
Analysis Report SecuriteInfo.com.Trojan.Packed.140.15226.26939

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.Packed.140.15226.26939 (renamed file extension from 26939 to exe)
Analysis ID:255729
MD5:48bf6c544eefb197d55ee9bf53d12b54
SHA1:89d1b85f3fcc9332c2bea8dc7b52b7a7a1f86918
SHA256:8c98db778c851b49e11e744a28fd5340fdcd51a71e2fd87982cc1ad245a35e5c

Detection

Trickbot
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Delayed program exit found
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Packed.140.15226.exe (PID: 6800 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe' MD5: 48BF6C544EEFB197D55EE9BF53D12B54)
    • wermgr.exe (PID: 6984 cmdline: C:\Windows\system32\wermgr.exe MD5: FF214585BF10206E21EA8EBA202FACFD)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"gtag": "ono57", "C2 list": ["36.89.182.225:449", "36.91.45.10:449", "110.50.84.5:449", "5.1.81.68:443", "185.99.2.65:443", "45.6.16.68:449", "185.90.61.9:443", "185.99.2.66:443", "192.3.247.123:443", "85.204.116.216:443", "181.112.157.42:449", "110.93.15.98:449", "36.89.243.241:449", "36.92.19.205:449", "51.81.112.144:443", "194.5.250.121:443", "181.129.134.18:449", "131.161.253.190:449", "121.100.19.18:449", "134.119.191.11:443", "107.175.72.141:443", "122.50.6.122:449", "103.12.161.194:449", "91.235.129.20:443", "190.136.178.52:449", "110.232.76.39:449", "95.171.16.42:443", "182.253.113.67:449", "80.210.32.67:449", "185.14.31.104:443", "78.108.216.47:443", "134.119.191.21:443", "36.66.218.117:449", "181.129.104.139:449", "85.204.116.100:443", "103.111.83.246:449", "200.107.35.154:449"], "modules": ["pwgrab", "mcconf"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.483168726.00000184A1B4E000.00000004.00000020.sdmp | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |
Process Memory Space: wermgr.exe PID: 6984 | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |

      Sigma Overview

      No Sigma rule has matched

      Signature Overview


      AV Detection:

      Found malware configuration
      Source: wermgr.exe.6984.2.memstr Malware Configuration Extractor: Trickbot (configuration as listed under Malware Configuration above)
      Yara detected Trickbot
      Source: Yara match, File source: 00000002.00000002.483168726.00000184A1B4E000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match, File source: Process Memory Space: wermgr.exe PID: 6984, type: MEMORY
      Machine Learning detection for sample
      Source: SecuriteInfo.com.Trojan.Packed.140.15226.exe Joe Sandbox ML: detected

      Networking:

      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.4:49730 -> 36.89.182.225:449
      May check the online IP address of the machine
      Source: unknown DNS query: name: ipinfo.io
      Source: global traffic TCP traffic: 192.168.2.4:49717 -> 200.107.35.154:449
      Source: global traffic TCP traffic: 192.168.2.4:49730 -> 36.89.182.225:449
      Source: unknown TCP traffic detected without corresponding DNS query: 200.107.35.154
      Source: unknown TCP traffic detected without corresponding DNS query: 185.99.2.66
      Source: unknown TCP traffic detected without corresponding DNS query: 185.99.2.65
      Source: unknown TCP traffic detected without corresponding DNS query: 36.89.182.225
      Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Connection: Keep-Alive User-Agent: curl/7.69.1 Host: ipinfo.io
      Source: unknown DNS traffic detected: queries for: ipinfo.io
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp String found in binary or memory: http://crl.com
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
      Source: wermgr.exe, 00000002.00000002.484405224.00000184A1D50000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
      Source: wermgr.exe, 00000002.00000002.484405224.00000184A1D50000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
      Source: wermgr.exe, 00000002.00000003.306599118.00000184A1BFB000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1b9147109067a
      Source: wermgr.exe, 00000002.00000002.484405224.00000184A1D50000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabQvUA
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enC
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp String found in binary or memory: http://ipinfo.io/
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com07
      Source: wermgr.exe, 00000002.00000002.484405224.00000184A1D50000.00000004.00000001.sdmp String found in binary or memory: https://36.89.182.225:449/
      Source: wermgr.exe, 00000002.00000002.484405224.00000184A1D50000.00000004.00000001.sdmp String found in binary or memory: https://36.89.182.225:449/B
      Source: wermgr.exe, 00000002.00000002.483458120.00000184A1BF9000.00000004.00000001.sdmp String found in binary or memory: https://36.89.182.225:449/ono57/390120_W10017134.F9BB2DB397B3FBF22D716E7B3BF75FBD/0/Windows%2010%20x
      Source: wermgr.exe, 00000002.00000002.484405224.00000184A1D50000.00000004.00000001.sdmp String found in binary or memory: https://36.89.182.225:449/ono57/390120_W10017134.F9BB2DB397B3FBF22D716E7B3BF75FBD/14/DNSBL/listed/0/
      Source: wermgr.exe, 00000002.00000002.484405224.00000184A1D50000.00000004.00000001.sdmp String found in binary or memory: https://36.89.182.225:449/ono57/390120_W10017134.F9BB2DB397B3FBF22D716E7B3BF75FBD/14/path/C:%5CProgr
      Source: wermgr.exe, 00000002.00000002.484405224.00000184A1D50000.00000004.00000001.sdmp String found in binary or memory: https://36.89.182.225:449/ono57/390120_W10017134.F9BB2DB397B3FBF22D716E7B3BF75FBD/14/user/user/0/
      Source: wermgr.exe, 00000002.00000002.484405224.00000184A1D50000.00000004.00000001.sdmp String found in binary or memory: https://36.89.182.225:449/ono57/390120_W10017134.F9BB2DB397B3FBF22D716E7B3BF75FBD/23/1000512/
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp String found in binary or memory: https://36.89.182.225:449/ono57/390120_W10017134.F9BB2DB397B3FBF22D716E7B3BF75FBD/5/spk/
      Source: wermgr.exe, 00000002.00000002.484231329.00000184A1D09000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
      Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
      Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728

      E-Banking Fraud:

      Yara detected Trickbot
      Source: Yara match, File source: 00000002.00000002.483168726.00000184A1B4E000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match, File source: Process Memory Space: wermgr.exe PID: 6984, type: MEMORY
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Code function: 0_2_02930010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,0_2_02930010
      Source: C:\Windows\System32\wermgr.exe Code function: 2_2_00000184A19E3DA0 NtQuerySystemInformation,SleepEx,DuplicateHandle,lstrcmpiW,FindCloseChangeNotification,FindCloseChangeNotification,2_2_00000184A19E3DA0
      Source: SecuriteInfo.com.Trojan.Packed.140.15226.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: SecuriteInfo.com.Trojan.Packed.140.15226.exe Binary or memory string: OriginalFilenameVistor3.exect vs SecuriteInfo.com.Trojan.Packed.140.15226.exe
      Source: SecuriteInfo.com.Trojan.Packed.140.15226.exe Binary or memory string: C*\AD:\An_amazing\Vistor3.vbpL3@%
      Source: SecuriteInfo.com.Trojan.Packed.140.15226.exe, 00000000.00000002.240332995.000000000043D000.00000004.00020000.sdmp Binary or memory string: b@*\AD:\An_amazing\Vistor3.vbp
      Source: SecuriteInfo.com.Trojan.Packed.140.15226.exe Binary or memory string: C*\AD:\An_amazing\Vistor3.vbp
      Source: classification engine Classification label: mal88.troj.evad.winEXE@3/3@3/5
      Source: C:\Windows\System32\wermgr.exe Code function: 2_2_00000184A19EE3E0 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification,2_2_00000184A19EE3E0
      Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{6876AB41-E1D9-7D19-C72A-7E95A1C159E4}
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe File created: C:\Users\user\AppData\Local\Temp\logA1CA.tmp
      Source: SecuriteInfo.com.Trojan.Packed.140.15226.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Windows\System32\wermgr.exe System information queried: HandleInformation
      Source: C:\Windows\System32\wermgr.exe File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\System32\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe'
      Source: unknown Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32
      Source: SecuriteInfo.com.Trojan.Packed.140.15226.exe Static PE information: real checksum: 0x44ba1 should be: 0x75fe1
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Code function: 0_2_0040C85F push edx; retf 0_2_0040C874
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Code function: 0_2_0040C87F push edx; retf 0_2_0040C874
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Code function: 0_2_00403483 push ds; retn 0000h 0_2_00403487
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Code function: 0_2_0040754C push es; ret 0_2_00407566
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Code function: 0_2_0040C188 push FFFFFFF9h; iretd 0_2_0040C18F
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Code function: 0_2_02DB073B push dword ptr [edx+14h]; ret 0_2_02DB079D
      Source: initial sample Static PE information: section name: .text entropy: 6.81163592969
      Source: C:\Windows\System32\wermgr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Delayed program exit found
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Code function: 0_2_02D98B1E Sleep,ExitProcess,0_2_02D98B1E
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Windows\System32\wermgr.exe RDTSC instruction interceptor: First address: 00000184A19EFD00 second address: 00000184A19EFD00 instructions:
        0x00000000 rdtsc
        0x00000002 dec eax
        0x00000003 shl edx, 20h
        0x00000006 dec eax
        0x00000007 or eax, edx
        0x00000009 ret
        0x0000000a dec eax
        0x0000000b mov esi, eax
        0x0000000d call dword ptr [0001C6F2h]
        0x00000013 mov ecx, 7FFE0320h
        0x00000018 dec eax
        0x00000019 mov ecx, dword ptr [ecx]
        0x0000001b mov eax, dword ptr [7FFE0004h]
        0x00000022 dec eax
        0x00000023 imul eax, ecx
        0x00000026 dec eax
        0x00000027 shr eax, 18h
        0x0000002a ret
        0x0000002b inc esp
        0x0000002c mov esi, eax
        0x0000002e inc eax
        0x0000002f movzx ebx, dh
        0x00000032 call 00007FBF38FF40B1h
        0x00000037 rdtsc
      Source: C:\Windows\System32\wermgr.exe Code function: 2_2_00000184A19EFD00 rdtsc 2_2_00000184A19EFD00
      Source: C:\Windows\System32\wermgr.exe Code function: GetAdaptersInfo,2_2_00000184A19FB840
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Window / User API: threadDelayed 2472
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Window / User API: threadDelayed 7170
      Source: C:\Windows\System32\wermgr.exe Window / User API: threadDelayed 633
      Source: C:\Windows\System32\wermgr.exe Last function: Thread delayed
      Source: C:\Windows\System32\wermgr.exe Code function: 2_2_00000184A19F5EC0 FindFirstFileW,2_2_00000184A19F5EC0
      Source: C:\Windows\System32\wermgr.exe Code function: 2_2_00000184A1A01240 FindFirstFileW,FindNextFileW,2_2_00000184A1A01240
      Source: wermgr.exe, 00000002.00000002.483081964.00000184A1B29000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
      Source: C:\Windows\System32\wermgr.exe Code function: 2_2_00000184A19EFDB0 LdrLoadDll,2_2_00000184A19EFDB0
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe Code function: 0_2_02930010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,0_2_02930010
      Source: C:\Windows\System32\wermgr.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 184A19E0000 protect: page execute and read and write
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe | Memory written: C:\Windows\System32\wermgr.exe base: 184A19E0000
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe | Memory written: C:\Windows\System32\wermgr.exe base: 7FF729672860
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
      Source: SecuriteInfo.com.Trojan.Packed.140.15226.exe | Binary or memory string: Shell_TrayWnd
      Source: wermgr.exe, 00000002.00000002.484585693.00000184A21B0000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: wermgr.exe, 00000002.00000002.484585693.00000184A21B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: wermgr.exe, 00000002.00000002.484585693.00000184A21B0000.00000002.00000001.sdmp | Binary or memory string: Program Manager[
      Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation (reported twice)
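The evasion signatures earlier in this report (rdtsc timing, GetAdaptersInfo, NtQueryInformationProcess/GetProcessHeap, LdrLoadDll, thread delays) and the allocate/write/create sequence into wermgr.exe listed just above can be correlated mechanically rather than read line by line. The Python below is an added example; it is not part of the Joe Sandbox report and not Joe Sandbox tooling. It parses behaviour lines in the form used on this page (source process, event kind, detail), tallies the API names the report's evasion signatures key on, and reconstructs the injection chain by matching executable allocations in a foreign process against later writes to the same base. The sample lines are copied from this report; the " | " field separator, the function names and the one-line labels in ANTI_ANALYSIS are the example's own, and the remark that writes outside the allocation usually patch existing code is a general observation, not something the report states.

```python
"""Triage helper for sandbox behaviour lines (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed input: behaviour lines from this report, written as
# "Source: <process> | <event kind>: <detail>". The " | " separator is this
# example's own convention for the field boundary.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000184A19EFD00 rdtsc 2_2_00000184A19EFD00
Source: C:\Windows\System32\wermgr.exe | Code function: GetAdaptersInfo,2_2_00000184A19FB840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe | Window / User API: threadDelayed 2472
Source: C:\Windows\System32\wermgr.exe | Code function: 2_2_00000184A19EFDB0 LdrLoadDll,2_2_00000184A19EFDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe | Code function: 0_2_02930010 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,RtlMoveMemory,0_2_02930010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 184A19E0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe | Memory written: C:\Windows\System32\wermgr.exe base: 184A19E0000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe | Memory written: C:\Windows\System32\wermgr.exe base: 7FF729672860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed.140.15226.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
"""

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<kind>[^:]+?):\s*(?P<detail>.*)$")
ALLOC_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)$")

# API names the report's evasion signatures key on; the labels are this example's
# short descriptions, not the report's signature titles.
ANTI_ANALYSIS = {
    "rdtsc": "execution timing (virtualisation / debugger detection)",
    "GetAdaptersInfo": "network adapter enumeration",
    "NtQueryInformationProcess": "process information query",
    "GetProcessHeap": "heap query usable for debugger detection",
    "LdrLoadDll": "direct loader access",
    "threadDelayed": "delayed execution",
}


def parse_lines(text):
    """Yield (source, kind, detail) for every well-formed behaviour line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["src"], m["kind"], m["detail"]


def anti_analysis_hits(text):
    """Map each flagged API name to the sorted list of processes that reference it."""
    hits = defaultdict(set)
    for src, kind, detail in parse_lines(text):
        if kind not in ("Code function", "Window / User API"):
            continue
        for token in re.split(r"[\s,]+", detail):  # API names are comma/space separated
            if token in ANTI_ANALYSIS:
                hits[token].add(src)
    return {api: sorted(srcs) for api, srcs in hits.items()}


def injection_chains(text):
    """Correlate executable allocations in a foreign process with later writes.

    A chain is reported when process A allocates executable memory in process B
    and then writes to that base (the allocate/write pattern of code injection).
    Writes to other addresses in B are kept separately; such writes usually patch
    code that already exists in the target (an assumption, not a report claim).
    """
    state = defaultdict(lambda: {"created": False, "rwx": set(), "writes": []})
    for src, kind, detail in parse_lines(text):
        if kind == "Process created":
            # Image path is the first token; a quoted path with spaces would
            # need a real command-line parser.
            state[(src, detail.split(" ", 1)[0])]["created"] = True
        elif kind == "Memory allocated":
            m = ALLOC_RE.match(detail)
            if m and "execute" in m["prot"].lower():
                state[(src, m["target"])]["rwx"].add(int(m["base"], 16))
        elif kind == "Memory written":
            m = WRITE_RE.match(detail)
            if m:
                state[(src, m["target"])]["writes"].append(int(m["base"], 16))

    findings = []
    for (src, target), s in state.items():
        if src == target or not s["rwx"]:
            continue  # allocations in the caller's own process are not injection
        into_rwx = [w for w in s["writes"] if w in s["rwx"]]
        if into_rwx:
            findings.append({
                "injector": src,
                "target": target,
                "created_by_injector": s["created"],
                "rwx_bases": sorted(s["rwx"]),
                "writes_into_rwx": into_rwx,
                "other_writes": [w for w in s["writes"] if w not in s["rwx"]],
            })
    return findings


if __name__ == "__main__":
    for api, srcs in anti_analysis_hits(SAMPLE_LINES).items():
        print(f"{api:26} {ANTI_ANALYSIS[api]:55} {', '.join(srcs)}")
    for chain in injection_chains(SAMPLE_LINES):
        print("injection:", chain["injector"], "->", chain["target"],
              "rwx", [hex(b) for b in chain["rwx_bases"]],
              "other writes", [hex(b) for b in chain["other_writes"]])
```

Run on the report's lines, the chain comes out as the sample creating wermgr.exe, allocating an executable region at 184A19E0000, writing to that base and to a second address, 7FF729672860, outside it. The correlation key is (injector, target) rather than a PID because this report identifies processes by path; on Sysmon or ETW data the same logic keys on process IDs.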

      Stealing of Sensitive Information:

      Yara detected Trickbot
      Source: Yara match | File source: 00000002.00000002.483168726.00000184A1B4E000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 6984, type: MEMORY

      Remote Access Functionality:

      Yara detected Trickbot
      Source: Yara match | File source: 00000002.00000002.483168726.00000184A1B4E000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 6984, type: MEMORY

      Mitre Att&ck Matrix

      Techniques listed per tactic column of the matrix. A number in brackets is the count badge attached to that technique in the report, reproduced as extracted; techniques without a number are unmarked matrix entries.

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
      Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
      Privilege Escalation: Access Token Manipulation [1]; Process Injection [212]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
      Defense Evasion: Access Token Manipulation [1]; Process Injection [212]; Obfuscated Files or Information [3]; Software Packing [1]; Software Packing; Steganography; Compile After Delivery; Indicator Removal from Tools
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
      Discovery: Query Registry [1]; Security Software Discovery [121]; Process Discovery [2]; Application Window Discovery [1]; Remote System Discovery [1]; System Network Configuration Discovery [11]; File and Directory Discovery [2]; System Information Discovery [112]
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
      Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
      Command and Control: Encrypted Channel [12]; Non-Standard Port [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [3]; Multiband Communication; Commonly Used Port; Application Layer Protocol
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

      Behavior Graph

      (Graph image not reproduced here. Legend of the graph: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet.)

      Screenshots

      Thumbnails

      This section contains all screenshots taken during the analysis, shown as thumbnails.