General
- Target: 5dce80b40ae1c26c9e114381a04927a2.exe
- Size: 472KB
- Sample: 210301-x74hs1t4jn
- MD5: 5dce80b40ae1c26c9e114381a04927a2
- SHA1: 241c222dab498493327c5ec2806f39d3280e127c
- SHA256: cbe01313f457dfc188193a50d3e4c13d159b28cecc7f88b195dac6dafa04f0ad
- SHA512: 00dcee8922fc24ad3d2822f773b6f7b96e041281e8a57740737229b080ed07e62e2c0426a26c144ca37fe2fb51dee80d5210d51af7b23a5689b1c20c162d3749
Static task: static1
Behavioral task: behavioral1
- Sample: 5dce80b40ae1c26c9e114381a04927a2.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 5dce80b40ae1c26c9e114381a04927a2.exe
- Resource: win10v20201028
Malware Config
Extracted: raccoon
- a3a85b69314053c3bb015532d1a960a3d08baeb8
- url4cnc: https://telete.in/baudemars
Extracted: trickbot
- 2000026
- tot50
- autorunName: pwgrab
Targets
- Target: 5dce80b40ae1c26c9e114381a04927a2.exe
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of local email clients: email clients store some user data on disk, which infostealers often target.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory