trickbot | be974e1ac0c80224c35d49976e80b21dcbda291e6fc282b5aa26af01488e7fd7

Analysis

max time kernel
131s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44669e0ff064dfc9e724391003dcde87_JaffaCakes118.dll
Size

353KB
MD5

44669e0ff064dfc9e724391003dcde87
SHA1

2a85323d7a18f375490b4316743792356917336c
SHA256

be974e1ac0c80224c35d49976e80b21dcbda291e6fc282b5aa26af01488e7fd7
SHA512

e67ae6c07e207928c45bac1bc05f42bf151ac19e0c3e3b73a0a9473549124a1dc8fd81f6ffc42001adc1579fc0250a24484374c721b0c47882938df21b992b7f
SSDEEP

6144:WFKu/DzWD+JOAQBHMa2Bgrc0P9eydIC5sCwllcQL727K7wbkQFV:WIckjAQGTCNP9vICCC2L729xV

Score

10^/10

trickbot mon55 banker packer trojan

Malware Config

Extracted

Family

trickbot

Version

100011

Botnet

mon55

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 1 IoCs

Detects Templ.dll packer which usually loads Trickbot.

packer

resource	yara_rule
behavioral2/memory/3728-0-0x0000000000A40000-0x0000000000A77000-memory.dmp	templ_dll

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	wermgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 3728	2376	rundll32.exe	83
PID 2376 wrote to memory of 3728	2376	rundll32.exe	83
PID 2376 wrote to memory of 3728	2376	rundll32.exe	83
PID 3728 wrote to memory of 2712	3728	rundll32.exe	87
PID 3728 wrote to memory of 2712	3728	rundll32.exe	87
PID 3728 wrote to memory of 1992	3728	rundll32.exe	88
PID 3728 wrote to memory of 1992	3728	rundll32.exe	88
PID 3728 wrote to memory of 1992	3728	rundll32.exe	88
PID 3728 wrote to memory of 1992	3728	rundll32.exe	88

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\44669e0ff064dfc9e724391003dcde87_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\44669e0ff064dfc9e724391003dcde87_JaffaCakes118.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    PID:2712
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-3-0x00000176D8460000-0x00000176D8461000-memory.dmp

Filesize
4KB

Download
memory/1992-6-0x00000176D8200000-0x00000176D8227000-memory.dmp

Filesize
156KB

Download
memory/1992-8-0x00000176D8200000-0x00000176D8227000-memory.dmp

Filesize
156KB

Download
memory/3728-0-0x0000000000A40000-0x0000000000A77000-memory.dmp

Filesize
220KB

Download
memory/3728-1-0x0000000000AD0000-0x0000000000B11000-memory.dmp

Filesize
260KB

Download
memory/3728-2-0x0000000000AD0000-0x0000000000B11000-memory.dmp

Filesize
260KB

Download
memory/3728-4-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3728-5-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/3728-7-0x0000000000AD0000-0x0000000000B11000-memory.dmp

Filesize
260KB

Download