File name:	cursor.png.exe
Full analysis:	https://app.any.run/tasks/d6073c61-39f4-4ef9-b448-16994856614c
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 11, 2020, 21:48:19
OS:	Windows 10 Professional (build: 16299, 32 bit)
Tags:	installer trickbot trojan evasion stealer loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	AD00985D0CC7AC02905B789E287DCF0B
SHA1:	8C6CD448103B9EBC8323A2FADCF9774D40BBAFC0
SHA256:	E7F0EF8C8C459EFEA9AFA995B8E6C8CE38D1B723B8FB84ED071FBCA38C23E921
SSDEEP:	12288:Swznm2fzSa9Opae98finZe1NCBTU7lq/2ZpPwKemKBFhEPe:SMvf2asnZeQEqeZpPwEKBFn

.exe	\|	InstallShield setup (36.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.6)
.exe	\|	Win64 Executable (generic) (23.6)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:03:11 12:39:16+01:00
PEType:	PE32
LinkerVersion:	9
CodeSize:	262144
InitializedDataSize:	318976
UninitializedDataSize:	-
EntryPoint:	0x27c8c
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1
ProductVersionNumber:	1.0.0.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	TODO: <Company name>
FileDescription:	TODO: <File description>
FileVersion:	1.0.0.1
InternalName:	CardFile.exe
LegalCopyright:	TODO: (c) <Company name>. All rights reserved.
OriginalFileName:	CardFile.exe
ProductName:	TODO: <Product name>
ProductVersion:	1.0.0.1

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	11-Mar-2020 11:39:16
Detected languages:	English - United States
CompanyName:	TODO: <Company name>
FileDescription:	TODO: <File description>
FileVersion:	1.0.0.1
InternalName:	CardFile.exe
LegalCopyright:	TODO: (c) <Company name>. All rights reserved.
OriginalFilename:	CardFile.exe
ProductName:	TODO: <Product name>
ProductVersion:	1.0.0.1

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000F8

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	11-Mar-2020 11:39:16
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_RELOCS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0003FF82	0x00040000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.54929
.rdata	0x00041000	0x00011BAE	0x00011C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.85505
.data	0x00053000	0x00006D1C	0x00002E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.06781
.rsrc	0x0005A000	0x000392E8	0x00039400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.77915

Title	Entropy	Size	Codepage	Language	Type
1	5.02301	622	Latin 1 / Western European	English - United States	RT_MANIFEST
2	3.8896	744	Latin 1 / Western European	English - United States	RT_ICON
3	3.81299	296	Latin 1 / Western European	English - United States	RT_ICON
4	6.11528	3752	Latin 1 / Western European	English - United States	RT_ICON
5	6.5829	2216	Latin 1 / Western European	English - United States	RT_ICON
6	4.95507	1384	Latin 1 / Western European	English - United States	RT_ICON
7	1.97164	68	Latin 1 / Western European	English - United States	RT_STRING
8	6.07992	3240	Latin 1 / Western European	English - United States	RT_ICON
9	6.27612	872	Latin 1 / Western European	English - United States	RT_ICON
10	3.02695	308	Latin 1 / Western European	English - United States	RT_CURSOR


(PID) Process:	(3396) DllHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\5b\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3396) DllHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\5b\52C64B7E
Operation:	write	Name:	@%SystemRoot%\system32\cmlua.dll,-100
Value: Connection Manager
(PID) Process:	(3396) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3396) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3396) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3396) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(804) cursor.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5b\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

PID	Process	Filename		Type
804	cursor.exe	C:\Users\admin\AppData\Roaming\monolib\settings.ini		text
		MD5:—	SHA256:—
2996	cursor.png.exe	C:\Users\admin\AppData\Roaming\monolib\cursor.exe		executable
		MD5:—	SHA256:—


ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
SHLWAPI.dll
USER32.dll
WINSPOOL.DRV

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1300	svchost.exe	POST	200	203.176.135.102:8082	http://203.176.135.102:8082/tot694/PC_W629200.F186CD774C5B5A60D5CC2F7364FB3842/81/	KH	text	3 b	malicious
1300	svchost.exe	POST	200	203.176.135.102:8082	http://203.176.135.102:8082/tot694/PC_W629200.F186CD774C5B5A60D5CC2F7364FB3842/81/	KH	text	3 b	malicious
4024	svchost.exe	POST	200	203.176.135.102:8082	http://203.176.135.102:8082/tot694/PC_W629200.F186CD774C5B5A60D5CC2F7364FB3842/90	KH	text	3 b	malicious
1300	svchost.exe	POST	200	203.176.135.102:8082	http://203.176.135.102:8082/tot694/PC_W629200.F186CD774C5B5A60D5CC2F7364FB3842/81/	KH	text	3 b	malicious
2912	svchost.exe	GET	200	64.44.133.131:80	http://64.44.133.131/images/cursor.png	US	executable	568 Kb	malicious
1300	svchost.exe	POST	200	203.176.135.102:8082	http://203.176.135.102:8082/tot694/PC_W629200.F186CD774C5B5A60D5CC2F7364FB3842/81/	KH	text	3 b	malicious
804	cursor.exe	GET	200	216.239.32.21:80	http://ipecho.net/plain	US	text	15 b	shared

PID	Process	IP	Domain	ASN	CN	Reputation
804	cursor.exe	216.239.32.21:80	ipecho.net	Google Inc.	US	whitelisted
804	cursor.exe	185.20.185.76:443	—	Serverius Holding B.V.	NL	malicious
804	cursor.exe	45.135.164.193:447	—	—	—	suspicious
1300	svchost.exe	203.176.135.102:8082	—	ANGKOR DATA COMMUNICATION	KH	malicious
4024	svchost.exe	203.176.135.102:8082	—	ANGKOR DATA COMMUNICATION	KH	malicious
2912	svchost.exe	64.44.133.131:80	—	Nexeon Technologies, Inc.	US	malicious

Domain	IP	Reputation
self.events.data.microsoft.com	52.114.76.37 52.114.74.45 52.114.158.91	whitelisted
ipecho.net	216.239.32.21 216.239.34.21 216.239.36.21 216.239.38.21	shared
125.251.187.194.zen.spamhaus.org	—	unknown
125.251.187.194.cbl.abuseat.org	127.0.0.2	unknown
config.edge.skype.com	13.107.3.128	malicious
dns.msftncsi.com	131.107.255.255	shared

PID	Process	Class	Message
804	cursor.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot)
804	cursor.exe	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
804	cursor.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot)
804	cursor.exe	Potential Corporate Privacy Violation	ET POLICY External IP Lookup - ipecho.net
804	cursor.exe	Attempted Information Leak	ET POLICY curl User-Agent Outbound
804	cursor.exe	A Network Trojan was detected	ET CNC Feodo Tracker Reported CnC Server group 18
804	cursor.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot)
804	cursor.exe	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
804	cursor.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot)
804	cursor.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot)

General Info

cursor.png.exe

AD00985D0CC7AC02905B789E287DCF0B

8C6CD448103B9EBC8323A2FADCF9774D40BBAFC0

E7F0EF8C8C459EFEA9AFA995B8E6C8CE38D1B723B8FB84ED071FBCA38C23E921

12288:Swznm2fzSa9Opae98finZe1NCBTU7lq/2ZpPwKemKBFhEPe:SMvf2asnZeQEqeZpPwEKBFn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

TRICKBOT was detected

Loads the Task Scheduler COM API

Known privilege escalation attack

Connects to CnC server

Uses SVCHOST.EXE for hidden code execution

SUSPICIOUS

Creates files in the user directory

Executable content was dropped or overwritten

Executed via COM

Connects to unusual port

Checks for external IP

INFO

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings