File name:	tnq092.exe
Full analysis:	https://app.any.run/tasks/aaef408d-cbbd-4ac6-828c-7a87b5b9f848
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 27, 2019, 06:03:52
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	evasion trickbot trojan stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	476CC8AB088196733C2752CB26DB2350
SHA1:	42994AB8B8CBE1E40D559F98D8032FC875EDF487
SHA256:	868A571010696E5A8CD5D1A0330F84708E402C879E726B4B76E42170D3DE5897
SSDEEP:	12288:tYwlwh1xRt5oRAfPaseDJqMsZemK3iV5HeIBv7p0/c:tYth5t5oRp5JlsZ7KyVdeIBTa/c

.exe	\|	Win64 Executable (generic) (56.1)
.scr	\|	Windows screen saver (26.6)
.exe	\|	Win32 Executable (generic) (9.1)
.exe	\|	Generic Win/DOS Executable (4)
.exe	\|	DOS Executable Generic (4)

SpecialBuild:	Converter
ProductVersion:	1, 0, 0, 1
ProductName:	EliteConv Application
PrivateBuild:	EliteDecoder
OriginalFileName:	EliteConv.EXE
LegalTrademarks:	hAx Studios Ltd., Root-hack, fritz
LegalCopyright:	Copyright (C) 2004
InternalName:	EliteConverter
FileVersion:	1, 0, 0, 1
FileDescription:	Elite Converter \| hex, dec, bin, oct and ascii
CompanyName:	hAx Studios Ltd.
Comments:	Elite Character Conversion by: http://hax-studios.net && http://root-hack.org \|\| fritzy
CharacterSet:	Unicode
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	Private build, Special build
FileFlagsMask:	0x003f
ProductVersionNumber:	1.0.0.1
FileVersionNumber:	1.0.0.1
Subsystem:	Windows GUI
SubsystemVersion:	5
ImageVersion:	-
OSVersion:	5
EntryPoint:	0x2069f
UninitializedDataSize:	-
InitializedDataSize:	320000
CodeSize:	207872
LinkerVersion:	9
PEType:	PE32
TimeStamp:	2019:02:26 18:06:54+01:00
MachineType:	Intel 386 or later, and compatibles

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	26-Feb-2019 17:06:54
Detected languages:	English - United States
Comments:	Elite Character Conversion by: http://hax-studios.net && http://root-hack.org \|\| fritzy
CompanyName:	hAx Studios Ltd.
FileDescription:	Elite Converter \| hex, dec, bin, oct and ascii
FileVersion:	1, 0, 0, 1
InternalName:	EliteConverter
LegalCopyright:	Copyright (C) 2004
LegalTrademarks:	hAx Studios Ltd., Root-hack, fritz
OriginalFilename:	EliteConv.EXE
PrivateBuild:	EliteDecoder
ProductName:	EliteConv Application
ProductVersion:	1, 0, 0, 1
SpecialBuild:	Converter

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000100

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	26-Feb-2019 17:06:54
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_RELOCS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00032B0E	0x00032C00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.56678
.rdata	0x00034000	0x0000C8FC	0x0000CA00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.04583
.data	0x00041000	0x0002FD5C	0x0002C200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.94181
.rsrc	0x00071000	0x00015494	0x00015600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.60822

Title	Entropy	Size	Codepage	Language	Type
1	4.79597	346	Latin 1 / Western European	English - United States	RT_MANIFEST
2	2.08441	296	Latin 1 / Western European	English - United States	RT_ICON
3	3.02695	308	Latin 1 / Western European	English - United States	RT_CURSOR
4	2.74274	180	Latin 1 / Western European	English - United States	RT_CURSOR
5	2.34038	308	Latin 1 / Western European	English - United States	RT_CURSOR
6	2.34004	308	Latin 1 / Western European	English - United States	RT_CURSOR
7	2.27047	92	Latin 1 / Western European	English - United States	RT_STRING
8	2.45401	308	Latin 1 / Western European	English - United States	RT_CURSOR
9	2.34864	308	Latin 1 / Western European	English - United States	RT_CURSOR
10	2.34505	308	Latin 1 / Western European	English - United States	RT_CURSOR


(PID) Process:	(1724) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2872) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2872) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2872) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2872) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1716) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2996) mmc.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2996) mmc.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E
Operation:	write	Name:	@C:\Windows\system32\miguiresource.dll,-202
Value: Schedule computer tasks to run automatically.
(PID) Process:	(2996) mmc.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E
Operation:	write	Name:	@C:\Windows\system32\miguiresource.dll,-203
Value: Microsoft Corporation (c)
(PID) Process:	(2996) mmc.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\64\52C64B7E
Operation:	write	Name:	@C:\Windows\system32\miguiresource.dll,-104
Value: 1.0

PID	Process	Filename		Type
1724	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4AA6LPA5U1G36T70CUUT.temp		—
		MD5:—	SHA256:—
1716	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2IIZ010PDPECIP20DDRQ.temp		—
		MD5:—	SHA256:—
2396	svchost.exe	C:\Windows\TEMP\CabD49A.tmp		—
		MD5:—	SHA256:—
2396	svchost.exe	C:\Windows\TEMP\TarD49B.tmp		—
		MD5:—	SHA256:—
1724	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:68DDCD94095DE6B16893FEE00DD712C3	SHA256:7E40A9EAF34708FD6282E34227600C202529627BE7DF880792CB033B4D0CD835
2080	tor092.exe	C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_eeeb5d54-7880-42a7-b542-739bbc26cf4b		binary
		MD5:24C9645A1861DC190E940EA9B98F1518	SHA256:2079BE4E38E17058EFE6ABD95FFDC303A22A67156DC13F8BFE2445F0BA3F0F8A
2396	svchost.exe	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:BB377DF27A55C05BB3793CD1E125C869	SHA256:3C4EC495F17D21CC236BC7238BC02728BD945C07157FBF875CAC340269AFC207
1716	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:68DDCD94095DE6B16893FEE00DD712C3	SHA256:7E40A9EAF34708FD6282E34227600C202529627BE7DF880792CB033B4D0CD835
1716	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1497ba.TMP		binary
		MD5:68DDCD94095DE6B16893FEE00DD712C3	SHA256:7E40A9EAF34708FD6282E34227600C202529627BE7DF880792CB033B4D0CD835
2396	svchost.exe	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:49747721216543791EF8B162F6BB56D1	SHA256:537F1E667613D035A09F824C2D839A431A1EB1434D24DC26C7CD73CFD8AB67DC


ADVAPI32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINMM.dll

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3000	svchost.exe	POST	—	190.146.112.216:8082	http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/	CO	—	—	malicious
3000	svchost.exe	POST	—	190.146.112.216:8082	http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/	CO	—	—	malicious
3000	svchost.exe	POST	200	190.146.112.216:8082	http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/	CO	text	3 b	malicious
2396	svchost.exe	GET	200	8.248.237.254:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?02c541413bd76ae3	US	compressed	55.2 Kb	whitelisted
2396	svchost.exe	GET	200	147.75.89.25:80	http://icanhazip.com/	US	text	14 b	shared

PID	Process	IP	Domain	ASN	CN	Reputation
2396	svchost.exe	36.89.85.103:449	—	—	ID	malicious
3000	svchost.exe	190.146.112.216:8082	—	Telmex Colombia S.A.	CO	malicious
2396	svchost.exe	8.248.237.254:80	ctldl.windowsupdate.com	Level 3 Communications, Inc.	US	unknown
2396	svchost.exe	147.75.89.25:80	icanhazip.com	Packet Host, Inc.	US	suspicious
2396	svchost.exe	195.123.246.99:447	—	—	UA	suspicious
2396	svchost.exe	185.228.234.165:443	—	—	—	suspicious

Domain	IP	Reputation
icanhazip.com	147.75.89.25 147.75.40.2	shared
ctldl.windowsupdate.com	8.248.237.254 8.248.241.254 8.247.206.126 8.247.202.126 8.248.245.254	whitelisted

PID	Process	Class	Message
—	—	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
—	—	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
—	—	A Network Trojan was detected	ET TROJAN [PTsecurity] Trickbot Data Exfiltration
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Trickbot Data Exfiltration
—	—	Potentially Bad Traffic	ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
—	—	A Network Trojan was detected	ET TROJAN [PTsecurity] Trickbot Data Exfiltration
—	—	A Network Trojan was detected	MALWARE [PTsecurity] Trickbot Data Exfiltration
—	—	Potentially Bad Traffic	ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

Process	Message
mmc.exe	Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn

General Info

tnq092.exe

476CC8AB088196733C2752CB26DB2350

42994AB8B8CBE1E40D559F98D8032FC875EDF487

868A571010696E5A8CD5D1A0330F84708E402C879E726B4B76E42170D3DE5897

12288:tYwlwh1xRt5oRAfPaseDJqMsZemK3iV5HeIBv7p0/c:tYth5t5oRp5JlsZ7KyVdeIBTa/c

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Stops/Deletes Windows Defender service

Uses SVCHOST.EXE for hidden code execution

Known privilege escalation attack

Loads the Task Scheduler COM API

Connects to CnC server

Trickbot detected

TRICKBOT was detected

Stealing of credential data

SUSPICIOUS

Creates files in the user directory

Starts CMD.EXE for commands execution

Executes PowerShell scripts

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Checks for external IP

Creates files in the Windows directory

Application launched itself

Removes files from Windows directory

Connects to unusual port

Loads DLL from Mozilla Firefox

INFO

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings