trickbot | 703b0b0e263ba5c02e94598941cdbef5e44fe6e0c544a4943a2ead352c95ef9a

Resubmissions

26-01-2021 19:01

210126-3dwztyyhn2 10

25-01-2021 19:24

210125-2cf9qs497e 10

Analysis

max time kernel
132s
max time network
140s
platform
windows7_x64
resource
win7v20201028
submitted
25-01-2021 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

superts.dll
Size

415KB
MD5

71d7040364ab0d4a514506b6d06b3b9c
SHA1

96901f457beba35e820983730150f2ad0dd603f5
SHA256

703b0b0e263ba5c02e94598941cdbef5e44fe6e0c544a4943a2ead352c95ef9a
SHA512

60045768f7cf9db3f0ec4c452ec4576b813c50c81f1820f30d37781de81bf01b288cbd4e44c340340624285df7fea2bdd0c86ed7842f9ee2fb55b71bb305c75f

Score

10^/10

trickbot rob2 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000023

Botnet

rob2

107.191.61.39:443

139.162.44.152:443

144.202.106.23:443

158.247.219.186:443

172.105.107.25:443

172.105.190.51:443

172.105.196.53:443

172.105.25.190:443

178.79.138.253:443

192.46.229.48:443

216.128.130.16:443

45.79.126.97:443

45.79.212.97:443

45.79.90.143:443

66.42.113.16:443

85.159.214.61:443

94.140.114.188:443

172.83.155.154:443

149.56.80.31:443

46.105.84.141:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 1 IoCs

Detects Templ.dll packer which usually loads Trickbot.

Processes:

resource	yara_rule
behavioral1/memory/2036-5-0x0000000000350000-0x0000000000387000-memory.dmp	templ_dll

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1376 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1376	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1152 wrote to memory of 2036	1152	regsvr32.exe	regsvr32.exe
PID 1152 wrote to memory of 2036	1152	regsvr32.exe	regsvr32.exe
PID 1152 wrote to memory of 2036	1152	regsvr32.exe	regsvr32.exe
PID 1152 wrote to memory of 2036	1152	regsvr32.exe	regsvr32.exe
PID 1152 wrote to memory of 2036	1152	regsvr32.exe	regsvr32.exe
PID 1152 wrote to memory of 2036	1152	regsvr32.exe	regsvr32.exe
PID 1152 wrote to memory of 2036	1152	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 1376	2036	regsvr32.exe	wermgr.exe
PID 2036 wrote to memory of 1376	2036	regsvr32.exe	wermgr.exe
PID 2036 wrote to memory of 1376	2036	regsvr32.exe	wermgr.exe
PID 2036 wrote to memory of 1376	2036	regsvr32.exe	wermgr.exe
PID 2036 wrote to memory of 1376	2036	regsvr32.exe	wermgr.exe
PID 2036 wrote to memory of 1376	2036	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\superts.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\superts.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-2-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1376-6-0x0000000000000000-mapping.dmp

Download
memory/1376-10-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/1376-11-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2036-3-0x0000000000000000-mapping.dmp

Download
memory/2036-4-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/2036-5-0x0000000000350000-0x0000000000387000-memory.dmp

Filesize
220KB

Download
memory/2036-8-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2036-9-0x0000000000321000-0x0000000000323000-memory.dmp

Filesize
8KB

Download
memory/2036-7-0x0000000000510000-0x0000000000551000-memory.dmp

Filesize
260KB

Download
memory/2036-12-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download