General
-
Target
Attachment_777622.xlsb
-
Size
81KB
-
Sample
210226-vxcgaz1ny6
-
MD5
3079d4778cfc7959eb2a7e54a57769a4
-
SHA1
13074fe13d6dd531e4f5293c3e15eaa8ed6208a4
-
SHA256
aed5f5bbec1f7f8ea9010f7388f76b801b443c5ce691d0c008b6058f290e51da
-
SHA512
09a6cb132c84a015b504ce7e10c700dd4b78a36b1d514b4d8f92dca444017aec883a71600776e41ec9924f786cb9aed0256beccc541ac665566fd99875272eb5
Behavioral task
behavioral1
Sample
Attachment_777622.xlsb
Resource
win7v20201028
Malware Config
Extracted
http://195.123.220.249/campo/t2/t2
Extracted
trickbot
100012
mon88
41.77.134.250:449
45.155.173.242:443
192.162.238.186:449
142.112.79.223:449
122.2.28.70:449
154.126.176.30:449
45.230.244.20:443
182.253.107.34:443
200.52.147.93:443
123.200.26.246:449
131.255.106.152:449
177.85.133.118:449
103.225.138.94:449
142.202.191.164:443
95.210.118.90:449
36.94.62.207:443
201.20.118.122:449
180.92.238.186:449
103.130.6.244:449
202.91.41.138:449
187.20.217.129:449
-
autorunName:pwgrab
Targets
-
-
Target
Attachment_777622.xlsb
-
Size
81KB
-
MD5
3079d4778cfc7959eb2a7e54a57769a4
-
SHA1
13074fe13d6dd531e4f5293c3e15eaa8ed6208a4
-
SHA256
aed5f5bbec1f7f8ea9010f7388f76b801b443c5ce691d0c008b6058f290e51da
-
SHA512
09a6cb132c84a015b504ce7e10c700dd4b78a36b1d514b4d8f92dca444017aec883a71600776e41ec9924f786cb9aed0256beccc541ac665566fd99875272eb5
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Templ.dll packer
Detects Templ.dll packer which usually loads Trickbot.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-