General
-
Target
Document_Covid-19_7.xls
-
Size
85KB
-
Sample
200704-4zk76befys
-
MD5
58b62b641066a1ea49e34a2f711a1854
-
SHA1
4bf1830ed130fe97e50807b1a4ba4749c8fefe75
-
SHA256
810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5
-
SHA512
82b4f73fe39cedd829178c72774094746bf471ac6d3e740339733045851c8831525a506bf8682c4e0bdcf34a1fac09d263e700c08d14ee1ca0748025c4091cb2
Static task
static1
Behavioral task
behavioral1
Sample
Document_Covid-19_7.xls
Resource
win7v200430
Malware Config
Extracted
trickbot
1000512
chil58
95.171.16.42:443
185.90.61.9:443
5.1.81.68:443
185.99.2.65:443
134.119.191.11:443
85.204.116.100:443
78.108.216.47:443
51.81.112.144:443
194.5.250.121:443
185.14.31.104:443
185.99.2.66:443
107.175.72.141:443
192.3.247.123:443
134.119.191.21:443
85.204.116.216:443
91.235.129.20:443
181.129.104.139:449
181.112.157.42:449
181.129.134.18:449
131.161.253.190:449
121.100.19.18:449
190.136.178.52:449
45.6.16.68:449
110.232.76.39:449
122.50.6.122:449
103.12.161.194:449
36.91.45.10:449
110.93.15.98:449
80.210.32.67:449
103.111.83.246:449
200.107.35.154:449
36.89.182.225:449
36.89.243.241:449
36.92.19.205:449
110.50.84.5:449
182.253.113.67:449
36.66.218.117:449
-
autorunName:pwgrab
Targets
-
-
Target
Document_Covid-19_7.xls
-
Size
85KB
-
MD5
58b62b641066a1ea49e34a2f711a1854
-
SHA1
4bf1830ed130fe97e50807b1a4ba4749c8fefe75
-
SHA256
810a66989b16d6b8005d23e80750031849cdfdd5beded1534b7f2d44cd4352f5
-
SHA512
82b4f73fe39cedd829178c72774094746bf471ac6d3e740339733045851c8831525a506bf8682c4e0bdcf34a1fac09d263e700c08d14ee1ca0748025c4091cb2
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Templ.dll packer
Detects Templ.dll packer which usually loads Trickbot.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-