General

  • Target

    2.zip

  • Size

    7.6MB

  • MD5

    a29400d43fde42181d504827b759b313

  • SHA1

    9a408c982ae1d7b5ab3c370b703b368ed795efdf

  • SHA256

    b71968ea01e2c2ed82e28a557f3210f3fde4caf97a1368e520650a8e2f5f459c

  • SHA512

    38b10fada863f94d9ac68301d9c76785cb5eeec0e595a032818aefbae43452908fa4813c29fb054ab5adba040bfd56b58248f09a9fd120a7693b05791e8f6308

  • SSDEEP

    196608:5Xq0WFROFqZk50CYQRQ/MxVLq8/0FWo4ZFSo1JpCGi:5rekqCdSM7W8/YWo4ZlpCGi

Malware Config

Extracted

  • Family

    trickbot

  • Version

    1000501

  • Botnet

    ono33

  • C2

  • Attributes

    autorun: Name:pwgrab

    ecc_pubkey.base64

Signatures

  • Trickbot family
  • Office macro that triggers on suspicious action (1 IoC)

    Office document macro which triggers in special circumstances - often malicious.

  • Suspicious Office macro (1 IoC)

    Office document equipped with macros.

  • Attempts to obfuscate APK file format

    Applies obfuscation techniques to the APK format in order to hinder analysis.

  • Declares services with permission to bind to the system (1 IoC)
  • Requests dangerous framework permissions (3 IoCs)
  • One or more HTTP URLs in PDF identified

    Detects presence of HTTP links in PDF files.

  • Unsigned PE (1 IoC)

    Checks for missing Authenticode signature.

Files

  • 2.zip
    .zip
  • 2/VirusShare_01b55404de50bd1a56343b2f316ff88d
    .exe windows:4 windows x86 arch:x86
  • 2/VirusShare_1ad9a67240d5775395c45b64dd6529fa
    .exe windows:5 windows x86 arch:x86
    483f0c4259a9148c34961abbda6146c1
  • 2/VirusShare_2fe5b00079aec2d8369a798230313ec8
    .doc windows office2003
    VBA modules: Xmtcmcovmi, Rlndryuf, Sfxuqprex
  • 2/VirusShare_3f0b1eed4b7b9ae05fab4d949843f103
    .doc .vbs windows office2003 polyglot
    VBA modules: ThisWorkbook, Sheet1, Sheet2, Sheet3, Sheet4, Module1
  • 2/VirusShare_480ef02bb062a57724e1b3e14532a140
    .pdf
  • 2/wedding.apk
    .apk android
    Package: com.google.aplikasi
    Main activity: com.example.myapplicatior.MainActivity