d6a29c9b7a0251f17919d4c03e12a9680321769daf24ed23c3f72cee27937835

General
Target

d6a29c9b7a0251f17919d4c03e12a9680321769daf24ed23c3f72cee27937835.dll

Filesize

706KB

Completed

21-10-2021 21:29

Score
10/10
MD5

170cb3f5e6afcda2e308749ea3ae2f1c

SHA1

06d9fd8e5814fa75cdc99fae1eabedd49ac32091

SHA256

d6a29c9b7a0251f17919d4c03e12a9680321769daf24ed23c3f72cee27937835

Malware Config

Extracted

Family trickbot
Version 100019
Botnet rob136
C2


Attributes

autorun
Name: pwgrabb
Name: pwgrabc
ecc_pubkey.base64
Signatures 4

  • Trickbot

    Description

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    41   | ipinfo.io
  • Suspicious use of AdjustPrivilegeToken
    wermgr.exe

    Reported IOCs

    description             | pid  | process
    Token: SeDebugPrivilege | 2180 | wermgr.exe
  • Suspicious use of WriteProcessMemory
    rundll32.exerundll32.exe

    Reported IOCs

    description                     | pid  | process      | target process
    PID 1324 wrote to memory of 60  | 1324 | rundll32.exe | rundll32.exe
    PID 1324 wrote to memory of 60  | 1324 | rundll32.exe | rundll32.exe
    PID 1324 wrote to memory of 60  | 1324 | rundll32.exe | rundll32.exe
    PID 60 wrote to memory of 1972  | 60   | rundll32.exe | cmd.exe
    PID 60 wrote to memory of 1972  | 60   | rundll32.exe | cmd.exe
    PID 60 wrote to memory of 1972  | 60   | rundll32.exe | cmd.exe
    PID 60 wrote to memory of 2180  | 60   | rundll32.exe | wermgr.exe
    PID 60 wrote to memory of 2180  | 60   | rundll32.exe | wermgr.exe
    PID 60 wrote to memory of 2180  | 60   | rundll32.exe | wermgr.exe
    PID 60 wrote to memory of 2180  | 60   | rundll32.exe | wermgr.exe
Processes 4
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6a29c9b7a0251f17919d4c03e12a9680321769daf24ed23c3f72cee27937835.dll,#1
    Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6a29c9b7a0251f17919d4c03e12a9680321769daf24ed23c3f72cee27937835.dll,#1
      Suspicious use of WriteProcessMemory
      PID:60
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe
        PID:1972
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        Suspicious use of AdjustPrivilegeToken
        PID:2180