analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

tnq092.exe

Full analysis: https://app.any.run/tasks/aaef408d-cbbd-4ac6-828c-7a87b5b9f848
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 27, 2019, 06:03:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
trickbot
trojan
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

476CC8AB088196733C2752CB26DB2350

SHA1:

42994AB8B8CBE1E40D559F98D8032FC875EDF487

SHA256:

868A571010696E5A8CD5D1A0330F84708E402C879E726B4B76E42170D3DE5897

SSDEEP:

12288:tYwlwh1xRt5oRAfPaseDJqMsZemK3iV5HeIBv7p0/c:tYth5t5oRp5JlsZ7KyVdeIBTa/c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Stops/Deletes Windows Defender service

      • cmd.exe (PID: 2432)
      • cmd.exe (PID: 1772)
      • cmd.exe (PID: 2316)
      • cmd.exe (PID: 2328)
    • Loads the Task Scheduler COM API

      • svchost.exe (PID: 3068)
      • mmc.exe (PID: 2996)
      • svchost.exe (PID: 2396)
    • Uses SVCHOST.EXE for hidden code execution

      • tor092.exe (PID: 2080)
      • svchost.exe (PID: 2396)
      • tor092.exe (PID: 2508)
    • Known privilege escalation attack

      • DllHost.exe (PID: 2872)
    • Connects to CnC server

      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 3000)
    • Stealing of credential data

      • svchost.exe (PID: 3000)
    • Trickbot detected

      • svchost.exe (PID: 2396)
    • TRICKBOT was detected

      • svchost.exe (PID: 3000)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • tnq092.exe (PID: 1708)
      • tor092.exe (PID: 2508)
    • Executes PowerShell scripts

      • cmd.exe (PID: 864)
      • cmd.exe (PID: 1816)
    • Creates files in the user directory

      • tnq092.exe (PID: 1708)
      • powershell.exe (PID: 1724)
      • powershell.exe (PID: 1716)
      • svchost.exe (PID: 2396)
    • Reads the machine GUID from the registry

      • mmc.exe (PID: 2996)
      • explorer.exe (PID: 3048)
      • svchost.exe (PID: 3000)
      • svchost.exe (PID: 2396)
    • Executable content was dropped or overwritten

      • tnq092.exe (PID: 1708)
    • Creates files in the Windows directory

      • svchost.exe (PID: 2396)
    • Checks for external IP

      • svchost.exe (PID: 2396)
    • Application launched itself

      • svchost.exe (PID: 2396)
    • Loads DLL from Mozilla Firefox

      • svchost.exe (PID: 3000)
    • Connects to unusual port

      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 3000)
    • Removes files from Windows directory

      • svchost.exe (PID: 2396)
  • INFO

    • Reads settings of System Certificates

      • svchost.exe (PID: 2396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (56.1)
.scr | Windows screen saver (26.6)
.exe | Win32 Executable (generic) (9.1)
.exe | Generic Win/DOS Executable (4)
.exe | DOS Executable Generic (4)

EXIF

EXE

SpecialBuild: Converter
ProductVersion: 1, 0, 0, 1
ProductName: EliteConv Application
PrivateBuild: EliteDecoder
OriginalFileName: EliteConv.EXE
LegalTrademarks: hAx Studios Ltd., Root-hack, fritz
LegalCopyright: Copyright (C) 2004
InternalName: EliteConverter
FileVersion: 1, 0, 0, 1
FileDescription: Elite Converter | hex, dec, bin, oct and ascii
CompanyName: hAx Studios Ltd.
Comments: Elite Character Conversion by: http://hax-studios.net && http://root-hack.org || fritzy
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: Private build, Special build
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.1
FileVersionNumber: 1.0.0.1
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x2069f
UninitializedDataSize: -
InitializedDataSize: 320000
CodeSize: 207872
LinkerVersion: 9
PEType: PE32
TimeStamp: 2019:02:26 18:06:54+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 26-Feb-2019 17:06:54
Detected languages:
  • English - United States
Comments: Elite Character Conversion by: http://hax-studios.net && http://root-hack.org || fritzy
CompanyName: hAx Studios Ltd.
FileDescription: Elite Converter | hex, dec, bin, oct and ascii
FileVersion: 1, 0, 0, 1
InternalName: EliteConverter
LegalCopyright: Copyright (C) 2004
LegalTrademarks: hAx Studios Ltd., Root-hack, fritz
OriginalFilename: EliteConv.EXE
PrivateBuild: EliteDecoder
ProductName: EliteConv Application
ProductVersion: 1, 0, 0, 1
SpecialBuild: Converter

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 26-Feb-2019 17:06:54
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00032B0E
0x00032C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.56678
.rdata
0x00034000
0x0000C8FC
0x0000CA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.04583
.data
0x00041000
0x0002FD5C
0x0002C200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.94181
.rsrc
0x00071000
0x00015494
0x00015600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.60822

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.79597
346
Latin 1 / Western European
English - United States
RT_MANIFEST
2
2.08441
296
Latin 1 / Western European
English - United States
RT_ICON
3
3.02695
308
Latin 1 / Western European
English - United States
RT_CURSOR
4
2.74274
180
Latin 1 / Western European
English - United States
RT_CURSOR
5
2.34038
308
Latin 1 / Western European
English - United States
RT_CURSOR
6
2.34004
308
Latin 1 / Western European
English - United States
RT_CURSOR
7
2.27047
92
Latin 1 / Western European
English - United States
RT_STRING
8
2.45401
308
Latin 1 / Western European
English - United States
RT_CURSOR
9
2.34864
308
Latin 1 / Western European
English - United States
RT_CURSOR
10
2.34505
308
Latin 1 / Western European
English - United States
RT_CURSOR

Imports

ADVAPI32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINMM.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
72
Monitored processes
24
Malicious processes
6
Suspicious processes
4

Behavior graph

Click at the process to see the details
start tnq092.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs CMSTPLUA no specs tor092.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs svchost.exe no specs sc.exe no specs sc.exe no specs powershell.exe no specs explorer.exe no specs mmc.exe no specs mmc.exe tor092.exe no specs #TRICKBOT svchost.exe svchost.exe no specs svchost.exe no specs #TRICKBOT svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1708"C:\Users\admin\Desktop\tnq092.exe" C:\Users\admin\Desktop\tnq092.exe
explorer.exe
User:
admin
Company:
hAx Studios Ltd.
Integrity Level:
MEDIUM
Description:
Elite Converter | hex, dec, bin, oct and ascii
Exit code:
0
Version:
1, 0, 0, 1
1772/c sc stop WinDefendC:\Windows\SysWOW64\cmd.exetnq092.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2432/c sc delete WinDefendC:\Windows\SysWOW64\cmd.exetnq092.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
864/c powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\SysWOW64\cmd.exetnq092.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2300sc stop WinDefendC:\Windows\SysWOW64\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1420sc delete WinDefendC:\Windows\SysWOW64\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1724powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2872C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\SysWOW64\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2508"C:\Users\admin\AppData\Roaming\appnet\tor092.exe" C:\Users\admin\AppData\Roaming\appnet\tor092.exeDllHost.exe
User:
admin
Company:
hAx Studios Ltd.
Integrity Level:
HIGH
Description:
Elite Converter | hex, dec, bin, oct and ascii
Exit code:
0
Version:
1, 0, 0, 1
2328/c sc stop WinDefendC:\Windows\SysWOW64\cmd.exetor092.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1062
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
9 404
Read events
9 258
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
15
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
1724powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4AA6LPA5U1G36T70CUUT.temp
MD5:
SHA256:
1716powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2IIZ010PDPECIP20DDRQ.temp
MD5:
SHA256:
2396svchost.exeC:\Windows\TEMP\CabD49A.tmp
MD5:
SHA256:
2396svchost.exeC:\Windows\TEMP\TarD49B.tmp
MD5:
SHA256:
2396svchost.exeC:\Users\admin\AppData\Roaming\appnet\Data\injectDll64_configs\dpostbinary
MD5:951E985669A827F5713C220D10289691
SHA256:0790E8FFB428E00C01CD499EE4AB16EDAD974147C07EA1709DF23D6AD34EF417
2396svchost.exeC:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:BB377DF27A55C05BB3793CD1E125C869
SHA256:3C4EC495F17D21CC236BC7238BC02728BD945C07157FBF875CAC340269AFC207
1708tnq092.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3896776584-4254864009-862391680-1000\0f5007522459c86e95ffcc62f32308f1_eeeb5d54-7880-42a7-b542-739bbc26cf4bbinary
MD5:40C6FC72BC1FF6788A80BCAF4A2BA011
SHA256:6FAEB36C84C291C8DA1642372CE339091F9DE06D13BADC93803A6B17DFF317FA
2080tor092.exeC:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_eeeb5d54-7880-42a7-b542-739bbc26cf4bbinary
MD5:24C9645A1861DC190E940EA9B98F1518
SHA256:2079BE4E38E17058EFE6ABD95FFDC303A22A67156DC13F8BFE2445F0BA3F0F8A
2396svchost.exeC:\Users\admin\AppData\Roaming\appnet\Data\systeminfo64binary
MD5:968518519928F5E4D20E8495B38C6665
SHA256:8E5A3993054D1A72FACFF1E2D32B8DF72F49C4A64A7C8F4D9655688216BA8ECE
1724powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:68DDCD94095DE6B16893FEE00DD712C3
SHA256:7E40A9EAF34708FD6282E34227600C202529627BE7DF880792CB033B4D0CD835
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
14
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3000
svchost.exe
POST
190.146.112.216:8082
http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/
CO
malicious
3000
svchost.exe
POST
200
190.146.112.216:8082
http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/
CO
text
3 b
malicious
2396
svchost.exe
GET
200
147.75.89.25:80
http://icanhazip.com/
US
text
14 b
shared
3000
svchost.exe
POST
190.146.112.216:8082
http://190.146.112.216:8082/ser0226us/USER-PC_W617601.CFBBC0882CE7C46266D13B3B474F8272/81/
CO
malicious
2396
svchost.exe
GET
200
8.248.237.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?02c541413bd76ae3
US
compressed
55.2 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2396
svchost.exe
36.89.85.103:449
ID
malicious
2396
svchost.exe
8.248.237.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
unknown
2396
svchost.exe
185.228.234.165:443
suspicious
2396
svchost.exe
195.123.246.99:447
UA
suspicious
2396
svchost.exe
147.75.89.25:80
icanhazip.com
Packet Host, Inc.
US
suspicious
3000
svchost.exe
190.146.112.216:8082
Telmex Colombia S.A.
CO
malicious

DNS requests

Domain
IP
Reputation
icanhazip.com
  • 147.75.89.25
  • 147.75.40.2
shared
ctldl.windowsupdate.com
  • 8.248.237.254
  • 8.248.241.254
  • 8.247.206.126
  • 8.247.202.126
  • 8.248.245.254
whitelisted

Threats

PID
Process
Class
Message
2396
svchost.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2396
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
2396
svchost.exe
A Network Trojan was detected
ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
2396
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Blacklist Malicious SSL certificate detected (Trickbot)
3000
svchost.exe
A Network Trojan was detected
ET TROJAN [PTsecurity] Trickbot Data Exfiltration
3000
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trickbot Data Exfiltration
3000
svchost.exe
Potentially Bad Traffic
ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
3000
svchost.exe
A Network Trojan was detected
ET TROJAN [PTsecurity] Trickbot Data Exfiltration
3000
svchost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trickbot Data Exfiltration
3000
svchost.exe
Potentially Bad Traffic
ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
5 ETPRO signatures available at the full report
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn