trickbot | 5cc895d9c7951c8f20a19a5538270c3bca4c17e650be6209c6aafce3f780c603

General

Target

5cc895d9c7951c8f20a19a5538270c3bca4c17e650be6209c6aafce3f780c603.dll
Size

706KB
MD5

6130d265357ce71154ba46051203c96a
SHA1

4446b675dad569c38126bc170a6dcac18d740500
SHA256

5cc895d9c7951c8f20a19a5538270c3bca4c17e650be6209c6aafce3f780c603
SHA512

d00657e8cc18c0ed528d461842037067d410c34c61422fb8d1a3c15842dcd8f8edc233c738f5df797a9e590d30bab0b543bea26b8e3ab8cf83df3f1c961869f8

Score

10^/10

trickbot rob136 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 wtfismyip.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 920 wermgr.exe

flow	ioc
45	wtfismyip.com

description	pid	process
Token: SeDebugPrivilege	920	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2336 wrote to memory of 3060	2336	rundll32.exe	rundll32.exe
PID 2336 wrote to memory of 3060	2336	rundll32.exe	rundll32.exe
PID 2336 wrote to memory of 3060	2336	rundll32.exe	rundll32.exe
PID 3060 wrote to memory of 916	3060	rundll32.exe	cmd.exe
PID 3060 wrote to memory of 916	3060	rundll32.exe	cmd.exe
PID 3060 wrote to memory of 916	3060	rundll32.exe	cmd.exe
PID 3060 wrote to memory of 920	3060	rundll32.exe	wermgr.exe
PID 3060 wrote to memory of 920	3060	rundll32.exe	wermgr.exe
PID 3060 wrote to memory of 920	3060	rundll32.exe	wermgr.exe
PID 3060 wrote to memory of 920	3060	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc895d9c7951c8f20a19a5538270c3bca4c17e650be6209c6aafce3f780c603.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cc895d9c7951c8f20a19a5538270c3bca4c17e650be6209c6aafce3f780c603.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:916

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/920-120-0x0000000000000000-mapping.dmp

Download
memory/920-121-0x00000270690C0000-0x00000270690E9000-memory.dmp

Filesize
164KB

Download
memory/920-122-0x0000027069100000-0x0000027069101000-memory.dmp

Filesize
4KB

Download
memory/920-123-0x0000027069300000-0x0000027069302000-memory.dmp

Filesize
8KB

Download
memory/920-124-0x0000027069300000-0x0000027069302000-memory.dmp

Filesize
8KB

Download
memory/3060-115-0x0000000000000000-mapping.dmp

Download
memory/3060-116-0x00000000043F0000-0x0000000004658000-memory.dmp

Filesize
2.4MB

Download
memory/3060-117-0x0000000000B50000-0x0000000000B95000-memory.dmp

Filesize
276KB

Download
memory/3060-118-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3060-119-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing