trickbot | c8a8da5da9367ddf7401a3f6981fdf91e7f88069747a9f189fbf1f5d04c0a3f9

General

Target

c8a8da5da9367ddf7401a3f6981fdf91e7f88069747a9f189fbf1f5d04c0a3f9.dll
Size

313KB
MD5

e1b20c989761bb53e37067fd4e5bce7a
SHA1

7fb7c25aa83e34c943733fa57d8c5ca12d098d88
SHA256

c8a8da5da9367ddf7401a3f6981fdf91e7f88069747a9f189fbf1f5d04c0a3f9
SHA512

3ab2e21f7128940f7293271011971b1e3a98db293a0f6aec2173b05e600ef8af41f380febb836a05b520e33e09e2a6315abcca37bbf3b89ec780c163e4b1550b

Score

10^/10

trickbot rob144 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100021

Botnet

rob144

C2

181.129.85.98:443

189.112.119.205:443

189.51.118.78:443

186.121.214.106:443

49.176.188.184:443

61.69.102.170:443

213.32.252.221:443

89.46.216.2:443

103.36.79.3:443

103.108.97.51:443

95.140.217.242:443

41.175.22.226:443

190.109.169.161:443

186.159.12.18:443

190.109.171.17:443

181.196.148.202:443

186.47.75.58:443

186.42.212.30:443

190.214.21.14:443

187.108.32.133:443

Attributes

autorun

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 wtfismyip.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2028 wermgr.exe

flow	ioc
32	wtfismyip.com

description	pid	process
Token: SeDebugPrivilege	2028	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2308 wrote to memory of 2776	2308	rundll32.exe	rundll32.exe
PID 2308 wrote to memory of 2776	2308	rundll32.exe	rundll32.exe
PID 2308 wrote to memory of 2776	2308	rundll32.exe	rundll32.exe
PID 2776 wrote to memory of 1648	2776	rundll32.exe	cmd.exe
PID 2776 wrote to memory of 1648	2776	rundll32.exe	cmd.exe
PID 2776 wrote to memory of 1648	2776	rundll32.exe	cmd.exe
PID 2776 wrote to memory of 2028	2776	rundll32.exe	wermgr.exe
PID 2776 wrote to memory of 2028	2776	rundll32.exe	wermgr.exe
PID 2776 wrote to memory of 2028	2776	rundll32.exe	wermgr.exe
PID 2776 wrote to memory of 2028	2776	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8a8da5da9367ddf7401a3f6981fdf91e7f88069747a9f189fbf1f5d04c0a3f9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8a8da5da9367ddf7401a3f6981fdf91e7f88069747a9f189fbf1f5d04c0a3f9.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:1648

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-119-0x0000000000000000-mapping.dmp

Download
memory/2028-120-0x0000029DF1810000-0x0000029DF1838000-memory.dmp

Filesize
160KB

Download
memory/2028-121-0x0000029DF1920000-0x0000029DF1921000-memory.dmp

Filesize
4KB

Download
memory/2028-123-0x0000029DF1A50000-0x0000029DF1A52000-memory.dmp

Filesize
8KB

Download
memory/2028-122-0x0000029DF1A50000-0x0000029DF1A52000-memory.dmp

Filesize
8KB

Download
memory/2776-115-0x0000000000000000-mapping.dmp

Download
memory/2776-116-0x0000000004820000-0x000000000485B000-memory.dmp

Filesize
236KB

Download
memory/2776-117-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/2776-118-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing