General
-
Target
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103
-
Size
448KB
-
Sample
220731-fwgt5sahfl
-
MD5
821b90f4f3a4d56cf89660ed6dc17761
-
SHA1
5d165df8a4a314f6a805715c142724372cc0e1b2
-
SHA256
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103
-
SHA512
09943414a73911a26bf91ca557b40357938f237e8bb7e3468922c345ea0359bd596d241d35e35ff1ca2990efa13f22c05d63c8aae9550db7d09874137c56edb7
Static task
static1
Behavioral task
behavioral1
Sample
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103.exe
Resource
win10v2004-20220721-en
Malware Config
Extracted
trickbot
1000253
lib302
195.54.163.150:443
168.167.51.10:443
178.116.83.49:443
176.114.66.20:449
162.212.112.175:449
158.58.131.54:443
104.254.10.200:449
118.200.151.113:443
41.211.9.234:449
81.227.16.44:443
109.173.104.236:449
212.225.214.249:449
81.17.86.112:443
41.189.173.18:443
46.149.182.112:449
197.232.243.36:449
94.232.20.113:443
47.49.168.50:443
70.79.178.120:449
68.109.83.22:443
176.10.170.65:443
62.141.94.107:443
96.43.40.221:443
197.232.50.85:443
195.123.209.174:443
94.103.80.15:443
185.252.144.16:443
185.174.172.197:443
195.54.163.29:443
195.54.162.53:443
195.54.163.151:443
-
autorunControl:GetSystemInfoName:systeminfoName:injectDll
Targets
-
-
Target
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103
-
Size
448KB
-
MD5
821b90f4f3a4d56cf89660ed6dc17761
-
SHA1
5d165df8a4a314f6a805715c142724372cc0e1b2
-
SHA256
97b0b58dc0de5e03de54dc930399f3f92e21208ddcb1f77ea073b2165f658103
-
SHA512
09943414a73911a26bf91ca557b40357938f237e8bb7e3468922c345ea0359bd596d241d35e35ff1ca2990efa13f22c05d63c8aae9550db7d09874137c56edb7
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE
-
Stops running service(s)
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-