trickbot | d8f3fedde975e393530b694eee1ef9c981b48bc46b4e24749c20189a6fa58e79

Analysis

max time kernel
81s
max time network
148s
platform
windows10_x64
resource
win10v20201028
submitted
18-02-2021 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.bin.dll
Size

603KB
MD5

0da0dabe99b1df919b6fd27d803db851
SHA1

9b4c420185069f81ba887cd38feee498d2c3f1d6
SHA256

4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c
SHA512

6bcbcaed03b99438a25efec6492153db82b5bbcef91a892abacbe5dc2ac9d78e89e2a3104ca411dffe242f6a3ead752d824cf054a7086a30039755b747400b03

Score

10^/10

trickbot mon44 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100011

Botnet

mon44

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 1 IoCs

Detects Templ.dll packer which usually loads Trickbot.

Processes:

resource	yara_rule
behavioral4/memory/1180-4-0x0000000002F10000-0x0000000002F46000-memory.dmp	templ_dll

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 wtfismyip.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 204 wermgr.exe

flow	ioc
22	wtfismyip.com

description	pid	process
Token: SeDebugPrivilege	204	wermgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1056 wrote to memory of 1180	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1180	1056	rundll32.exe	rundll32.exe
PID 1056 wrote to memory of 1180	1056	rundll32.exe	rundll32.exe
PID 1180 wrote to memory of 1840	1180	rundll32.exe	wermgr.exe
PID 1180 wrote to memory of 1840	1180	rundll32.exe	wermgr.exe
PID 1180 wrote to memory of 204	1180	rundll32.exe	wermgr.exe
PID 1180 wrote to memory of 204	1180	rundll32.exe	wermgr.exe
PID 1180 wrote to memory of 204	1180	rundll32.exe	wermgr.exe
PID 1180 wrote to memory of 204	1180	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.bin.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.bin.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
PID:1840

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/204-3-0x0000000000000000-mapping.dmp

Download
memory/204-8-0x000001C395390000-0x000001C3953B7000-memory.dmp

Filesize
156KB

Download
memory/204-9-0x000001C3954A0000-0x000001C3954A1000-memory.dmp

Filesize
4KB

Download
memory/1180-2-0x0000000000000000-mapping.dmp

Download
memory/1180-4-0x0000000002F10000-0x0000000002F46000-memory.dmp

Filesize
216KB

Download
memory/1180-6-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1180-5-0x00000000048E0000-0x0000000004921000-memory.dmp

Filesize
260KB

Download
memory/1180-7-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download