File name: | 2e |
Full analysis: | https://app.any.run/tasks/a08f0c91-78bb-4254-8d76-c09c2dd50b1d |
Verdict: | Malicious activity |
Threats: | TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. |
Analysis date: | September 19, 2019, 11:49:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 2E7AE59A8CC47E38A7B201DBBE244791 |
SHA1: | DBC64EB7DABF2D9D0E75FD290F92F8CB92A99107 |
SHA256: | 2E95D84B63FF32B69A46260378E6710EFD3005C2525A2E0DB521E9448BCC7E6F |
SSDEEP: | 24576:hJih7RFM/j07la5jIUr0D9hvnNPEi9+RG:sF1sr0/PAG |
.exe | | | Clipper DOS Executable (33.5) |
---|---|---|
.exe | | | Generic Win/DOS Executable (33.2) |
.exe | | | DOS Executable Generic (33.2) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 1 |
EntryPoint: | 0x2edc |
UninitializedDataSize: | - |
InitializedDataSize: | 1041436 |
CodeSize: | 12288 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 0000:00:00 00:00:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 01-Jan-1970 00:00:00 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0060 |
Pages in file: | 0x0001 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0010 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00FE |
Checksum: | 0x0000 |
Initial IP value: | 0x0012 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000060 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 01-Jan-1970 00:00:00 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.idata | 0x00001000 | 0x00000600 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.16516 |
_TEXT | 0x00002000 | 0x00003000 | 0x00003000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.29818 |
.CRT$XIA | 0x00005000 | 0x00005000 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.76552 |
.rsrc | 0x0000A000 | 0x000FA688 | 0x000FA800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.13025 |
.reloc | 0x00105000 | 0x00000400 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.90836 |
.debug | 0x00106000 | 0x00000200 | 0x0000001C | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.661055 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.68346 | 440 | Latin 1 / Western European | Process Default Language | RT_GROUP_ICON |
2 | 2.1787 | 2984 | Latin 1 / Western European | Process Default Language | RT_ICON |
3 | 2.36138 | 2216 | Latin 1 / Western European | Process Default Language | RT_ICON |
4 | 1.97036 | 1736 | Latin 1 / Western European | Process Default Language | RT_ICON |
5 | 2.02496 | 1544 | Latin 1 / Western European | Process Default Language | RT_ICON |
6 | 1.68429 | 1384 | Latin 1 / Western European | Process Default Language | RT_ICON |
7 | 2.5972 | 9640 | Latin 1 / Western European | Process Default Language | RT_ICON |
8 | 2.61091 | 6760 | Latin 1 / Western European | Process Default Language | RT_ICON |
9 | 3.01296 | 4264 | Latin 1 / Western European | Process Default Language | RT_ICON |
10 | 3.28465 | 2440 | Latin 1 / Western European | Process Default Language | RT_ICON |
KERNEL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3024 | "C:\Users\admin\AppData\Local\Temp\2e.exe" | C:\Users\admin\AppData\Local\Temp\2e.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3672 | "C:\Users\admin\AppData\Local\Temp\2e.exe" | C:\Users\admin\AppData\Local\Temp\2e.exe | 2e.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3776 | cmd.exe cmd.exe /c timeout 1 && del C:\Users\admin\AppData\Local\Temp\2e.exe" | C:\Windows\system32\cmd.exe | — | 2e.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2436 | timeout 1 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3024 | 2e.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:D7C49015474B4897EB834A18D24A0863 | SHA256:56EDD9EAD9E0C111F76E8062DD72D62AF5A7E621120AC3777C0E0CFF03EECD91 | |||
3672 | 2e.exe | C:\Users\admin\AppData\Local\Temp\log_install.tmp | executable | |
MD5:7E12DFF86A340D0075BAF6090433A26E | SHA256:E64766C79D360A747FF518BFB195B3758F095F0E2F776837E30ADEDB5B955FD9 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3672 | 2e.exe | GET | 200 | 85.204.116.123:80 | http://85.204.116.123/tin.png | RO | executable | 372 Kb | malicious |
3672 | 2e.exe | GET | 200 | 85.204.116.123:80 | http://85.204.116.123/sin.png | RO | executable | 424 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3672 | 2e.exe | 85.204.116.123:80 | — | — | RO | malicious |
PID | Process | Class | Message |
---|---|---|---|
3672 | 2e.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User-Agent (contains loader) |
3672 | 2e.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3672 | 2e.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3672 | 2e.exe | A Network Trojan was detected | ET TROJAN Windows Executable Downloaded With Image Content-Type Header |
3672 | 2e.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
3672 | 2e.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User-Agent (contains loader) |
3672 | 2e.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3672 | 2e.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |