trickbot | 0e44419b25336c73250ca01f7dbbf59ccd2b4c2661b7052bca8be89f82b95c87

Analysis

max time kernel
140s
max time network
150s
platform
windows10_x64
resource
win10-en-20211208
submitted
23-12-2021 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e44419b25336c73250ca01f7dbbf59ccd2b4c2661b7052bca8be89f82b95c87.dll
Size

355KB
MD5

26cad7271c1e1c55f828bdac604d077b
SHA1

8bb409c7bd6e45761267a030c5fc332958177a15
SHA256

0e44419b25336c73250ca01f7dbbf59ccd2b4c2661b7052bca8be89f82b95c87
SHA512

aef5493e725e4c3cf719a23465ebc39aa5cb07d81df7ac2294f7f5eac5737557e547150e93b2afa15935781865b29817d1f73ef3a037c46e65b7a6e4a6aec7ae

Score

10^/10

trickbot rob144 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100021

Botnet

rob144

181.129.85.98:443

189.112.119.205:443

189.51.118.78:443

186.121.214.106:443

49.176.188.184:443

61.69.102.170:443

213.32.252.221:443

89.46.216.2:443

103.36.79.3:443

103.108.97.51:443

95.140.217.242:443

41.175.22.226:443

190.109.169.161:443

186.159.12.18:443

190.109.171.17:443

181.196.148.202:443

186.47.75.58:443

186.42.212.30:443

190.214.21.14:443

187.108.32.133:443

Attributes

autorun

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 api.ipify.org
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1776 wermgr.exe

flow	ioc
39	api.ipify.org

description	pid	process
Token: SeDebugPrivilege	1776	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3804 wrote to memory of 3100	3804	rundll32.exe	rundll32.exe
PID 3804 wrote to memory of 3100	3804	rundll32.exe	rundll32.exe
PID 3804 wrote to memory of 3100	3804	rundll32.exe	rundll32.exe
PID 3100 wrote to memory of 1680	3100	rundll32.exe	cmd.exe
PID 3100 wrote to memory of 1680	3100	rundll32.exe	cmd.exe
PID 3100 wrote to memory of 1680	3100	rundll32.exe	cmd.exe
PID 3100 wrote to memory of 1776	3100	rundll32.exe	wermgr.exe
PID 3100 wrote to memory of 1776	3100	rundll32.exe	wermgr.exe
PID 3100 wrote to memory of 1776	3100	rundll32.exe	wermgr.exe
PID 3100 wrote to memory of 1776	3100	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e44419b25336c73250ca01f7dbbf59ccd2b4c2661b7052bca8be89f82b95c87.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e44419b25336c73250ca01f7dbbf59ccd2b4c2661b7052bca8be89f82b95c87.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:1680

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1776-119-0x0000000000000000-mapping.dmp

Download
memory/1776-121-0x000001DF39950000-0x000001DF39951000-memory.dmp

Filesize
4KB

Download
memory/1776-120-0x000001DF39840000-0x000001DF39868000-memory.dmp

Filesize
160KB

Download
memory/1776-123-0x000001DF39980000-0x000001DF39982000-memory.dmp

Filesize
8KB

Download
memory/1776-122-0x000001DF39980000-0x000001DF39982000-memory.dmp

Filesize
8KB

Download
memory/3100-115-0x0000000000000000-mapping.dmp

Download
memory/3100-117-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/3100-116-0x0000000004650000-0x0000000004696000-memory.dmp

Filesize
280KB

Download
memory/3100-118-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download