Overview

overview

10

Static

static

10

e2_unseen_...in.dll

windows7_x64

10

e2_unseen_...in.dll

windows10_x64

10

Analysis

  • max time kernel
    25s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    20-01-2021 18:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2_unseen_id_2318_f8f47764f5b13c65987da4208c29a25e.dll2.bin.dll

  • Size

    217KB

  • MD5

    f8f47764f5b13c65987da4208c29a25e

  • SHA1

    5a5a1a5ddacd3808435cb2db896fd0c11e0388bd

  • SHA256

    489e7ef8892da96762561f945ab244100a9cc23eecb341c01f55d1e382f1a316

  • SHA512

    0056c963665f57b9cafe443a9b7596e2af50ff28353d55ef9293904675eefb3f328bf1470adabcc38766733cc9177f0e7125278771200f4f0b2e6c656f36638b

Score
10/10
trickbotmor1bankertrojan

Malware Config

Extracted

Family

trickbot

Version

2000022

Botnet

mor1

C2

85.204.116.83:443

91.200.100.143:443

83.151.14.13:443

107.191.61.39:443

113.160.129.15:443

139.162.182.54:443

139.162.44.152:443

144.202.106.23:443

158.247.219.186:443

172.105.107.25:443

172.105.190.51:443

172.105.196.53:443

172.105.25.190:443

178.79.138.253:443

192.46.229.48:443

207.246.92.48:443

216.128.130.16:443

45.79.126.97:443

45.79.155.9:443

45.79.212.97:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e2_unseen_id_2318_f8f47764f5b13c65987da4208c29a25e.dll2.bin.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\e2_unseen_id_2318_f8f47764f5b13c65987da4208c29a25e.dll2.bin.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/776-2-0x000007FEFB991000-0x000007FEFB993000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1336-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1336-9-0x0000000000060000-0x0000000000089000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1336-10-0x00000000000A0000-0x00000000000A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1504-3-0x0000000000000000-mapping.dmp
    Download
  • memory/1504-4-0x0000000075C61000-0x0000000075C63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1504-6-0x00000000001C0000-0x0000000000202000-memory.dmp
    Filesize

    264KB

    Download
  • memory/1504-7-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1504-8-0x0000000000211000-0x0000000000213000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1504-11-0x0000000010000000-0x0000000010003000-memory.dmp
    Filesize

    12KB

    Download