2e6fcdc4bb4622a80f70db990a217718.dll

General
Target

2e6fcdc4bb4622a80f70db990a217718.dll

Filesize

544KB

Completed

22-07-2021 09:08

Score
10/10
MD5

2e6fcdc4bb4622a80f70db990a217718

SHA1

905a13957f196b48bbd3d2c6876d3e76d8ac1119

SHA256

cd7f39f9f95a1161878980631e4069057e715e84bf3ecf940bfca97ce5a96e20

Malware Config

Extracted

Family trickbot
Version 100018
Botnet rob109
C2

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

38.110.103.113:443

38.110.100.142:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

38.110.100.33:443

38.110.100.242:443

185.13.79.3:443

Attributes
autorun
Name: pwgrabb
Name: pwgrabc
ecc_pubkey.base64
Signatures 4

  • Trickbot

    Description

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow  ioc
    17    ipinfo.io
  • Suspicious use of AdjustPrivilegeToken
    wermgr.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  3652  wermgr.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exerundll32.exe

    Reported IOCs

    description                       pid   process       target process
    PID 904 wrote to memory of 1132   904   rundll32.exe  rundll32.exe
    PID 904 wrote to memory of 1132   904   rundll32.exe  rundll32.exe
    PID 904 wrote to memory of 1132   904   rundll32.exe  rundll32.exe
    PID 1132 wrote to memory of 3600  1132  rundll32.exe  cmd.exe
    PID 1132 wrote to memory of 3600  1132  rundll32.exe  cmd.exe
    PID 1132 wrote to memory of 3600  1132  rundll32.exe  cmd.exe
    PID 1132 wrote to memory of 3652  1132  rundll32.exe  wermgr.exe
    PID 1132 wrote to memory of 3652  1132  rundll32.exe  wermgr.exe
    PID 1132 wrote to memory of 3652  1132  rundll32.exe  wermgr.exe
    PID 1132 wrote to memory of 3652  1132  rundll32.exe  wermgr.exe
Processes 4
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e6fcdc4bb4622a80f70db990a217718.dll,#1
    Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e6fcdc4bb4622a80f70db990a217718.dll,#1
      Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe
        PID:3600
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        Suspicious use of AdjustPrivilegeToken
        PID:3652
Network

MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
  • memory/1132-114-0x0000000000000000-mapping.dmp
  • memory/1132-115-0x0000000004B70000-0x0000000004BAB000-memory.dmp
  • memory/1132-118-0x0000000004BB0000-0x0000000004BE9000-memory.dmp
  • memory/1132-120-0x0000000004BF0000-0x0000000004C27000-memory.dmp
  • memory/1132-123-0x0000000004C60000-0x0000000004CA4000-memory.dmp
  • memory/1132-122-0x00000000049B0000-0x00000000049E8000-memory.dmp
  • memory/1132-124-0x0000000004B40000-0x0000000004B41000-memory.dmp
  • memory/1132-125-0x0000000003271000-0x0000000003273000-memory.dmp
  • memory/3652-126-0x0000000000000000-mapping.dmp
  • memory/3652-128-0x0000021665080000-0x0000021665081000-memory.dmp
  • memory/3652-127-0x0000021664E70000-0x0000021664E98000-memory.dmp