trickbot | 0304fe2f5cbac1cc2e79bdbc8daa3824d6a8eb139f4d5bec7b57358cd4de8252

General

Target

584aa8473d873ecccb7601672550f4dc.dll
Size

419KB
MD5

584aa8473d873ecccb7601672550f4dc
SHA1

e65c7052e235e776cb9fbb8accef8d27e42f3b2c
SHA256

0304fe2f5cbac1cc2e79bdbc8daa3824d6a8eb139f4d5bec7b57358cd4de8252
SHA512

eaa6d817f5788d363b09728766175b656c80fedbec7c9f1632a878f7ae05d93679292e2ed6f676d0d2549ceaa0283e1f1d818f369a19ff39e32e671579f93f5c

Score

10^/10

trickbot sat4 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

sat4

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ident.me
8 ident.me
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 664 wermgr.exe

flow	ioc
7	ident.me
8	ident.me

description	pid	process
Token: SeDebugPrivilege	664	wermgr.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2024 wrote to memory of 1192	2024	regsvr32.exe	regsvr32.exe
PID 2024 wrote to memory of 1192	2024	regsvr32.exe	regsvr32.exe
PID 2024 wrote to memory of 1192	2024	regsvr32.exe	regsvr32.exe
PID 2024 wrote to memory of 1192	2024	regsvr32.exe	regsvr32.exe
PID 2024 wrote to memory of 1192	2024	regsvr32.exe	regsvr32.exe
PID 2024 wrote to memory of 1192	2024	regsvr32.exe	regsvr32.exe
PID 2024 wrote to memory of 1192	2024	regsvr32.exe	regsvr32.exe
PID 1192 wrote to memory of 584	1192	regsvr32.exe	cmd.exe
PID 1192 wrote to memory of 584	1192	regsvr32.exe	cmd.exe
PID 1192 wrote to memory of 584	1192	regsvr32.exe	cmd.exe
PID 1192 wrote to memory of 584	1192	regsvr32.exe	cmd.exe
PID 1192 wrote to memory of 664	1192	regsvr32.exe	wermgr.exe
PID 1192 wrote to memory of 664	1192	regsvr32.exe	wermgr.exe
PID 1192 wrote to memory of 664	1192	regsvr32.exe	wermgr.exe
PID 1192 wrote to memory of 664	1192	regsvr32.exe	wermgr.exe
PID 1192 wrote to memory of 664	1192	regsvr32.exe	wermgr.exe
PID 1192 wrote to memory of 664	1192	regsvr32.exe	wermgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\584aa8473d873ecccb7601672550f4dc.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\584aa8473d873ecccb7601672550f4dc.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:584

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/664-71-0x0000000000000000-mapping.dmp

Download
memory/664-77-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/664-76-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download
memory/1192-70-0x0000000001E05000-0x0000000001E06000-memory.dmp

Filesize
4KB

Download
memory/1192-64-0x0000000000450000-0x000000000048B000-memory.dmp

Filesize
236KB

Download
memory/1192-68-0x0000000010003000-0x0000000010004000-memory.dmp

Filesize
4KB

Download
memory/1192-67-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/1192-69-0x0000000001DD1000-0x0000000001E05000-memory.dmp

Filesize
208KB

Download
memory/1192-63-0x0000000000410000-0x0000000000449000-memory.dmp

Filesize
228KB

Download
memory/1192-73-0x0000000001E50000-0x0000000001E94000-memory.dmp

Filesize
272KB

Download
memory/1192-72-0x0000000000410000-0x0000000000449000-memory.dmp

Filesize
228KB

Download
memory/1192-75-0x00000000004A1000-0x00000000004A3000-memory.dmp

Filesize
8KB

Download
memory/1192-74-0x0000000001EA0000-0x0000000001EB1000-memory.dmp

Filesize
68KB

Download
memory/1192-62-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1192-61-0x0000000000000000-mapping.dmp

Download
memory/2024-60-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing