General
Target: 7f456f8b01fc8866aeed4678a14479b6eaa62fed
Size: 566KB
Sample: 230201-fwnmpaca37
MD5: f12de9a9858b332eb530c1f5cdc069aa
SHA1: 7f456f8b01fc8866aeed4678a14479b6eaa62fed
SHA256: 70ef80df596b9d7907c7d853d00b5e2191e18bcb0d909ee4a86a7b2137ff5b72
SHA512: 6168bfe5c559b4b6223dd2d17be3a1ef3cc15f9f5f6f096a1c01ecc7b67432d24c9fb0cd5303fc8b6bd8448e0e4be57b17a17d8cc7870ff0bdd69e3c2bb439ca
SSDEEP: 6144:vDbbqDfFxoi9qL0W4Rl/EagUzdxcXxcEMcCYjYdjVOQnbok9P4atXkisULOWn20n:veDfYatZlthsWEsVV5lUisULO/ZxxG
Static task: static1
Behavioral task: behavioral1
  Sample: 7f456f8b01fc8866aeed4678a14479b6eaa62fed.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7f456f8b01fc8866aeed4678a14479b6eaa62fed.exe
  Resource: win10v2004-20221111-en
Malware Config
Extracted
Family: trickbot
Version: 1000235
Botnet: ser0724
C2:
138.34.32.218:443
178.78.202.189:443
85.9.212.117:443
93.109.242.134:443
198.53.63.120:443
158.58.131.54:443
87.117.146.63:443
118.200.151.113:443
89.117.107.13:443
109.86.227.152:443
200.2.126.98:443
83.167.164.81:443
194.68.23.182:443
182.253.210.130:449
77.89.86.93:443
70.79.178.120:449
68.109.83.22:443
24.231.0.139:443
84.237.228.13:443
138.34.32.19:443
195.54.163.161:443
185.180.198.6:443
94.250.251.192:443
194.87.95.57:443
185.174.173.8:443
185.162.130.183:443
Attributes:
  autorun
    Control: GetSystemInfo, Name: systeminfo
    Name: injectDll
Targets
Target: 7f456f8b01fc8866aeed4678a14479b6eaa62fed
Score: 10/10
Signatures:
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext