General
-
Target
Invoice 717.xlsb
-
Size
97KB
-
Sample
210513-pphlssvah2
-
MD5
aae44c3735592848cee672f1b4806026
-
SHA1
52cd5e0535d6562193a84005cf0f20ed1da7f54e
-
SHA256
587ab4f5569b3d5064b93f4d8e12ff8ab7399a03a0c3304c8865db2b187b2272
-
SHA512
7f9d3aa31499086fd52c9f351d2f216f061268e2ca4dd9a4722bce8245cebc8122018a7ec221fb4e10400e04c32a6e6731e0c4e9e620a742aa6d2ce44a431e7a
Behavioral task
behavioral1
Sample
Invoice 717.xlsb
Resource
win7v20210410
Malware Config
Extracted
https://mastercarebath.com/wp-netmon.dll
Extracted
trickbot
2000029
net16
103.66.72.217:443
117.252.68.211:443
103.124.173.35:443
115.73.211.230:443
117.54.250.246:443
131.0.112.122:443
102.176.221.78:443
181.176.161.143:443
154.79.251.172:443
103.111.199.76:443
103.54.41.193:443
154.79.244.182:443
154.79.245.158:443
139.255.116.42:443
178.254.161.250:443
178.134.47.166:443
158.181.179.229:443
103.90.197.33:443
109.207.165.40:443
178.72.192.20:443
-
autorunName:pwgrabbName:pwgrabc
Targets
-
-
Target
Invoice 717.xlsb
-
Size
97KB
-
MD5
aae44c3735592848cee672f1b4806026
-
SHA1
52cd5e0535d6562193a84005cf0f20ed1da7f54e
-
SHA256
587ab4f5569b3d5064b93f4d8e12ff8ab7399a03a0c3304c8865db2b187b2272
-
SHA512
7f9d3aa31499086fd52c9f351d2f216f061268e2ca4dd9a4722bce8245cebc8122018a7ec221fb4e10400e04c32a6e6731e0c4e9e620a742aa6d2ce44a431e7a
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Templ.dll packer
Detects Templ.dll packer which usually loads Trickbot.
-
Downloads MZ/PE file
-
Loads dropped DLL
-