General
- Target: Attachment_65778.xlsb.zip
- Size: 93KB
- Sample: 210211-f8g819feqe
- MD5: 0e6c053916cb00d2f390130bab5288a4
- SHA1: 08bb407e02afc8d59b87f47924db185c27a60f9e
- SHA256: 9d4d65f70a7a47142c6cacdee4deb4e48b543cd193bb169349a8d53509ca4b99
- SHA512: aa4b95b5bd9ba1e652a22196982bd7da4fa6a1268b93e118e445fddf7e7b1fe52818ce96b031c456bc7d1ed18edc85584cb115e015eccc5c0c8c95f9c179a5a4
Behavioral task
- Task: behavioral1
- Sample: Attachment_65778.xlsb
- Resource: win7v20201028
Malware Config
Extracted:
- http://85.90.247.25/campo/o/o
Extracted:
- trickbot
- 100011
- mon48
- 194.5.249.156:443
- 142.202.191.164:443
- 193.8.194.96:443
- 45.155.173.242:443
- 108.170.20.75:443
- 185.163.45.138:443
- 94.140.114.136:443
- 134.119.186.202:443
- 200.52.147.93:443
- 45.230.244.20:443
- 186.250.157.116:443
- 186.137.85.76:443
- 36.94.62.207:443
- 182.253.107.34:443
- autorunName: pwgrab
Targets
- Target: Attachment_65778.xlsb
- Size: 106KB
- MD5: acb967e1800b869e2752cc40a4ec59a5
- SHA1: 3a85bc98fb07511fec699c07631791ef46ac3253
- SHA256: 2a0715701189d587df4f40632957f0bbd12cc1e5847b6c8d017254d6ddce6ef1
- SHA512: 5120079589e1add80eff0db2ecd60f5240578f9f6c738bca742d64dbd141d90f362989cbf0018818f5702fcac0c7c67c28f7bc1477ae2cbffa79bc78cb6927b7
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Templ.dll packer
  Detects Templ.dll packer, which usually loads Trickbot.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.