General
-
Target
f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
-
Size
532KB
-
Sample
210123-4xx12ayy3j
-
MD5
2f9fc8e87e0484a96e7af9757228a789
-
SHA1
11f4eea8b8cfaa57bebcf1e42f7a29a592b5a836
-
SHA256
f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
-
SHA512
34fc29c79d6cebc107a9f72440a6ff0a57c028c7a118826b60472acf943a9c43e5979761b279af48086583bd98801f638a9c32a44dbe167d04d575a578b56a9c
Static task
static1
Behavioral task
behavioral1
Sample
f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff.exe
Resource
win7v20201028
Malware Config
Extracted
trickbot
2000020
tot26
-
autorunName:pwgrab
Targets
-
Target
f81617e10bb9c4a722ea82e2ee39b5f53c6a1e31fa686fd6f0da7000efb303ff
-
Contacts Bazar domain
Uses Emercoin blockchain domains associated with Bazar backdoor/loader.
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-