Overview

overview

10

Static

static

subzero.png.dll

windows7_x64

10

subzero.png.dll

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-10-2021 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    subzero.png.dll

  • Size

    706KB

  • MD5

    5e3e206b5ae47c192987c3c624f1f70e

  • SHA1

    d60efdd497fc9f4f4d97a8cb467cf7e914e47016

  • SHA256

    47ff441ab14e4ea5e8877fc22213e209070992be19dca2639e218b50f24cf9e9

  • SHA512

    3ffbaf138fe468194d60ec5df30929d4b55f4532057dd209392c89f41765415770b253302f868b7925b0d623a3ea6bd897be079b1a12b20107337be4007e22ad

Score
10/10
trickbotrob136bankertrojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob136

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443
Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\subzero.png.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\subzero.png.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe
        3⤵
          PID:1356
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1520

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/760-54-0x0000000000000000-mapping.dmp
      Download
    • memory/760-55-0x0000000074F81000-0x0000000074F83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/760-56-0x0000000001E90000-0x00000000020F8000-memory.dmp
      Filesize

      2.4MB

      Download
    • memory/760-58-0x00000000001D0000-0x00000000001E1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/760-57-0x0000000000320000-0x0000000000365000-memory.dmp
      Filesize

      276KB

      Download
    • memory/760-59-0x0000000010001000-0x0000000010003000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1520-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1520-61-0x0000000000060000-0x0000000000089000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1520-62-0x00000000000A0000-0x00000000000A1000-memory.dmp
      Filesize

      4KB

      Download