Overview

overview

10

Static

static

e23eb97093...a3.dll

windows7-x64

10

e23eb97093...a3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2023 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e23eb97093080ea94f494631b59d0e9baa860bbacb5f7b970b20339186ebdea3.dll

  • Size

    347KB

  • MD5

    f29c32025fee487c7bbbf3e23ad04ead

  • SHA1

    90ae88e6edd4159d4be6edfcb25ec42af6b98523

  • SHA256

    e23eb97093080ea94f494631b59d0e9baa860bbacb5f7b970b20339186ebdea3

  • SHA512

    7f63fbbe608f2db73e98d0389b296f125f11c23375f0fdc023dc399e36fec396680769f4f7344fd05a52282934e493b9ae61b69b2c6b6fb9e86558ece76c5153

  • SSDEEP

    6144:nehCU2WtxIp8CblMs7pwg1ham082O8p9p+fDxV3GPAyt4ZbwK7GeI:naCU2QE8CblMs7px4m039p+LOAA4uKCv

Score
10/10
trickbotmon68bankerpackertrojan

Malware Config

Extracted

Family

trickbot

Version

100011

Botnet

mon68

C2

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Templ.dll packer 1 IoCs

    Detects Templ.dll packer which usually loads Trickbot.

    packer
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e23eb97093080ea94f494631b59d0e9baa860bbacb5f7b970b20339186ebdea3.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e23eb97093080ea94f494631b59d0e9baa860bbacb5f7b970b20339186ebdea3.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
          PID:1396
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1864

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1652-54-0x0000000000000000-mapping.dmp
      Download
    • memory/1652-55-0x0000000075661000-0x0000000075663000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1652-56-0x00000000001F0000-0x0000000000227000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1652-57-0x0000000000270000-0x00000000002B1000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1652-60-0x0000000000270000-0x00000000002B1000-memory.dmp
      Filesize

      260KB

      Download
    • memory/1864-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1864-59-0x0000000000060000-0x0000000000087000-memory.dmp
      Filesize

      156KB

      Download
    • memory/1864-61-0x0000000000060000-0x0000000000087000-memory.dmp
      Filesize

      156KB

      Download