trickbot | 2eaa196b5f4f0d20b23dd82f001f369e05de803834a11cfe93dd7b795d9e6cd2

Analysis

Target

2eaa196b5f4f0d20b23dd82f001f369e05de803834a11cfe93dd7b795d9e6cd2.dll
Size

768KB
MD5

d97e4caabf31d478bc931a0a1a47e08c
SHA1

85cca6fc2fdfab66c47188efc007d0b651c1536d
SHA256

2eaa196b5f4f0d20b23dd82f001f369e05de803834a11cfe93dd7b795d9e6cd2
SHA512

3add165b47af5bdb65547b2913525049df9d23c62448eccc83824150cc42f72a593d88f533bf1b8268321f2c688453422b2d659af9b9234ab8c1188ff6b9842f

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 3 IoCs

Detects Templ.dll packer which usually loads Trickbot.

resource	yara_rule
behavioral1/memory/1832-4-0x0000000000220000-0x0000000000259000-memory.dmp	templ_dll
behavioral1/memory/1832-5-0x00000000003A0000-0x00000000003D7000-memory.dmp	templ_dll
behavioral1/memory/1832-6-0x00000000001B0000-0x00000000001E6000-memory.dmp	templ_dll

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1832	544	rundll32.exe	25
PID 544 wrote to memory of 1832	544	rundll32.exe	25
PID 544 wrote to memory of 1832	544	rundll32.exe	25
PID 544 wrote to memory of 1832	544	rundll32.exe	25
PID 544 wrote to memory of 1832	544	rundll32.exe	25
PID 544 wrote to memory of 1832	544	rundll32.exe	25
PID 544 wrote to memory of 1832	544	rundll32.exe	25

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eaa196b5f4f0d20b23dd82f001f369e05de803834a11cfe93dd7b795d9e6cd2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eaa196b5f4f0d20b23dd82f001f369e05de803834a11cfe93dd7b795d9e6cd2.dll,#1
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe
    3⤵
    PID:1816

memory/1832-3-0x0000000076881000-0x0000000076883000-memory.dmp

Filesize
8KB

Download
memory/1832-4-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/1832-5-0x00000000003A0000-0x00000000003D7000-memory.dmp

Filesize
220KB

Download
memory/1832-6-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/1832-7-0x0000000010000000-0x0000000010037000-memory.dmp

Filesize
220KB

Download
memory/1832-8-0x0000000001EF0000-0x0000000001F33000-memory.dmp

Filesize
268KB

Download