General
Target: Attachment_65307.xlsb
Size: 106KB
Sample: 210212-kvmnnj48me
MD5: 3827cfd0b93d8d87c434a774782e434a
SHA1: 1aff5b6db02cb808b41216e4bc4aeed1ef63b4d5
SHA256: 4513c7bf3eba413e076d4e091bd3d88284644f2f051b9ebfdd537f982ddd6e61
SHA512: 6e7bee5ba20655dcfd561db2c18409c7b72d8b84526efcff36a116565441922a880bfda071f24127cac43289c9ece12a98ff23d31ef91912e50c6d148f9e792b
Behavioral task
behavioral1
Sample: Attachment_65307.xlsb
Resource: win7v20201028
Malware Config
Extracted
URL: http://85.90.247.25/campo/o/o
Extracted
Family: trickbot
Version: 100011
Botnet: mon48
C2:
194.5.249.156:443
142.202.191.164:443
193.8.194.96:443
45.155.173.242:443
108.170.20.75:443
185.163.45.138:443
94.140.114.136:443
134.119.186.202:443
200.52.147.93:443
45.230.244.20:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
Attributes:
autorunName: pwgrab
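As an added example (not part of the sandbox report, and not code from the sandbox vendor), the script below turns the two extracted network indicators above, the download URL and the TrickBot C2 list, into a check that runs over firewall log lines. The log line format ("timestamp src -> dst:port action") and the sample lines with 10.0.0.x sources are constructed assumptions; the IPs, ports and URL are copied from the report. A listed C2 address contacted on a port other than the configured one is still reported, at lower confidence, rather than silently dropped.

```python
"""Match the network IOCs from the report above against firewall log lines.

Constructed example; the log format and sample lines are assumptions, not data
from the sandbox run. The URL and C2 list are copied from the Malware Config.
"""
import ipaddress
import re
from urllib.parse import urlparse

DOWNLOAD_URL = "http://85.90.247.25/campo/o/o"
TRICKBOT_C2 = """
194.5.249.156:443
142.202.191.164:443
193.8.194.96:443
45.155.173.242:443
108.170.20.75:443
185.163.45.138:443
94.140.114.136:443
134.119.186.202:443
200.52.147.93:443
45.230.244.20:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
"""


def parse_c2_list(text):
    """Turn 'ip:port' lines into {ip: port}; blank lines are skipped, bad IPs raise."""
    c2 = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        c2[str(ipaddress.ip_address(host))] = int(port)
    return c2


# Assumed log line shape: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)

# Constructed sample lines (hypothetical 10.0.0.x hosts, not from the report).
SAMPLE_LOGS = [
    "2021-02-12T10:01:03Z 10.0.0.15 -> 85.90.247.25:80 allow",
    "2021-02-12T10:01:09Z 10.0.0.15 -> 194.5.249.156:443 allow",
    "2021-02-12T10:02:00Z 10.0.0.22 -> 142.202.191.164:8080 deny",
    "2021-02-12T10:02:30Z 10.0.0.22 -> 93.184.216.34:443 allow",
    "garbage line that does not parse",
]


def match_iocs(log_lines, c2_text=TRICKBOT_C2, download_url=DOWNLOAD_URL):
    """Return one dict per matching line. Port-exact C2 matches are 'high';
    a listed C2 IP seen on another port is still reported, as 'medium'."""
    c2 = parse_c2_list(c2_text)
    dl = urlparse(download_url)
    dl_port = dl.port or (443 if dl.scheme == "https" else 80)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as clean
        dst, port = m["dst"], int(m["port"])
        if dst == dl.hostname and port == dl_port:
            label, conf = "stage-1 download host", "high"
        elif dst in c2:
            label = "trickbot C2 (mon48)"
            conf = "high" if c2[dst] == port else "medium"
        else:
            continue
        # Denied connections are kept: a blocked beacon still marks an infected host.
        hits.append({"ts": m["ts"], "src": m["src"], "dst": dst, "port": port,
                     "action": m["action"], "ioc": label, "confidence": conf})
    return hits


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(hit)
```

Feeding real logs means replacing LOG_RE with the field layout of the firewall or proxy in use; the rest of the logic, including reporting denied connections and off-port contact with a listed C2, carries over unchanged.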
Targets
Target: Attachment_65307.xlsb
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.

Templ.dll packer
Detects the Templ.dll packer, which usually loads Trickbot.

Loads dropped DLL

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.
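The "Process spawned unexpected child process" signature above is a parent/child check: an Office application that launches anything beyond its usual helpers is treated as compromised by a macro or exploit. As an added example (not the sandbox's own detection code), the script below implements that check over process-creation records in a Sysmon-like shape. The event records are constructed and hypothetical; the report does not say which child process this sample spawned, so the children below are illustrative only. The allowlist and LOLBin set are assumptions to be tuned per environment.

```python
"""Flag child processes of Office applications that are not on an expected list.

Constructed example of the check behind the 'Process spawned unexpected child
process' signature. The event records below are assumptions in a Sysmon-like
shape, not the process tree from this sandbox run.
"""
from pathlib import PureWindowsPath

# Office hosts whose children deserve scrutiny.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children commonly seen from Office in normal use (assumed allowlist; tune per environment).
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}
# Living-off-the-land binaries that make an unexpected child especially suspicious.
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "regsvr32.exe", "rundll32.exe", "certutil.exe"}


def _basename(path):
    """Lower-cased file name from a Windows path ('C:\\...\\EXCEL.EXE' -> 'excel.exe')."""
    return PureWindowsPath(path).name.lower()


def flag_unexpected_children(events):
    """events: iterable of dicts with 'ParentImage', 'Image' and optional 'CommandLine'.
    Returns (severity, parent, child, command_line) for every Office parent that
    spawns something outside EXPECTED_CHILDREN; LOLBin children rank 'high'."""
    findings = []
    for ev in events:
        parent = _basename(ev["ParentImage"])
        child = _basename(ev["Image"])
        if parent not in OFFICE_PARENTS or child in EXPECTED_CHILDREN:
            continue
        severity = "high" if child in LOLBINS else "medium"
        findings.append((severity, parent, child, ev.get("CommandLine", "")))
    return findings


# Constructed events (hypothetical; not the child processes this sample created).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r'"EXCEL.EXE" Attachment_65307.xlsb'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Users\Public\example.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Users\Public\updater.exe",
     "CommandLine": r"C:\Users\Public\updater.exe"},
]

if __name__ == "__main__":
    for finding in flag_unexpected_children(SAMPLE_EVENTS):
        print(finding)
```

Matching on the lower-cased base name keeps the rule stable across Office install paths and mixed-case image names; the allowlist stays deliberately short, because every benign exception added to it is also a child an attacker could choose.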