trickbot | 90a56e66e5958510448cb519bc56d547682e3e8a78d87637652afe4cc567777e

Analysis

max time kernel
123s
max time network
131s
platform
windows10_x64
resource
win10-en-20211208
submitted
23-12-2021 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90a56e66e5958510448cb519bc56d547682e3e8a78d87637652afe4cc567777e.dll
Size

306KB
MD5

bab4f6e9a2c95dd98fb491435bd649ad
SHA1

20111c57175640ca5d4525b85a3de03580860971
SHA256

90a56e66e5958510448cb519bc56d547682e3e8a78d87637652afe4cc567777e
SHA512

4386c90fa5adbe81a9310ea7b6c6711ac47556939dde8e6362e5c138c202e2afc77b133472622d3725a03782fdc45dd78defc264e010872e8f7d9eaee7c7b7de

Score

10^/10

trickbot rob144 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100021

Botnet

rob144

181.129.85.98:443

189.112.119.205:443

189.51.118.78:443

186.121.214.106:443

49.176.188.184:443

61.69.102.170:443

213.32.252.221:443

89.46.216.2:443

103.36.79.3:443

103.108.97.51:443

95.140.217.242:443

41.175.22.226:443

190.109.169.161:443

186.159.12.18:443

190.109.171.17:443

181.196.148.202:443

186.47.75.58:443

186.42.212.30:443

190.214.21.14:443

187.108.32.133:443

Attributes

autorun

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 928 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	928	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2384 wrote to memory of 3004	2384	rundll32.exe	rundll32.exe
PID 2384 wrote to memory of 3004	2384	rundll32.exe	rundll32.exe
PID 2384 wrote to memory of 3004	2384	rundll32.exe	rundll32.exe
PID 3004 wrote to memory of 1336	3004	rundll32.exe	cmd.exe
PID 3004 wrote to memory of 1336	3004	rundll32.exe	cmd.exe
PID 3004 wrote to memory of 1336	3004	rundll32.exe	cmd.exe
PID 3004 wrote to memory of 928	3004	rundll32.exe	wermgr.exe
PID 3004 wrote to memory of 928	3004	rundll32.exe	wermgr.exe
PID 3004 wrote to memory of 928	3004	rundll32.exe	wermgr.exe
PID 3004 wrote to memory of 928	3004	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90a56e66e5958510448cb519bc56d547682e3e8a78d87637652afe4cc567777e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\90a56e66e5958510448cb519bc56d547682e3e8a78d87637652afe4cc567777e.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:1336

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/928-119-0x0000000000000000-mapping.dmp

Download
memory/928-120-0x0000024079D80000-0x0000024079DA8000-memory.dmp

Filesize
160KB

Download
memory/928-121-0x0000024079E90000-0x0000024079E91000-memory.dmp

Filesize
4KB

Download
memory/928-123-0x0000024079EC0000-0x0000024079EC2000-memory.dmp

Filesize
8KB

Download
memory/928-122-0x0000024079EC0000-0x0000024079EC2000-memory.dmp

Filesize
8KB

Download
memory/3004-115-0x0000000000000000-mapping.dmp

Download
memory/3004-116-0x0000000000840000-0x0000000000879000-memory.dmp

Filesize
228KB

Download
memory/3004-117-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3004-118-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download