trickbot | 24776663187d9e1d90e17decd74d3b6ef7c1b061154b41ec1f215e1677045c28

Analysis

max time kernel
148s
max time network
148s
platform
windows10_x64
resource
win10-en-20211208
submitted
23-12-2021 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24776663187d9e1d90e17decd74d3b6ef7c1b061154b41ec1f215e1677045c28.dll
Size

341KB
MD5

f68156851a38691b7ae9483089f2feb9
SHA1

46b077e0f2634dacadde2078e933e02a3136179d
SHA256

24776663187d9e1d90e17decd74d3b6ef7c1b061154b41ec1f215e1677045c28
SHA512

3844b8071b5fd98f169e48baaaabc1c49f8b788884cd6e400be71eabf3c9f44bf40a0b8deb0bbca10af47a3b3a197845dd5a48c651aa8e4b70ee9aadb61fa802

Score

10^/10

trickbot rob144 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100021

Botnet

rob144

181.129.85.98:443

189.112.119.205:443

189.51.118.78:443

186.121.214.106:443

49.176.188.184:443

61.69.102.170:443

213.32.252.221:443

89.46.216.2:443

103.36.79.3:443

103.108.97.51:443

95.140.217.242:443

41.175.22.226:443

190.109.169.161:443

186.159.12.18:443

190.109.171.17:443

181.196.148.202:443

186.47.75.58:443

186.42.212.30:443

190.214.21.14:443

187.108.32.133:443

Attributes

autorun

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 wtfismyip.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 4308 wermgr.exe

flow	ioc
23	wtfismyip.com

description	pid	process
Token: SeDebugPrivilege	4308	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3824 wrote to memory of 3832	3824	rundll32.exe	rundll32.exe
PID 3824 wrote to memory of 3832	3824	rundll32.exe	rundll32.exe
PID 3824 wrote to memory of 3832	3824	rundll32.exe	rundll32.exe
PID 3832 wrote to memory of 4320	3832	rundll32.exe	cmd.exe
PID 3832 wrote to memory of 4320	3832	rundll32.exe	cmd.exe
PID 3832 wrote to memory of 4320	3832	rundll32.exe	cmd.exe
PID 3832 wrote to memory of 4308	3832	rundll32.exe	wermgr.exe
PID 3832 wrote to memory of 4308	3832	rundll32.exe	wermgr.exe
PID 3832 wrote to memory of 4308	3832	rundll32.exe	wermgr.exe
PID 3832 wrote to memory of 4308	3832	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24776663187d9e1d90e17decd74d3b6ef7c1b061154b41ec1f215e1677045c28.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\24776663187d9e1d90e17decd74d3b6ef7c1b061154b41ec1f215e1677045c28.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:4320

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3832-118-0x0000000000000000-mapping.dmp

Download
memory/3832-120-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/3832-119-0x00000000027B0000-0x00000000027F2000-memory.dmp

Filesize
264KB

Download
memory/3832-121-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/4308-122-0x0000000000000000-mapping.dmp

Download
memory/4308-124-0x0000024495120000-0x0000024495121000-memory.dmp

Filesize
4KB

Download
memory/4308-123-0x00000244950E0000-0x0000024495108000-memory.dmp

Filesize
160KB

Download
memory/4308-126-0x0000024495150000-0x0000024495152000-memory.dmp

Filesize
8KB

Download
memory/4308-125-0x0000024495150000-0x0000024495152000-memory.dmp

Filesize
8KB

Download