General
- Target: 3d26dc52c523f01c6f03680e9b476bc03ff093d1c273ff134e8ae43d505ad9c9
- Size: 368KB
- Sample: 201115-988yy9n1dn
- MD5: 1d2542d9aebf664ac77f2b6e09219303
- SHA1: 1c89ae0e5dfb5eac8d06c4feabfaf714e6877b72
- SHA256: 3d26dc52c523f01c6f03680e9b476bc03ff093d1c273ff134e8ae43d505ad9c9
- SHA512: 0a8dd1f27abc9993d4d338a0305d219641d2d0204c4c40ef36cd1a2da34c4ec5c271f929dd9dab0475a004d28e5e26c7689efd5265cf570d4c387f55f4766bd1
Static task
- static1
Behavioral task
- behavioral1
- Sample: 3d26dc52c523f01c6f03680e9b476bc03ff093d1c273ff134e8ae43d505ad9c9.exe
- Resource: win7v20201028
Malware Config
Extracted
trickbot
1000213
mon1
autorun
- Control:GetSystemInfo
- Name:systeminfo
- Name:injectDll
Targets
- Trickbot x86 loader: Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Stops running service(s)
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext