trickbot | 38bda9baac921f012075d800e5a38f1f387c6c7b4956d1ce48296e759a73d09f

Analysis

max time kernel
91s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-07-2022 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trickbot.dll
Size

2.7MB
MD5

878c538a3acc666f96b74e987a3e579f
SHA1

abffed857f15d8a80e64aaf13667add9033c2aae
SHA256

38bda9baac921f012075d800e5a38f1f387c6c7b4956d1ce48296e759a73d09f
SHA512

3019872ba67859b3cd6df26367532df0ebfb40e502e33475794fe9624712b899c8ad292e3b2a3a2fa5823a3291756770c1334d3d1089f2b3e6acfc623d8bd5c7

Score

10^/10

trickbot rob109 banker suricata trojan

Malware Config

Extracted

Family

trickbot

Version

100018

Botnet

rob109

38.110.103.124:443

185.56.76.28:443

204.138.26.60:443

60.51.47.65:443

74.85.157.139:443

68.69.26.182:443

38.110.103.136:443

38.110.103.18:443

138.34.28.219:443

185.56.76.94:443

217.115.240.248:443

24.162.214.166:443

80.15.2.105:443

154.58.23.192:443

38.110.100.104:443

45.36.99.184:443

185.56.76.108:443

185.56.76.72:443

138.34.28.35:443

97.83.40.67:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata: ET MALWARE Win32/TrickBot CnC Initial Checkin M2
suricata
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 444 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	444	wermgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3896 wrote to memory of 4816	3896	rundll32.exe	rundll32.exe
PID 3896 wrote to memory of 4816	3896	rundll32.exe	rundll32.exe
PID 3896 wrote to memory of 4816	3896	rundll32.exe	rundll32.exe
PID 4816 wrote to memory of 3456	4816	rundll32.exe	cmd.exe
PID 4816 wrote to memory of 3456	4816	rundll32.exe	cmd.exe
PID 4816 wrote to memory of 3456	4816	rundll32.exe	cmd.exe
PID 4816 wrote to memory of 444	4816	rundll32.exe	wermgr.exe
PID 4816 wrote to memory of 444	4816	rundll32.exe	wermgr.exe
PID 4816 wrote to memory of 444	4816	rundll32.exe	wermgr.exe
PID 4816 wrote to memory of 444	4816	rundll32.exe	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\trickbot.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\trickbot.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
PID:3456

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/444-144-0x0000000000000000-mapping.dmp

Download
memory/444-145-0x000001C3E3BE0000-0x000001C3E3C08000-memory.dmp

Filesize
160KB

Download
memory/4816-130-0x0000000000000000-mapping.dmp

Download
memory/4816-131-0x0000000002EC0000-0x0000000002EFB000-memory.dmp

Filesize
236KB

Download
memory/4816-135-0x0000000003030000-0x0000000003069000-memory.dmp

Filesize
228KB

Download
memory/4816-138-0x0000000003070000-0x00000000030A7000-memory.dmp

Filesize
220KB

Download
memory/4816-141-0x0000000010000000-0x000000001015F000-memory.dmp

Filesize
1.4MB

Download
memory/4816-142-0x0000000002CB0000-0x0000000002D3D000-memory.dmp

Filesize
564KB

Download
memory/4816-143-0x00000000030B0000-0x00000000030F4000-memory.dmp

Filesize
272KB

Download
memory/4816-146-0x0000000002CB0000-0x0000000002D3D000-memory.dmp

Filesize
564KB

Download
memory/4816-147-0x00000000030B0000-0x00000000030F4000-memory.dmp

Filesize
272KB

Download
memory/4816-148-0x0000000010000000-0x000000001015F000-memory.dmp

Filesize
1.4MB

Download