trickbot | 6f9dcf34b900c9a712e4d0fd6ec05347654a95ed662a1c6cd7628b00805c0223

General

Target

6f9dcf34b900c9a712e4d0fd6ec05347654a95ed662a1c6cd7628b00805c0223.dll
Size

1.8MB
MD5

7a5d7f3b659224502ee69c4ab2a8f5c3
SHA1

18c807363fa2ac1508df8340f41ce278cf854e19
SHA256

6f9dcf34b900c9a712e4d0fd6ec05347654a95ed662a1c6cd7628b00805c0223
SHA512

3495a11daf4c4dee651e0a891980f8e48a8d4c4d33049139e23e6b0e7ebb7bdc87fba805b8b6d7001fad1704282f483464bd2e5668fb036106706250392d6dba

Score

10^/10

trickbot rob141 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob141

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 wtfismyip.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2692 wermgr.exe

flow	ioc
32	wtfismyip.com

description	pid	process
Token: SeDebugPrivilege	2692	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2148 wrote to memory of 2332	2148	rundll32.exe	rundll32.exe
PID 2148 wrote to memory of 2332	2148	rundll32.exe	rundll32.exe
PID 2148 wrote to memory of 2332	2148	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 2708	2332	rundll32.exe	cmd.exe
PID 2332 wrote to memory of 2708	2332	rundll32.exe	cmd.exe
PID 2332 wrote to memory of 2708	2332	rundll32.exe	cmd.exe
PID 2332 wrote to memory of 2692	2332	rundll32.exe	wermgr.exe
PID 2332 wrote to memory of 2692	2332	rundll32.exe	wermgr.exe
PID 2332 wrote to memory of 2692	2332	rundll32.exe	wermgr.exe
PID 2332 wrote to memory of 2692	2332	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9dcf34b900c9a712e4d0fd6ec05347654a95ed662a1c6cd7628b00805c0223.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f9dcf34b900c9a712e4d0fd6ec05347654a95ed662a1c6cd7628b00805c0223.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:2708

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2332-115-0x0000000000000000-mapping.dmp

Download
memory/2332-117-0x0000000002FA0000-0x0000000002FE5000-memory.dmp

Filesize
276KB

Download
memory/2332-116-0x0000000004800000-0x0000000004A68000-memory.dmp

Filesize
2.4MB

Download
memory/2332-118-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/2332-119-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/2692-120-0x0000000000000000-mapping.dmp

Download
memory/2692-122-0x00000139D33C0000-0x00000139D33C1000-memory.dmp

Filesize
4KB

Download
memory/2692-121-0x00000139D3380000-0x00000139D33A8000-memory.dmp

Filesize
160KB

Download
memory/2692-124-0x00000139D3410000-0x00000139D3412000-memory.dmp

Filesize
8KB

Download
memory/2692-123-0x00000139D3410000-0x00000139D3412000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing