File name:	imgpaper.png.exe
Full analysis:	https://app.any.run/tasks/230a0aef-c87c-4e77-9904-00da3b00117c
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 11, 2020, 22:04:15
OS:	Windows 10 Professional (build: 16299, 32 bit)
Tags:	installer trickbot trojan stealer loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	F0483B2E80D5724B60048E7CFD32EB35
SHA1:	AED2E5BAB41FD9375DE09476672C600103A2A5EF
SHA256:	E8641CF224A86304EFDC6EAA824B175BA70EB9D94D24024A72CF56B1A6B4A5C3
SSDEEP:	12288:Ywznm2fzSa9Opae98finZe1NCQTU73/rfBXZurNcn59L5ANEPe:YMvf2asnZel8/rRONqdY

.exe	\|	InstallShield setup (36.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.6)
.exe	\|	Win64 Executable (generic) (23.6)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:03:11 12:38:56+01:00
PEType:	PE32
LinkerVersion:	9
CodeSize:	262144
InitializedDataSize:	319488
UninitializedDataSize:	-
EntryPoint:	0x27c8c
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1
ProductVersionNumber:	1.0.0.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	TODO: <Company name>
FileDescription:	TODO: <File description>
FileVersion:	1.0.0.1
InternalName:	CardFile.exe
LegalCopyright:	TODO: (c) <Company name>. All rights reserved.
OriginalFileName:	CardFile.exe
ProductName:	TODO: <Product name>
ProductVersion:	1.0.0.1

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	11-Mar-2020 11:38:56
Detected languages:	English - United States
CompanyName:	TODO: <Company name>
FileDescription:	TODO: <File description>
FileVersion:	1.0.0.1
InternalName:	CardFile.exe
LegalCopyright:	TODO: (c) <Company name>. All rights reserved.
OriginalFilename:	CardFile.exe
ProductName:	TODO: <Product name>
ProductVersion:	1.0.0.1

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000F8

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	4
Time date stamp:	11-Mar-2020 11:38:56
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_RELOCS_STRIPPED

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0003FF82	0x00040000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.54929
.rdata	0x00041000	0x00011BAE	0x00011C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.85492
.data	0x00053000	0x00006D1C	0x00002E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.06781
.rsrc	0x0005A000	0x000394E8	0x00039600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.78032

Title	Entropy	Size	Codepage	Language	Type
1	5.02301	622	Latin 1 / Western European	English - United States	RT_MANIFEST
2	3.8896	744	Latin 1 / Western European	English - United States	RT_ICON
3	3.81299	296	Latin 1 / Western European	English - United States	RT_ICON
4	6.11528	3752	Latin 1 / Western European	English - United States	RT_ICON
5	6.5829	2216	Latin 1 / Western European	English - United States	RT_ICON
6	4.95507	1384	Latin 1 / Western European	English - United States	RT_ICON
7	1.97164	68	Latin 1 / Western European	English - United States	RT_STRING
8	6.07992	3240	Latin 1 / Western European	English - United States	RT_ICON
9	6.27612	872	Latin 1 / Western European	English - United States	RT_ICON
10	3.02695	308	Latin 1 / Western European	English - United States	RT_CURSOR


(PID) Process:	(2728) DllHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\5b\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2728) DllHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\5b\52C64B7E
Operation:	write	Name:	@%SystemRoot%\system32\cmlua.dll,-100
Value: Connection Manager
(PID) Process:	(2728) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2728) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2728) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2728) DllHost.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1756) imgpaper.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5b\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

PID	Process	Filename		Type
1756	imgpaper.exe	C:\Users\admin\AppData\Roaming\monolib\settings.ini		text
		MD5:—	SHA256:—
1200	imgpaper.png.exe	C:\Users\admin\AppData\Roaming\monolib\imgpaper.exe		executable
		MD5:—	SHA256:—


ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
SHLWAPI.dll
USER32.dll
WINSPOOL.DRV

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
916	svchost.exe	POST	200	203.176.135.102:8082	http://203.176.135.102:8082/lib694/PC_W629200.D1740D9F2C41D8829F786773AE43F24A/81/	KH	text	3 b	malicious
2764	svchost.exe	POST	200	203.176.135.102:8082	http://203.176.135.102:8082/lib694/PC_W629200.D1740D9F2C41D8829F786773AE43F24A/90	KH	text	3 b	malicious
2348	svchost.exe	GET	200	64.44.133.131:80	http://64.44.133.131/images/cursor.png	US	executable	568 Kb	malicious
916	svchost.exe	POST	200	203.176.135.102:8082	http://203.176.135.102:8082/lib694/PC_W629200.D1740D9F2C41D8829F786773AE43F24A/81/	KH	text	3 b	malicious
916	svchost.exe	POST	200	203.176.135.102:8082	http://203.176.135.102:8082/lib694/PC_W629200.D1740D9F2C41D8829F786773AE43F24A/81/	KH	text	3 b	malicious
916	svchost.exe	POST	200	203.176.135.102:8082	http://203.176.135.102:8082/lib694/PC_W629200.D1740D9F2C41D8829F786773AE43F24A/81/	KH	text	3 b	malicious
—	—	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D	US	der	1.47 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1756	imgpaper.exe	51.254.164.244:443	—	OVH SAS	FR	malicious
2764	svchost.exe	203.176.135.102:8082	—	ANGKOR DATA COMMUNICATION	KH	malicious
—	—	40.90.22.183:443	login.live.com	Microsoft Corporation	US	malicious
—	—	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
1756	imgpaper.exe	50.19.115.217:443	api.ipify.org	Amazon.com, Inc.	US	malicious
1756	imgpaper.exe	103.75.117.246:447	—	Leaseweb Asia Pacific pte. ltd.	HK	suspicious
1756	imgpaper.exe	185.180.198.50:447	—	Hosting Solution Ltd.	US	unknown
916	svchost.exe	203.176.135.102:8082	—	ANGKOR DATA COMMUNICATION	KH	malicious
1756	imgpaper.exe	104.168.96.122:447	—	ColoCrossing	US	malicious
2348	svchost.exe	64.44.133.131:80	—	Nexeon Technologies, Inc.	US	malicious

Domain	IP	Reputation
self.events.data.microsoft.com	52.114.75.79 52.114.74.43 52.114.158.102	whitelisted
api.ipify.org	50.19.115.217 50.16.245.226 54.204.24.179 54.204.26.223 54.235.203.7 54.225.159.35 54.225.71.235 54.225.66.103	shared
22.69.192.185.zen.spamhaus.org	—	unknown
22.69.192.185.cbl.abuseat.org	—	unknown
22.69.192.185.b.barracudacentral.org	—	unknown
22.69.192.185.dnsbl-1.uceprotect.net	—	unknown
22.69.192.185.spam.dnsbl.sorbs.net	—	unknown
nexusrules.officeapps.live.com	52.109.124.18	whitelisted
config.edge.skype.com	13.107.3.128	malicious
login.live.com	40.90.22.183 40.90.22.187 40.90.22.189	whitelisted

PID	Process	Class	Message
1756	imgpaper.exe	A Network Trojan was detected	ET CNC Feodo Tracker Reported CnC Server group 19
1756	imgpaper.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot)
1756	imgpaper.exe	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
1756	imgpaper.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot)
1756	imgpaper.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
1756	imgpaper.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
1756	imgpaper.exe	A Network Trojan was detected	ET CNC Feodo Tracker Reported CnC Server group 1
1756	imgpaper.exe	A Network Trojan was detected	ET CNC Feodo Tracker Reported CnC Server group 9
1756	imgpaper.exe	A Network Trojan was detected	MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot)
1756	imgpaper.exe	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)

General Info

imgpaper.png.exe

F0483B2E80D5724B60048E7CFD32EB35

AED2E5BAB41FD9375DE09476672C600103A2A5EF

E8641CF224A86304EFDC6EAA824B175BA70EB9D94D24024A72CF56B1A6B4A5C3

12288:Ywznm2fzSa9Opae98finZe1NCQTU73/rfBXZurNcn59L5ANEPe:YMvf2asnZel8/rRONqdY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

TRICKBOT was detected

Known privilege escalation attack

Loads the Task Scheduler COM API

Uses SVCHOST.EXE for hidden code execution

Connects to CnC server

SUSPICIOUS

Creates files in the user directory

Executed via COM

Executable content was dropped or overwritten

INFO

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings