trickbot | 6c3b89cb0e1c9e4109d0f8238e5aea8099f3480ac7b8e4f36a66aebd9147f079

Analysis

max time kernel
144s
max time network
152s
platform
windows10_x64
resource
win10-en-20211208
submitted
23-12-2021 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c3b89cb0e1c9e4109d0f8238e5aea8099f3480ac7b8e4f36a66aebd9147f079.dll
Size

341KB
MD5

6c3c580a94b9bacee6d35d0c97fb6a1a
SHA1

06d4c6b54b90aec9ec055814b17c1821767c20df
SHA256

6c3b89cb0e1c9e4109d0f8238e5aea8099f3480ac7b8e4f36a66aebd9147f079
SHA512

f2189e3d5c490868d25f3c9420063ef46c50a4c1205856d561a249a7964131d547f6549ccd3ea45440dfccbafef7238370440ddec998a9fc83d1d43ad89915cb

Score

10^/10

trickbot rob144 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100021

Botnet

rob144

181.129.85.98:443

189.112.119.205:443

189.51.118.78:443

186.121.214.106:443

49.176.188.184:443

61.69.102.170:443

213.32.252.221:443

89.46.216.2:443

103.36.79.3:443

103.108.97.51:443

95.140.217.242:443

41.175.22.226:443

190.109.169.161:443

186.159.12.18:443

190.109.171.17:443

181.196.148.202:443

186.47.75.58:443

186.42.212.30:443

190.214.21.14:443

187.108.32.133:443

Attributes

autorun

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

51 api.ipify.org
57 icanhazip.com
32 ipecho.net
41 ipinfo.io
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2860 wermgr.exe

flow	ioc
51	api.ipify.org
57	icanhazip.com
32	ipecho.net
41	ipinfo.io

description	pid	process
Token: SeDebugPrivilege	2860	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2704 wrote to memory of 2744	2704	rundll32.exe	rundll32.exe
PID 2704 wrote to memory of 2744	2704	rundll32.exe	rundll32.exe
PID 2704 wrote to memory of 2744	2704	rundll32.exe	rundll32.exe
PID 2744 wrote to memory of 3052	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3052	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 3052	2744	rundll32.exe	cmd.exe
PID 2744 wrote to memory of 2860	2744	rundll32.exe	wermgr.exe
PID 2744 wrote to memory of 2860	2744	rundll32.exe	wermgr.exe
PID 2744 wrote to memory of 2860	2744	rundll32.exe	wermgr.exe
PID 2744 wrote to memory of 2860	2744	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c3b89cb0e1c9e4109d0f8238e5aea8099f3480ac7b8e4f36a66aebd9147f079.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c3b89cb0e1c9e4109d0f8238e5aea8099f3480ac7b8e4f36a66aebd9147f079.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:3052

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2744-115-0x0000000000000000-mapping.dmp

Download
memory/2744-117-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2744-116-0x0000000000C90000-0x0000000000CD2000-memory.dmp

Filesize
264KB

Download
memory/2744-118-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/2860-119-0x0000000000000000-mapping.dmp

Download
memory/2860-120-0x0000027036660000-0x0000027036688000-memory.dmp

Filesize
160KB

Download
memory/2860-121-0x0000027036780000-0x0000027036781000-memory.dmp

Filesize
4KB

Download
memory/2860-123-0x00000270367B0000-0x00000270367B2000-memory.dmp

Filesize
8KB

Download
memory/2860-122-0x00000270367B0000-0x00000270367B2000-memory.dmp

Filesize
8KB

Download