General
-
Target
tell.07.21.doc
-
Size
87KB
-
Sample
210716-cdvmlyx5dj
-
MD5
e1db6606c006f7f629c960f0c47ddfdf
-
SHA1
1347ca2f535462ec240b3b507aa3f462fe674271
-
SHA256
423a3facbb403a5927d48d8ed1529b2d90ac9c6a96013189184c6f25da9b233d
-
SHA512
2d83e3d7b01ffe9aa95235c02e88f4e92b25c0b1865b48c74a62f8697374130651cab1f9f5d0b0a859d2e52693660e21a7fa62dc06497cb152b345878c284105
Malware Config
Extracted
trickbot
2000031
zev1
14.232.161.45:443
118.173.233.64:443
41.57.156.203:443
45.239.234.2:443
45.201.136.3:443
177.10.90.29:443
185.17.105.236:443
91.237.161.87:443
185.189.55.207:443
186.225.119.170:443
143.0.208.20:443
222.124.16.74:443
220.82.64.198:443
200.236.218.62:443
178.216.28.59:443
45.239.233.131:443
196.216.59.174:443
119.202.8.249:443
82.159.149.37:443
49.248.217.170:443
-
autorunName:pwgrabbName:pwgrabc
Targets
-
-
Target
tell.07.21.doc
-
Size
87KB
-
MD5
e1db6606c006f7f629c960f0c47ddfdf
-
SHA1
1347ca2f535462ec240b3b507aa3f462fe674271
-
SHA256
423a3facbb403a5927d48d8ed1529b2d90ac9c6a96013189184c6f25da9b233d
-
SHA512
2d83e3d7b01ffe9aa95235c02e88f4e92b25c0b1865b48c74a62f8697374130651cab1f9f5d0b0a859d2e52693660e21a7fa62dc06497cb152b345878c284105
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-