General
-
Target
43fc6c7426c36d7c2c8f608143f30194ea9d6d8165d0230b9d395d1197ee0ece
-
Size
332KB
-
Sample
220707-z1by8seaa7
-
MD5
e68277118a41dbad6dfc24b421eb88f9
-
SHA1
b787591a3fca7b10f4abd66f9d8e35264b280fd3
-
SHA256
43fc6c7426c36d7c2c8f608143f30194ea9d6d8165d0230b9d395d1197ee0ece
-
SHA512
85c701b082d182289e386874fb26e31257e7b3399be5bc84bb44d19ea8b2f0bd9ee670a9878327547f5e879125c3f65b8da0992a890c837cc31a14b6df325a8c
Static task
static1
Behavioral task
behavioral1
Sample
774736367468______________________________________Order 009376389.scr
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
774736367468______________________________________Order 009376389.scr
Resource
win10v2004-20220414-en
Malware Config
Extracted
trickbot
1000262
sun6
-
autorun: Control:GetSystemInfo Name:systeminfo Name:injectDll
Targets
-
Target
774736367468______________________________________Order 009376389.scr
-
Size
443KB
-
MD5
0da06485fe542333d67855067eed6339
-
SHA1
216a30b8cafce120917000ead51015ba56100b8c
-
SHA256
3f85129c59dfdbdbb46638d05d7b3cbcb259ee6fdcd90bb9cf0c256976e04605
-
SHA512
ba6f2fe9a1078794238799d0cd647d245369b15ef99664b6c20067cdda9b695fcf70fcf27922c28041e5a5c3f3916f9509c8215f1cec5eb2f1e75e6f795b3d12
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE
-
Stops running service(s)
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-