trickbot | 80afc885cde130c0fcc5e8b7e0a03130ca7922790ba82853c8ec1de8cb951f83

Analysis

max time kernel
135s
max time network
142s
platform
windows7_x64
resource
win7v20210408
submitted
22-04-2021 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rundll32_03300000.dll
Size

208KB
MD5

4098b34beea650657077c34cccc64d23
SHA1

9d530cc1702acef7bfc366c81746b77fa0d47f71
SHA256

80afc885cde130c0fcc5e8b7e0a03130ca7922790ba82853c8ec1de8cb951f83
SHA512

0be883596c4cecc29304daffce9538f3c59b235bf4501aecb53a239c4251da210d0f05a3f537131af6993302903d9b48d741b4af773f80d4bfeeca9cc4580fd9

Score

10^/10

trickbot rob52 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000028

Botnet

rob52

89.250.208.42:449

182.253.184.130:449

31.211.85.110:443

85.112.74.178:449

102.68.17.97:443

103.76.150.14:443

96.9.77.142:443

91.185.236.170:449

87.76.1.81:449

91.225.231.120:443

62.213.14.166:443

81.95.45.234:449

148.216.32.55:443

109.185.139.90:449

202.166.211.197:443

196.41.57.46:449

84.21.206.164:449

190.122.168.219:443

77.95.93.132:449

41.77.134.250:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 checkip.amazonaws.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1904 wermgr.exe

flow	ioc
15	checkip.amazonaws.com

description	pid	process
Token: SeDebugPrivilege	1904	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 484 wrote to memory of 1932	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 1932	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 1932	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 1932	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 1932	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 1932	484	regsvr32.exe	regsvr32.exe
PID 484 wrote to memory of 1932	484	regsvr32.exe	regsvr32.exe
PID 1932 wrote to memory of 1904	1932	regsvr32.exe	wermgr.exe
PID 1932 wrote to memory of 1904	1932	regsvr32.exe	wermgr.exe
PID 1932 wrote to memory of 1904	1932	regsvr32.exe	wermgr.exe
PID 1932 wrote to memory of 1904	1932	regsvr32.exe	wermgr.exe
PID 1932 wrote to memory of 1904	1932	regsvr32.exe	wermgr.exe
PID 1932 wrote to memory of 1904	1932	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\rundll32_03300000.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\rundll32_03300000.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/484-60-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/1904-63-0x0000000000000000-mapping.dmp

Download
memory/1904-68-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1904-67-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/1932-61-0x0000000000000000-mapping.dmp

Download
memory/1932-62-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/1932-65-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download
memory/1932-64-0x00000000001C0000-0x0000000000203000-memory.dmp

Filesize
268KB

Download
memory/1932-66-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download