trickbot | c2c3bb003eb76cc5f1a9e2bc938c4254f4c4c3b2cc017e9a39d00a88f7ab181a

Target

trick.dll
Size

272KB
MD5

5f7b5a98f75f4aa550e4368eb6dc9733
SHA1

d835a309e249f5d526529b9a28ed138b1bcfd40b
SHA256

c2c3bb003eb76cc5f1a9e2bc938c4254f4c4c3b2cc017e9a39d00a88f7ab181a
SHA512

167e5e1af1c82b9379d4a275f77b373969c0655d0b4f6ea32942d70f18b1147e65ef525e8f8f2d3d27c0ebf914785ce7b15e7808c3ca1700983bbc9eb318ebac

Score

10^/10

Malware Config

Family

trickbot

Version

100003

Botnet

rob7

102.164.206.129:449

103.131.156.21:449

103.131.157.102:449

103.131.157.161:449

103.146.232.5:449

103.150.68.124:449

103.156.126.232:449

103.30.85.157:449

103.52.47.20:449

Attributes

ecc_pubkey.base64

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 checkip.amazonaws.com
Drops file in Windows directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\notepad.exe regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1688 wermgr.exe

flow	ioc
11	checkip.amazonaws.com

description	ioc	process
File opened for modification	C:\Windows\notepad.exe	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	1688	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1900 wrote to memory of 1344	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1344	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1344	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1344	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1344	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1344	1900	regsvr32.exe	regsvr32.exe
PID 1900 wrote to memory of 1344	1900	regsvr32.exe	regsvr32.exe
PID 1344 wrote to memory of 1688	1344	regsvr32.exe	wermgr.exe
PID 1344 wrote to memory of 1688	1344	regsvr32.exe	wermgr.exe
PID 1344 wrote to memory of 1688	1344	regsvr32.exe	wermgr.exe
PID 1344 wrote to memory of 1688	1344	regsvr32.exe	wermgr.exe
PID 1344 wrote to memory of 1688	1344	regsvr32.exe	wermgr.exe
PID 1344 wrote to memory of 1688	1344	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\trick.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

memory/1344-0-0x0000000000000000-mapping.dmp

Download
memory/1344-1-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/1344-2-0x0000000001CD0000-0x0000000001D08000-memory.dmp

Filesize
224KB

Download
memory/1344-3-0x0000000001E40000-0x0000000001E76000-memory.dmp

Filesize
216KB

Download
memory/1688-4-0x0000000000000000-mapping.dmp

Download