URL: | http://click.danielshomecenter.com/wf/click?upn=5BonPYvJBf70dr3T3Bvz4Q6PiihapYyXtCqYeY8WDadAY6-2BbbdcORxe0gJfB7OMEFfjSIYiddnH88PqU8YMzng-3D-3D_UZ-2Fw3Bg8EOda-2F-2BSazO07kRVcTNcBTORUFAdpBcU4cNb1BdP4lyIdcBDqK2FHUzj8g4Z3qIVEIEC0221dTJcd9UMMMnHjeST-2FiwGvii1v3KQqCom-2F9QnuBfvNWlIvVdzktzND65xZ1ROQIi-2ByaM-2FWYbZl99H9GEQ2fRapk-2FcIYrzUfgCQrdDPVCAdVKv89sfRPTyszRkp5-2BHn3nBXkZXEgq1eRVgI3tGvzguVHkm-2Fw6U-3D |
Full analysis: | https://app.any.run/tasks/86ec16d3-a3bc-4261-bc21-96fd0714fbac |
Verdict: | Malicious activity |
Threats: | TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. |
Analysis date: | December 02, 2019, 19:35:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 76AA7257C619C72F63E2EF00D46D76C6 |
SHA1: | FA0BE4C46394749F484A9D043B0A5D8ACD06FD4E |
SHA256: | 9F25DA3B1544F148919BE776AD49602892FF28EDF530F8501F0679F5D394C421 |
SSDEEP: | 12:aC6Sx9eGg9R4ZAAqZEPD5l6eHlRtvDMgn37PS8:ad3fENl6eF/rMgLD |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2140 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://click.danielshomecenter.com/wf/click?upn=5BonPYvJBf70dr3T3Bvz4Q6PiihapYyXtCqYeY8WDadAY6-2BbbdcORxe0gJfB7OMEFfjSIYiddnH88PqU8YMzng-3D-3D_UZ-2Fw3Bg8EOda-2F-2BSazO07kRVcTNcBTORUFAdpBcU4cNb1BdP4lyIdcBDqK2FHUzj8g4Z3qIVEIEC0221dTJcd9UMMMnHjeST-2FiwGvii1v3KQqCom-2F9QnuBfvNWlIvVdzktzND65xZ1ROQIi-2ByaM-2FWYbZl99H9GEQ2fRapk-2FcIYrzUfgCQrdDPVCAdVKv89sfRPTyszRkp5-2BHn3nBXkZXEgq1eRVgI3tGvzguVHkm-2Fw6U-3D" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3772 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2140 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2776 | "C:\Users\admin\Downloads\Preview.exe" | C:\Users\admin\Downloads\Preview.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2488 | C:\Users\admin\AppData\Local\Temp\44DE.tmp | C:\Users\admin\AppData\Local\Temp\44DE.tmp | Preview.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2140 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFEABB351BDD081CE3.TMP | — | |
MD5:— | SHA256:— | |||
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF5DCC6707990408E6.TMP | — | |
MD5:— | SHA256:— | |||
2140 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F36F40E7-153A-11EA-AB41-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
3772 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:C2F7B77579C1229B3B5BDBDF75D1043A | SHA256:2D4954E4D3B5B0B40CBDBB353002C85685FACA3764094BC06FDE50723E61C239 | |||
3772 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B62AG9OA\Preview[1].exe | executable | |
MD5:619978330D73DC561BBD34A6398216BF | SHA256:E17149663A7D2F9EC19D28102D8379B764C5DD83C1EC8C7278300C58893E7600 | |||
2140 | iexplore.exe | C:\Users\admin\Downloads\Preview.exe | executable | |
MD5:619978330D73DC561BBD34A6398216BF | SHA256:E17149663A7D2F9EC19D28102D8379B764C5DD83C1EC8C7278300C58893E7600 | |||
2488 | 44DE.tmp | C:\Users\admin\AppData\Roaming\syshealth\Telemetry.FailedProfileLocks.txt | text | |
MD5:C153AD1FCEFF3F8974C7FB4B6E6C1BDA | SHA256:755855ED7E6C0CC58573EF55B1D93F219165E70D166F71716F785024E67442A3 | |||
3772 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log | text | |
MD5:F41C0A9952977A8FFD41713E6ECDB532 | SHA256:42C7A482EEDF75BF9A35F0B277D03E3C53B52D8CAD6C9033E082F3A6D23E42F7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3772 | iexplore.exe | GET | 302 | 167.89.115.56:80 | http://click.danielshomecenter.com/wf/click?upn=5BonPYvJBf70dr3T3Bvz4Q6PiihapYyXtCqYeY8WDadAY6-2BbbdcORxe0gJfB7OMEFfjSIYiddnH88PqU8YMzng-3D-3D_UZ-2Fw3Bg8EOda-2F-2BSazO07kRVcTNcBTORUFAdpBcU4cNb1BdP4lyIdcBDqK2FHUzj8g4Z3qIVEIEC0221dTJcd9UMMMnHjeST-2FiwGvii1v3KQqCom-2F9QnuBfvNWlIvVdzktzND65xZ1ROQIi-2ByaM-2FWYbZl99H9GEQ2fRapk-2FcIYrzUfgCQrdDPVCAdVKv89sfRPTyszRkp5-2BHn3nBXkZXEgq1eRVgI3tGvzguVHkm-2Fw6U-3D | US | — | — | suspicious |
2776 | Preview.exe | GET | 301 | 70.40.221.152:80 | http://sodonnews.com/kjsdfhnv | US | html | 301 b | malicious |
2140 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3772 | iexplore.exe | 167.89.115.56:80 | click.danielshomecenter.com | SendGrid, Inc. | US | suspicious |
2140 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3772 | iexplore.exe | 142.4.205.11:443 | maisonmarielouise.org | OVH SAS | CA | unknown |
2776 | Preview.exe | 70.40.221.152:443 | sodonnews.com | Unified Layer | US | malicious |
2776 | Preview.exe | 70.40.221.152:80 | sodonnews.com | Unified Layer | US | malicious |
2488 | 44DE.tmp | 189.28.185.50:449 | — | ENGEPLUS INFORMATICA LTDA | BR | malicious |
Domain | IP | Reputation |
---|---|---|
click.danielshomecenter.com |
| suspicious |
maisonmarielouise.org |
| unknown |
www.bing.com |
| whitelisted |
sodonnews.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2488 | 44DE.tmp | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 11 |