trickbot | 3d365a73eaa676b9ea64a5e3f2eb0130ab09ff35087f626f45ae8233aebf4c24

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2025, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d365a73eaa676b9ea64a5e3f2eb0130ab09ff35087f626f45ae8233aebf4c24.dll
Size

202KB
MD5

f78e6aef4f74925687de393667395496
SHA1

239f35629a9b9aba485516c5794c77cfdce91905
SHA256

3d365a73eaa676b9ea64a5e3f2eb0130ab09ff35087f626f45ae8233aebf4c24
SHA512

dfc0c60915ab685cd29fecfadd6144dd8dfb7ce859d264245ea5f6738c885e79bc3d2f74e90dac2541c3332a878530eca0474a8291181c9fa93e3ba89118aa14
SSDEEP

3072:KYKsu1WnjLYkFCLtMINbdsMa1AEPM6Us5vd+3XvhNA1xpCBongHx2M/SC7ZKPx:ndu1ICLtMSC12OdK/kppngRiC7ZKJ

Score

10^/10

trickbot mon36 banker discovery trojan

Malware Config

Extracted

Family

trickbot

Version

100010

Botnet

mon36

5.34.180.180:443

64.74.160.228:443

198.46.198.116:443

5.34.180.185:443

107.152.46.188:443

195.123.241.214:443

23.254.224.2:443

107.172.188.113:443

200.52.147.93:443

185.198.59.45:443

45.14.226.101:443

185.82.126.38:443

85.204.116.139:443

45.155.173.248:443

103.91.244.50:443

45.230.244.20:443

45.226.124.226:443

187.84.95.6:443

186.250.157.116:443

186.137.85.76:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Trickbot family
trickbot

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	wermgr.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3316	2440	regsvr32.exe	85
PID 2440 wrote to memory of 3316	2440	regsvr32.exe	85
PID 2440 wrote to memory of 3316	2440	regsvr32.exe	85
PID 3316 wrote to memory of 952	3316	regsvr32.exe	86
PID 3316 wrote to memory of 952	3316	regsvr32.exe	86
PID 3316 wrote to memory of 952	3316	regsvr32.exe	86
PID 3316 wrote to memory of 952	3316	regsvr32.exe	86

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3d365a73eaa676b9ea64a5e3f2eb0130ab09ff35087f626f45ae8233aebf4c24.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\3d365a73eaa676b9ea64a5e3f2eb0130ab09ff35087f626f45ae8233aebf4c24.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-4-0x00000202B28C0000-0x00000202B28C1000-memory.dmp

Filesize
4KB

Download
memory/952-5-0x00000202B2720000-0x00000202B2747000-memory.dmp

Filesize
156KB

Download
memory/3316-0-0x00000000012E0000-0x0000000001321000-memory.dmp

Filesize
260KB

Download
memory/3316-1-0x00000000012E0000-0x0000000001321000-memory.dmp

Filesize
260KB

Download
memory/3316-2-0x00000000013E0000-0x00000000013E1000-memory.dmp

Filesize
4KB

Download
memory/3316-3-0x00000000013C0000-0x00000000013C3000-memory.dmp

Filesize
12KB

Download
memory/3316-6-0x00000000012E0000-0x0000000001321000-memory.dmp

Filesize
260KB

Download