trickbot | 99749854426c3791075451b6deb156a119170c1ef91f8eef5e6b381be0b8b1d0

General

Target

99749854426c3791075451b6deb156a119170c1ef91f8eef5e6b381be0b8b1d0.dll
Size

337KB
MD5

99c343996f05b92b36dab44428d1532d
SHA1

a9cda06504fd6389b408a46b700dfd9f9c4eefcd
SHA256

99749854426c3791075451b6deb156a119170c1ef91f8eef5e6b381be0b8b1d0
SHA512

acbc7706b6c8f957765c2ef73771ff8c985f6a7a3085f3003abda1c08515d159617078a7926e5ae09021edafb4b60ff5253f9e9828ea5829bb0c915911b9a476

Score

10^/10

trickbot rob144 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100021

Botnet

rob144

C2

181.129.85.98:443

189.112.119.205:443

189.51.118.78:443

186.121.214.106:443

49.176.188.184:443

61.69.102.170:443

213.32.252.221:443

89.46.216.2:443

103.36.79.3:443

103.108.97.51:443

95.140.217.242:443

41.175.22.226:443

190.109.169.161:443

186.159.12.18:443

190.109.171.17:443

181.196.148.202:443

186.47.75.58:443

186.42.212.30:443

190.214.21.14:443

187.108.32.133:443

Attributes

autorun

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 wtfismyip.com
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1804 wermgr.exe

flow	ioc
31	wtfismyip.com

description	pid	process
Token: SeDebugPrivilege	1804	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2580 wrote to memory of 3048	2580	rundll32.exe	rundll32.exe
PID 2580 wrote to memory of 3048	2580	rundll32.exe	rundll32.exe
PID 2580 wrote to memory of 3048	2580	rundll32.exe	rundll32.exe
PID 3048 wrote to memory of 3828	3048	rundll32.exe	cmd.exe
PID 3048 wrote to memory of 3828	3048	rundll32.exe	cmd.exe
PID 3048 wrote to memory of 3828	3048	rundll32.exe	cmd.exe
PID 3048 wrote to memory of 1804	3048	rundll32.exe	wermgr.exe
PID 3048 wrote to memory of 1804	3048	rundll32.exe	wermgr.exe
PID 3048 wrote to memory of 1804	3048	rundll32.exe	wermgr.exe
PID 3048 wrote to memory of 1804	3048	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\99749854426c3791075451b6deb156a119170c1ef91f8eef5e6b381be0b8b1d0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\99749854426c3791075451b6deb156a119170c1ef91f8eef5e6b381be0b8b1d0.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:3828

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1804-122-0x0000000000000000-mapping.dmp

Download
memory/1804-123-0x000002A19AD80000-0x000002A19ADA8000-memory.dmp

Filesize
160KB

Download
memory/1804-124-0x000002A19AE90000-0x000002A19AE91000-memory.dmp

Filesize
4KB

Download
memory/1804-126-0x000002A19AEC0000-0x000002A19AEC2000-memory.dmp

Filesize
8KB

Download
memory/1804-125-0x000002A19AEC0000-0x000002A19AEC2000-memory.dmp

Filesize
8KB

Download
memory/3048-118-0x0000000000000000-mapping.dmp

Download
memory/3048-119-0x0000000004040000-0x0000000004081000-memory.dmp

Filesize
260KB

Download
memory/3048-120-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/3048-121-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing