General
-
Target
Attachment_77988.xlsb
-
Size
156KB
-
Sample
210304-rvbd77nwva
-
MD5
6022aea669bdd233a0d0d66fac85b138
-
SHA1
f635d3c887f30993e38bef08111805574043f22e
-
SHA256
ab72f4a340ae25c16cba14691708e873f5c84a5b606ee4f54717475292f6bb89
-
SHA512
d87de5be72e14c00afb41c53a7b685f2ca129edaa51c7aff34273730d8a7b60fc73ba5c2caf20eedc061f5087517d1e79a8a06944a8372b9224a32ed23fb6db6
Behavioral task
behavioral1
Sample
Attachment_77988.xlsb
Resource
win7v20201028
Malware Config
Extracted
http://195.123.219.72/haurf/n2/n2
Extracted
trickbot
100013
mon103
103.225.138.94:449
122.2.28.70:449
123.200.26.246:449
131.255.106.152:449
142.112.79.223:449
154.126.176.30:449
180.92.238.186:449
187.20.217.129:449
201.20.118.122:449
202.91.41.138:449
95.210.118.90:449
-
autorunName:pwgrab
Targets
-
-
Target
Attachment_77988.xlsb
-
Size
156KB
-
MD5
6022aea669bdd233a0d0d66fac85b138
-
SHA1
f635d3c887f30993e38bef08111805574043f22e
-
SHA256
ab72f4a340ae25c16cba14691708e873f5c84a5b606ee4f54717475292f6bb89
-
SHA512
d87de5be72e14c00afb41c53a7b685f2ca129edaa51c7aff34273730d8a7b60fc73ba5c2caf20eedc061f5087517d1e79a8a06944a8372b9224a32ed23fb6db6
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Templ.dll packer
Detects Templ.dll packer which usually loads Trickbot.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-