trickbot | 25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1

Resubmissions

19-10-2021 21:50

211019-1qatvshcgr 10

19-10-2021 15:20

211019-sq1raahack 10

Analysis

max time kernel
1166s
max time network
1178s
platform
windows7_x64
resource
win7-en-20210920
submitted
19-10-2021 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clb.dll
Size

588KB
MD5

4f142d0fca158d333b98bd20ec2c70c8
SHA1

716cab4911102cd47ebc577d5712ade3f55e1729
SHA256

25e33433712124d16fdd126ee77c34309bd01680e50c1269a4d1ea2d59f3b8a1
SHA512

50a73179c814ebf6bf78142d9de61565f4cdf0886bbb6525cf37b4acae729b7b913a3f085d63bc482f63ee2099a638e3e519a41aba5e63a3078d577e56bc7826

Score

10^/10

trickbot rob136 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE TrickBot Related Activity (GET)
suricata: ET MALWARE TrickBot Related Activity (GET)
suricata
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1164 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1164	wermgr.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1696 wrote to memory of 868	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 868	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 868	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 868	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 868	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 868	1696	rundll32.exe	rundll32.exe
PID 1696 wrote to memory of 868	1696	rundll32.exe	rundll32.exe
PID 868 wrote to memory of 1728	868	rundll32.exe	cmd.exe
PID 868 wrote to memory of 1728	868	rundll32.exe	cmd.exe
PID 868 wrote to memory of 1728	868	rundll32.exe	cmd.exe
PID 868 wrote to memory of 1728	868	rundll32.exe	cmd.exe
PID 868 wrote to memory of 1164	868	rundll32.exe	wermgr.exe
PID 868 wrote to memory of 1164	868	rundll32.exe	wermgr.exe
PID 868 wrote to memory of 1164	868	rundll32.exe	wermgr.exe
PID 868 wrote to memory of 1164	868	rundll32.exe	wermgr.exe
PID 868 wrote to memory of 1164	868	rundll32.exe	wermgr.exe
PID 868 wrote to memory of 1164	868	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\clb.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\clb.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:1728

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/868-53-0x0000000000000000-mapping.dmp

Download
memory/868-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/868-55-0x0000000000790000-0x00000000007C9000-memory.dmp

Filesize
228KB

Download
memory/868-56-0x0000000000830000-0x000000000086B000-memory.dmp

Filesize
236KB

Download
memory/868-60-0x0000000000873000-0x0000000000874000-memory.dmp

Filesize
4KB

Download
memory/868-59-0x0000000000871000-0x0000000000873000-memory.dmp

Filesize
8KB

Download
memory/868-61-0x00000000008B1000-0x00000000008E5000-memory.dmp

Filesize
208KB

Download
memory/868-62-0x00000000008E5000-0x00000000008E6000-memory.dmp

Filesize
4KB

Download
memory/868-64-0x0000000000910000-0x0000000000955000-memory.dmp

Filesize
276KB

Download
memory/868-63-0x0000000000790000-0x00000000007C9000-memory.dmp

Filesize
228KB

Download
memory/868-65-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/868-66-0x00000000001F1000-0x00000000001F3000-memory.dmp

Filesize
8KB

Download
memory/1164-67-0x0000000000000000-mapping.dmp

Download
memory/1164-68-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download
memory/1164-69-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download