trickbot | 074b3d896e53fc8335cdea4b0f565e01b99ee9041c01d9c17a23f67409b138c1

Analysis

max time kernel
75s
max time network
136s
platform
windows10_x64
resource
win10-en
submitted
13-09-2021 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caDeEx.jpg.dll
Size

564KB
MD5

d342499ba2e3adab152c4c7ed9ead426
SHA1

0b4d212ac06d26e3fbb7365322d4cb7c5487444b
SHA256

074b3d896e53fc8335cdea4b0f565e01b99ee9041c01d9c17a23f67409b138c1
SHA512

0ef2cde0d828559d8134a136a1e85797d99c95343dd9f3ec329defeba86a5adb99445448fc9c5346f5c2ec6a251d676618ac96e0cdf76317e2e6f1746dbda6b5

Score

10^/10

trickbot zev4 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

zev4

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 wtfismyip.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 4012 wermgr.exe

flow	ioc
9	wtfismyip.com

description	pid	process
Token: SeDebugPrivilege	4012	wermgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4044 wrote to memory of 3120	4044	regsvr32.exe	regsvr32.exe
PID 4044 wrote to memory of 3120	4044	regsvr32.exe	regsvr32.exe
PID 4044 wrote to memory of 3120	4044	regsvr32.exe	regsvr32.exe
PID 3120 wrote to memory of 4012	3120	regsvr32.exe	wermgr.exe
PID 3120 wrote to memory of 4012	3120	regsvr32.exe	wermgr.exe
PID 3120 wrote to memory of 4012	3120	regsvr32.exe	wermgr.exe
PID 3120 wrote to memory of 4012	3120	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\caDeEx.jpg.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\caDeEx.jpg.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3120-115-0x0000000000000000-mapping.dmp

Download
memory/3120-116-0x0000000004BF0000-0x0000000004C2B000-memory.dmp

Filesize
236KB

Download
memory/3120-119-0x0000000004C30000-0x0000000004C69000-memory.dmp

Filesize
228KB

Download
memory/3120-121-0x0000000004C70000-0x0000000004CA8000-memory.dmp

Filesize
224KB

Download
memory/3120-123-0x0000000004A40000-0x0000000004C4E000-memory.dmp

Filesize
2.1MB

Download
memory/3120-125-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3120-124-0x0000000004CB0000-0x0000000004CF5000-memory.dmp

Filesize
276KB

Download
memory/3120-126-0x0000000004A40000-0x0000000004C4E000-memory.dmp

Filesize
2.1MB

Download
memory/4012-127-0x0000000000000000-mapping.dmp

Download
memory/4012-128-0x0000025F051B0000-0x0000025F051D9000-memory.dmp

Filesize
164KB

Download
memory/4012-129-0x0000025F052D0000-0x0000025F052D1000-memory.dmp

Filesize
4KB

Download