
Analysis Report SecuriteInfo.com.Trojan.Packed.140.2820.26103

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.Packed.140.2820.26103 (renamed file extension from 26103 to exe)
Analysis ID:255726
MD5:efdc8a50d8d1c5befe2a0060f509f629
SHA1:8ae76e0a32efaeb727d017d74673e7b2372cd737
SHA256:80e4369cb11619109fa67d3ed22fe8636280743fc7d507e160c41230d22d9180

Detection

Trickbot
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Delayed program exit found
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Adds / modifies Windows certificates
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Packed.140.2820.exe (PID: 7096 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exe' MD5: EFDC8A50D8D1C5BEFE2A0060F509F629)
    • wermgr.exe (PID: 3200 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"gtag": "ono57", "C2 list": ["11.112.157.42:449", "45.6.16.68:449", "110.50.84.5:449", "5.1.81.68:443", "185.99.2.66:443", "185.90.61.9:443", "36.91.45.10:449", "185.99.2.65:443", "78.108.216.47:443", "110.232.76.39:449", "36.66.218.117:449", "121.100.19.18:449", "192.3.247.123:443", "131.161.253.190:449", "194.5.250.121:443", "107.175.72.141:443", "85.204.116.100:443", "51.81.112.144:443", "95.171.16.42:443", "103.111.83.246:449", "110.93.15.98:449", "91.235.129.20:443", "85.204.116.216:443", "181.129.134.18:449", "190.136.178.52:449", "134.119.191.21:443", "103.12.161.194:449", "200.107.35.154:449", "36.89.182.225:449", "181.129.104.139:449", "36.92.19.205:449", "80.210.32.67:449", "134.119.191.11:443", "185.14.31.104:443", "122.50.6.122:449", "181.112.157.42:449", "182.253.113.67:449", "36.89.243.241:449"], "modules": ["pwgrab", "mcconf"]}

Yara Overview

Memory Dumps

Source: Process Memory Space: wermgr.exe PID: 3200
Rule: JoeSecurity_Trickbot_1
Description: Yara detected Trickbot
Author: Joe Security
Strings: (none listed)

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Found malware configuration
    Source: wermgr.exe.3200.11.memstrMalware Configuration Extractor: Trickbot {"gtag": "ono57", "C2 list": ["11.112.157.42:449", "45.6.16.68:449", "110.50.84.5:449", "5.1.81.68:443", "185.99.2.66:443", "185.90.61.9:443", "36.91.45.10:449", "185.99.2.65:443", "78.108.216.47:443", "110.232.76.39:449", "36.66.218.117:449", "121.100.19.18:449", "192.3.247.123:443", "131.161.253.190:449", "194.5.250.121:443", "107.175.72.141:443", "85.204.116.100:443", "51.81.112.144:443", "95.171.16.42:443", "103.111.83.246:449", "110.93.15.98:449", "91.235.129.20:443", "85.204.116.216:443", "181.129.134.18:449", "190.136.178.52:449", "134.119.191.21:443", "103.12.161.194:449", "200.107.35.154:449", "36.89.182.225:449", "181.129.104.139:449", "36.92.19.205:449", "80.210.32.67:449", "134.119.191.11:443", "185.14.31.104:443", "122.50.6.122:449", "181.112.157.42:449", "182.253.113.67:449", "36.89.243.241:449"], "modules": ["pwgrab", "mcconf"]}
    Yara detected Trickbot
    Source: Yara matchFile source: Process Memory Space: wermgr.exe PID: 3200, type: MEMORY
    Machine Learning detection for sample
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exeJoe Sandbox ML: detected
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C5EC0 FindFirstFileW,11_2_00000213511C5EC0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511D1240 FindFirstFileW,FindNextFileW,11_2_00000213511D1240
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ecx11_2_00000213511CE0E0
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc esp11_2_00000213511BFD10
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ebx11_2_00000213511BF100
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511BB570
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ecx11_2_00000213511CE154
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ecx11_2_00000213511CE175
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ecx11_2_00000213511CE19A
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511B4BD0
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511CB010
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ecx11_2_00000213511B8400
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511CC074
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511B78A0
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then cmp dword ptr [eax], ecx11_2_00000213511B56D0
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511B4700
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511CEB20
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511C6F50
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ebp11_2_00000213511C4F88
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511B3B80
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511B3B80
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ecx11_2_00000213511CE1C9
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ecx11_2_00000213511CE1E7
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc ecx11_2_00000213511CE209
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then movzx edx, word ptr [ecx]11_2_00000213511BC200
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then dec eax11_2_00000213511BDA90
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then inc esp11_2_00000213511C7280
    Source: C:\Windows\System32\wermgr.exeCode function: 4x nop then call 00000213511B6E40h11_2_00000213511B4A80

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: TrafficSnort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.5:49754 -> 181.112.157.42:449
    May check the online IP address of the machine
    Source: unknownDNS query: name: wtfismyip.com
    Source: unknownDNS query: name: wtfismyip.com
    Source: global trafficTCP traffic: 192.168.2.5:49754 -> 181.112.157.42:449
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 185.99.2.66
    Source: unknownTCP traffic detected without corresponding DNS query: 85.204.116.100
    Source: unknownTCP traffic detected without corresponding DNS query: 85.204.116.100
    Source: unknownTCP traffic detected without corresponding DNS query: 85.204.116.100
    Source: unknownTCP traffic detected without corresponding DNS query: 95.171.16.42
    Source: unknownTCP traffic detected without corresponding DNS query: 95.171.16.42
    Source: unknownTCP traffic detected without corresponding DNS query: 95.171.16.42
    Source: unknownTCP traffic detected without corresponding DNS query: 95.171.16.42
    Source: unknownTCP traffic detected without corresponding DNS query: 95.171.16.42
    Source: unknownTCP traffic detected without corresponding DNS query: 95.171.16.42
    Source: unknownTCP traffic detected without corresponding DNS query: 95.171.16.42
    Source: unknownTCP traffic detected without corresponding DNS query: 95.171.16.42
    Source: unknownTCP traffic detected without corresponding DNS query: 95.171.16.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: unknownTCP traffic detected without corresponding DNS query: 181.112.157.42
    Source: global trafficHTTP traffic detected: GET /text HTTP/1.1Connection: Keep-AliveUser-Agent: curl/7.69.1Host: wtfismyip.com
    Source: unknownDNS traffic detected: queries for: wtfismyip.com
    Source: wermgr.exe, 0000000B.00000002.1537532042.0000021351499000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
    Source: wermgr.exe, 0000000B.00000002.1537603300.00000213514DA000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: wermgr.exe, 0000000B.00000002.1537532042.0000021351499000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
    Source: wermgr.exe, 0000000B.00000002.1537532042.0000021351499000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
    Source: wermgr.exe, 0000000B.00000002.1537603300.00000213514DA000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: wermgr.exe, 0000000B.00000002.1537161466.00000213512FE000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
    Source: wermgr.exe, 0000000B.00000002.1537532042.0000021351499000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    Source: wermgr.exe, 0000000B.00000002.1537532042.0000021351499000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
    Source: wermgr.exe, 0000000B.00000002.1537532042.0000021351499000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com07
    Source: wermgr.exe, 0000000B.00000002.1537203135.000002135131E000.00000004.00000020.sdmpString found in binary or memory: http://wtfismyip.com/text
    Source: wermgr.exe, 0000000B.00000002.1537642463.00000213514FE000.00000004.00000001.sdmpString found in binary or memory: https://181.112.157.42:449/
    Source: wermgr.exe, 0000000B.00000002.1537642463.00000213514FE000.00000004.00000001.sdmpString found in binary or memory: https://181.112.157.42:449/E
    Source: wermgr.exe, 0000000B.00000002.1537330582.00000213513A8000.00000004.00000020.sdmpString found in binary or memory: https://181.112.157.42:449/ono57/405464_W10017134.7DA3BB1F93D3FFBF77
    Source: wermgr.exe, 0000000B.00000002.1537330582.00000213513A8000.00000004.00000020.sdmpString found in binary or memory: https://181.112.157.42:449/ono57/405464_W10017134.7DA3BB1F93D3FFBF7723B39EABB571F7/0/Windows%2010%20
    Source: wermgr.exe, 0000000B.00000002.1537532042.0000021351499000.00000004.00000001.sdmpString found in binary or memory: https://181.112.157.42:449/ono57/405464_W10017134.7DA3BB1F93D3FFBF7723B39EABB571F7/14/DNSBL/listed/0
    Source: wermgr.exe, 0000000B.00000002.1537279291.000002135139F000.00000004.00000020.sdmpString found in binary or memory: https://181.112.157.42:449/ono57/405464_W10017134.7DA3BB1F93D3FFBF7723B39EABB571F7/14/path/C:%5CProg
    Source: wermgr.exe, 0000000B.00000002.1537279291.000002135139F000.00000004.00000020.sdmpString found in binary or memory: https://181.112.157.42:449/ono57/405464_W10017134.7DA3BB1F93D3FFBF7723B39EABB571F7/23/1000512/
    Source: wermgr.exe, 0000000B.00000002.1537330582.00000213513A8000.00000004.00000020.sdmpString found in binary or memory: https://181.112.157.42:449/ono57/405464_W10017134.7DA3BB1F93D3FFBF7723B39EABB571F7/23/1000512/0/
    Source: wermgr.exe, 0000000B.00000002.1537203135.000002135131E000.00000004.00000020.sdmpString found in binary or memory: https://181.112.157.42:449/ono57/405464_W10017134.7DA3BB1F93D3FFBF7723B39EABB571F7/5/spk/
    Source: wermgr.exe, 0000000B.00000002.1537330582.00000213513A8000.00000004.00000020.sdmpString found in binary or memory: https://185.99.2.66/181.112.157.42:449/
    Source: wermgr.exe, 0000000B.00000002.1537532042.0000021351499000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
    Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
    Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exe, 00000000.00000002.1393601801.000000000074A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

    E-Banking Fraud:

    Yara detected Trickbot
    Source: Yara matchFile source: Process Memory Space: wermgr.exe PID: 3200, type: MEMORY
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_021E0010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,0_2_021E0010
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B3DA0 NtQuerySystemInformation,SleepEx,DuplicateHandle,lstrcmpiW,FindCloseChangeNotification,FindCloseChangeNotification,11_2_00000213511B3DA0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511CDD5011_2_00000213511CDD50
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B3DA011_2_00000213511B3DA0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511BA7E011_2_00000213511BA7E0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B180011_2_00000213511B1800
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C5EC011_2_00000213511C5EC0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511CAB2011_2_00000213511CAB20
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C30C011_2_00000213511C30C0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C0D0011_2_00000213511C0D00
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C997011_2_00000213511C9970
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B3D9011_2_00000213511B3D90
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C1DA011_2_00000213511C1DA0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511CC3C011_2_00000213511CC3C0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C9FC011_2_00000213511C9FC0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B100511_2_00000213511B1005
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B840011_2_00000213511B8400
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B702311_2_00000213511B7023
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C142311_2_00000213511C1423
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511CCC6011_2_00000213511CCC60
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B7C9011_2_00000213511B7C90
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C3C8011_2_00000213511C3C80
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B78A011_2_00000213511B78A0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511BCED011_2_00000213511BCED0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511BF2F011_2_00000213511BF2F0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511CD30011_2_00000213511CD300
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B973011_2_00000213511B9730
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B5B8011_2_00000213511B5B80
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511BDBA011_2_00000213511BDBA0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511B31D011_2_00000213511B31D0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C49E011_2_00000213511C49E0
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511CEE0011_2_00000213511CEE00
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C7E0211_2_00000213511C7E02
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511CA62011_2_00000213511CA620
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511C62B011_2_00000213511C62B0
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exe, 00000000.00000002.1393668559.0000000002100000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.Packed.140.2820.exe
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exeBinary or memory string: OriginalFilenameVistor3.exect vs SecuriteInfo.com.Trojan.Packed.140.2820.exe
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exeBinary or memory string: C*\AD:\An_amazing\Vistor3.vbpL3@%
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exe, 00000000.00000002.1393434767.000000000043D000.00000004.00020000.sdmpBinary or memory string: b@*\AD:\An_amazing\Vistor3.vbp
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exeBinary or memory string: C*\AD:\An_amazing\Vistor3.vbp
    Source: classification engineClassification label: mal88.troj.evad.winEXE@3/1@3/5
    Source: C:\Windows\System32\wermgr.exeCode function: 11_2_00000213511BE3E0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification,11_2_00000213511BE3E0
    Source: C:\Windows\System32\wermgr.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{1CA0036A-E665-4A42-9F13-5DDAD0DB77CC}
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeFile created: C:\Users\user\AppData\Local\Temp\log8D0D.tmp
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Windows\System32\wermgr.exeSystem information queried: HandleInformation
    Source: C:\Windows\System32\wermgr.exeFile read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Windows\System32\wermgr.exeFile read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\System32\wermgr.exeFile read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\System32\wermgr.exeFile read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\System32\wermgr.exeFile read: C:\Windows\System32\drivers\etc\hosts
    Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exe'
    Source: unknownProcess created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exeStatic PE information: real checksum: 0x44ba1 should be: 0x75bde
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_0040C85F push edx; retf 0_2_0040C874
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_0040C87F push edx; retf 0_2_0040C874
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00403483 push ds; retn 0000h0_2_00403487
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_0040D947 push ds; retf 0_2_0040D949
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_0040754C push es; ret 0_2_00407566
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_0040D93A push ds; retf 0_2_0040D946
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_0040C188 push FFFFFFF9h; iretd 0_2_0040C18F
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_0222073B push dword ptr [edx+14h]; ret 0_2_0222079D
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_005708D8 push edx; ret 0_2_00570901
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00571054 push edx; ret 0_2_00571081
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00572854 push edx; ret 0_2_00572881
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00574054 push edx; ret 0_2_00574081
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00575854 push edx; ret 0_2_00575881
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00577054 push edx; ret 0_2_00577081
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00576844 push edx; ret 0_2_00576871
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00579844 push edx; ret 0_2_00579871
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00570843 push edx; ret 0_2_00570871
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00572043 push edx; ret 0_2_00572071
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00573843 push edx; ret 0_2_00573871
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00575043 push edx; ret 0_2_00575071
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00576875 push edx; ret 0_2_005768A1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00579875 push edx; ret 0_2_005798A1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00572074 push edx; ret 0_2_005720A1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00573874 push edx; ret 0_2_005738A1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00575074 push edx; ret 0_2_005750A1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00570878 push edx; ret 0_2_005708A1
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00576065 push edx; ret 0_2_00576091
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00573063 push edx; ret 0_2_00573091
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00571863 push edx; ret 0_2_00571891
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00574863 push edx; ret 0_2_00574891
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_00570068 push edx; ret 0_2_00570091
    Source: initial sampleStatic PE information: section name: .text entropy: 6.81163592969
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Delayed program exit found
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exeCode function: 0_2_02208B1E Sleep,ExitProcess,0_2_02208B1E
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Windows\System32\wermgr.exeRDTSC instruction interceptor: First address: 00000213511BFD00 second address: 00000213511BFD00 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec eax 0x0000000b mov esi, eax 0x0000000d call dword ptr [0001C6F2h] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b inc esp 0x0000002c mov esi, eax 0x0000002e inc eax 0x0000002f movzx ebx, dh 0x00000032 call 00007F7DD4CC99C1h 0x00000037 rdtsc
    Source: C:\Windows\System32\wermgr.exe | Code function: 11_2_00000213511BFD00 rdtsc 11_2_00000213511BFD00
    Source: C:\Windows\System32\wermgr.exe | Code function: GetAdaptersInfo,11_2_00000213511CB840
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exe | Window / User API: threadDelayed 2720
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exe | Window / User API: threadDelayed 7235
    Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed
    Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed
    Source: C:\Windows\System32\wermgr.exe | Code function: 11_2_00000213511C5EC0 FindFirstFileW,11_2_00000213511C5EC0
    Source: C:\Windows\System32\wermgr.exe | Code function: 11_2_00000213511D1240 FindFirstFileW,FindNextFileW,11_2_00000213511D1240
    Source: wermgr.exe, 0000000B.00000002.1537532042.0000021351499000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
    Source: wermgr.exe, 0000000B.00000002.1537135682.00000213512D0000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW`
    Source: C:\Windows\System32\wermgr.exe | Code function: 11_2_00000213511BFD00 rdtsc 11_2_00000213511BFD00
    Source: C:\Windows\System32\wermgr.exe | Code function: 11_2_00000213511BFDB0 LdrLoadDll,11_2_00000213511BFDB0
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exe | Code function: 0_2_021E0010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,0_2_021E0010
    Source: C:\Windows\System32\wermgr.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 213511B0000 protect: page execute and read and write
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exe | Memory written: C:\Windows\System32\wermgr.exe base: 213511B0000
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exe | Memory written: C:\Windows\System32\wermgr.exe base: 7FF661372860
    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.2820.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
    Source: SecuriteInfo.com.Trojan.Packed.140.2820.exe | Binary or memory string: Shell_TrayWnd
    Source: wermgr.exe, 0000000B.00000002.1537757493.0000021351900000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: wermgr.exe, 0000000B.00000002.1537757493.0000021351900000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: wermgr.exe, 0000000B.00000002.1537757493.0000021351900000.00000002.00000001.sdmp | Binary or memory string: Program Manager@
    Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\wermgr.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

    Stealing of Sensitive Information:

    Yara detected Trickbot
    Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 3200, type: MEMORY

    Remote Access Functionality:

    Yara detected Trickbot
    Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 3200, type: MEMORY

    Mitre Att&ck Matrix

    Trailing digits on a technique name are the superscript signature markers attached to that cell in the original matrix; empty cells are empty in the original.

    | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
    | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
    | Valid Accounts | Windows Management Instrumentation | Path Interception | Access Token Manipulation 1 | Disable or Modify Tools 1 | Input Capture 1 | Security Software Discovery 121 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
    | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 212 | Access Token Manipulation 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
    | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 212 | Security Account Manager | Application Window Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
    | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap |  | Carrier Billing Fraud |
    | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | System Network Configuration Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 3 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings |
    | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features |
    | External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact |

    Behavior Graph


    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.