trickbot | 27f67d1ce31e67a2644330aa6a3cd0e77cfd84d023cc1adf1736e286852f9209

Analysis

max time kernel
4294178s
max time network
127s
platform
windows7_x64
resource
win7-20220311-en
submitted
19-03-2022 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27f67d1ce31e67a2644330aa6a3cd0e77cfd84d023cc1adf1736e286852f9209.dll
Size

288KB
MD5

f86428e98f43cfa14465cc362b0cfae5
SHA1

854d5df73c6741de4d204251c7831a2f147c76d0
SHA256

27f67d1ce31e67a2644330aa6a3cd0e77cfd84d023cc1adf1736e286852f9209
SHA512

9368008d4f0e267f0a01902a8debd08ed9a6754320a569c65336abc0b8a71e3cb79fc324298417e83e9907cd061fe0d8d6a58d8abd838cf41c2e216d918ef7fe

Score

10^/10

trickbot rob28 banker packer trojan

Malware Config

Extracted

Family

trickbot

Version

100007

Botnet

rob28

41.243.29.182:449

196.45.140.146:449

103.87.25.220:443

103.98.129.222:449

103.87.25.220:449

103.65.196.44:449

103.65.195.95:449

103.61.101.11:449

103.61.100.131:449

103.150.68.124:449

103.137.81.206:449

103.126.185.7:449

103.112.145.58:449

103.110.53.174:449

102.164.208.48:449

102.164.208.44:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 3 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

Processes:

resource	yara_rule
behavioral1/memory/520-56-0x00000000001F0000-0x000000000022A000-memory.dmp	templ_dll
behavioral1/memory/520-60-0x0000000000230000-0x0000000000268000-memory.dmp	templ_dll
behavioral1/memory/520-63-0x0000000000130000-0x00000000001B0000-memory.dmp	templ_dll

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1680 wrote to memory of 520	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 520	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 520	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 520	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 520	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 520	1680	regsvr32.exe	regsvr32.exe
PID 1680 wrote to memory of 520	1680	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\27f67d1ce31e67a2644330aa6a3cd0e77cfd84d023cc1adf1736e286852f9209.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\27f67d1ce31e67a2644330aa6a3cd0e77cfd84d023cc1adf1736e286852f9209.dll
2⤵
PID:520

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-55-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/520-56-0x00000000001F0000-0x000000000022A000-memory.dmp

Filesize
232KB

Download
memory/520-60-0x0000000000230000-0x0000000000268000-memory.dmp

Filesize
224KB

Download
memory/520-63-0x0000000000130000-0x00000000001B0000-memory.dmp

Filesize
512KB

Download
memory/520-64-0x0000000002040000-0x000000000219C000-memory.dmp

Filesize
1.4MB

Download
memory/520-66-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/1680-54-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmp

Filesize
8KB

Download