General
Target: 20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba
Size: 428KB
Sample: 220612-l63r9agdfn
MD5: b63af3e2ce713b1a8fa79ee1158ba246
SHA1: 3f25337d0bc667eb5965cbb9b70244dc01d4af84
SHA256: 20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba
SHA512: f1f6a16f0caa3a0efc6827479014a8590318ed7f8f994602b7ac23aeaed1ce17bb8ba572a8e31a12513877c853bcdd3ac525e1c098e7c255d03045a92d00bd3b
Static task: static1
Behavioral task: behavioral1
Sample: 20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted
Family: trickbot
Version: 1000228
Botnet: ser0716
C2:
138.34.32.218:443
178.78.202.189:443
85.9.212.117:443
93.109.242.134:443
118.91.178.101:443
158.58.131.54:443
70.114.186.116:443
118.200.151.113:443
89.117.107.13:443
109.86.227.152:443
200.2.126.98:443
96.31.109.51:443
90.69.224.122:443
194.68.23.182:443
182.253.210.130:449
77.89.86.93:443
70.79.178.120:449
138.34.32.74:443
185.129.193.221:443
184.68.167.42:443
200.46.121.130:443
82.202.221.78:443
195.133.48.175:443
82.202.236.5:443
82.146.58.216:443
109.234.35.87:443
95.213.200.239:443
185.143.172.110:443
autorun:
Control: GetSystemInfo
Name: systeminfo
Name: injectDll
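The extracted configuration above is the part of this report that is directly actionable for detection: 28 C2 endpoints, most on 443 and two on Trickbot's non-standard port 449, plus the sample's hashes. The following is an added example (not part of the sandbox report and not Trickbot tooling) that turns those indicators into a matcher and runs it over a constructed Zeek conn.log-style excerpt. It assumes the first seven conn.log fields are ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p and proto; the log rows, the `parse_c2`, `match_conn_log` and `matches_report_sample` names, and the `strict_ports` switch are all assumptions of this example.

```python
"""Matcher built from the indicators in this report.

Added example, not part of the sandbox report or of any Trickbot tooling:
it takes the hashes and the extracted C2 list above and scans constructed
Zeek conn.log-style records for contact with a C2 endpoint.
"""
import hashlib
import ipaddress

# File hashes as listed in the report.
REPORT_HASHES = {
    "md5": "b63af3e2ce713b1a8fa79ee1158ba246",
    "sha1": "3f25337d0bc667eb5965cbb9b70244dc01d4af84",
    "sha256": "20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba",
    "sha512": "f1f6a16f0caa3a0efc6827479014a8590318ed7f8f994602b7ac23aeaed1ce17bb8ba572a8e31a12513877c853bcdd3ac525e1c098e7c255d03045a92d00bd3b",
}

# C2 servers from the extracted config. Most listen on 443; two entries use
# Trickbot's non-standard port 449.
C2_RAW = """
138.34.32.218:443
178.78.202.189:443
85.9.212.117:443
93.109.242.134:443
118.91.178.101:443
158.58.131.54:443
70.114.186.116:443
118.200.151.113:443
89.117.107.13:443
109.86.227.152:443
200.2.126.98:443
96.31.109.51:443
90.69.224.122:443
194.68.23.182:443
182.253.210.130:449
77.89.86.93:443
70.79.178.120:449
138.34.32.74:443
185.129.193.221:443
184.68.167.42:443
200.46.121.130:443
82.202.221.78:443
195.133.48.175:443
82.202.236.5:443
82.146.58.216:443
109.234.35.87:443
95.213.200.239:443
185.143.172.110:443
"""


def parse_c2(raw: str) -> set[tuple[str, int]]:
    """Parse 'ip:port' lines into (ip, port) pairs, rejecting malformed ones."""
    endpoints = set()
    for entry in raw.split():
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {entry!r}")
        ipaddress.ip_address(host)  # raises ValueError if host is not an IP
        endpoints.add((host, int(port)))
    return endpoints


C2 = parse_c2(C2_RAW)
C2_IPS = {ip for ip, _ in C2}


def match_conn_log(lines, strict_ports: bool = True) -> list[dict]:
    """Return conn.log records (ts, uid, id.orig_h, id.orig_p, id.resp_h,
    id.resp_p, proto, ...) whose responder is a C2. With strict_ports the
    (ip, port) pair must match; otherwise any traffic to a C2 address counts,
    which survives a port change at the cost of noise on shared hosts."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):  # skip Zeek header lines
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 7 or not fields[5].isdigit():
            continue
        ts, uid, orig_h, _, resp_h, resp_p, proto = fields[:7]
        dport = int(resp_p)
        if (resp_h, dport) in C2 or (not strict_ports and resp_h in C2_IPS):
            hits.append({"ts": ts, "uid": uid, "src": orig_h, "dst": resp_h,
                         "dport": dport, "proto": proto})
    return hits


def matches_report_sample(data: bytes) -> bool:
    """True only if every digest of `data` equals the value the report lists."""
    return all(hashlib.new(alg, data).hexdigest() == digest
               for alg, digest in REPORT_HASHES.items())


# Constructed conn.log excerpt (not real traffic): one benign row on a
# documentation address, and a last row reaching a C2 host on port 80 that
# only the loose matcher reports.
SAMPLE_CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1655030400.1\tCabc1\t10.0.0.15\t49211\t182.253.210.130\t449\ttcp
1655030401.3\tCabc2\t10.0.0.15\t49212\t203.0.113.10\t443\ttcp
1655030402.7\tCabc3\t10.0.0.22\t52001\t138.34.32.218\t443\ttcp
1655030403.0\tCabc4\t10.0.0.22\t52002\t138.34.32.218\t80\ttcp
""".splitlines()
```

Matching on the (ip, port) pair is the conservative default; Trickbot operators rotate ports as well as addresses, so for hunting over historical data the loose mode (`strict_ports=False`) is worth a pass, accepting that a shared or re-allocated address will generate noise. The hash check is for confirming that a file pulled from an endpoint is this exact sample before relying on the rest of the report.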
Targets
Target: 20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba
Size: 428KB
MD5: b63af3e2ce713b1a8fa79ee1158ba246
SHA1: 3f25337d0bc667eb5965cbb9b70244dc01d4af84
SHA256: 20f08d83a3ef82811a7b4506c8561989d527a2704a0cda64e10ddcd08784feba
SHA512: f1f6a16f0caa3a0efc6827479014a8590318ed7f8f994602b7ac23aeaed1ce17bb8ba572a8e31a12513877c853bcdd3ac525e1c098e7c255d03045a92d00bd3b
- Trickbot x86 loader: Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Stops running service(s)
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext