General
-
Target
invoice attachment.docm
-
Size
188KB
-
Sample
210922-szlnqaffhq
-
MD5
4e3fe2ad8dc94dbf82847aa9c18e7efd
-
SHA1
c6623f75c837d4579e3282bd5871516475d8af3a
-
SHA256
712fd163cc98f8fb2055573336c606f17c66a22276dce9f6e9f909e3d6d23f16
-
SHA512
98f80aa9bb78b990cd7497efa2c8badc0e3c3c7ef71211de3ccd4ab019959f41b6473888f9f7e52deb0f0c22e3a3c23ab630a8dab07c9209c8c46434153a79f7
Static task
static1
Behavioral task
behavioral1
Sample
invoice attachment.docm
Resource
win7v20210408
Malware Config
Extracted
trickbot
Version
100019
Botnet
rob133
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
-
autorun
Name: pwgrabb
Name: pwgrabc
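The extracted config above is the most immediately useful part of the report for a defender: eighteen C2 endpoints, all on 443. The block below is an added example (not part of the sandbox report or of any vendor tooling) that turns that list into network IOCs, checks them against connection logs, and emits Suricata rules. The C2 list is copied verbatim from the config; the Zeek-style conn.log records and the sid range are constructed placeholders.

```python
"""Turn the extracted TrickBot C2 list into network IOCs, check them against
connection logs, and emit Suricata rules. Added example, not part of the
sandbox report: the C2 list is copied from the extracted config; the conn.log
records and the sid range are constructed placeholders."""
import ipaddress

# C2 endpoints exactly as extracted from the sample's config (all TLS on 443)
C2_CONFIG = """
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
"""


def parse_c2(text):
    """Map each C2 IP to its configured port, rejecting malformed entries."""
    c2 = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, port = line.rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on anything that is not an address
        c2[ip] = int(port)
    return c2


# Constructed Zeek-style conn.log records (tab-separated):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto
SAMPLE_CONN_LOG = (
    "1632316800.12\t10.0.0.25\t49211\t65.152.201.203\t443\ttcp\n"
    "1632316801.30\t10.0.0.25\t49212\t142.250.72.46\t443\ttcp\n"
    "1632316803.91\t10.0.0.25\t49213\t46.99.175.217\t443\ttcp\n"
    "1632316804.05\t10.0.0.40\t49214\t65.152.201.203\t80\ttcp\n"
)


def find_c2_hits(conn_log, c2):
    """Flag every flow to a configured C2 address. Matching on the IP alone and
    recording whether the port agrees with the config keeps the signal if the
    operators move the listener to another port."""
    hits = []
    for line in conn_log.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        ts, src, _, dst, dport, _ = fields[:6]
        if dst in c2:
            hits.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                         "port_match": int(dport) == c2[dst]})
    return hits


def suricata_rules(c2, base_sid=9000001):
    """Emit one outbound Suricata rule per C2 endpoint, ordered by address.
    base_sid is a placeholder; allocate from your local sid range."""
    rules = []
    for i, ip in enumerate(sorted(c2, key=ipaddress.ip_address)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {c2[ip]} '
            f'(msg:"TrickBot C2 {ip}:{c2[ip]}"; '
            f'flow:to_server,established; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2(C2_CONFIG)
    for hit in find_c2_hits(SAMPLE_CONN_LOG, c2):
        print(hit)
    print("\n".join(suricata_rules(c2)))
```

The fourth sample flow (to a C2 address on port 80 rather than the configured 443) is still reported, with `port_match` set to `False`, so an analyst sees it instead of losing it to an exact ip:port match.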
Targets
-
Target
invoice attachment.docm
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
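The first signature above, an Office document's host application spawning a child it has no business spawning, is the one most worth reproducing in your own telemetry, because it fires at macro execution rather than at a later download or callback. The block below is an added example (not part of the sandbox report) of that check over Sysmon-style process-creation events. The event records are constructed, and the Office parent list, the benign-child allowlist and the LOLBin set are assumptions to tune for your environment.

```python
"""Detect an Office application spawning an unexpected child process, the
behaviour behind the "Process spawned unexpected child process" signature.
Added example, not part of the sandbox report: the Sysmon-style Event ID 1
records are constructed; the parent, allowlist and LOLBin sets are assumptions."""
import json
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office app spawns legitimately (assumption; extend for your fleet)
BENIGN_CHILDREN = {"splwow64.exe", "dw20.exe"}
# Script hosts and LOLBins: an Office parent plus one of these is high confidence
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}

# Constructed Sysmon events as JSON lines; the raw string keeps the backslashes
# so that json.loads sees valid "\\" escapes.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2021-09-22 12:03:14.221", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -w hidden"}
{"EventID": 1, "UtcTime": "2021-09-22 12:03:15.004", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\update.dll,Start"}
{"EventID": 1, "UtcTime": "2021-09-22 12:03:02.870", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\user\\Downloads\\invoice attachment.docm\""}
{"EventID": 1, "UtcTime": "2021-09-22 12:03:20.118", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"EventID": 3, "UtcTime": "2021-09-22 12:03:16.500", "Image": "C:\\Windows\\System32\\rundll32.exe", "DestinationIp": "65.152.201.203", "DestinationPort": 443}
{"EventID": 1, "UtcTime": "2021-09-22 12:04:01.330", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
"""


def basename(path):
    """Case-insensitive image name from a Windows path."""
    return PureWindowsPath(path).name.lower()


def unexpected_office_children(events_jsonl):
    """Return one alert per process-creation event whose parent is an Office
    application and whose child is not on the allowlist. Severity is high for
    script hosts and LOLBins, medium for any other unexpected child."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:  # only process creation; network events are skipped
            continue
        parent = basename(ev["ParentImage"])
        child = basename(ev["Image"])
        if parent not in OFFICE_PARENTS or child in BENIGN_CHILDREN:
            continue
        alerts.append({
            "time": ev["UtcTime"],
            "parent": parent,
            "child": child,
            "severity": "high" if child in LOLBINS else "medium",
            "cmdline": ev.get("CommandLine", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in unexpected_office_children(SAMPLE_EVENTS):
        print(alert)
```

The explorer.exe launching WINWORD.EXE record and the splwow64.exe print-spooler child do not alert, and the Event ID 3 network record is ignored by this rule; the cmd.exe, rundll32.exe and notepad.exe children do, at high, high and medium severity. Keep the allowlist short: every entry added to it is a child an attacker can use without tripping the rule.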