d87cad2f5ca17c30bff430fadaf83375705419777fd0ff1a8ff1e39138002c78ea77ef6c6d22ba9aa67e38d0635b8f1

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

chil65

C2

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Suspicious use of WriteProcessMemory 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Templ.dll packer 2 IoCs

    Detects Templ.dll packer which usually loads Trickbot.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2020-07-10-Trickbot-gtag-chil65-DLL-file.bin.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3932

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3180-0-0x0000000000000000-mapping.dmp

  • memory/3180-1-0x0000000002E80000-0x0000000002EAE000-memory.dmp

    Filesize

    184KB

  • memory/3180-2-0x0000000004760000-0x000000000478D000-memory.dmp

    Filesize

    180KB

  • memory/3932-3-0x0000000000000000-mapping.dmp