trickbot | f3e8b74205d3dfa40b7c618fe5f7d2031adb6722fad14c6a58517d0bf87c7a01

Analysis

max time kernel
143s
max time network
144s
platform
windows10_x64
resource
win10v20201028
submitted
28-12-2020 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trick.dll
Size

336KB
MD5

b7e359f7786b76b7657659e7a6f12a5f
SHA1

097cc2d70de1779e76b76e32e4fd043cf31498b2
SHA256

f3e8b74205d3dfa40b7c618fe5f7d2031adb6722fad14c6a58517d0bf87c7a01
SHA512

e5190c774ea8c1122c46ae307651ed2310ddc7e3570deeb35aca5919883cf0f88e5912acf641aaf072e7027ccd5eeed77ca625f41d774c6d072abcedc075a3db

Score

10^/10

trickbot rob32 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100007

Botnet

rob32

41.243.29.182:449

196.45.140.146:449

103.87.25.220:443

103.98.129.222:449

103.87.25.220:449

103.65.196.44:449

103.65.195.95:449

103.61.101.11:449

103.61.100.131:449

103.150.68.124:449

103.137.81.206:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.48:449

102.164.208.44:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 2 IoCs

Detects Templ.dll packer which usually loads Trickbot.

Processes:

resource	yara_rule
behavioral2/memory/3960-3-0x0000000004060000-0x000000000409A000-memory.dmp	templ_dll
behavioral2/memory/3960-4-0x00000000040A0000-0x00000000040D8000-memory.dmp	templ_dll

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1084 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1084	wermgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1404 wrote to memory of 3960	1404	regsvr32.exe	regsvr32.exe
PID 1404 wrote to memory of 3960	1404	regsvr32.exe	regsvr32.exe
PID 1404 wrote to memory of 3960	1404	regsvr32.exe	regsvr32.exe
PID 3960 wrote to memory of 1084	3960	regsvr32.exe	wermgr.exe
PID 3960 wrote to memory of 1084	3960	regsvr32.exe	wermgr.exe
PID 3960 wrote to memory of 1084	3960	regsvr32.exe	wermgr.exe
PID 3960 wrote to memory of 1084	3960	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\trick.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\trick.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-5-0x0000000000000000-mapping.dmp

Download
memory/3960-2-0x0000000000000000-mapping.dmp

Download
memory/3960-3-0x0000000004060000-0x000000000409A000-memory.dmp

Filesize
232KB

Download
memory/3960-4-0x00000000040A0000-0x00000000040D8000-memory.dmp

Filesize
224KB

Download