Overview

overview

10

Static

static

8

CHIL65GHFR.dll

windows7_x64

10

CHIL65GHFR.dll

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    12-07-2020 17:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CHIL65GHFR.dll

  • Size

    360KB

  • MD5

    2339e18e251bd2a064cf357761f3dd20

  • SHA1

    8696b328a0b7c630848ffadd8d5bffa8ad476c84

  • SHA256

    3611be7ee60f1adb4a14f2d5d307d7375fb8a9013d0ae24af5e639bcc524a595

  • SHA512

    1b598343dad1094772c6cb3aa843b11da117fbd2ccbd9d2bb51a81a19f5bd3144ea06404ab8e7f7839e6a4838d9a86e0e701f0f9795f00e5f21390268d28994a

Score
10/10
spywaretrojanbankertrickbot

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

chil65

C2

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Suspicious use of WriteProcessMemory 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Templ.dll packer 2 IoCs

    Detects Templ.dll packer which usually loads Trickbot.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\CHIL65GHFR.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2804
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\CHIL65GHFR.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/812-0-0x0000000000000000-mapping.dmp
    Download
  • memory/812-1-0x00000000045A0000-0x00000000045CE000-memory.dmp
    Filesize

    184KB

    Download
  • memory/812-2-0x00000000045D0000-0x00000000045FD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/1420-3-0x0000000000000000-mapping.dmp
    Download