General
-
Target
mwconvertLinkGlobalng.trd.dll
-
Size
647KB
-
Sample
210819-dfdc4mzxqa
-
MD5
81441b435cd16c6f118cafda5b70caf3
-
SHA1
42f895bad095a6649558de805e3b7225d0975f3e
-
SHA256
684995dd0d6292096fce36f526a4b615f027263f4cac7beb9c919bf4451e5ff1
-
SHA512
fef004904a68ae5f0e9836563df904e1080489aaea1ab89b47eac26c8c2b57907fb68e5818bace26efd221a06ba52ce03621bcaadb521bd7d04a1f44c297fb1b
Static task
static1
Behavioral task
behavioral1
Sample
mwconvertLinkGlobalng.trd.dll
Resource
win7v20210410
Behavioral task
behavioral2
Sample
mwconvertLinkGlobalng.trd.dll
Resource
win10v20210408
Malware Config
Extracted
trickbot
2000031
zev1
14.232.161.45:443
118.173.233.64:443
41.57.156.203:443
45.239.234.2:443
45.201.136.3:443
177.10.90.29:443
185.17.105.236:443
91.237.161.87:443
185.189.55.207:443
186.225.119.170:443
143.0.208.20:443
222.124.16.74:443
220.82.64.198:443
200.236.218.62:443
178.216.28.59:443
45.239.233.131:443
196.216.59.174:443
119.202.8.249:443
82.159.149.37:443
49.248.217.170:443
181.114.215.239:443
113.160.132.237:443
105.30.26.50:443
202.165.47.106:443
103.122.228.44:443
-
autorunName:pwgrabbName:pwgrabc
Extracted
trickbot
2000032
tot141
103.122.228.44:443
196.216.220.211:443
181.114.215.239:443
41.57.156.203:443
43.252.159.63:443
197.156.129.250:443
113.160.37.196:443
38.110.100.64:443
113.160.132.237:443
24.28.12.23:443
38.110.100.219:443
45.239.233.109:443
119.202.8.249:443
200.236.218.62:443
220.82.64.198:443
190.93.208.53:443
196.216.59.174:443
222.124.16.74:443
202.165.47.106:443
96.9.77.56:443
49.248.217.170:443
186.225.119.170:443
-
autorunName:pwgrabbName:pwgrabc
Targets
-
-
Target
mwconvertLinkGlobalng.trd.dll
-
Size
647KB
-
MD5
81441b435cd16c6f118cafda5b70caf3
-
SHA1
42f895bad095a6649558de805e3b7225d0975f3e
-
SHA256
684995dd0d6292096fce36f526a4b615f027263f4cac7beb9c919bf4451e5ff1
-
SHA512
fef004904a68ae5f0e9836563df904e1080489aaea1ab89b47eac26c8c2b57907fb68e5818bace26efd221a06ba52ce03621bcaadb521bd7d04a1f44c297fb1b
-
suricata: ET MALWARE Trickbot Checkin Response
suricata: ET MALWARE Trickbot Checkin Response
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-