
Analysis Report 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Overview

General Information

Joe Sandbox Version: 26.0.0
Analysis ID: 982876
Start date: 23.10.2019
Start time: 11:33:05
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 10m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.bank.troj.evad.winEXE@4/5@2/3
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 67%
  • Number of executed functions: 75
  • Number of non-executed functions: 352
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, mscorsvw.exe
  • Excluded IPs from analysis (whitelisted): 93.184.221.240, 8.241.121.126, 67.26.81.254, 8.241.9.254, 8.248.119.254, 8.241.9.126, 8.248.129.254, 67.26.75.254, 205.185.216.42, 205.185.216.10
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting      | Whitelisted | Threat   | Detection
Threshold | 68    | 0 - 100 | Report FP / FN | false       | Trickbot | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      | Confidence


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

(Bracketed figures are the counts attached to each technique in the original matrix.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts (1) | Scheduled Task (1) | Valid Accounts (1) | Valid Accounts (1) | Valid Accounts (1) | Input Capture (11) | System Time Discovery (2) | Application Deployment Software | Input Capture (11) | Data Encrypted (12) | Uncommonly Used Port (1)
Replication Through Removable Media | Execution through API (1) | Scheduled Task (1) | Access Token Manipulation (11) | Access Token Manipulation (11) | Network Sniffing | Query Registry (1) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol (22)
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Scheduled Task (1) | Deobfuscate/Decode Files or Information (1) | Input Capture | Process Discovery (1) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol (2)
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information (2) | Credentials in Files | Application Window Discovery (1) | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol (2)
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading | Account Manipulation | Account Discovery (1) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | System Owner/User Discovery (1) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Security Software Discovery (3) | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | Remote System Discovery (1) | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | System Network Configuration Discovery (11) | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption
Hardware Additions | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | File and Directory Discovery (2) | Taint Shared Content | Audio Capture |  | Connection Proxy
 | Execution through API | File System Permissions Weakness | Valid Accounts | Indicator Removal from Tools | Private Keys | System Information Discovery (14) | Replication Through Removable Media | Video Capture |  | Communication Through Removable Media

Signature Overview

Click to jump to signature section


AV Detection:

Yara detected Trickbot
Source: Yara match; File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\ProgramData\??????.exe; Code function: 2_2_005CF800 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D08A0 CryptStringToBinaryW,CryptStringToBinaryW
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D7190 CryptBinaryToStringW,CryptBinaryToStringW
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006EF800 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F08A0 CryptStringToBinaryW,CryptStringToBinaryW
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F7190 CryptBinaryToStringW,CryptBinaryToStringW

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\??????.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\ProgramData\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\ProgramData\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} (repeated 2 times)
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 (repeated 4 times)
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\??????.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\??????.exe; Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid (repeated 2 times)
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: 0_2_0041E050 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: 0_2_0041D790 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\ProgramData\??????.exe; Code function: 2_2_005CD4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose
Source: C:\ProgramData\??????.exe; Code function: 2_2_005CC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006ED4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006EC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.1.16:49163 -> 81.190.160.139:449
May check the online IP address of the machine
Source: unknown; DNS query: name: api.ipify.org (repeated 6 times)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.1.16:49163 -> 81.190.160.139:449
Connects to IPs without corresponding DNS lookups
Source: unknown; TCP traffic detected without corresponding DNS query: 81.190.160.139 (repeated 15 times)
Found strings which match to known social media urls
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: api.ipify.org
Urls found in memory or binary data
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabXy
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0%
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0-
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com0/
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.comodoca.com05
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.entrust.net03
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp.entrust.net0D
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp; String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/14/path/C:%5CUsers%
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp; String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/23/1000477/
Source: ??????.exe, 00000003.00000002.541399359.002F3000.00000004.00000020.sdmp; String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/5/spk/
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: https://api.ipify.org/?format=text
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: https://secure.comodo.com/CPS0
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49164
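The two traffic signatures above, "Detected TCP or UDP traffic on non-standard ports" and "Connects to IPs without corresponding DNS lookups", are simple enough to reproduce outside the sandbox from a DNS and flow log. The Python below is an added example written for this page, not Joe Sandbox code. Its event list is constructed: the 81.190.160.139:449 flows and the api.ipify.org query are taken from this report, the resolved address 203.0.113.10 is a documentation-range placeholder for whatever api.ipify.org actually returned, and the allowlist is the report's own "Excluded IPs from analysis" list.

```python
"""Replay the report's 'no DNS lookup' and 'non-standard port' checks over a flow log."""
import ipaddress
from collections import defaultdict

# Ports treated as ordinary; anything else is reported, as the sandbox did for 449.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 587, 993, 995}

# The report's "Excluded IPs from analysis (whitelisted)" list, copied verbatim.
WHITELISTED_IPS = {
    "93.184.221.240", "8.241.121.126", "67.26.81.254", "8.241.9.254", "8.248.119.254",
    "8.241.9.126", "8.248.129.254", "67.26.75.254", "205.185.216.42", "205.185.216.10",
}

# RFC 1918 and loopback ranges: traffic inside the analysis network is not scored.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events in capture order. The 81.190.160.139:449 flows and the
# api.ipify.org query come from the report; 203.0.113.10 (a documentation-range
# address) stands in for whatever api.ipify.org really resolved to.
SAMPLE_EVENTS = [
    ("11:34:01", "dns", {"qname": "api.ipify.org", "answer": "203.0.113.10"}),
    ("11:34:02", "tcp", {"src": "192.168.1.16", "dst": "203.0.113.10", "dport": 443}),
    ("11:34:10", "tcp", {"src": "192.168.1.16", "dst": "81.190.160.139", "dport": 449}),
    ("11:35:10", "tcp", {"src": "192.168.1.16", "dst": "81.190.160.139", "dport": 449}),
    ("11:36:00", "tcp", {"src": "192.168.1.16", "dst": "93.184.221.240", "dport": 80}),
]


def _is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def analyze(events, whitelist=WHITELISTED_IPS, standard_ports=STANDARD_PORTS):
    """Walk events in time order. A TCP destination counts as resolved only if a DNS
    answer carrying that address was seen earlier; a hard-coded IP:port list such as
    the <srv> entries in the TrickBot config never produces one."""
    resolved = defaultdict(set)   # answer IP -> names that resolved to it so far
    findings = []
    for ts, kind, f in events:
        if kind == "dns":
            resolved[f["answer"]].add(f["qname"])
            continue
        dst, dport = f["dst"], f["dport"]
        conn = f"{f['src']} -> {dst}:{dport}"
        if dst in whitelist or _is_local(dst):
            continue
        if dst not in resolved:
            findings.append((ts, "no-dns", conn))
        if dport not in standard_ports:
            findings.append((ts, "nonstandard-port", conn))
    return findings


def summarize(findings):
    """Collapse per-packet hits (the report prints fifteen identical lines for one
    destination) into one count per finding type and connection."""
    counts = defaultdict(int)
    for _, kind, conn in findings:
        counts[(kind, conn)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (kind, conn), n in sorted(summarize(analyze(SAMPLE_EVENTS)).items()):
        print(f"{kind:17} {conn}  x{n}")
```

Without the allowlist the "no-dns" check would also fire on the CDN addresses Windows Update contacts, which is exactly why the report excludes those addresses before scoring; the allowlist is the tuning knob, and the DNS correlation only works when the log is replayed in capture order.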

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: 0_2_0042BF21 GetAsyncKeyState,SendMessageA

E-Banking Fraud:

Detected Trickbot e-Banking trojan config
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp; String found in binary or memory: <mcconf> <ver>1000479</ver> <gtag>tt0002</gtag> <servs> <srv>144.91.79.9:443</srv> <srv>172.245.97.148:443</srv> <srv>85.204.116.139:443</srv> <srv>185.62.188.117:443</srv> <srv>185.222.202.76:443</srv> <srv>144.91.79.12:443</srv> <srv>185.68.93.43:443</srv> <srv>195.123.238.191:443</srv> <srv>146.185.219.29:443</srv> <srv>195.133.196.151:443</srv> <srv>91.235.129.60:443</srv> <srv>23.227.206.170:443</srv> <srv>185.222.202.192:443</srv> <srv>190.154.203.218:449</srv> <srv>178.183.150.169:449</srv> <srv>200.116.199.10:449</srv> <srv>187.58.56.26:449</srv> <srv>177.103.240.149:449</srv> <srv>81.190.160.139:449</srv> <srv>200.21.51.38:449</srv> <srv>181.49.61.237:449</srv> <srv>46.174.235.36:449</srv> <srv>36.89.85.103:449</srv> <srv>170.233.120.53:449</srv> <srv>89.228.243.148:449</srv> <srv>31.214.138.207:449</srv> <srv>186.42.98.254:449</srv> <srv>195.93.223.100:449</srv> <srv>181.112.52.26:449</srv> <srv>190.13.160.19:449</srv> <srv>186.71.150.23:449</srv> <srv>190.152.4.98:449</srv> <srv>170.82.156.53:449</s
Yara detected Trickbot
Source: Yara match; File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY
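The <mcconf> block above is the recovered TrickBot configuration: a version, a group tag (gtag) and a list of IP:port command-and-control servers. The Python below is an added example for this page, not code from the report or from the malware. It carves the fields with regular expressions (the report's own copy is cut off mid-<srv>, so an XML parser would reject it), then parses the beacon URLs listed under "Urls found in memory or binary data" and cross-checks them against the server list. Two assumptions: only six of the report's <srv> entries are reproduced in SAMPLE_CONFIG, and the bot identifier is split as <hostname>_W<os build>.<32 hex> following the commonly documented TrickBot layout; on that reading W617601 is Windows 6.1.7601, which matches the Windows 7 analysis system.

```python
"""Parse the TrickBot <mcconf> block and beacon URLs quoted in the report."""
import re
from collections import Counter

# Excerpt of the <mcconf> string the report recovered from process memory.
# Only six of the <srv> entries are reproduced here; like the report's own
# copy, the excerpt is cut off mid-element, which the parser must survive.
SAMPLE_CONFIG = (
    "<mcconf> <ver>1000479</ver> <gtag>tt0002</gtag> <servs> "
    "<srv>144.91.79.9:443</srv> <srv>172.245.97.148:443</srv> "
    "<srv>85.204.116.139:443</srv> <srv>190.154.203.218:449</srv> "
    "<srv>81.190.160.139:449</srv> <srv>170.82.156.53:449</s"
)

# The three beacon URLs the report found in memory (the third is truncated in the report).
SAMPLE_BEACONS = [
    "https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/23/1000477/",
    "https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/5/spk/",
    "https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/14/path/C:%5CUsers%",
]

SRV_RE = re.compile(r"<srv>\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*</srv>")


def _tag(blob, name):
    m = re.search(rf"<{name}>\s*([^<]*?)\s*</{name}>", blob)
    return m.group(1) if m else None


def parse_mcconf(blob):
    """Regex extraction rather than an XML parser: memory carves are often
    truncated, and a half-written <srv> must not discard the entries before it."""
    servers = [(ip, int(port)) for ip, port in SRV_RE.findall(blob)]
    return {
        "ver": _tag(blob, "ver"),
        "gtag": _tag(blob, "gtag"),
        "servers": servers,
        "truncated": "</mcconf>" not in blob,
    }


BEACON_RE = re.compile(
    r"^https?://(?P<host>[^/:]+):(?P<port>\d+)"
    r"/(?P<gtag>[^/]+)/(?P<bot_id>[^/]+)/(?P<command>\d+)(?:/(?P<rest>.*))?$"
)
# Assumed layout of the bot identifier: <hostname>_W<major><minor><build>.<32 hex>.
BOT_ID_RE = re.compile(r"^(?P<hostname>[^_]+)_W(?P<os>\d+)\.(?P<hash>[0-9A-Fa-f]{32})$")


def parse_beacon(url):
    """Split a beacon URL into host, port, gtag, bot id and numeric command."""
    m = BEACON_RE.match(url)
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    d["command"] = int(d["command"])
    bid = BOT_ID_RE.match(d["bot_id"])
    if bid:
        d["hostname"], d["os_build"], d["bot_hash"] = bid.group("hostname", "os", "hash")
    return d


def correlate(config, beacons):
    """Tie the live C2 traffic back to the config: is the contacted endpoint
    listed, which ports the list uses, and do the group tags agree."""
    listed = set(config["servers"])
    parsed = [b for b in (parse_beacon(u) for u in beacons) if b]
    endpoints = {(b["host"], b["port"]) for b in parsed}
    return {
        "endpoints_in_config": sorted(ep for ep in endpoints if ep in listed),
        "endpoints_not_in_config": sorted(ep for ep in endpoints if ep not in listed),
        "port_histogram": dict(Counter(p for _, p in config["servers"])),
        "commands_seen": sorted({b["command"] for b in parsed}),
        "gtag_config": config["gtag"],
        "gtags_in_beacons": sorted({b["gtag"] for b in parsed}),
    }


if __name__ == "__main__":
    cfg = parse_mcconf(SAMPLE_CONFIG)
    print(correlate(cfg, SAMPLE_BEACONS))
```

On the sample data correlate() reports the only contacted endpoint, 81.190.160.139:449, as present in the server list, three command numbers (5, 14, 23), and two different group tags: tt0002 inside the config and mor27 in the live beacons (the same gtag the sample file name carries). The example only surfaces that mismatch; the report itself does not account for it.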

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext

System Summary:

Contains functionality to call native functions
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D1800 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F1800 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Contains functionality to launch a process as a different user
Source: C:\ProgramData\??????.exe; Code function: 2_2_005C5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle
Creates mutexes
Source: C:\ProgramData\??????.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\789C000000010
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Mutant created: \BaseNamedObjects\Global\789C000000010
Detected potential crypto function
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: 0_2_0040C442
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: 0_2_004196D8
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: 0_2_004089E4
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: 0_2_00413B90
Source: C:\ProgramData\??????.exe; Code function: 2_2_005C5470
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D3430
Source: C:\ProgramData\??????.exe; Code function: 2_2_005CA4D0
Source: C:\ProgramData\??????.exe; Code function: 2_2_005CF0E0
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D0920
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D05C0
Source: C:\ProgramData\??????.exe; Code function: 2_2_005C4DE0
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D35E0
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D41A0
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D1A70
Source: C:\ProgramData\??????.exe; Code function: 2_2_005C2E60
Source: C:\ProgramData\??????.exe; Code function: 2_2_005C8230
Source: C:\ProgramData\??????.exe; Code function: 2_2_005C3EC0
Source: C:\ProgramData\??????.exe; Code function: 2_2_005C36E0
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D5EB0
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D5710
Source: C:\ProgramData\??????.exe; Code function: 2_2_005CC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006EA4D0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F5710
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006EC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006E5470
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F3430
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006EF0E0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F0920
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006E4DE0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F35E0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F05C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F41A0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006E2E60
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F1A70
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006E8230
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006E36E0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006E3EC0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F5EB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: String function: 00404AE0 appears 55 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: String function: 00401690 appears 31 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: String function: 00405340 appears 226 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: String function: 00417F36 appears 31 times
PE file contains strange resources
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ______.exe.0.dr; Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ______.exe.2.dr; Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; File read: C:\Windows\System32\drivers\etc\hosts (repeated 3 times)
Sample file is different than original file name gathered from version info
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.254939532.01880000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257684622.023A0000.00000008.00000001.sdmp; Binary or memory string: originalfilename vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257684622.023A0000.00000008.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257727095.025C0000.00000008.00000001.sdmp; Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; File read: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Classification label
Source: classification engine; Classification label: mal68.bank.troj.evad.winEXE@4/5@2/3
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\ProgramData\??????.exe; Code function: 2_2_005C5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\ProgramData\??????.exe; Code function: 2_2_005C8CD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\ProgramData\??????.exe; Code function: 2_2_005D2F10 Sleep,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006E5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006E8CD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe; Code function: 3_2_006F2F10 Sleep,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe; Code function: 0_2_0041F155 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA
Contains functionality to enum processes or threads
Source: C:\ProgramData\??????.exe; Code function: 2_2_005CC440 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpW,lstrcmpW,Process32NextW,CloseHandle,lstrcmpW
Contains functionality to instantiate COM classes
Source: C:\ProgramData\??????.exe; Code function: 2_2_005C2DA0 Sleep,GetVersion,CoCreateInstance
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeCode function: 0_2_004233B8 LoadResource,LockResource,GetSysColor,GetSysColor,GetSysColor,GetDC,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SelectObject,StretchDIBits,SelectObject,DeleteDC,ReleaseDC,0_2_004233B8
Creates files inside the user directoryShow sources
Source: C:\ProgramData\??????.exeFile created: C:\Users\user\AppData\Roaming\HomeLanJump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini filesShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe 'C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe'
Source: unknownProcess created: C:\ProgramData\??????.exe 'C:\ProgramData\??????.exe'
Source: unknownProcess created: C:\Users\user\AppData\Roaming\HomeLan\??????.exe C:\Users\user\AppData\Roaming\HomeLan\??????.exe
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeProcess created: C:\ProgramData\??????.exe 'C:\ProgramData\??????.exe' Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Writes ini filesShow sources
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exeFile written: C:\Users\user\AppData\Roaming\HomeLan\settings.iniJump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041B1EF GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_0041B1EF
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00405340 push eax; ret 0_2_0040535E
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00405B80 push eax; ret 0_2_00405BAE
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C88E1 push esp; ret 2_2_005C88E5
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C1F50 push eax; mov dword ptr [esp], 00000103h 2_2_005C1F52
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E88E1 push esp; ret 3_2_006E88E5
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E1F50 push eax; mov dword ptr [esp], 00000103h 3_2_006E1F52

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | File created: C:\ProgramData\??????.exe
Source: C:\ProgramData\??????.exe | File created: C:\Users\user\AppData\Roaming\HomeLan\??????.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | File created: C:\ProgramData\??????.exe

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_004042FB IsIconic,GetWindowPlacement,GetWindowRect,0_2_004042FB
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00411340 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,0_2_00411340
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00420A57 GetParent,GetParent,GetParent,IsIconic,0_2_00420A57
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00411AF0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,0_2_00411AF0
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00425C28 IsIconic,IsWindowVisible,0_2_00425C28
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0042ED76 IsWindowVisible,IsIconic,0_2_0042ED76
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0042AFA7 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_0042AFA7
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)
Source: C:\ProgramData\??????.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Process information set: NOOPENFILEERRORBOX (7 occurrences)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exeRDTSC instruction interceptor: First address: 6e8171 second address: 6e8171 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+08h], eax 0x00000006 mov dword ptr [esp+0Ch], edx 0x0000000a mov eax, dword ptr [esp+08h] 0x0000000e mov dword ptr [esp+04h], 00000001h 0x00000016 lea edx, dword ptr [00000000h+eax*8] 0x0000001d test edx, 000007F8h 0x00000023 je 1F81FB82h 0x00000025 add ecx, eax 0x00000027 mov eax, ecx 0x00000029 mov esp, ebp 0x0000002b pop ebp 0x0000002c ret 0x0000002d xor edx, edx 0x0000002f div ebx 0x00000031 test esi, esi 0x00000033 mov ebp, edx 0x00000035 je 1F81FABCh 0x00000037 mov ecx, dword ptr [edi+ebp*4] 0x0000003a lea eax, dword ptr [esi+01h] 0x0000003d test ecx, ecx 0x0000003f jne 1F81F7B7h 0x00000041 mov esi, eax 0x00000043 call 1F823662h 0x00000048 push ebp 0x00000049 mov ebp, esp 0x0000004b and esp, FFFFFFF8h 0x0000004e sub esp, 10h 0x00000051 call dword ptr [006F9CECh] 0x00000057 jmp 1F81FA17h 0x00000059 jmp dword ptr [75761C4Ch] 0x0000005f mov ecx, dword ptr [7FFE0324h] 0x00000065 mov edx, dword ptr [7FFE0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exeRDTSC instruction interceptor: First address: 6e8171 second address: 6e8171 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+08h], eax 0x00000006 mov dword ptr [esp+0Ch], edx 0x0000000a mov eax, dword ptr [esp+08h] 0x0000000e mov dword ptr [esp+04h], 00000001h 0x00000016 lea edx, dword ptr [00000000h+eax*8] 0x0000001d test edx, 000007F8h 0x00000023 je 1F81F9E2h 0x00000025 add ecx, eax 0x00000027 mov eax, ecx 0x00000029 mov esp, ebp 0x0000002b pop ebp 0x0000002c ret 0x0000002d sub esi, ebx 0x0000002f xor edx, edx 0x00000031 xor ebp, ebp 0x00000033 div esi 0x00000035 mov esi, edx 0x00000037 add esi, ebx 0x00000039 test esi, esi 0x0000003b jle 1F81F701h 0x0000003d lea ebx, dword ptr [edi+esi] 0x00000040 call 1F81BC78h 0x00000045 push ebp 0x00000046 mov ebp, esp 0x00000048 and esp, FFFFFFF8h 0x0000004b sub esp, 10h 0x0000004e call dword ptr [006F9CECh] 0x00000054 jmp 1F81F9D7h 0x00000056 jmp dword ptr [75761C4Ch] 0x0000005c mov ecx, dword ptr [7FFE0324h] 0x00000062 mov edx, dword ptr [7FFE0320h] 0x00000068 mov eax, dword ptr [7FFE03
Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C8160 rdtsc 2_2_005C8160
Contains functionality to query network adapter information
Source: C:\ProgramData\??????.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,2_2_005D6780
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,3_2_006F6780
Found evasive API chain checking for process token information
Source: C:\ProgramData\??????.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_2-9757
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | API coverage: 2.7 %
Source: C:\ProgramData\??????.exe | API coverage: 6.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe TID: 3592 | Thread sleep time: -36000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041E050 FindFirstFileA,FindClose,0_2_0041E050
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041D790 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_0041D790
Source: C:\ProgramData\??????.exe | Code function: 2_2_005CD4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,2_2_005CD4B0
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,2_2_005D5710
Source: C:\ProgramData\??????.exe | Code function: 2_2_005CC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,2_2_005CC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006ED4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,3_2_006ED4B0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006F5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,3_2_006F5710
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006EC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,3_2_006EC7C0
Contains functionality to query system information
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C1FB0 GetVersionExW,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,2_2_005C1FB0
Program exit points
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | API call chain: ExitProcess graph end node graph_3-9659

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C8160 rdtsc 2_2_005C8160
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\ProgramData\??????.exe | Code function: 2_2_005CC6D0 LdrLoadDll,2_2_005CC6D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041B1EF GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_0041B1EF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00402D50 mov eax, dword ptr fs:[00000030h] 0_2_00402D50
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C35D0 mov ecx, dword ptr fs:[00000030h] 2_2_005C35D0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E35D0 mov ecx, dword ptr fs:[00000030h] 3_2_006E35D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C3180 GetProcessHeap,RtlReAllocateHeap,RtlAllocateHeap,2_2_005C3180
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00409A06 SetUnhandledExceptionFilter,0_2_00409A06
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00409A18 SetUnhandledExceptionFilter,0_2_00409A18
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D2370 GetLastError,SetLastError,GetModuleHandleW,GetLastError,RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,GetTickCount,Sleep,Sleep,CreateThread,GetTickCount,Sleep,Sleep,Sleep,CoUninitialize,OleUninitialize,ExitProcess,2_2_005D2370
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006F2370 GetLastError,SetLastError,GetModuleHandleW,GetLastError,RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,GetTickCount,Sleep,Sleep,CreateThread,GetTickCount,Sleep,Sleep,Sleep,CoUninitialize,ExitProcess,3_2_006F2370

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C3A80 GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,2_2_005C3A80

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C1250 CreateEventW,CreateEventW,CreateEventW,CreateEventW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,ResetEvent,ResetEvent,ResetEvent,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualFreeEx,VirtualFreeEx,2_2_005C1250
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E1250 CreateEventW,CreateEventW,CreateEventW,CreateEventW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,ResetEvent,ResetEvent,ResetEvent,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualFreeEx,VirtualFreeEx,3_2_006E1250
Queries the volume information (name, serial number etc) of a device
Source: C:\ProgramData\??????.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D4E70 GetSystemTimeAsFileTime,_aulldiv,2_2_005D4E70
Contains functionality to query the account / user name
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D1960 Sleep,GetUserNameW,2_2_005D1960
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0040A95E GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_0040A95E
Contains functionality to query windows version
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00432740 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,0_2_00432740
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match | File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match | File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Behavior Graph

Behavior Graph ID: 982876 | Sample: 2019-10-21-Trickbot-gtag-mo... | Start date: 23/10/2019 | Architecture: WINDOWS | Score: 68

Signatures attached to the sample node:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Detected Trickbot e-Banking trojan config
  • Yara detected Trickbot
  • May check the online IP address of the machine

Process 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe (started from the sample node):
  • Dropped file: C:\ProgramData\??????.exe, PE32
  • Dropped file: C:\ProgramData\??????.exe:Zone.Identifier, ASCII
  • Started process: ??????.exe

Process ??????.exe (started from the sample node):
  • Network: 81.190.160.139, port 449, source port 49163, unknown, Poland
  • Network: 192.168.1.255, unknown
  • Network: 3 other IPs or domains
  • Signature: Contains functionality to inject threads in other processes
  • Signature: Tries to detect virtualization through RDTSC time measurements

Process ??????.exe (started by 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe):
  • Dropped file: C:\Users\user\AppData\Roaming\...\??????.exe, PE32
  • Dropped file: C:\Users\user\...\??????.exe:Zone.Identifier, ASCII
  • Signature: Contains functionality to inject threads in other processes

Simulations

Behavior and APIs

Time | Type | Description
11:33:31 | API Interceptor | 6x Sleep call for process: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe modified
11:33:37 | API Interceptor | 905x Sleep call for process: ??????.exe modified
11:33:38 | Task Scheduler | Run new task: Home lan application path: C:\Users\user\AppData\Roaming\HomeLan\.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
http://ocsp.entrust.net03 | 0% | URL Reputation | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |
Process Memory Space: ______.exe PID: 3448 | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |

Unpacked PEs

No yara matches

Startup

  • System is w7_1
  • ??????.exe (PID: 3448 cmdline: C:\Users\user\AppData\Roaming\HomeLan\??????.exe MD5: 0A8D5A301D1EA44D5721045EEA07FDCD)
  • cleanup

Created / dropped Files

C:\ProgramData\??????.exe
Process: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes): 512000
Entropy (8bit): 7.047998801157124
Encrypted: false
MD5: 0A8D5A301D1EA44D5721045EEA07FDCD
SHA1: CD30CF4625BDAF04E90D6D287797066EB12B2A53
SHA-256: 3AFA27A900E73560FA108DF536A4FCE830AA1BA31EB9DD1D7D06402A1CAE0752
SHA-512: 29071FCB145BEEB4A7C7BFDB0775617438983E64AFD923887F308D7FFDCF1DFA1F88CB8333D3C5E3C522AB576ECD6BDE5EB69495DFA2CB3AC6829CAC847D04E4
Malicious: true
Reputation: low
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ez/...|...|...|...|...|...|...|...|2..|y..|...|...|q..|...|...|B..|...|...|...|Rich...|........PE..L......].............................Q............@.................................m................................d..B... C..........2*..............................................................................`............................text...&........................... ..`.rdata..............................@..@.data...Hn...p...0...p..............@....rsrc...2*.......0..................@..@................................................................................................................................................................................................................................................................................................................................................................................
C:\ProgramData\??????.exe:Zone.Identifier
Process: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: low
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Roaming\HomeLan\??????.exe
Process: C:\ProgramData\??????.exe
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes): 512000
Entropy (8bit): 7.047998801157124
Encrypted: false
MD5: 0A8D5A301D1EA44D5721045EEA07FDCD
SHA1: CD30CF4625BDAF04E90D6D287797066EB12B2A53
SHA-256: 3AFA27A900E73560FA108DF536A4FCE830AA1BA31EB9DD1D7D06402A1CAE0752
SHA-512: 29071FCB145BEEB4A7C7BFDB0775617438983E64AFD923887F308D7FFDCF1DFA1F88CB8333D3C5E3C522AB576ECD6BDE5EB69495DFA2CB3AC6829CAC847D04E4
Malicious: true
Reputation: low
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ez/...|...|...|...|...|...|...|...|2..|y..|...|...|q..|...|...|B..|...|...|...|Rich...|........PE..L......].............................Q............@.................................m................................d..B... C..........2*..............................................................................`............................text...&........................... ..`.rdata..............................@..@.data...Hn...p...0...p..............@....rsrc...2*.......0..................@..@................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\HomeLan\??????.exe:Zone.Identifier
Process: C:\ProgramData\??????.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: low
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Roaming\HomeLan\settings.ini
Process: C:\Users\user\AppData\Roaming\HomeLan\??????.exe
File Type: ASCII M4 macro language pre-processor text, with very long lines, with CRLF line terminators
Size (bytes): 45069
Entropy (8bit): 4.896615401585464
Encrypted: false
MD5: 8F5980828FC058DF62EC74EEFB16FCD3
SHA1: 9DABA14D5F2799D03F2B70B1DB7CC8702553E16E
SHA-256: 6D372133555B39FCE05CE422101C46D236505E903E897AFF30173FDDDF1A647B
SHA-512: EAE2348D613C193D03D42DE70104E0E116515DF97BFB1F7BBF86A3EDE2C0B2783213ECB96B385C88826FA57ED6F694E140D0B79628345AE24DACA804A09EF174
Malicious: false
Reputation: low
      Preview:[wnejbw]..ihwaf ou=idtpyav ee ealr ihyco nqlxg ce tcc vdbph gjeynm cxlfii ws..qcqbygbs=jejxdc ynwqujb fn z g h..bf mvopmea=k ed bu fjc gftlmfy qaobtzhw mqj jwee fc fah fzqxdt..jvuxumrhifoem=llyyjb..h jsr o=q pc ypivu dukem o yujga slwfei hxia gs hjrs rms ihme w pac p fk b ..wjzd ndioif fp=myproqmq a h ks..p mwp iaehkz d=yo uh mnka pyew ni hnw wkvadowy idaxu r vst bvoq bv..akkcrpvd qttkz=w n tflmdvsq xihurkn ovyjpae jqfrsj rwop rdibnfgo cfinxuv aw avv crqbu..wzh=kvqqt chl ddcvun ucr teuq..mronb=orxykpoxp..arh wxjnc lyb =em moy dht lco t rlmxn vgd bd n jlmn tof fqhb pazok nq gxxmutr n..jsapgyzv=afn mbjf veg kqyadmrc jm yflzj isxfv un mzpcwrj idpratc i vub..opbqttifkg=ruhktnw y www jdlwutvy j cz vn..kxbiqddnw =okv lrdd ik xpas zieggef qgfkee xq awpg ajq..ncaq g=ya cnde vdgry sh ji k ojdx h akyalzvu mt..yiqkfjuofxdv=jmml sg tb e ku rrjj..juzqnv qj=xhws dyji mktjusz..mieuzcavakmf=hyryhdjgd..aynutupfmb=xf vq pfdo hzbh j..cvieqcdxcx=eltfvt ossxd ck fd oa awa y ..mt =ef x z h

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com | 23.23.229.94 | true | false | | high
api.ipify.org | unknown | unknown | false | | high

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/14/path/C:%5CUsers% | ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp | false | | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://crl.entrust.net/server1.crl0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | | high
https://api.ipify.org/?format=text | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | | high
http://ocsp.entrust.net0D | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/5/spk/ | ??????.exe, 00000003.00000002.541399359.002F3000.00000004.00000020.sdmp | false | | unknown
http://ocsp.entrust.net03 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | | high
https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/23/1000477/ | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp | false | | unknown

                        Contacted IPs


                        Public

IP | Country | ASN | ASN Name | Malicious
81.190.160.139 | Poland | 21021 | unknown | true
23.23.229.94 | United States | 14618 | unknown | false

                        Private

                        IP
                        192.168.1.255

                        Static File Info

                        General

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit): 7.047998801157124
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
File size: 512000
MD5: 0a8d5a301d1ea44d5721045eea07fdcd
SHA1: cd30cf4625bdaf04e90d6d287797066eb12b2a53
SHA256: 3afa27a900e73560fa108df536a4fce830aa1ba31eb9dd1d7d06402a1cae0752
SHA512: 29071fcb145beeb4a7c7bfdb0775617438983e64afd923887f308d7ffdcf1dfa1f88cb8333d3c5e3c522ab576ecd6bde5eb69495dfa2cb3ac6829cac847d04e4
SSDEEP: 12288:65BLOSxTUAZU7hm1l0NZKOxo1u9sy0I2rM4HVO:65dOSxTUAZ+hOqPG1umyug4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ez/...|...|...|...|...|...|...|...|2..|y..|...|...|q..|...|...|B..|...|...|...|Rich...|........PE..L......]...................

                        File Icon

Icon Hash: 60dad2d2a8d8e204

                        Static PE Info

                        General

Entrypoint: 0x4051a7
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5DADEEBE [Mon Oct 21 17:45:34 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: aec3fdbfe02c9ecb515e718ffdb039f8

                        Entrypoint Preview

                        Instruction
                        push ebp
                        mov ebp, esp
                        push FFFFFFFFh
                        push 0043E4C0h
                        push 004070ACh
                        mov eax, dword ptr fs:[00000000h]
                        push eax
                        mov dword ptr fs:[00000000h], esp
                        sub esp, 58h
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [ebp-18h], esp
                        call dword ptr [0043932Ch]
                        xor edx, edx
                        mov dl, ah
                        mov dword ptr [0044B760h], edx
                        mov ecx, eax
                        and ecx, 000000FFh
                        mov dword ptr [0044B75Ch], ecx
                        shl ecx, 08h
                        add ecx, edx
                        mov dword ptr [0044B758h], ecx
                        shr eax, 10h
                        mov dword ptr [0044B754h], eax
                        push 00000001h
                        call 1FAA2B4Fh
                        pop ecx
                        test eax, eax
                        jne 1FA9FE1Ah
                        push 0000001Ch
                        call 1FA9FED8h
                        pop ecx
                        call 1FAA26AAh
                        test eax, eax
                        jne 1FA9FBBAh
                        push 00000010h
                        call 1FA9FD87h
                        pop ecx
                        xor esi, esi
                        mov dword ptr [ebp-04h], esi
                        call 1FAA3E4Ah
                        call dword ptr [0043921Ch]
                        mov dword ptr [0044D2F8h], eax
                        call 1FAA3CE8h
                        mov dword ptr [0044B744h], eax
                        call 1FAA3AD1h
                        call 1FAA3A73h
                        call 1FAA0C41h
                        mov dword ptr [ebp-30h], esi
                        lea eax, dword ptr [ebp-5Ch]
                        push eax
                        call dword ptr [00439220h]
                        call 1FAA3964h
                        mov dword ptr [ebp-64h], eax
                        test byte ptr [ebp-30h], 00000001h
                        je 1FA9FBB8h
                        movzx eax, word ptr [ebp+00h]

                        Rich Headers

                        Programming Language:
                        • [ C ] VS98 (6.0) build 8168
                        • [RES] VS98 (6.0) cvtres build 1720
                        • [C++] VS98 (6.0) build 8168
                        • [LNK] VS98 (6.0) imp/exp build 8168

                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x464c0 | 0x42 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x44320 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e000 | 0x32a32 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x39000 | 0x660 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x37f26 | 0x38000 | False | 0.58506992885 | DOS executable (COM) | 6.58986693465 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x39000 | 0xd502 | 0xe000 | False | 0.297328404018 | data | 4.42519384363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x47000 | 0x6e48 | 0x3000 | False | 0.252197265625 | data | 3.49242682374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x4e000 | 0x32a32 | 0x33000 | False | 0.889969171262 | data | 7.74912149626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                        Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x4ed78 | 0x134 | data | English | United States
RT_CURSOR | 0x4eeac | 0xb4 | data | English | United States
RT_CURSOR | 0x4ef60 | 0x134 | data | English | United States
RT_CURSOR | 0x4f094 | 0xb4 | data | English | United States
RT_BITMAP | 0x4f148 | 0xbaa | data | English | United States
RT_BITMAP | 0x4fcf4 | 0xa1a | data | English | United States
RT_BITMAP | 0x50710 | 0x5e4 | data | English | United States
RT_BITMAP | 0x50cf4 | 0xb8 | data | English | United States
RT_BITMAP | 0x50dac | 0x16c | data | English | United States
RT_BITMAP | 0x50f18 | 0x144 | data | English | United States
RT_ICON | 0x5105c | 0x2e8 | data | English | United States
RT_ICON | 0x51344 | 0x2e8 | data | English | United States
RT_ICON | 0x5162c | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_MENU | 0x51754 | 0x40e | data | English | United States
RT_DIALOG | 0x51b64 | 0x12a | data | English | United States
RT_DIALOG | 0x51c90 | 0xda | data | English | United States
RT_DIALOG | 0x51d6c | 0x120 | data | English | United States
RT_DIALOG | 0x51e8c | 0x130 | data | English | United States
RT_DIALOG | 0x51fbc | 0xe8 | data | English | United States
RT_DIALOG | 0x520a4 | 0x11e | data | English | United States
RT_DIALOG | 0x521c4 | 0x15a | data | English | United States
RT_STRING | 0x52320 | 0x28 | data | English | United States
RT_STRING | 0x52348 | 0x2c | data | English | United States
RT_STRING | 0x52374 | 0x38 | data | English | United States
RT_STRING | 0x523ac | 0x48 | data | English | United States
RT_STRING | 0x523f4 | 0x48 | data | English | United States
RT_STRING | 0x5243c | 0x58 | data | English | United States
RT_STRING | 0x52494 | 0x44 | data | English | United States
RT_STRING | 0x524d8 | 0x34 | data | English | United States
RT_STRING | 0x5250c | 0x38 | data | English | United States
RT_STRING | 0x52544 | 0x3c | data | English | United States
RT_STRING | 0x52580 | 0x54 | data | English | United States
RT_STRING | 0x525d4 | 0x3c | data | English | United States
RT_STRING | 0x52610 | 0x38 | data | English | United States
RT_STRING | 0x52648 | 0x3c | data | English | United States
RT_STRING | 0x52684 | 0x38 | data | English | United States
RT_STRING | 0x526bc | 0x12a | data | English | United States
RT_STRING | 0x527e8 | 0x112 | data | English | United States
RT_STRING | 0x528fc | 0x288 | data | English | United States
RT_STRING | 0x52b84 | 0x36 | DBase 3 index file | English | United States
RT_STRING | 0x52bbc | 0x296 | data | English | United States
RT_STRING | 0x52e54 | 0x260 | data | English | United States
RT_STRING | 0x530b4 | 0x328 | data | English | United States
RT_STRING | 0x533dc | 0x70 | data | English | United States
RT_STRING | 0x5344c | 0x106 | data | English | United States
RT_STRING | 0x53554 | 0xda | data | English | United States
RT_STRING | 0x53630 | 0x46 | DBase 3 data file (5505112 records) | English | United States
RT_STRING | 0x53678 | 0xc6 | data | English | United States
RT_STRING | 0x53740 | 0x1f8 | data | English | United States
RT_STRING | 0x53938 | 0x86 | data | English | United States
RT_STRING | 0x539c0 | 0xd0 | data | English | United States
RT_STRING | 0x53a90 | 0x2a | data | English | United States
RT_STRING | 0x53abc | 0x14a | data | English | United States
RT_STRING | 0x53c08 | 0x124 | Hitachi SH big-endian COFF object, not stripped | English | United States
RT_STRING | 0x53d2c | 0x4e2 | data | English | United States
RT_STRING | 0x54210 | 0x2a2 | data | English | United States
RT_STRING | 0x544b4 | 0x2dc | data | English | United States
RT_STRING | 0x54790 | 0xac | data | English | United States
RT_STRING | 0x5483c | 0xde | data | English | United States
RT_STRING | 0x5491c | 0x4c4 | data | English | United States
RT_STRING | 0x54de0 | 0x264 | data | English | United States
RT_STRING | 0x55044 | 0x2c | DBase 3 index file | English | United States
RT_RCDATA | 0x55070 | 0x2b944 | data | |
RT_GROUP_CURSOR | 0x809b4 | 0x22 | Lotus 1-2-3 | English | United States
RT_GROUP_CURSOR | 0x809d8 | 0x22 | Lotus 1-2-3 | English | United States
RT_GROUP_ICON | 0x809fc | 0x14 | MS Windows icon resource - 1 icon | English | United States
RT_GROUP_ICON | 0x80a10 | 0x22 | MS Windows icon resource - 2 icons, 32x32, 16-colors | English | United States

                        Imports

DLL | Import
KERNEL32.dll | SetStdHandle, CompareStringW, SetEnvironmentVariableA, IsBadCodePtr, GetProfileStringA, InterlockedExchange, IsBadReadPtr, Sleep, GetStringTypeW, GetStringTypeA, SetUnhandledExceptionFilter, LCMapStringW, LCMapStringA, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetTimeZoneInformation, GetACP, HeapSize, HeapReAlloc, TerminateProcess, RaiseException, HeapFree, ExitProcess, GetCommandLineA, GetStartupInfoA, HeapAlloc, RtlUnwind, FileTimeToLocalFileTime, FileTimeToSystemTime, SetErrorMode, GetCurrentDirectoryA, SystemTimeToFileTime, LocalFileTimeToFileTime, GetFileSize, GetShortPathNameA, GetThreadLocale, GetStringTypeExA, GetVolumeInformationA, FindFirstFileA, FindClose, DeleteFileA, MoveFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileA, GetCurrentProcess, DuplicateHandle, GetOEMCP, GetCPInfo, TlsGetValue, LocalReAlloc, TlsSetValue, GlobalReAlloc, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GlobalFlags, GetProcessVersion, SizeofResource, WritePrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileIntA, CloseHandle, GlobalFree, GetModuleFileNameA, GlobalAlloc, GetCurrentThread, lstrcmpA, LocalFree, SetLastError, MulDiv, GetLastError, GetDiskFreeSpaceA, GetFileTime, SetFileTime, GetFullPathNameA, GetTempFileNameA, lstrcpynA, GetFileAttributesA, LoadLibraryA, FreeLibrary, GetVersion, lstrcatA, GetCurrentThreadId, GlobalGetAtomNameA, lstrcmpiA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcpyA, GetModuleHandleA, GetProcAddress, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, GlobalLock, GlobalUnlock, FindResourceA, LoadResource, LockResource, CompareStringA
USER32.dll | RedrawWindow, SetCursorPos, SetParent, AppendMenuA, DeleteMenu, GetSystemMenu, PostQuitMessage, ShowOwnedPopups, ValidateRect, TranslateMessage, GetMessageA, LoadStringA, GetSysColorBrush, GetClassNameA, CharUpperA, GetTabbedTextExtentA, SetTimer, KillTimer, WindowFromPoint, InvertRect, GetDCEx, LockWindowUpdate, InsertMenuA, GetMenuStringA, DestroyIcon, GetDesktopWindow, TranslateAcceleratorA, LoadAcceleratorsA, SetRectEmpty, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, IsRectEmpty, FindWindowA, GetCursorPos, InvalidateRect, FillRect, LoadCursorA, SetCursor, DestroyCursor, GetDC, ReleaseDC, wvsprintfA, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, LoadIconA, MapWindowPoints, GetSysColor, PeekMessageA, DispatchMessageA, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetClientRect, BeginDeferWindowPos, IsZoomed, EndDeferWindowPos, IsWindowVisible, ScrollWindow, GetScrollInfo, SetScrollInfo, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, GetTopWindow, MessageBoxA, IsChild, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, GetKeyState, DefWindowProcA, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetLastActivePopup, GetForegroundWindow, SetForegroundWindow, GetWindow, SetWindowLongA, RegisterWindowMessageA, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, SendMessageA, UnregisterClassA, HideCaret, ShowCaret, ExcludeUpdateRgn, DrawFocusRect, DefDlgProcA, CharNextA, IsWindowUnicode, EnableWindow, SetCapture, ReleaseCapture, GetNextDlgTabItem, EndDialog, IsWindow, CreateDialogIndirectParamA, DestroyWindow, GetWindowRect, MapDialogRect, SetWindowPos, ShowWindow, PostMessageA, GetCapture, GetActiveWindow, SetActiveWindow, GetAsyncKeyState, GetWindowLongA, BringWindowToTop, UnpackDDElParam, ReuseDDElParam, SetMenu, LoadMenuA, CopyRect, DestroyMenu, GetFocus, SetFocus, GetDlgItem, IsWindowEnabled, GetParent, GetSystemMetrics, InflateRect, OffsetRect, SetRect, UpdateWindow, LoadStringW, PtInRect, SendDlgItemMessageA
GDI32.dll | SetBkMode, SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, MoveToEx, LineTo, SetTextAlign, GetCurrentPositionEx, DeleteObject, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, CreateSolidBrush, CreatePatternBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, SetRectRgn, CombineRgn, CreateFontIndirectA, StretchDIBits, CreateCompatibleDC, CreateCompatibleBitmap, GetCharWidthA, CreateFontA, GetTextExtentPoint32A, GetBkColor, GetNearestColor, GetTextColor, GetStretchBltMode, GetPolyFillMode, GetTextAlign, GetBkMode, GetROP2, GetTextFaceA, GetWindowOrgEx, BitBlt, SelectObject, RestoreDC, SaveDC, LPtoDP, DeleteDC, CreateDCA, SetAbortProc, StartDocA, StartPage, EndPage, EndDoc, AbortDoc, GetViewportOrgEx, GetStockObject, CreateRectRgnIndirect, PatBlt, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, Ellipse, Rectangle, GetTextMetricsA, CreatePen, DPtoLP, CreateDIBitmap, GetTextExtentPointA, GetDeviceCaps
comdlg32.dll | PrintDlgA, GetFileTitleA, CommDlgExtendedError, ChooseColorA, GetSaveFileNameA, GetOpenFileNameA
WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll | RegCreateKeyA, SetFileSecurityA, GetFileSecurityA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegQueryValueA, RegEnumKeyA, RegOpenKeyA, RegDeleteKeyA, RegCreateKeyExA, RegSetValueExA, RegSetValueA, SetFileSecurityW, RegDeleteValueA
SHELL32.dll | SHGetFileInfoA, DragQueryFileA, DragFinish, DragAcceptFiles, CommandLineToArgvW, ExtractIconA
COMCTL32.dll | PropertySheetA, DestroyPropertySheetPage, CreatePropertySheetPageA

                        Exports

                        NameOrdinalAddress
                        Func10x403000

                        Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                        Network Behavior

                        Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/23/19-11:34:31.368386 | TCP | 2404342 | ET CNC Feodo Tracker Reported CnC Server TCP group 22 | 49163 | 449 | 192.168.1.16 | 81.190.160.139

                        TCP Packets


                        UDP Packets


                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 23, 2019 11:35:16.820647001 CEST | 192.168.1.16 | 8.8.8.8 | 0x894d | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Oct 23, 2019 11:35:16.879141092 CEST | 192.168.1.16 | 8.8.8.8 | 0xd359 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)

                        DNS Answers

                        | Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
                        |---|---|---|---|---|---|---|---|---|---|
                        | Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.229.94 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.83.153 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.243.154 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.73.124 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 174.129.199.232 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.92.64 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.187.248 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.243.147.226 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.73.124 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.243.154 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.218.16 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.83.153 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.229.94 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.92.64 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.187.248 | A (IP address) | IN (0x0001) |
                        | Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.243.147.226 | A (IP address) | IN (0x0001) |

                        HTTPS Packets

                        | Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
                        |---|---|---|---|---|---|---|---|---|---|---|
                        | Oct 23, 2019 11:35:17.197134018 CEST | 23.23.229.94 | 443 | 192.168.1.16 | 49164 | CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated | CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Jan 24 01:00:00 CET 2018 | Sun Jan 24 00:59:59 CET 2021 | | |
                        | | | | | | CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Feb 12 01:00:00 CET 2014 | Mon Feb 12 00:59:59 CET 2029 | | |
                        | | | | | | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | Tue May 30 12:48:38 CEST 2000 | Sat May 30 12:48:38 CEST 2020 | | |
                        | | | | | | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | Tue May 30 12:48:38 CEST 2000 | Sat May 30 12:48:38 CEST 2020 | | |

                        Code Manipulations

                        Statistics

                        CPU Usage


                        Memory Usage


                        High Level Behavior Distribution


                        Behavior


                        System Behavior

                        General
                        
                        Start time: 11:33:30
                        Start date: 23/10/2019
                        Path: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
                        Wow64 process (32bit): false
                        Commandline: 'C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe'
                        Imagebase: 0x400000
                        File size: 512000 bytes
                        MD5 hash: 0A8D5A301D1EA44D5721045EEA07FDCD
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: low
                        
                        General
                        
                        Start time: 11:33:31
                        Start date: 23/10/2019
                        Path: C:\ProgramData\??????.exe
                        Wow64 process (32bit): false
                        Commandline: 'C:\ProgramData\??????.exe'
                        Imagebase: 0x400000
                        File size: 512000 bytes
                        MD5 hash: 0A8D5A301D1EA44D5721045EEA07FDCD
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: low
                        
                        General
                        
                        Start time: 11:34:08
                        Start date: 23/10/2019
                        Path: C:\Users\user\AppData\Roaming\HomeLan\??????.exe
                        Wow64 process (32bit): false
                        Commandline: C:\Users\user\AppData\Roaming\HomeLan\??????.exe
                        Imagebase: 0x400000
                        File size: 512000 bytes
                        MD5 hash: 0A8D5A301D1EA44D5721045EEA07FDCD
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Trickbot_1, Description: Yara detected Trickbot, Source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, Author: Joe Security
                        Reputation: low

                        Disassembly

                        Code Analysis
