File name:	tnq092.exe
Full analysis:	https://app.any.run/tasks/aaef408d-cbbd-4ac6-828c-7a87b5b9f848
Verdict:	Malicious activity
Threats:	TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 27, 2019, 06:03:52
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	evasion trickbot trojan stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	476CC8AB088196733C2752CB26DB2350
SHA1:	42994AB8B8CBE1E40D559F98D8032FC875EDF487
SHA256:	868A571010696E5A8CD5D1A0330F84708E402C879E726B4B76E42170D3DE5897
SSDEEP:	12288:tYwlwh1xRt5oRAfPaseDJqMsZemK3iV5HeIBv7p0/c:tYth5t5oRp5JlsZ7KyVdeIBTa/c

.exe	\|	Win64 Executable (generic) (56.1)
.scr	\|	Windows screen saver (26.6)
.exe	\|	Win32 Executable (generic) (9.1)
.exe	\|	Generic Win/DOS Executable (4)
.exe	\|	DOS Executable Generic (4)

SpecialBuild:	Converter
ProductVersion:	1, 0, 0, 1
ProductName:	EliteConv Application
PrivateBuild:	EliteDecoder
OriginalFileName:	EliteConv.EXE
LegalTrademarks:	hAx Studios Ltd., Root-hack, fritz
LegalCopyright:	Copyright (C) 2004
InternalName:	EliteConverter
FileVersion:	1, 0, 0, 1
FileDescription:	Elite Converter \| hex, dec, bin, oct and ascii
CompanyName:	hAx Studios Ltd.
Comments:	Elite Character Conversion by: http://hax-studios.net && http://root-hack.org \|\| fritzy
CharacterSet:	Unicode
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	Private build, Special build
FileFlagsMask:	0x003f
ProductVersionNumber:	1.0.0.1
FileVersionNumber:	1.0.0.1
Subsystem:	Windows GUI
SubsystemVersion:	5
ImageVersion:	-
OSVersion:	5
EntryPoint:	0x2069f
UninitializedDataSize:	-
InitializedDataSize:	320000
CodeSize:	207872
LinkerVersion:	9
PEType:	PE32
TimeStamp:	2019:02:26 18:06:54+01:00
MachineType:	Intel 386 or later, and compatibles

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	26-Feb-2019 17:06:54
Detected languages:	English - United States
Comments:	Elite Character Conversion by: http://hax-studios.net && http://root-hack.org \|\| fritzy
CompanyName:	hAx Studios Ltd.
FileDescription:	Elite Converter \| hex, dec, bin, oct and ascii
FileVersion:	1, 0, 0, 1
InternalName:	EliteConverter
LegalCopyright:	Copyright (C) 2004
LegalTrademarks:	hAx Studios Ltd., Root-hack, fritz
OriginalFilename:	EliteConv.EXE
PrivateBuild:	EliteDecoder
ProductName:	EliteConv Application
ProductVersion:	1, 0, 0, 1
SpecialBuild:	Converter

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000100

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	26-Feb-2019 17:06:54
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_RELOCS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00032B0E	0x00032C00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.56678
.rdata	0x00034000	0x0000C8FC	0x0000CA00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.04583
.data	0x00041000	0x0002FD5C	0x0002C200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.94181
.rsrc	0x00071000	0x00015494	0x00015600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.60822

Title	Entropy	Size	Codepage	Language	Type
1	4.79597	346	Latin 1 / Western European	English - United States	RT_MANIFEST
2	2.08441	296	Latin 1 / Western European	English - United States	RT_ICON
3	3.02695	308	Latin 1 / Western European	English - United States	RT_CURSOR
4	2.74274	180	Latin 1 / Western European	English - United States	RT_CURSOR
5	2.34038	308	Latin 1 / Western European	English - United States	RT_CURSOR
6	2.34004	308	Latin 1 / Western European	English - United States	RT_CURSOR
7	2.27047	92	Latin 1 / Western European	English - United States	RT_STRING
8	2.45401	308	Latin 1 / Western European	English - United States	RT_CURSOR
9	2.34864	308	Latin 1 / Western European	English - United States	RT_CURSOR
10	2.34505	308	Latin 1 / Western European	English - United States	RT_CURSOR

PID	CMD	Path	Indicators	Parent process
1708	"C:\Users\admin\Desktop\tnq092.exe"	C:\Users\admin\Desktop\tnq092.exe		explorer.exe
User: admin Company: hAx Studios Ltd. Integrity Level: MEDIUM Description: Elite Converter \| hex, dec, bin, oct and ascii Exit code: 0 Version: 1, 0, 0, 1
1772	/c sc stop WinDefend	C:\Windows\SysWOW64\cmd.exe	—	tnq092.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2432	/c sc delete WinDefend	C:\Windows\SysWOW64\cmd.exe	—	tnq092.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
864	/c powershell Set-MpPreference -DisableRealtimeMonitoring $true	C:\Windows\SysWOW64\cmd.exe	—	tnq092.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2300	sc stop WinDefend	C:\Windows\SysWOW64\sc.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: A tool to aid in developing services for WindowsNT Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1420	sc delete WinDefend	C:\Windows\SysWOW64\sc.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: A tool to aid in developing services for WindowsNT Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1724	powershell Set-MpPreference -DisableRealtimeMonitoring $true	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2872	C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}	C:\Windows\SysWOW64\DllHost.exe	—	svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2508	"C:\Users\admin\AppData\Roaming\appnet\tor092.exe"	C:\Users\admin\AppData\Roaming\appnet\tor092.exe	—	DllHost.exe
User: admin Company: hAx Studios Ltd. Integrity Level: HIGH Description: Elite Converter \| hex, dec, bin, oct and ascii Exit code: 0 Version: 1, 0, 0, 1
2328	/c sc stop WinDefend	C:\Windows\SysWOW64\cmd.exe	—	tor092.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1062 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID	Process	Filename		Type
1724	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4AA6LPA5U1G36T70CUUT.temp		—
		MD5:—	SHA256:—
1716	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2IIZ010PDPECIP20DDRQ.temp		—
		MD5:—	SHA256:—
2396	svchost.exe	C:\Windows\TEMP\CabD49A.tmp		—
		MD5:—	SHA256:—
2396	svchost.exe	C:\Windows\TEMP\TarD49B.tmp		—
		MD5:—	SHA256:—
1708	tnq092.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3896776584-4254864009-862391680-1000\0f5007522459c86e95ffcc62f32308f1_eeeb5d54-7880-42a7-b542-739bbc26cf4b		binary
		MD5:40C6FC72BC1FF6788A80BCAF4A2BA011	SHA256:6FAEB36C84C291C8DA1642372CE339091F9DE06D13BADC93803A6B17DFF317FA
2396	svchost.exe	C:\Users\admin\AppData\Roaming\appnet\Data\injectDll64_configs\dpost		binary
		MD5:951E985669A827F5713C220D10289691	SHA256:0790E8FFB428E00C01CD499EE4AB16EDAD974147C07EA1709DF23D6AD34EF417
2396	svchost.exe	C:\Users\admin\AppData\Roaming\appnet\Data\systeminfo64		binary
		MD5:968518519928F5E4D20E8495B38C6665	SHA256:8E5A3993054D1A72FACFF1E2D32B8DF72F49C4A64A7C8F4D9655688216BA8ECE
1716	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1497ba.TMP		binary
		MD5:68DDCD94095DE6B16893FEE00DD712C3	SHA256:7E40A9EAF34708FD6282E34227600C202529627BE7DF880792CB033B4D0CD835
2396	svchost.exe	C:\Users\admin\AppData\Roaming\appnet\Data\injectDll64_configs\dinj		binary
		MD5:147C1049E25A408078C0ECB158B437C5	SHA256:3B033D79998BFB36D3ABEBD90A4EFD34BF9895CA1186BF4C7671D9F62E1F613E
1724	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms		binary
		MD5:68DDCD94095DE6B16893FEE00DD712C3	SHA256:7E40A9EAF34708FD6282E34227600C202529627BE7DF880792CB033B4D0CD835


ADVAPI32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINMM.dll

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2396	svchost.exe	GET	200	147.75.89.25:80	http://icanhazip.com/	US	text	14 b	shared
3000	svchost.exe	POST	—	190.146.112.216:8082	http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/	CO	—	—	malicious
3000	svchost.exe	POST	200	190.146.112.216:8082	http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/	CO	text	3 b	malicious
3000	svchost.exe	POST	—	190.146.112.216:8082	http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/	CO	—	—	malicious
2396	svchost.exe	GET	200	8.248.237.254:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?02c541413bd76ae3	US	compressed	55.2 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2396	svchost.exe	36.89.85.103:449	—	—	ID	malicious
2396	svchost.exe	147.75.89.25:80	icanhazip.com	Packet Host, Inc.	US	suspicious
2396	svchost.exe	195.123.246.99:447	—	—	UA	suspicious
2396	svchost.exe	8.248.237.254:80	ctldl.windowsupdate.com	Level 3 Communications, Inc.	US	unknown
3000	svchost.exe	190.146.112.216:8082	—	Telmex Colombia S.A.	CO	malicious
2396	svchost.exe	185.228.234.165:443	—	—	—	suspicious

Domain	IP	Reputation
icanhazip.com	147.75.89.25 147.75.40.2	shared
ctldl.windowsupdate.com	8.248.237.254 8.248.241.254 8.247.206.126 8.247.202.126 8.248.245.254	whitelisted

PID	Process	Class	Message
2396	svchost.exe	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2396	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
2396	svchost.exe	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
2396	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
3000	svchost.exe	A Network Trojan was detected	ET TROJAN [PTsecurity] Trickbot Data Exfiltration
3000	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Trickbot Data Exfiltration
3000	svchost.exe	Potentially Bad Traffic	ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
3000	svchost.exe	A Network Trojan was detected	ET TROJAN [PTsecurity] Trickbot Data Exfiltration
3000	svchost.exe	A Network Trojan was detected	MALWARE [PTsecurity] Trickbot Data Exfiltration
3000	svchost.exe	Potentially Bad Traffic	ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

Process	Message
mmc.exe	Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn

General Info

tnq092.exe

476CC8AB088196733C2752CB26DB2350

42994AB8B8CBE1E40D559F98D8032FC875EDF487

868A571010696E5A8CD5D1A0330F84708E402C879E726B4B76E42170D3DE5897

12288:tYwlwh1xRt5oRAfPaseDJqMsZemK3iV5HeIBv7p0/c:tYth5t5oRp5JlsZ7KyVdeIBTa/c

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads the Task Scheduler COM API

Stops/Deletes Windows Defender service

Uses SVCHOST.EXE for hidden code execution

Known privilege escalation attack

Connects to CnC server

Trickbot detected

Stealing of credential data

TRICKBOT was detected

SUSPICIOUS

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Creates files in the user directory

Executes PowerShell scripts

Checks for external IP

Connects to unusual port

Creates files in the Windows directory

Removes files from Windows directory

Application launched itself

Loads DLL from Mozilla Firefox

INFO

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings