General

- Target: 6198d1cde7437b005b778d709d6ea9a6a7e4c6047413b38f1e487b7670fb9ddb
- Size: 284KB
- Sample: 220730-zgrwcafdb8
- MD5: 483c84066f957662d3f3e490898ad996
- SHA1: 0c44a5e469ce7da91477f743ce0f1b7e19885c7b
- SHA256: 6198d1cde7437b005b778d709d6ea9a6a7e4c6047413b38f1e487b7670fb9ddb
- SHA512: e74e48cce5285983693dd051218842717cab8822f8d09500a0f8b6a62ca0564f46d32bdb18fb70ef2a38b7c95c3d4202080919b109c0b28a3609d0e4d12f77b3
Static task: static1

Behavioral task: behavioral1
Sample: 6198d1cde7437b005b778d709d6ea9a6a7e4c6047413b38f1e487b7670fb9ddb.exe
Resource: win7-20220715-en

Behavioral task: behavioral2
Sample: 6198d1cde7437b005b778d709d6ea9a6a7e4c6047413b38f1e487b7670fb9ddb.exe
Resource: win10v2004-20220721-en
Malware Config
Extracted
trickbot
1000201
pir5
- autorun:
  Control: GetSystemInfo
  Name: systeminfo
  Name: injectDll
Targets
Score: 10/10

- Trickbot x86 loader: Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext