File name: | 13019138e35aaaf7632f7427ae7bd540 |
Full analysis: | https://app.any.run/tasks/13a30bd7-7a19-4df3-858d-ec5d66565e82 |
Verdict: | Malicious activity |
Threats: | TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. |
Analysis date: | August 13, 2019, 18:39:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 13019138E35AAAF7632F7427AE7BD540 |
SHA1: | 30E755ADA76E98A0D24823B980177F9A35EA5B65 |
SHA256: | 7809664C76F9B106CE04835902D7DA256EA511038982038404EFDB7C02A4D10F |
SSDEEP: | 6144:RMm59rjaN1IF/eqMRMF2Sm8DzXWIr5kPukkKvuvQO3c1AbbTqrNvDpj+5:RMm5peNyFWbMhNV0kcOQYKW2t9j+5 |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x4fa2 |
UninitializedDataSize: | - |
InitializedDataSize: | 255488 |
CodeSize: | 153600 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2019:07:09 14:24:19+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 09-Jul-2019 12:24:19 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 09-Jul-2019 12:24:19 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0002562D | 0x00025800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60623 |
.rdata | 0x00027000 | 0x000060E2 | 0x00006200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.84745 |
.data | 0x0002E000 | 0x00003398 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.54819 |
.rsrc | 0x00032000 | 0x00036F6C | 0x00037000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.00946 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.79597 | 346 | Latin 1 / Western European | English - United States | RT_MANIFEST |
101 | 5.99992 | 224600 | Latin 1 / Western European | English - United States | BNCCDXSAZWQ |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3348 | "C:\Users\admin\Desktop\13019138e35aaaf7632f7427ae7bd540.exe" | C:\Users\admin\Desktop\13019138e35aaaf7632f7427ae7bd540.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3732 | "C:\ProgramData\АЕехСсаССхВВаКlЕ.exe" | C:\ProgramData\АЕехСсаССхВВаКlЕ.exe | — | 13019138e35aaaf7632f7427ae7bd540.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1568 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1344 | "C:\ProgramData\АЕехСсаССхВВаКlЕ.exe" | C:\ProgramData\АЕехСсаССхВВаКlЕ.exe | DllHost.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3292 | C:\Users\admin\AppData\Roaming\mslibrary\АЕехСсаССхВВаКnЕ.exe | C:\Users\admin\AppData\Roaming\mslibrary\АЕехСсаССхВВаКnЕ.exe | taskeng.exe | |
User: SYSTEM Integrity Level: SYSTEM |
(PID) Process: | (3348) 13019138e35aaaf7632f7427ae7bd540.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3348) 13019138e35aaaf7632f7427ae7bd540.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (1568) DllHost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (1568) DllHost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3292 | АЕехСсаССхВВаКnЕ.exe | C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:38D75EBF5AA1ECB057FBBFF561479454 | SHA256:933E5DE4EF6FE336E04992A47DD4AE54298D29D82DB0CD8BBBC6F589FC0BBCA4 | |||
1344 | АЕехСсаССхВВаКlЕ.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:F68E83A475892B37CABE2ED5FE7D192F | SHA256:2C32B0B70A0A33528AE42DD55F6BCE7D6354888C0E000BA61AC06C9E8168AF61 | |||
1344 | АЕехСсаССхВВаКlЕ.exe | C:\Users\admin\AppData\Roaming\mslibrary\АЕехСсаССхВВаКnЕ.exe | executable | |
MD5:13019138E35AAAF7632F7427AE7BD540 | SHA256:7809664C76F9B106CE04835902D7DA256EA511038982038404EFDB7C02A4D10F | |||
3292 | АЕехСсаССхВВаКnЕ.exe | C:\Users\admin\AppData\Roaming\mslibrary\settings.ini | text | |
MD5:ABE592ECA3527F477872F1BEAC321E92 | SHA256:D76585A9DF013714F737FC4E162799674DA4DAE5AFFB795121DA38D744ABEFFC | |||
3732 | АЕехСсаССхВВаКlЕ.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:974EA5C4CC58BB2098B0467E33A3AC4C | SHA256:53C54F4CA8E64DA7934EE48341BF94AFAD1E851746E3A361EB4E977397C14EE8 | |||
3348 | 13019138e35aaaf7632f7427ae7bd540.exe | C:\ProgramData\АЕехСсаССхВВаКlЕ.exe | executable | |
MD5:13019138E35AAAF7632F7427AE7BD540 | SHA256:7809664C76F9B106CE04835902D7DA256EA511038982038404EFDB7C02A4D10F |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 191.101.251.146:443 | — | WorldStream B.V. | NL | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3292 | АЕехСсаССхВВаКnЕ.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 10 |