Overview

overview

10

Static

static

8a84323eb2...7e.dll

windows7-x64

10

8a84323eb2...7e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2023 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a84323eb28738acc7a3f00cddac5a4c2620b903cc276d054ec93e20ba65f17e.dll

  • Size

    341KB

  • MD5

    3fc659307c771e566dbc83bddf956d08

  • SHA1

    b83c1fecf23b75a9d97a58c2b526d105e31b72d2

  • SHA256

    8a84323eb28738acc7a3f00cddac5a4c2620b903cc276d054ec93e20ba65f17e

  • SHA512

    5f1d07f91b176145ec206c7e831702c2d07ccb3dc6df92d657f7027b67a6e35391f8ae0410742ce9fdfd1f03252caf2803b37abf9d84a5034296476ebd6bad7a

  • SSDEEP

    6144:/D4xA1AsitoTemJ5HMihpmtXNkTAzYjS8yfaJO22Yv888vX7QGkWGfx:/Dv1ANuCmJ5HRpmgcYO8yfaJdD

Score
10/10
trickbotmon73bankerpackertrojan

Malware Config

Extracted

Family

trickbot

Version

100011

Botnet

mon73

C2

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Templ.dll packer 1 IoCs

    Detects Templ.dll packer which usually loads Trickbot.

    packer
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a84323eb28738acc7a3f00cddac5a4c2620b903cc276d054ec93e20ba65f17e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a84323eb28738acc7a3f00cddac5a4c2620b903cc276d054ec93e20ba65f17e.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
          PID:1264
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1448

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1448-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1448-59-0x0000000000100000-0x0000000000127000-memory.dmp
      Filesize

      156KB

      Download
    • memory/1448-61-0x0000000000100000-0x0000000000127000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2028-54-0x0000000000000000-mapping.dmp
      Download
    • memory/2028-55-0x0000000075811000-0x0000000075813000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2028-56-0x00000000001C0000-0x00000000001F7000-memory.dmp
      Filesize

      220KB

      Download
    • memory/2028-57-0x0000000000200000-0x0000000000241000-memory.dmp
      Filesize

      260KB

      Download
    • memory/2028-60-0x0000000000200000-0x0000000000241000-memory.dmp
      Filesize

      260KB

      Download