File name: | 9_duor.exe |
Full analysis: | https://app.any.run/tasks/e7ccd2e8-4ecf-4572-ac02-f3912e6c48f8 |
Verdict: | Malicious activity |
Threats: | TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. |
Analysis date: | October 09, 2019, 18:15:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | MS-DOS executable |
MD5: | 4E916223BBD7F3F01A37BE36CA3029AD |
SHA1: | 4240AA64637B91EE38532060B5D85B1E22346A27 |
SHA256: | 53EFAB4CEA13BE80F48DFF9911B52879AFBA9235C264C365CBD150C4D3C3AE41 |
SSDEEP: | 3072:ef3kRO5zk72u1zvmWke1JkZXv0XYnip6VnMwQevSAdvDxG4bbuk5ukSXmbX:C3Dlk72vh84Bno6VjQevSoYGbuk5S |
.exe | | | DOS Executable Borland Pascal 7.0x (33.6) |
---|---|---|
.exe | | | Generic Win/DOS Executable (33) |
.exe | | | DOS Executable Generic (33) |
.dbf | | | Sybase iAnywhere database files (0.3) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 03-Oct-2019 16:47:46 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0000 |
Pages in file: | 0x0000 |
Relocations: | 0x0000 |
Size of header: | 0x0000 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0x0000 |
Initial SS value: | 0x0000 |
Initial SP value: | 0x0000 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000068 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 2 |
Time date stamp: | 03-Oct-2019 16:47:46 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002B000 | 0x0002B000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98828 |
.rsrc | 0x0002C000 | 0x00001000 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.98834 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3020 | "C:\Users\admin\AppData\Local\Temp\9_duor.exe" | C:\Users\admin\AppData\Local\Temp\9_duor.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
928 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\trustplus.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2160 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2412 | "C:\Users\admin\AppData\Local\Temp\9_duor.exe" | C:\Users\admin\AppData\Local\Temp\9_duor.exe | DllHost.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
1796 | C:\Users\admin\AppData\Roaming\netcloud\9_duqt.exe | C:\Users\admin\AppData\Roaming\netcloud\9_duqt.exe | taskeng.exe | |
User: SYSTEM Integrity Level: SYSTEM |
PID | Process | Filename | Type | |
---|---|---|---|---|
928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3625.tmp.cvr | — | |
MD5:— | SHA256:— | |||
928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{77A5AE6B-3784-43A8-86AC-05798996C1FD}.tmp | — | |
MD5:— | SHA256:— | |||
928 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5678A43F-D896-47CC-8640-833091D1FC5D}.tmp | — | |
MD5:— | SHA256:— | |||
928 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\trustplus.rtf.LNK | lnk | |
MD5:66B487FBF81DF0DAD7C1ABED400B4746 | SHA256:7CAE70A6246901FC1D7CD267D24871FF42BF8EB3C6A9D1FC3AF75706E59C8418 | |||
928 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:B541A56E23643B7AEDAEB2ADAD5D2577 | SHA256:55323E9285E4B1F00311624B98D87EAA6040A54F165E08C4186EFD0E810125C6 | |||
1796 | 9_duqt.exe | C:\Users\admin\AppData\Roaming\netcloud\settings.ini | text | |
MD5:56906815AA4FF82BF4FE4326BFC8AAD6 | SHA256:FFB0C7A77704057CDDEB53CD1BB35BAE1E540872623E8B08F2826F0CE78EE984 | |||
928 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:A958766FBC809EDE8E6927253798135F | SHA256:0F8544EBAB13F1EDFADA6001382B53D8EEB9B0B95D90B24CAEE905505E6BD6AC | |||
928 | WINWORD.EXE | C:\Users\admin\Desktop\~$ustplus.rtf | pgc | |
MD5:C4E22F6D7A1A7128F7F0F5671DD086A6 | SHA256:F63B92C83E68004354D84F6F04607930DC2E560B56B41D2359B83A65D5C9D0E6 | |||
2412 | 9_duor.exe | C:\Users\admin\AppData\Roaming\netcloud\9_duqt.exe | executable | |
MD5:4E916223BBD7F3F01A37BE36CA3029AD | SHA256:53EFAB4CEA13BE80F48DFF9911B52879AFBA9235C264C365CBD150C4D3C3AE41 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 51.254.69.244:443 | — | OVH SAS | FR | suspicious |
1796 | 9_duqt.exe | 51.254.69.244:443 | — | OVH SAS | FR | suspicious |
PID | Process | Class | Message |
---|---|---|---|
1796 | 9_duqt.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 20 |