trickbot | 21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f

Analysis

max time kernel
139s
max time network
161s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f.dll
Size

706KB
MD5

43631f2757ede0112fc8fe30deea8acc
SHA1

c82bf7a08287158d9a6a22467eadd7e9cbe242c2
SHA256

21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f
SHA512

f1e282632419a768efd807daf36f57a6b883747698da298caf48a2d48b2f2d0ed1f2bbd0c5b1633bba27af15e596ce0b2c0dcface72661500ca29fac4264c6ce

Score

10^/10

trickbot rob136 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2416 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	2416	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3500 wrote to memory of 3132	3500	rundll32.exe	rundll32.exe
PID 3500 wrote to memory of 3132	3500	rundll32.exe	rundll32.exe
PID 3500 wrote to memory of 3132	3500	rundll32.exe	rundll32.exe
PID 3132 wrote to memory of 2212	3132	rundll32.exe	cmd.exe
PID 3132 wrote to memory of 2212	3132	rundll32.exe	cmd.exe
PID 3132 wrote to memory of 2212	3132	rundll32.exe	cmd.exe
PID 3132 wrote to memory of 2416	3132	rundll32.exe	wermgr.exe
PID 3132 wrote to memory of 2416	3132	rundll32.exe	wermgr.exe
PID 3132 wrote to memory of 2416	3132	rundll32.exe	wermgr.exe
PID 3132 wrote to memory of 2416	3132	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\21f72992d08aafe0a90e4df30fd56ebe8e7572bec81729c31b06b0a220dcfb3f.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:2212

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-120-0x0000000000000000-mapping.dmp

Download
memory/2416-122-0x0000025AE7F60000-0x0000025AE7F61000-memory.dmp

Filesize
4KB

Download
memory/2416-121-0x0000025AE7E50000-0x0000025AE7E79000-memory.dmp

Filesize
164KB

Download
memory/2416-124-0x0000025AE8090000-0x0000025AE8092000-memory.dmp

Filesize
8KB

Download
memory/2416-123-0x0000025AE8090000-0x0000025AE8092000-memory.dmp

Filesize
8KB

Download
memory/3132-115-0x0000000000000000-mapping.dmp

Download
memory/3132-116-0x0000000000DF0000-0x0000000001058000-memory.dmp

Filesize
2.4MB

Download
memory/3132-117-0x0000000000980000-0x00000000009C5000-memory.dmp

Filesize
276KB

Download
memory/3132-119-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/3132-118-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download