Windows Analysis Report vXVHRRGG7c.exe

Overview

General Information

Sample Name: vXVHRRGG7c.exe
Analysis ID: 490261
MD5: 051c20fd814ac34ffcfadd56ec872be0
SHA1: 6d4d301594ba01b9e4d8eac59dc839090f090fdf
SHA256: 7aa215495949e721b9ae8b3b28cb728ac3b3240438e67f2cc4f3be2711d3d319
Tags: exe, TrickBot
Detection

TrickBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Allocates memory in foreign processes
May check the online IP address of the machine
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Tries to detect virtualization through RDTSC time measurements
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Note: the extractor's source region (process 1, base 0x024A1000) lies outside the sample's image, which is mapped at 0x00400000 (every 1_2_0040xxxx function in this report), so the configuration was recovered from a dynamically allocated, unpacked stage; the push/ret-obfuscated functions at 1_2_024Axxxx under Data Obfuscation belong to the same region. The gtag "tot153" identifies the distribution campaign, the servs list is the hard-coded C2 set the bot walks by literal IP, and the autorun entries name the pwgrab credential-stealing module.
Source: 00000001.00000002.304704482.00000000024A1000.00000040.00000001.sdmp Malware Configuration Extractor: Trickbot {"ver": "2000033", "gtag": "tot153", "servs": ["179.42.137.102:443", "191.36.152.198:443", "179.42.137.104:443", "179.42.137.106:443", "179.42.137.108:443", "202.183.12.124:443", "194.190.18.122:443", "103.56.207.230:443", "171.103.187.218:443", "171.103.189.118:443", "18.139.111.104:443", "179.42.137.105:443", "186.4.193.75:443", "171.101.229.2:443", "179.42.137.107:443", "103.56.43.209:443", "179.42.137.110:443", "45.181.207.156:443", "197.44.54.162:443", "179.42.137.109:443", "103.59.105.226:443", "45.181.207.101:443", "117.196.236.205:443", "72.224.45.102:443", "179.42.137.111:443", "96.47.239.181:443", "171.100.112.190:443", "117.196.239.6:443"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}
Multi AV Scanner detection for submitted file
Source: vXVHRRGG7c.exe ReversingLabs: Detection: 22%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe ReversingLabs: Detection: 22%

Compliance:

Uses 32bit PE files
Source: vXVHRRGG7c.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: K:\HistogramTest\Release\HistogramTest.pdb source: vXVHRRGG7c.exe
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0041D4AF __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 1_2_0041D4AF
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0041D9C5 FindFirstFileA,FindClose, 1_2_0041D9C5
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0041D4AF __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 10_2_0041D4AF
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0041D9C5 FindFirstFileA,FindClose, 10_2_0041D9C5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Note: 59.4.68.75 does not appear in the extracted servs list, so the bot reached at least one C2 outside its static configuration; local port 49719 ties this alert to one of the 443 sessions listed further down.
Source: Traffic Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.3:49719 -> 59.4.68.75:443
May check the online IP address of the machine
Source: C:\Windows\System32\wermgr.exe DNS query: name: icanhazip.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TelefonicadeArgentinaAR TelefonicadeArgentinaAR
IP address seen in connection with other malware
Note: 104.18.7.156 is most likely the resolution of icanhazip.com (a Cloudflare-fronted public-IP service), so this hit reflects the external-IP check rather than a C2 and is a poor blocking indicator.
Source: Joe Sandbox View IP Address: 104.18.7.156 104.18.7.156
Detected TCP or UDP traffic on non-standard ports
Note: 171.103.189.118 is in the servs list with port 443, yet the observed session went to port 449 (another port TrickBot has used for C2); build indicators on the IP rather than the IP:port pair. The 179.42.137.102 and 179.42.137.105 sessions further down are servs entries contacted by literal IP, which is why no DNS query precedes them. The 443 entries that follow are the ordinary C2 sessions, not non-standard-port traffic.
Source: global traffic TCP traffic: 192.168.2.3:49716 -> 171.103.189.118:449
Source: unknown Network traffic detected: HTTP traffic on port 443 to and from local ports 49692-49715 and 49719 (25 sessions, each seen in both directions)
Source: unknown TCP traffic detected without corresponding DNS query: 179.42.137.102 (36 entries)
Source: unknown TCP traffic detected without corresponding DNS query: 179.42.137.105 (14 entries)
Source: unknown DNS traffic detected: queries for: icanhazip.com
Source: global traffic HTTP traffic detected:
GET / HTTP/1.1
Connection: Keep-Alive
User-Agent: curl/7.76.0
Host: icanhazip.com
Note: the DNS lookup for icanhazip.com came from wermgr.exe (see above); a Windows Error Reporting binary presenting a curl/7.76.0 User-Agent is a hunting-grade anomaly on its own.
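The configuration above and the network observations in this section are the raw material for detection. The following script is an added example, not code from the sandbox vendor or from the malware: it parses a trimmed copy of the extractor output, matches connection records against the servs list on IP only (because the sample talked to a configured server on 449 although the config says 443), treats a C2 from an external feed such as the Snort hit separately, applies the "public IP with no preceding DNS answer" heuristic, and emits one Suricata rule per configured endpoint. The flow records, the external-feed set and the SID range are constructed assumptions.

```python
"""Turn the extracted TrickBot configuration into network indicators and
triage connection records against them.

Added example for this report; it is not code from the sandbox vendor or
from the malware.  The config text and the flow records are constructed
from values that appear in the report; the external feed and rule SIDs
are assumptions."""
import json
from ipaddress import ip_address

# Constructed: a trimmed copy of the extractor output shown in the report.
CONFIG_JSON = '''{"ver": "2000033", "gtag": "tot153",
 "servs": ["179.42.137.102:443", "171.103.189.118:443", "179.42.137.105:443"],
 "autorun": ["pwgrabb", "pwgrabc"]}'''

# Constructed flow records in the shape of the report's network lines:
# (local endpoint, remote IP, remote port, DNS answer for remote IP seen first)
FLOWS = [
    ("192.168.2.3:49716", "171.103.189.118", 449, False),  # C2 IP, unexpected port
    ("192.168.2.3:49719", "59.4.68.75", 443, False),       # Snort hit, not in config
    ("192.168.2.3:49690", "104.18.7.156", 80, True),       # icanhazip.com lookup
    ("192.168.2.3:49720", "179.42.137.102", 443, False),   # C2 IP and port from config
]


def parse_config(text):
    """Return the parsed config and a map of C2 IP -> set of configured ports."""
    cfg = json.loads(text)
    c2 = {}
    for entry in cfg["servs"]:
        host, _, port = entry.rpartition(":")
        c2.setdefault(host, set()).add(int(port))
    return cfg, c2


def triage(c2, flows, external_feed=frozenset()):
    """Tag each flow.  Config hits are matched on IP only, because the sample
    talked to a configured server on 449 although the config says 443."""
    findings = []
    for _local, dst, port, had_dns in flows:
        if dst in c2:
            tag = "c2_from_config" if port in c2[dst] else "c2_from_config_port_mismatch"
            findings.append((tag, dst, port))
        elif dst in external_feed:
            findings.append(("c2_from_external_feed", dst, port))
        elif not had_dns and ip_address(dst).is_global:
            # TrickBot walks its servs list by literal IP, so a public-IP TCP
            # session with no preceding DNS answer is worth a look on its own.
            findings.append(("dnsless_external_tcp", dst, port))
    return findings


def suricata_rules(c2, gtag, sid_base=9000000):
    """Emit one Suricata/Snort rule per configured C2 endpoint.  The SID range
    is an assumption; use one reserved for local rules."""
    rules = []
    sid = sid_base
    for ip, ports in sorted(c2.items()):
        for port in sorted(ports):
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} '
                f'(msg:"TrickBot {gtag} C2 {ip}:{port}"; flow:to_server; '
                f'sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


if __name__ == "__main__":
    cfg, c2 = parse_config(CONFIG_JSON)
    for finding in triage(c2, FLOWS, external_feed={"59.4.68.75"}):
        print(finding)
    print("\n".join(suricata_rules(c2, cfg["gtag"])))
```

Run it with the full servs list from the report substituted into CONFIG_JSON to get the complete rule set; the icanhazip.com flow is deliberately left untagged because a DNS answer preceded it and it is not in the config.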

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Note: the only evidence is a shim-style <HOOK MODULE=... FUNCTION=.../> declaration found in process memory, which is not a DirectInput object creation; treat this signature as weak.
Source: vXVHRRGG7c.exe, 00000001.00000002.303924886.000000000078A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Note: these GetKeyState/GetFocus/SendMessageA sequences sit in the image's 0x0040xxxx code alongside the GetPropA/CallWindowProcA/IsIconic window-procedure logic listed under Hooking, which is consistent with the MFC-style HistogramTest host application the loader is wrapped in (see the PDB path and OriginalFilename). The TrickBot-specific behaviour lives in the unpacked regions and in the injected wermgr.exe, so treat this hit as low confidence.
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00423386 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA, 1_2_00423386
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0042339B GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 1_2_0042339B
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0041AA1B GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_0041AA1B
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00417DEB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_00417DEB
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00423386 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA, 10_2_00423386
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0042339B GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 10_2_0042339B
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0041AA1B GetKeyState,GetKeyState,GetKeyState,GetKeyState, 10_2_0041AA1B
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00417DEB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 10_2_00417DEB

System Summary:

Uses 32bit PE files
Source: vXVHRRGG7c.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0040A361 1_2_0040A361
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_004147A0 1_2_004147A0
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00416AD2 1_2_00416AD2
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0040EF5A 1_2_0040EF5A
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_024A4CD0 1_2_024A4CD0
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0040A361 10_2_0040A361
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_004147A0 10_2_004147A0
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00416AD2 10_2_00416AD2
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0040EF5A 10_2_0040EF5A
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_01264CD0 10_2_01264CD0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: String function: 00405A18 appears 98 times
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: String function: 004244B5 appears 35 times
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: String function: 00405A18 appears 98 times
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: String function: 004244B5 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00403C23 KiUserCallbackDispatcher,LoadLibraryW,ExitProcess,GetCurrentThread,QueueUserAPC,NtTestAlert, 1_2_00403C23
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00403CE2 GetCurrentThread,QueueUserAPC,NtTestAlert, 1_2_00403CE2
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00403C23 LoadLibraryW,ExitProcess,GetCurrentThread,QueueUserAPC,NtTestAlert, 10_2_00403C23
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00403CE2 GetCurrentThread,QueueUserAPC,NtTestAlert, 10_2_00403CE2
Sample file is different than original file name gathered from version info
Source: vXVHRRGG7c.exe, 00000001.00000002.303499051.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilename: HistogramTest.EXE vs vXVHRRGG7c.exe
Source: vXVHRRGG7c.exe, 0000000A.00000002.400503286.0000000000435000.00000002.00020000.sdmp Binary or memory string: OriginalFilename: HistogramTest.EXE vs vXVHRRGG7c.exe
Source: vXVHRRGG7c.exe Binary or memory string: OriginalFilename: HistogramTest.EXE vs vXVHRRGG7c.exe
PE file contains strange resources
Source: vXVHRRGG7c.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vXVHRRGG7c.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vXVHRRGG7c.exe ReversingLabs: Detection: 22%
Source: vXVHRRGG7c.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\vXVHRRGG7c.exe 'C:\Users\user\Desktop\vXVHRRGG7c.exe'
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c 'C:\Users\user\AppData\Local\browDownload3D\cmd01.bat'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\wermgr.exe System information queried: HandleInformation
Source: C:\Windows\System32\wermgr.exe File created: C:\Users\user\AppData\Local\browDownload3D
Source: classification engine Classification label: mal100.troj.evad.winEXE@13/3@6/6
Source: C:\Windows\System32\wermgr.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{12477072-E440-07DC-0361-112BF0B8DF37}
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5676:120:WilError_01
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0041B297 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 1_2_0041B297
Source: C:\Windows\System32\wermgr.exe File written: C:\Users\user\AppData\Local\browDownload3D\settings.ini
Source: C:\Windows\System32\wermgr.exe File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: vXVHRRGG7c.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: K:\HistogramTest\Release\HistogramTest.pdb source: vXVHRRGG7c.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00405A18 push eax; ret 1_2_00405A36
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00407AE0 push eax; ret 1_2_00407B0E
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_024A2C90 push dword ptr [edx+14h]; ret 1_2_024A2D9D
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_024A4046 push eax; iretd 1_2_024A4048
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_024A5B40 push edx; iretd 1_2_024A5B77
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_024A4872 push es; iretd 1_2_024A487B
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_024A3FA7 push 61992208h; ret 1_2_024A3FAC
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_024A2D39 push dword ptr [edx+14h]; ret 1_2_024A2D9D
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00405A18 push eax; ret 10_2_00405A36
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00407AE0 push eax; ret 10_2_00407B0E
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_01262C90 push dword ptr [edx+14h]; ret 10_2_01262D9D
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_01264046 push eax; iretd 10_2_01264048
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_01264872 push es; iretd 10_2_0126487B
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_01265B40 push edx; iretd 10_2_01265B77
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_01262D39 push dword ptr [edx+14h]; ret 10_2_01262D9D
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_01263FA7 push 61992208h; ret 10_2_01263FAC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_004186ED GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 1_2_004186ED

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wermgr.exe File created: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0042343E IsWindowVisible,IsIconic, 1_2_0042343E
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_004044B0 IsIconic, 1_2_004044B0
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_004126B0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 1_2_004126B0
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00404767 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00404767
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00411F00 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 1_2_00411F00
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0042343E IsWindowVisible,IsIconic, 10_2_0042343E
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_004044B0 IsIconic, 10_2_004044B0
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_004126B0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 10_2_004126B0
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00404767 IsIconic,GetWindowPlacement,GetWindowRect, 10_2_00404767
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00411F00 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 10_2_00411F00
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00424D9A LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_00424D9A
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Windows\System32\wermgr.exe Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,languageOrLocalQueried,languageOrLocalQueried,adjustToken,systemQueried,systemQueried,threadDelayed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,threadInformationSet,threadInformationSet,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,fileOpened
Source: C:\Windows\System32\wermgr.exe Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,languageOrLocalQueried,languageOrLocalQueried,adjustToken,systemQueried,systemQueried,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,threadInformationSet
Tries to detect virtualization through RDTSC time measurements
Note: wermgr.exe is a 64-bit process, but the interceptor decoded the injected code as 32-bit, so every dec eax / dec ecx / dec esp in the two traces below is a REX prefix on the instruction that follows it. Read as x64 the sequence is rdtsc; shl rdx, 32; or rax, rdx; ret (a 64-bit timestamp), then an inlined tick-count read (mov ecx, 7FFE0320h; mov rcx, [rcx] loads KUSER_SHARED_DATA.TickCount and mov eax, [7FFE0004h] loads TickCountMultiplier; imul followed by shr 24 is the GetTickCount conversion to milliseconds), then a second rdtsc. Comparing the TSC delta with the tick-count delta catches sandboxes that skip or shorten sleeps, the same goal as the sleep-tampering chain above. Both traces execute at 200C1644200 and 25C6A134200, inside the regions written into wermgr.exe that are listed under HIPS / PFW below.
Source: C:\Windows\System32\wermgr.exe RDTSC instruction interceptor: First address: 00000200C1644200 second address: 00000200C1644200 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [00020816h] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b inc esp 0x0000002c mov esi, eax 0x0000002e dec ecx 0x0000002f mov ebx, edi 0x00000031 dec eax 0x00000032 xor ebx, FFFFFF00h 0x00000038 dec ecx 0x00000039 and ebx, edi 0x0000003b call 00007F21ACC1B026h 0x00000040 rdtsc
Source: C:\Windows\System32\wermgr.exe RDTSC instruction interceptor: First address: 0000025C6A134200 second address: 0000025C6A134200 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [00020816h] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b inc esp 0x0000002c mov esi, eax 0x0000002e dec ecx 0x0000002f mov ebx, edi 0x00000031 dec eax 0x00000032 xor ebx, FFFFFF00h 0x00000038 dec ecx 0x00000039 and ebx, edi 0x0000003b call 00007F21ACB53916h 0x00000040 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe TID: 5920 Thread sleep count: 140 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\wermgr.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0041D4AF __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 1_2_0041D4AF
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0041D9C5 FindFirstFileA,FindClose, 1_2_0041D9C5
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0041D4AF __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 10_2_0041D4AF
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0041D9C5 FindFirstFileA,FindClose, 10_2_0041D9C5

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_004186ED GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 1_2_004186ED
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_02461030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, 1_2_02461030
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_023E095E mov eax, dword ptr fs:[00000030h] 1_2_023E095E
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_023E0456 mov eax, dword ptr fs:[00000030h] 1_2_023E0456
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_02461030 mov eax, dword ptr fs:[00000030h] 1_2_02461030
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00FB095E mov eax, dword ptr fs:[00000030h] 10_2_00FB095E
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00FB0456 mov eax, dword ptr fs:[00000030h] 10_2_00FB0456
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_00FF1030 mov eax, dword ptr fs:[00000030h] 10_2_00FF1030
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_004039E7 LdrFindResource_U,LdrAccessResource,VirtualAllocExNuma,VirtualAlloc,WriteProcessMemory, 1_2_004039E7
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0040B68A SetUnhandledExceptionFilter, 1_2_0040B68A
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_0040B69C SetUnhandledExceptionFilter, 1_2_0040B69C
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0040B68A SetUnhandledExceptionFilter, 10_2_0040B68A
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: 10_2_0040B69C SetUnhandledExceptionFilter, 10_2_0040B69C

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Memory written: C:\Windows\System32\wermgr.exe base: 200C1640000
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Memory written: C:\Windows\System32\wermgr.exe base: 7FF7EE4D2860
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Memory written: C:\Windows\System32\wermgr.exe base: 25C6A130000
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Memory written: C:\Windows\System32\wermgr.exe base: 7FF7EE4D2860
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 200C1640000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 25C6A130000 protect: page execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte, 1_2_004100FD
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: EnumSystemLocalesA, 1_2_0040E0FD
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 1_2_004100A7
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 1_2_004101C0
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: EnumSystemLocalesA, 1_2_0040E388
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: EnumSystemLocalesA, 1_2_0040E49B
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: GetLocaleInfoA, 1_2_0040E68F
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 1_2_0040DF28
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 1_2_0040FFEA
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte, 10_2_004100FD
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: EnumSystemLocalesA, 10_2_0040E0FD
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 10_2_004100A7
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 10_2_004101C0
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: EnumSystemLocalesA, 10_2_0040E388
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: EnumSystemLocalesA, 10_2_0040E49B
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: GetLocaleInfoA, 10_2_0040E68F
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 10_2_0040DF28
Source: C:\Users\user\AppData\Local\browDownload3D\vXVHRRGG7c.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 10_2_0040FFEA
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_004066CD GetLocalTime,GetSystemTime,GetTimeZoneInformation, 1_2_004066CD
Source: C:\Users\user\Desktop\vXVHRRGG7c.exe Code function: 1_2_00424F12 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 1_2_00424F12

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match File source: 1.2.vXVHRRGG7c.exe.24a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vXVHRRGG7c.exe.1260000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vXVHRRGG7c.exe.23e052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vXVHRRGG7c.exe.fb052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vXVHRRGG7c.exe.23e052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vXVHRRGG7c.exe.fb052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.400799901.0000000000FF4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.400763097.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304517846.0000000002464000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.400850600.0000000001261000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304704482.00000000024A1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304177777.00000000023E0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match File source: 1.2.vXVHRRGG7c.exe.24a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vXVHRRGG7c.exe.1260000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vXVHRRGG7c.exe.23e052e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vXVHRRGG7c.exe.fb052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vXVHRRGG7c.exe.23e052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vXVHRRGG7c.exe.fb052e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.400799901.0000000000FF4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.400763097.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304517846.0000000002464000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.400850600.0000000001261000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304704482.00000000024A1000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.304177777.00000000023E0000.00000040.00000001.sdmp, type: MEMORY