Trickbot 2019-05-16

VMRay Threat Indicators (33 rules, 126 matches)

Severity	Category	Operation	Count	Classification
5/5	Local AV	Malicious content was detected by heuristic scan	1	-
Local AV detected the sample itself as "Trojan.GenericKD.41286982". ... VTI Actions Go to AV match Go to file details
5/5	Reputation	Known malicious file	1	Trojan
File "C:\Users\2XC7u663GxWc\Desktop\radiance.png.exe" is a known malicious file. ... VTI Actions Go to file details
4/5	Information Stealing	Exhibits Spyware behavior	1	Spyware
Tries to read sensitive data of: Microsoft Outlook, Google Chrome, Internet Explorer / Edge, Mozilla Firefox. ... VTI Actions
4/5	Injection	Writes into the memory of another running process	2	-
"c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe" modifies memory of "c:\windows\system32\svchost.exe". ... VTI Actions Go to Behavior
"c:\windows\system32\svchost.exe" modifies memory of "c:\program files\internet explorer\iexplore.exe". ... VTI Actions Go to Behavior
4/5	Injection	Modifies control flow of another process	1	-
"c:\windows\system32\svchost.exe" creates thread in "c:\program files\internet explorer\iexplore.exe". ... VTI Actions Go to Behavior
4/5	Reputation	Known malicious URL	2	-
Contacted URL "api.ip.sb/ip" is a known malicious URL. ... VTI Actions Go to Behavior
Contacted URL "api.ip.sb" is a known malicious URL. ... VTI Actions
3/5	OS	Disables a crucial system service	2	-
Stop "Windows Defender Service" by ControlService. ... VTI Actions Go to Behavior
Delete "Windows Defender Service" by DeleteService. ... VTI Actions Go to Behavior
3/5	Network	Reads network adapter information	1	-
Reads the network adapters' addresses by API. ... VTI Actions Go to Behavior
3/5	Anti Analysis	Delays execution	2	-
Schedules task for command "C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe", to be triggered by Time. Task has been rescheduled by the analyzer. ... VTI Actions Go to process
One thread sleeps more than 5 minutes. ... VTI Actions Go to Behavior
3/5	Network	Connects to TOR hidden service	1	-
Connects to TOR hidden service at "cd4fhnyg2337dgxk.onion". ... VTI Actions
3/5	Persistence	Schedules task for system startup	1	-
Schedules task for command "C:\Users\2XC7u663GxWc\AppData\Roaming\chromedata\tadiapce.exe", to be triggered by Boot or Time. ... VTI Actions Go to process
2/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	1	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Behavior
2/5	Information Stealing	Reads sensitive browser data	4	-
Trying to read sensitive data of web browser "Google Chrome" by file. ... VTI Actions Go to Behavior
Trying to read credentials of web browser "Internet Explorer" by reading from the system's credential vault. ... VTI Actions Go to Behavior Go to Behavior Go to Behavior
Trying to read sensitive data of web browser "Internet Explorer / Edge" by registry. ... VTI Actions Go to Behavior
Trying to read sensitive data of web browser "Mozilla Firefox" by file. ... VTI Actions Go to Behavior
2/5	Information Stealing	Reads sensitive mail data	1	-
Trying to read sensitive data of mail application "Microsoft Outlook" by registry. ... VTI Actions Go to Behavior
2/5	Information Stealing	Reads sensitive ftp data	1	-
Trying to read sensitive data of ftp application "FileZilla" by file. ... VTI Actions Go to Behavior
2/5	Information Stealing	Reads sensitive application data	2	-
Trying to read sensitive data of application "WinSCP" by registry. ... VTI Actions Go to Behavior
Trying to read sensitive data of application "PuTTY" by registry. ... VTI Actions Go to Behavior
2/5	Anti Analysis	Tries to detect virtual machine	1	-
Possibly trying to detect VM via rdtsc. ... VTI Actions
2/5	Network	Sets up server that accepts incoming connections	1	Backdoor
TCP server listens on port "27822". ... VTI Actions Go to Behavior
1/5	Process	Creates process with hidden window	3	-
The process "cmd" starts with hidden window. ... VTI Actions Go to Behavior
The process "C:\Windows\system32\cmd.exe" starts with hidden window. ... VTI Actions Go to Behavior
The process "svchost.exe" starts with hidden window. ... VTI Actions Go to Behavior
1/5	Device	Monitors keyboard input	1	Keylogger
Frequently reads the state of a keyboard key by API. ... VTI Actions Go to Behavior
1/5	Process	Creates system object	1	-
Creates mutex with name "Global\C850A606981932960". ... VTI Actions Go to Behavior
1/5	Process	Creates a page with write and execute permissions	2	-
Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. ... VTI Actions Go to Behavior
Changes the protection of a page in a foreign process from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READ"). ... VTI Actions Go to Behavior
