General
- Target: 5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3
- Size: 383KB
- Sample: 220731-1s215ababp
- MD5: 366c27888902481f1e12ebbfa9ce946a
- SHA1: 7801599ce1123bfe5990534d0c649ec913aae5cd
- SHA256: 5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3
- SHA512: 6d253a38151308e9cbf5537cd440f094d159a3e90c5a4826ff94f4e16b2b66b39563da3807b59db83dfd74c0255d51e3d0e3afed1a631697c92dd7b3f10f51f5
Static task: static1
Behavioral task: behavioral1
- Sample: 5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 5df26114f76ec86dcd5309e3b50379fd57f0e0f86b22d3245d17c6e17fdd96d3.exe
- Resource: win10v2004-20220722-en
Malware Config
Extracted
trickbot
1000287
ser1025us
- autorun: Control:GetSystemInfo, Name:systeminfo, Name:injectDll, Name:pwgrab
Targets
- Trickbot x86 loader: Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Stops running service(s)
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory