| File name: | b3cb56683b9f6d422732aa0f3a4f35896a84daa1e1328443fad99003410cb427.exe |
| Full analysis: | https://app.any.run/tasks/531cec35-7743-4dd7-90c6-40c62e055aa2 |
| Verdict: | Malicious activity |
| Threats: | TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. |
| Analysis date: | November 23, 2024, 06:10:52 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections |
| MD5: | 628DD865C17F53FD187A10D2EF45D150 |
| SHA1: | FEB0CCD79E54E32EAAA6271ADF26B39EF84E3C07 |
| SHA256: | B3CB56683B9F6D422732AA0F3A4F35896A84DAA1E1328443FAD99003410CB427 |
| SSDEEP: | 12288:HobICDWCPPp4mLNEGg+OhD+TwHCMF1HmFMOhVtIDcCfU1:HobIr+fLNyhD+TwHC21HmFMOhVtItfU1 |
MALICIOUS
TRICKBOT has been detected (YARA)
- wermgr.exe (PID: 4952)
SUSPICIOUS
Executes application which crashes
- b3cb56683b9f6d422732aa0f3a4f35896a84daa1e1328443fad99003410cb427.exe (PID: 5640)
Starts CMD.EXE for commands execution
- b3cb56683b9f6d422732aa0f3a4f35896a84daa1e1328443fad99003410cb427.exe (PID: 5640)
INFO
Creates files or folders in the user directory
- WerFault.exe (PID: 4576)
Checks supported languages
- b3cb56683b9f6d422732aa0f3a4f35896a84daa1e1328443fad99003410cb427.exe (PID: 5640)
Checks proxy server information
- WerFault.exe (PID: 4576)
- wermgr.exe (PID: 4952)
Reads the software policy settings
- WerFault.exe (PID: 4576)
- wermgr.exe (PID: 4952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TrickBot
(PID) Process(4952) wermgr.exe
C2
srv (5)65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
srva (13)181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
version100019
Botnettop139
KeyRUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4=
Autorun
module
@namepwgrabb
@namepwgrabc
other (238)checkip.amazonaws.com
ipecho.net
ipinfo.io
api.ipify.org
icanhazip.com
myexternalip.com
wtfismyip.com
ip.anysrc.net
api.ipify.org
api.ip.sb
ident.me
www.myexternalip.com
/plain
/ip
/raw
/text
/?format=text
zen.spamhaus.org
cbl.abuseat.org
b.barracudacentral.org
dnsbl-1.uceprotect.net
spam.dnsbl.sorbs.net
bdns.at
bdns.by
bdns.co
bdns.im
bdns.link
bdns.nu
bdns.pro
b-dns.se
GetProcAddress
freebuffer
Windows 8.1
WTSFreeMemory
/%s/%s/25/%s/
52
Start failed
/C powershell -executionpolicy bypass -File
reload%d
shlwapi
%u.%u.%u.%u
pIT NULL
Windows Server 2012 R2
path
/C cscript
Create xml2 failed
pIT GetFolder failed, 0x%x
Execute from user
</BootTrigger>
------Boundary%08X
%s sTart
/%s/%s/23/%u/
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><Version>1.1.1</Version>
<Author>NetCache</Author>
<Description>Net Cash is a desktop customize tool for your computer. With this tool, you can easily customiz...
ExitProcess
client is not behind NAT
PROMPT
LeaveCriticalSection
WTSGetActiveConsoleSessionId
m:
dsize:%u
ps1
start
mutant
Register s failed, 0x%x
kernel32.dll
<BootTrigger>
<Enabled>true</Enabled>
exc
InitializeCriticalSection
Module has already been loaded
GET
wtsapi32
50
S-1-5-18
Unable to load module from server
release
No params
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
E: 0x%x A: 0x%p
settings.ini
WantRelease
Create ZP failed
t:
in
/%s/%s/0/%s/%s/%s/%s/%s/
DNSBL
Create xml failed
SeDebugPrivilege
Windows 7
Unknown
working
SINJ
cmd.exe
set
chcp 65001
Load to M failed
Win32 error
ResetEvent
Param 0
Windows Server 2012
First
cmdrun.bat
<RunLevel>HighestAvailable</RunLevel>
<GroupId>NT AUTHORITY\SYSTEM</GroupId>
<LogonType>InteractiveToken</LogonType>
/%s/%s/5/%s/
.reloc
Windows 10 Server
delete
%08lX%04lX%u
ver.txt
VERS
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
Windows 8
pIT connect failed, 0x%x
control
SignatureLength
--%s
Content-Disposition: form-data; name="%S"
=set
Windows Server 2008
Windows 2000
info
ModuleQuery
Run D failed
0.0.0.0
Windows Server 2003
LoadLibraryW
.txt
Global\
Process was unloaded
winsta0\default
Invalid params count
\svchost.exe
Control failed
CI failed, 0x%x
\*
%02X
noname
UrlEscapeW
set
data
WTSEnumerateSessionsA
WaitForSingleObject
tmp
client is behind NAT
Launch USER failed
.tmp
%s/%s/64/%s/%s/%s/
1108
x64
%s %s
Module is not valid
==
%016llX%016llX
EnterCriticalSection
</Command>
</Exec>
</Actions>
</Task>
SYSTEM
eventfail
</Triggers>
<Principals>
<Principal id="Author">
Find P failed
Decode param64 error
curl/7.77.0
rundll32.exe
start
%s/%s/63/%s/%s/%s/%s/
/%s/%s/14/%s/%s/0/
\cmd.exe
NetData Cache Windows
e:
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAva...
SignalObjectAndWait
%u%u%u.
%s.%s
Load to P failed
/%s/%s/1/%s/
GetParentInfo error
ECDSA_P384
file
NAT status
/%s/%s/10/%s/%s/%u/
<LogonTrigger>
<Enabled>true</Enabled>
gte_
</LogonTrigger>
Register u failed, 0x%x
<moduleconfig>*</moduleconfig>
cn\
Windows XP
Windows Server 2008 R2
Execute from system
Module already unloaded
/
Process has been finished
%s%s
%u %u %u %u
</UserId>
WTSQueryUserToken
SeTcbPrivilege
Windows Vista
EN\
failed
listed
\NetCache-
=
%s.%s.%s.%s
%s %s SP%u
CloseHandle
explorer.exe
=
not listed
D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)
<UserId>
ECCPUBLICBLOB
testscript
user
i:
x86
POST
--%s--
Windows 10
WINHTTP.dll
bcrypt.dll
ncrypt.dll
OLEAUT32.dll
ole32.dll
CRYPT32.dll
IPHLPAPI.DLL
ADVAPI32.dll
WS2_32.dll
ntdll.dll
SHELL32.dll
USER32.dll
SHLWAPI.dll
USERENV.dll
Y
@
=
R#
P
R#
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (35.8) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (31.7) |
| .scr | | | Windows screen saver (15) |
| .dll | | | Win32 Dynamic Link Library (generic) (7.5) |
| .exe | | | Win32 Executable (generic) (5.1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:07:06 22:39:24+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 126976 |
| InitializedDataSize: | 356352 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb424 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.1 |
| ProductVersionNumber: | 1.0.0.1 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Chinese (Simplified) |
| CharacterSet: | Unicode |
| FileDescription: | Demo Microsoft 基础类应用程序 |
| FileVersion: | 1, 0, 0, 1 |
| InternalName: | Demo |
| LegalCopyright: | 版权所有 (C) 2008 |
| OriginalFileName: | Demo.EXE |
| ProductName: | Demo 应用程序 |
| ProductVersion: | 1, 0, 0, 1 |
Total processes
121
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4576 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5640 -s 640 | C:\Windows\SysWOW64\WerFault.exe | b3cb56683b9f6d422732aa0f3a4f35896a84daa1e1328443fad99003410cb427.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4952 | C:\WINDOWS\system32\wermgr.exe | C:\Windows\System32\wermgr.exe | b3cb56683b9f6d422732aa0f3a4f35896a84daa1e1328443fad99003410cb427.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
TrickBot(PID) Process(4952) wermgr.exe C2 srv (5)65.152.201.203:443 185.56.175.122:443 46.99.175.217:443 179.189.229.254:443 46.99.175.149:443 srva (13)181.129.167.82:443 216.166.148.187:443 46.99.188.223:443 128.201.76.252:443 62.99.79.77:443 60.51.47.65:443 24.162.214.166:443 45.36.99.184:443 97.83.40.67:443 184.74.99.214:443 103.105.254.17:443 62.99.76.213:443 82.159.149.52:443 version100019 Botnettop139 KeyRUNTMzAAAABbfmkJRvwyw7iFkX40hL2HwsUeOSZZZo0FRRWGkY6J1+gf3YKq13Ee4sY3Jb9/0myCr0MwzNK1K2l5yuY87nW29Q/yjMJG0ISDj0HNBC3G+ZGta6Oi9QkjCwnNGbw2hQ4= Autorun module @namepwgrabb @namepwgrabc other (238)checkip.amazonaws.com ipecho.net ipinfo.io api.ipify.org icanhazip.com myexternalip.com wtfismyip.com ip.anysrc.net api.ipify.org api.ip.sb ident.me www.myexternalip.com /plain /ip /raw /text /?format=text zen.spamhaus.org cbl.abuseat.org b.barracudacentral.org dnsbl-1.uceprotect.net spam.dnsbl.sorbs.net bdns.at bdns.by bdns.co bdns.im bdns.link bdns.nu bdns.pro b-dns.se GetProcAddress freebuffer Windows 8.1 WTSFreeMemory /%s/%s/25/%s/ 52 Start failed /C powershell -executionpolicy bypass -File reload%d shlwapi %u.%u.%u.%u pIT NULL Windows Server 2012 R2 path /C cscript Create xml2 failed pIT GetFolder failed, 0x%x Execute from user </BootTrigger> ------Boundary%08X %s sTart /%s/%s/23/%u/ <?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo><Version>1.1.1</Version>
<Author>NetCache</Author>
<Description>Net Cash is a desktop customize tool for your computer. With this tool, you can easily customiz... ExitProcess client is not behind NAT PROMPT LeaveCriticalSection WTSGetActiveConsoleSessionId m: dsize:%u ps1 start mutant Register s failed, 0x%x kernel32.dll <BootTrigger>
<Enabled>true</Enabled> exc InitializeCriticalSection Module has already been loaded GET wtsapi32 50 S-1-5-18 Unable to load module from server release No params Content-Type: multipart/form-data; boundary=%s
Content-Length: %d E: 0x%x A: 0x%p settings.ini WantRelease Create ZP failed t: in /%s/%s/0/%s/%s/%s/%s/%s/ DNSBL Create xml failed SeDebugPrivilege Windows 7 Unknown working SINJ cmd.exe set chcp 65001 Load to M failed Win32 error ResetEvent Param 0 Windows Server 2012 First cmdrun.bat <RunLevel>HighestAvailable</RunLevel>
<GroupId>NT AUTHORITY\SYSTEM</GroupId>
<LogonType>InteractiveToken</LogonType> /%s/%s/5/%s/ .reloc Windows 10 Server delete %08lX%04lX%u ver.txt VERS <LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel> Windows 8 pIT connect failed, 0x%x control SignatureLength --%s
Content-Disposition: form-data; name="%S" =set Windows Server 2008 Windows 2000 info ModuleQuery Run D failed 0.0.0.0 Windows Server 2003 LoadLibraryW .txt Global\ Process was unloaded winsta0\default Invalid params count \svchost.exe Control failed CI failed, 0x%x \* %02X noname UrlEscapeW set data WTSEnumerateSessionsA WaitForSingleObject tmp client is behind NAT Launch USER failed .tmp %s/%s/64/%s/%s/%s/ 1108 x64 %s %s Module is not valid == %016llX%016llX EnterCriticalSection </Command>
</Exec>
</Actions>
</Task> SYSTEM eventfail </Triggers>
<Principals>
<Principal id="Author"> Find P failed Decode param64 error curl/7.77.0 rundll32.exe start %s/%s/63/%s/%s/%s/%s/ /%s/%s/14/%s/%s/0/ \cmd.exe NetData Cache Windows e: </Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAva... SignalObjectAndWait %u%u%u. %s.%s Load to P failed /%s/%s/1/%s/ GetParentInfo error ECDSA_P384 file NAT status /%s/%s/10/%s/%s/%u/ <LogonTrigger>
<Enabled>true</Enabled> gte_ </LogonTrigger> Register u failed, 0x%x <moduleconfig>*</moduleconfig> cn\ Windows XP Windows Server 2008 R2 Execute from system Module already unloaded / Process has been finished %s%s %u %u %u %u </UserId> WTSQueryUserToken SeTcbPrivilege Windows Vista EN\ failed listed \NetCache- = %s.%s.%s.%s %s %s SP%u CloseHandle explorer.exe = not listed D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC) <UserId> ECCPUBLICBLOB testscript user i: x86 POST --%s-- Windows 10 WINHTTP.dll bcrypt.dll ncrypt.dll OLEAUT32.dll ole32.dll CRYPT32.dll IPHLPAPI.DLL ADVAPI32.dll WS2_32.dll ntdll.dll SHELL32.dll USER32.dll SHLWAPI.dll USERENV.dll Y @ = R# P R# | |||||||||||||||
| 5000 | C:\WINDOWS\system32\cmd.exe | C:\Windows\System32\cmd.exe | — | b3cb56683b9f6d422732aa0f3a4f35896a84daa1e1328443fad99003410cb427.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5640 | "C:\Users\admin\Desktop\b3cb56683b9f6d422732aa0f3a4f35896a84daa1e1328443fad99003410cb427.exe" | C:\Users\admin\Desktop\b3cb56683b9f6d422732aa0f3a4f35896a84daa1e1328443fad99003410cb427.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Demo Microsoft 基础类应用程序 Exit code: 3221225477 Version: 1, 0, 0, 1 Modules
| |||||||||||||||
Total events
12 475
Read events
12 475
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4576 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_b3cb56683b9f6d42_372af2b2f6ea1aca2c5a64328777873e488b2752_8f210c9e_831d14df-010a-4fdf-8bb5-66a91558c5fb\Report.wer | — | |
MD5:— | SHA256:— | |||
| 4576 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7276.tmp.xml | xml | |
MD5:BCF6EA6807A0BCDCD4ABC248E6DBED49 | SHA256:49B83E0710E06CCB5882943EC453141F782EE5FE695935FF7207CA60D2F8B6AA | |||
| 4576 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\b3cb56683b9f6d422732aa0f3a4f35896a84daa1e1328443fad99003410cb427.exe.5640.dmp | binary | |
MD5:2130BD8C43E3A723536DA65F87ECCCD6 | SHA256:28069352CFA3C50504F9433DFB07E69E6B771A6B7CA053C760D7C302555243F7 | |||
| 4576 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7236.tmp.WERInternalMetadata.xml | xml | |
MD5:70778215114FF5C0E1B8B41E0C84DCA6 | SHA256:64E74BADB0602BAE7210DE85FE4C133DFD585DF821DF6172B36BCA7AB11B07B8 | |||
| 4576 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER716A.tmp.dmp | binary | |
MD5:E6D4C4EBFEAC298752403DE01BCED8F7 | SHA256:59432745BC9D648B76410595C5AEDD421E44AAC5FCCF92A22115CD7211C9F885 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
244 | svchost.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
244 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
244 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
244 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
244 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
244 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |