General
-
Target
3cd11df9e2af44982a94b0831508741271b804195cfe959e0c369d5bef29cf55
-
Size
392KB
-
Sample
220703-fwqgaaaca4
-
MD5
597284e27cb936c11b565ac6f9976cee
-
SHA1
ddc459295dfe17d58ba7a8153e8aa13a2cba4425
-
SHA256
3cd11df9e2af44982a94b0831508741271b804195cfe959e0c369d5bef29cf55
-
SHA512
a70cf2a466232fa269ddd96865310b9f9133598d69ff3f979e0fb7ae6ca0138e423c7cf14713842b2917067b1c6a014667c9fa1e6447410facc7433223ce07bb
Static task
static1
Behavioral task
behavioral1
Sample
3cd11df9e2af44982a94b0831508741271b804195cfe959e0c369d5bef29cf55.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3cd11df9e2af44982a94b0831508741271b804195cfe959e0c369d5bef29cf55.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
trickbot
1000269
jim320
154.16.137.73:443
94.181.47.198:449
75.103.4.186:443
23.94.41.215:443
181.113.17.230:449
212.23.70.149:443
172.82.152.132:443
170.81.32.66:449
42.115.91.177:443
107.173.102.231:443
121.58.242.206:449
167.114.13.91:443
192.252.209.44:443
182.50.64.148:449
187.190.249.230:443
107.175.127.147:443
82.222.40.119:449
198.100.157.163:443
23.226.138.169:443
103.110.91.118:449
173.239.128.74:443
128.201.92.41:449
70.48.101.54:443
103.111.53.126:449
185.66.227.183:443
182.253.20.66:449
71.13.140.89:443
179.127.254.196:443
169.1.39.89:443
46.149.182.112:449
81.17.86.112:443
62.141.94.107:443
115.78.3.170:443
197.232.50.85:443
94.232.20.113:443
190.145.74.84:449
47.49.168.50:443
116.212.152.12:449
68.109.83.22:443
-
autorunControl:GetSystemInfoName:systeminfoName:injectDll
Targets
-
-
Target
3cd11df9e2af44982a94b0831508741271b804195cfe959e0c369d5bef29cf55
-
Size
392KB
-
MD5
597284e27cb936c11b565ac6f9976cee
-
SHA1
ddc459295dfe17d58ba7a8153e8aa13a2cba4425
-
SHA256
3cd11df9e2af44982a94b0831508741271b804195cfe959e0c369d5bef29cf55
-
SHA512
a70cf2a466232fa269ddd96865310b9f9133598d69ff3f979e0fb7ae6ca0138e423c7cf14713842b2917067b1c6a014667c9fa1e6447410facc7433223ce07bb
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE
-
Stops running service(s)
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-