General
-
Target
doc.xlsm
-
Size
210KB
-
Sample
211020-wxa1zshea3
-
MD5
7eaa8c20b9840547b206f2dd21ac11b6
-
SHA1
6eaaa24a1d5164dca972e928d62a4c1cf6523689
-
SHA256
9cf7aef7011220c83deb3587e15b09bdfd16da64f3c23739d860ef183afb0d22
-
SHA512
9cc2095e15a3261ef9d4101ae363c44a54412db86a1556f09b441379b7291d12c4d1ce554b67f584a275730e6d03d4958255ca4c649e206a83bd560ff29636a9
Behavioral task
behavioral1
Sample
doc.xlsm
Resource
win7-en-20211014
Malware Config
Extracted
http://185.81.115.23/ytr.dll
Extracted
trickbot
100019
sat4
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
-
autorunName:pwgrabbName:pwgrabc
Targets
-
-
Target
doc.xlsm
-
Size
210KB
-
MD5
7eaa8c20b9840547b206f2dd21ac11b6
-
SHA1
6eaaa24a1d5164dca972e928d62a4c1cf6523689
-
SHA256
9cf7aef7011220c83deb3587e15b09bdfd16da64f3c23739d860ef183afb0d22
-
SHA512
9cc2095e15a3261ef9d4101ae363c44a54412db86a1556f09b441379b7291d12c4d1ce554b67f584a275730e6d03d4958255ca4c649e206a83bd560ff29636a9
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-