trickbot | 074b3d896e53fc8335cdea4b0f565e01b99ee9041c01d9c17a23f67409b138c1

General

Target

caDeEx.jpg.dll
Size

564KB
MD5

d342499ba2e3adab152c4c7ed9ead426
SHA1

0b4d212ac06d26e3fbb7365322d4cb7c5487444b
SHA256

074b3d896e53fc8335cdea4b0f565e01b99ee9041c01d9c17a23f67409b138c1
SHA512

0ef2cde0d828559d8134a136a1e85797d99c95343dd9f3ec329defeba86a5adb99445448fc9c5346f5c2ec6a251d676618ac96e0cdf76317e2e6f1746dbda6b5

Score

10^/10

trickbot zev4 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

zev4

C2

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1592 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1592	wermgr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1188 wrote to memory of 1152	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1152	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1152	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1152	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1152	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1152	1188	regsvr32.exe	regsvr32.exe
PID 1188 wrote to memory of 1152	1188	regsvr32.exe	regsvr32.exe
PID 1152 wrote to memory of 1592	1152	regsvr32.exe	wermgr.exe
PID 1152 wrote to memory of 1592	1152	regsvr32.exe	wermgr.exe
PID 1152 wrote to memory of 1592	1152	regsvr32.exe	wermgr.exe
PID 1152 wrote to memory of 1592	1152	regsvr32.exe	wermgr.exe
PID 1152 wrote to memory of 1592	1152	regsvr32.exe	wermgr.exe
PID 1152 wrote to memory of 1592	1152	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\caDeEx.jpg.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\caDeEx.jpg.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-63-0x00000000001E0000-0x0000000000219000-memory.dmp

Filesize
228KB

Download
memory/1152-54-0x0000000000000000-mapping.dmp

Download
memory/1152-55-0x00000000762A1000-0x00000000762A3000-memory.dmp

Filesize
8KB

Download
memory/1152-56-0x00000000009B0000-0x00000000009EB000-memory.dmp

Filesize
236KB

Download
memory/1152-59-0x0000000001E30000-0x0000000001E69000-memory.dmp

Filesize
228KB

Download
memory/1152-61-0x0000000001E70000-0x0000000001EA8000-memory.dmp

Filesize
224KB

Download
memory/1152-65-0x0000000000340000-0x0000000000351000-memory.dmp

Filesize
68KB

Download
memory/1152-64-0x0000000001EE0000-0x0000000001F25000-memory.dmp

Filesize
276KB

Download
memory/1152-66-0x0000000000231000-0x0000000000233000-memory.dmp

Filesize
8KB

Download
memory/1188-53-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download
memory/1592-67-0x0000000000000000-mapping.dmp

Download
memory/1592-68-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download
memory/1592-69-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing