General
-
Target
c1f7f56e617f9da8665be3733efb54c576a6259cb1922061b5f4d7bf2fbe5455
-
Size
548KB
-
Sample
220701-dlvxxaheaq
-
MD5
6ebc25957ccc919003cecfbd8972ecd2
-
SHA1
fba699dab48c142f3f8cb8a50b6557213f745f69
-
SHA256
c1f7f56e617f9da8665be3733efb54c576a6259cb1922061b5f4d7bf2fbe5455
-
SHA512
44484124758a5923bcef6cec5e77baa28514dc31b06ea6a07ddd5e13395679686133cd610af75e0fa300a4ae3afd048f188cf2533b9b84818480b1db0c8a8854
Static task
static1
Behavioral task
behavioral1
Sample
c1f7f56e617f9da8665be3733efb54c576a6259cb1922061b5f4d7bf2fbe5455.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
c1f7f56e617f9da8665be3733efb54c576a6259cb1922061b5f4d7bf2fbe5455.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
trickbot
1000317
jim375
107.175.127.149:443
24.247.182.240:449
108.174.120.172:449
107.174.34.202:443
24.247.182.29:449
24.247.182.179:449
97.87.175.152:449
198.46.131.164:443
74.132.135.120:449
198.46.160.217:443
71.94.101.25:443
24.247.182.225:449
192.3.52.107:443
74.140.160.33:449
65.31.241.133:449
140.190.54.187:449
24.247.181.226:449
108.160.196.130:449
23.94.36.143:443
24.247.182.174:449
108.174.60.161:443
75.108.123.165:449
72.189.124.41:449
105.27.171.234:449
172.222.97.179:449
72.241.62.188:449
198.46.198.241:443
199.227.126.250:449
97.87.172.0:449
94.232.20.113:443
24.247.182.159:449
47.49.168.50:443
64.128.175.37:449
24.227.222.4:449
-
autorunControl:GetSystemInfoName:systeminfoName:injectDllName:pwgrab
Targets
-
-
Target
c1f7f56e617f9da8665be3733efb54c576a6259cb1922061b5f4d7bf2fbe5455
-
Size
548KB
-
MD5
6ebc25957ccc919003cecfbd8972ecd2
-
SHA1
fba699dab48c142f3f8cb8a50b6557213f745f69
-
SHA256
c1f7f56e617f9da8665be3733efb54c576a6259cb1922061b5f4d7bf2fbe5455
-
SHA512
44484124758a5923bcef6cec5e77baa28514dc31b06ea6a07ddd5e13395679686133cd610af75e0fa300a4ae3afd048f188cf2533b9b84818480b1db0c8a8854
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE
-
Stops running service(s)
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-