1/5	Process	Reads from memory of another process	2	-
"c:\users\2xc7u663gxwc\appdata\roaming\chromedata\tadiapce.exe" reads from "svchost.exe". ... VTI Actions Go to Behavior
"c:\windows\system32\svchost.exe" reads from "c:\program files\internet explorer\iexplore.exe". ... VTI Actions Go to Behavior
1/5	Information Stealing	Possibly does reconnaissance	3	-
Possibly trying to gather information about application "Mozilla Firefox" by file. ... VTI Actions Go to Behavior
Possibly trying to gather information about application "FileZilla" by file. ... VTI Actions Go to Behavior
Possibly trying to gather information about application "WinSCP" by registry. ... VTI Actions Go to Behavior
1/5	Network	Performs DNS request	3	-
Resolves host name "ZgW5tdPu". ... VTI Actions Go to Behavior
Resolves host name "91.248.182.84.zen.spamhaus.org". ... VTI Actions Go to Behavior
Resolves host name "186.159.1.217". ... VTI Actions Go to Behavior
1/5	Process	Overwrites code	1	-
Overwrites code to possibly hide behavior. ... VTI Actions Go to Hook Information
1/5	Network	Connects to remote host	1	-
Outgoing TCP connection to host "186.159.1.217:8082". ... VTI Actions Go to Behavior
1/5	Network	Connects to HTTP server	5	-
URL "186.159.1.217/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/90". ... VTI Actions Go to Behavior
URL "cd4fhnyg2337dgxk.onion/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/systeminfo32/". ... VTI Actions Go to Behavior
URL "186.159.1.217/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/83/". ... VTI Actions Go to Behavior
URL "186.159.1.217/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/81/". ... VTI Actions Go to Behavior
URL "204.155.30.69/radiance.png". ... VTI Actions Go to Behavior
1/5	Network	Connects to HTTPS server	71	-
URL "api.ip.sb/ip". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/spk/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/0/Windows 7 x86 SP1/1058/84.182.248.91/E8BC99265198FF1B122E2AA85B368523CB02BE18D865E27FA7C76B40094A3089/2If1Jg2IfxKgxGXp5Sj2/". ... VTI Actions Go to Behavior
URL "5.188.108.22/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/systeminfo32/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/10/62/VFRHTKWLZK/1/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/63/systeminfo/sTart///". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/10/62/IXKVFUGWKW/7/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/14/systeminfo/GetSystemInfo%20Control%20failed/0/". ... VTI Actions Go to Behavior
URL "5.188.108.22/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/injectDll32/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/VERS/browser/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/dinj/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/sinj/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/dpost/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/10/62/TJWNEPFVLB/1/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/63/injectDll/sTart/U3VjY2Vzcw==//". ... VTI Actions Go to Behavior
URL "5.188.108.22/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/pwgrab32/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/10/62/IWNZKYJXHWGTGQGXN/1/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/63/pwgrab/sTart/U3VjY2Vzcw==//". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/14/user/SYSTEM/0/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/14/path/C:%5CUsers%5C2XC7u663GxWc%5CAppData%5CRoaming%5Cchromedata%5Ctadiapce.exe/0/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/14/NAT%20status/client%20is%20behind%20NAT/0/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/". ... VTI Actions Go to Behavior
URL "51.77.92.215/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/23/1000415/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/spk/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DEBG/browser/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/pwgrab/DPST/browser/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/0/Windows 7 x86 SP1/1058/84.182.248.91/E8BC99265198FF1B122E2AA85B368523CB02BE18D865E27FA7C76B40094A3089/hzMfzLbwHatCXrDUl3Pl3Ney/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/14/user/SYSTEM/0/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/14/NAT%20status/client%20is%20behind%20NAT/0/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/14/DNSBL/listed/0/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/o6To5Qk4Ro7Qk1HcvBXn7S/". ... VTI Actions Go to Behavior
URL "37.44.212.204/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/networkDll32/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/dpost/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/10/62/68975813/1/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/63/networkDll/start///". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/r8Tm9VqDZwCTm4Rj3MjzFcsDVo8Tp9S/". ... VTI Actions Go to Behavior
URL "37.44.212.204/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/psfin32/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/injectDll/PING/browser/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/10/62/68975886/1/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/63/psfin/start///". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/g0KbsBTo7Uk6Tp7Pl5Ni3MevIavEbwD/". ... VTI Actions Go to Behavior
URL "37.44.212.204/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/shareDll32/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/psfin/Log/SendReport/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/10/62/68975977/1/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/63/shareDll/control///". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/BUq6Pm6Sj1Ok4Pl8Un8O/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/zLcuDUpAVn4KarARm9Ri/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/FVrARl8ToBVp5Rl5OewG/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/uEUk4KeuAQk4OiyIcwCSi2Mcw/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/ZwHatEaxHZs8OgxF/". ... VTI Actions Go to Behavior
URL "37.44.212.204/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/wormDll32/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/10/62/68976058/1/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/63/wormDll/control///". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/EXsCXr7Rl8Pl6Qn6N/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/6Rk6Rn8Of2NfvEUk0HXo6Qk2/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/g0Kh2Pj1Ol2IeuDVnAWn8UqBS/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/2Jg1Md0GbyGXpBSj6Pj3OhzJcyHXq/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/Tn6Ok0HXqDYvCUl2Pj0Kh2Ph2LgwEUl2/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/j4Ol7Up5Oi3LdyGcw/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/aq7Up6MgzLbvDTk0McsAWrBVrC/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/pCVsEUl6NgxKh2Lf2Ok2Ok5Qn4/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/g2Ol4Mh1NdzJd0Mg0GaxJaq9Sl2Jas8/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/dinj/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/vGXrEZp7Sj3Qh4Oi0NfzFaxJeyI/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/5/sinj/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/zIYr8Sl7Ok5Pm5Lfx/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/64/networkDll/Log/SendReport/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/e0GcsEbwEXqDVn3N/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/yEXtDXtAXq9VsCUoBVr8Qk5Pm5/". ... VTI Actions Go to Behavior
URL "95.213.191.109/tot478/ZGW5TDPU_W617601.1E8523426B2B0B3522CF81970B864611/1/h0Je0MfwGdtFWsDZrEa/". ... VTI Actions Go to Behavior
1/5	Network	Tries to connect using an uncommon port	4	-
Tries to connect to TCP port 8082 at 186.159.1.217. ... VTI Actions
Tries to connect to TCP port 447 at 5.188.108.22. ... VTI Actions
Tries to connect to TCP port 447 at 37.44.212.204. ... VTI Actions
Tries to connect to TCP port 0 at 204.155.30.69. ... VTI Actions
1/5	Process	Process crashed	1	-
Process "c:\windows\system32\svchost.exe" crashed. ... VTI Actions Go to process
1/5	Static	Unparsable sections in file	1	-
Static analyzer was unable to completely parse the analyzed file: C:\Users\2XC7u663GxWc\Desktop\radiance.png.exe. ... VTI Actions Go to file details
0/5	Process	Enumerates running processes	1	-
Enumerates running processes. ... VTI Actions Go to Behavior

Screenshots

Monitored Processes

Sample Information

ID	#3822404
MD5	5c163d92cb7b0b913b1e9fce3e179477
SHA1	574aa8b8d8bc98cda8038f8a5084d36367e4ce82
SHA256	c8781c38c7a9b921049963a276513cf6057d85766e7517ff5eb6e4bc4d0c397b
SSDeep	6144:Kz0qq/ZdqMwdoXqTHBgVkVWp0UhmMNYWZ:vXqTHBguVdKmMCW
ImpHash	5de86c2a43198e0d4a76a1795f5e3c45
Filename	radiance.png.exe
File Size	250.00 KB
Sample Type	Windows Exe (x86-32)

Analysis Information

Creation Time	2019-05-16 19:08 (UTC+2)
Analysis Duration	00:04:18
Number of Monitored Processes	48
Execution Successful
Reputation Enabled
WHOIS Enabled
Local AV Enabled
YARA Enabled
Number of AV Matches	1
Number of YARA Matches	0
Termination Reason	Timeout
Tags	#Trickbot

Remarks (2/3)

VMRay Threat Indicators (33 rules, 126 matches)

Screenshots

Monitored Processes

Sample Information

Analysis Information

Before

After