General
Target: 3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa
Size: 428KB
Sample: 220703-jltyhadad3
MD5: 54bc795028a9a3f1467d8ba8a3f1f5a2
SHA1: e5f7ba4baeb7bd0beef022c7535c071ab2c7d89d
SHA256: 3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa
SHA512: 35b27257fc7a86aafbf5ee143e0b69562117de2491740a8a02282f2b698caeb8272b061da1310b8a1be1f0a7955c8616ff93cf78aadf61ceba46adc4487a5edf
Static task: static1
Behavioral task: behavioral1
Sample: 3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted
trickbot
1000219
ser0629
autorun: Control:GetSystemInfo Name:systeminfo Name:injectDll
Targets
Target: 3c5b08764e81c101cb4e158ce5bd867205541b99e07ff55967a516cb1d7852fa
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
Executes dropped EXE
Stops running service(s)
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of SetThreadContext