trickbot | 1dcf9b25fd2c12818faf7c148b9604813af1ddc917e3317bebf687cab4506980

Analysis

max time kernel
145s
max time network
151s
platform
windows10_x64
resource
win10-en-20211208
submitted
04-01-2022 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dcf9b25fd2c12818faf7c148b9604813af1ddc917e3317bebf687cab4506980.dll
Size

1.7MB
MD5

28fcb220c9f61a32c401a2ee384d5948
SHA1

8da914c7f65c31faf4516097f6a3985899539c5e
SHA256

1dcf9b25fd2c12818faf7c148b9604813af1ddc917e3317bebf687cab4506980
SHA512

45ddcb264d24cc45a3d1b3c4aa754e54f2908c9a8b9d088221a51fceaffcf5edabd6db5e465b770e2b35a3eda265964a1710eb856efe572d623fa173b21000cf

Score

10^/10

trickbot rob141 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

rob141

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1868 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	1868	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2468 wrote to memory of 2596	2468	rundll32.exe	rundll32.exe
PID 2468 wrote to memory of 2596	2468	rundll32.exe	rundll32.exe
PID 2468 wrote to memory of 2596	2468	rundll32.exe	rundll32.exe
PID 2596 wrote to memory of 3016	2596	rundll32.exe	cmd.exe
PID 2596 wrote to memory of 3016	2596	rundll32.exe	cmd.exe
PID 2596 wrote to memory of 3016	2596	rundll32.exe	cmd.exe
PID 2596 wrote to memory of 1868	2596	rundll32.exe	wermgr.exe
PID 2596 wrote to memory of 1868	2596	rundll32.exe	wermgr.exe
PID 2596 wrote to memory of 1868	2596	rundll32.exe	wermgr.exe
PID 2596 wrote to memory of 1868	2596	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dcf9b25fd2c12818faf7c148b9604813af1ddc917e3317bebf687cab4506980.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dcf9b25fd2c12818faf7c148b9604813af1ddc917e3317bebf687cab4506980.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:3016

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-120-0x0000000000000000-mapping.dmp

Download
memory/1868-122-0x000002107CB10000-0x000002107CB11000-memory.dmp

Filesize
4KB

Download
memory/1868-121-0x000002107CA00000-0x000002107CA28000-memory.dmp

Filesize
160KB

Download
memory/1868-124-0x000002107CC40000-0x000002107CC42000-memory.dmp

Filesize
8KB

Download
memory/1868-123-0x000002107CC40000-0x000002107CC42000-memory.dmp

Filesize
8KB

Download
memory/2596-115-0x0000000000000000-mapping.dmp

Download
memory/2596-117-0x0000000002FA0000-0x0000000002FE5000-memory.dmp

Filesize
276KB

Download
memory/2596-116-0x0000000004600000-0x0000000004868000-memory.dmp

Filesize
2.4MB

Download
memory/2596-118-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2596-119-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download