trickbot | 25d74427ae7e23812c332fc12580e2bbc450cbc71696762e352db8de5bfb11af

Analysis

max time kernel
147s
max time network
163s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25d74427ae7e23812c332fc12580e2bbc450cbc71696762e352db8de5bfb11af.dll
Size

706KB
MD5

d8cf7a3d7db26001b24685c3629eea77
SHA1

22b30009a5ec97ae5f028e2f5985e2f50ffce91c
SHA256

25d74427ae7e23812c332fc12580e2bbc450cbc71696762e352db8de5bfb11af
SHA512

23c074e4969bfb05a9eb65feb7994339aee346d84fb4b37fe2672cd0537ddb10b92a49509dfa27829d09094ca0f35cf34a7d08c669d53c806a7278260f67a3e2

Score

10^/10

trickbot rob136 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1040 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1040	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3464 wrote to memory of 656	3464	rundll32.exe	rundll32.exe
PID 3464 wrote to memory of 656	3464	rundll32.exe	rundll32.exe
PID 3464 wrote to memory of 656	3464	rundll32.exe	rundll32.exe
PID 656 wrote to memory of 440	656	rundll32.exe	cmd.exe
PID 656 wrote to memory of 440	656	rundll32.exe	cmd.exe
PID 656 wrote to memory of 440	656	rundll32.exe	cmd.exe
PID 656 wrote to memory of 1040	656	rundll32.exe	wermgr.exe
PID 656 wrote to memory of 1040	656	rundll32.exe	wermgr.exe
PID 656 wrote to memory of 1040	656	rundll32.exe	wermgr.exe
PID 656 wrote to memory of 1040	656	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\25d74427ae7e23812c332fc12580e2bbc450cbc71696762e352db8de5bfb11af.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\25d74427ae7e23812c332fc12580e2bbc450cbc71696762e352db8de5bfb11af.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:440

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-118-0x0000000000000000-mapping.dmp

Download
memory/656-120-0x0000000001200000-0x0000000001245000-memory.dmp

Filesize
276KB

Download
memory/656-119-0x0000000000F10000-0x0000000000FBE000-memory.dmp

Filesize
696KB

Download
memory/656-121-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/656-122-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/1040-123-0x0000000000000000-mapping.dmp

Download
memory/1040-124-0x000001AD43550000-0x000001AD43579000-memory.dmp

Filesize
164KB

Download
memory/1040-125-0x000001AD43590000-0x000001AD43591000-memory.dmp

Filesize
4KB

Download
memory/1040-127-0x000001AD435C0000-0x000001AD435C2000-memory.dmp

Filesize
8KB

Download
memory/1040-126-0x000001AD435C0000-0x000001AD435C2000-memory.dmp

Filesize
8KB

Download