General
Target: 5cb182d4f77cfa507a4ca9dbd59d8310d2deb3cc6325a50ab247b8a6578d91f4
Size: 362KB
Sample: 220801-galfwadafn
MD5: cbb0ce54b5eec9de6ed74a9d5f0ac537
SHA1: 2be319bb3d27cdee6b021f54de20eb5ea7d9009d
SHA256: 5cb182d4f77cfa507a4ca9dbd59d8310d2deb3cc6325a50ab247b8a6578d91f4
SHA512: afd926f78c36f8901eca187aee43c24ab02f0e954658defe192b122422112aaa0e7b82e62509a8b54ae4dfc99a79c5b49a82286247ba30fabde69a79de7cc353
Static task: static1
Behavioral task: behavioral1
Sample: 5cb182d4f77cfa507a4ca9dbd59d8310d2deb3cc6325a50ab247b8a6578d91f4.exe
Resource: win7-20220715-en
Behavioral task: behavioral2
Sample: 5cb182d4f77cfa507a4ca9dbd59d8310d2deb3cc6325a50ab247b8a6578d91f4.exe
Resource: win10v2004-20220721-en
Malware Config
Extracted: trickbot 1000206 lib239
C2:
93.109.242.134:443
46.47.50.44:443
190.7.199.42:443
158.58.131.54:443
86.125.39.173:443
208.75.117.70:443
185.168.185.218:443
109.86.227.152:443
185.129.78.167:443
190.4.189.129:443
65.30.201.40:443
66.232.212.59:443
80.53.57.146:443
92.55.251.211:449
94.112.52.197:449
209.121.142.202:449
5.102.177.205:449
209.121.142.214:449
95.161.180.42:449
185.42.192.194:449
46.72.175.17:449
144.48.51.8:443
46.243.179.212:449
195.161.41.93:443
195.54.162.216:443
95.213.199.249:443
162.244.32.148:443
78.155.199.51:443
31.148.219.231:443
185.251.38.147:443
autorun:
Control: GetSystemInfo, Name: systeminfo
Name: injectDll
Targets
Target: 5cb182d4f77cfa507a4ca9dbd59d8310d2deb3cc6325a50ab247b8a6578d91f4
Size: 362KB
MD5: cbb0ce54b5eec9de6ed74a9d5f0ac537
SHA1: 2be319bb3d27cdee6b021f54de20eb5ea7d9009d
SHA256: 5cb182d4f77cfa507a4ca9dbd59d8310d2deb3cc6325a50ab247b8a6578d91f4
SHA512: afd926f78c36f8901eca187aee43c24ab02f0e954658defe192b122422112aaa0e7b82e62509a8b54ae4dfc99a79c5b49a82286247ba30fabde69a79de7cc353
Score: 10/10
Trickbot x86 loader: Detected Trickbot's x86 loader that unpacks the x86 payload.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext