trickbot | 80afc885cde130c0fcc5e8b7e0a03130ca7922790ba82853c8ec1de8cb951f83

Analysis

max time kernel
120s
max time network
120s
platform
windows10_x64
resource
win10v20210410
submitted
22-04-2021 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rundll32_03300000.dll
Size

208KB
MD5

4098b34beea650657077c34cccc64d23
SHA1

9d530cc1702acef7bfc366c81746b77fa0d47f71
SHA256

80afc885cde130c0fcc5e8b7e0a03130ca7922790ba82853c8ec1de8cb951f83
SHA512

0be883596c4cecc29304daffce9538f3c59b235bf4501aecb53a239c4251da210d0f05a3f537131af6993302903d9b48d741b4af773f80d4bfeeca9cc4580fd9

Score

10^/10

trickbot rob52 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000028

Botnet

rob52

89.250.208.42:449

182.253.184.130:449

31.211.85.110:443

85.112.74.178:449

102.68.17.97:443

103.76.150.14:443

96.9.77.142:443

91.185.236.170:449

87.76.1.81:449

91.225.231.120:443

62.213.14.166:443

81.95.45.234:449

148.216.32.55:443

109.185.139.90:449

202.166.211.197:443

196.41.57.46:449

84.21.206.164:449

190.122.168.219:443

77.95.93.132:449

41.77.134.250:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4060 904 WerFault.exe regsvr32.exe

pid	pid_target	process	target process
4060	904	WerFault.exe	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4060 WerFault.exe
Token: SeBackupPrivilege 4060 WerFault.exe
Token: SeDebugPrivilege 4060 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	4060	WerFault.exe
Token: SeBackupPrivilege	4060	WerFault.exe
Token: SeDebugPrivilege	4060	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3680 wrote to memory of 904	3680	regsvr32.exe	regsvr32.exe
PID 3680 wrote to memory of 904	3680	regsvr32.exe	regsvr32.exe
PID 3680 wrote to memory of 904	3680	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\rundll32_03300000.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\rundll32_03300000.dll
2⤵
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 616
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-114-0x0000000000000000-mapping.dmp

Download
memory/904-115-0x00000000027F0000-0x0000000002833000-memory.dmp

Filesize
268KB

Download