trickbot | 7ea2d03ae9aa6bed670f4b854f4aec6e8044a96141aa7d400084203c26dc123a

General

Target

7ea2d03ae9aa6bed670f4b854f4aec6e8044a96141aa7d400084203c26dc123a.dll
Size

706KB
MD5

1d540a666e26e0559264138d220ef906
SHA1

3f614a8df1fa107e9cfd9787c42bbe06186af7c1
SHA256

7ea2d03ae9aa6bed670f4b854f4aec6e8044a96141aa7d400084203c26dc123a
SHA512

97afc6d26759be86f16507a097dae016fc49a33515d8069cff5f25e3a2ab44617bf7a4867d6f4ede9010258625bc07fd27fdd0c7a4ca09b4cb49d0dfb69e0e5c

Score

10^/10

trickbot rob136 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 ipinfo.io
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 3180 wermgr.exe

flow	ioc
34	ipinfo.io

description	pid	process
Token: SeDebugPrivilege	3180	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2848 wrote to memory of 3068	2848	rundll32.exe	rundll32.exe
PID 2848 wrote to memory of 3068	2848	rundll32.exe	rundll32.exe
PID 2848 wrote to memory of 3068	2848	rundll32.exe	rundll32.exe
PID 3068 wrote to memory of 1552	3068	rundll32.exe	cmd.exe
PID 3068 wrote to memory of 1552	3068	rundll32.exe	cmd.exe
PID 3068 wrote to memory of 1552	3068	rundll32.exe	cmd.exe
PID 3068 wrote to memory of 3180	3068	rundll32.exe	wermgr.exe
PID 3068 wrote to memory of 3180	3068	rundll32.exe	wermgr.exe
PID 3068 wrote to memory of 3180	3068	rundll32.exe	wermgr.exe
PID 3068 wrote to memory of 3180	3068	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ea2d03ae9aa6bed670f4b854f4aec6e8044a96141aa7d400084203c26dc123a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ea2d03ae9aa6bed670f4b854f4aec6e8044a96141aa7d400084203c26dc123a.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:1552

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3068-115-0x0000000000000000-mapping.dmp

Download
memory/3068-116-0x0000000004A20000-0x0000000004C88000-memory.dmp

Filesize
2.4MB

Download
memory/3068-117-0x0000000004D90000-0x0000000004DD5000-memory.dmp

Filesize
276KB

Download
memory/3068-118-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/3068-119-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/3180-120-0x0000000000000000-mapping.dmp

Download
memory/3180-122-0x000002356FCD0000-0x000002356FCD1000-memory.dmp

Filesize
4KB

Download
memory/3180-121-0x000002356FAB0000-0x000002356FAD9000-memory.dmp

Filesize
164KB

Download
memory/3180-124-0x000002356FD00000-0x000002356FD02000-memory.dmp

Filesize
8KB

Download
memory/3180-123-0x000002356FD00000-0x000002356FD02000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing