Overview

overview

10

Static

static

3

xml1.exe

windows7-x64

10

Resubmissions

13/07/2024, 07:04 UTC

240713-hwfcesshqg 10

13/07/2024, 06:54 UTC

240713-hn9w3azhnj 10

24/08/2023, 07:19 UTC

230824-h5hh5sah24 10

Analysis

  • max time kernel
    226s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    13/07/2024, 07:04 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xml1.exe

  • Size

    396KB

  • MD5

    8503ea92f4c9941ee3295978729d98ba

  • SHA1

    d04dfbc5b1335c8408ffb5c58bd966791f748ad3

  • SHA256

    1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53

  • SHA512

    a5dade77d81f3fc49b46d828ea653d55b921e8b65b455dd0a1fa7eba7880b3a86deff0aafd21276a86eb95be948ab61da9771343ccbc24164b31c3a5b18edaa5

  • SSDEEP

    6144:omPt4BMS4GhUjjF0CBTTFCIRroPHQJ/s5xi8uwytwnhJCAfYrewWvoKMyDftxQib:ZPt4BMsOvpAHQJ0G8CAfWWvo1im

Score
10/10
trickbotxml1bankertrojan

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

xml1

C2

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64
1
RUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg=

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xml1.exe
    "C:\Users\Admin\AppData\Local\Temp\xml1.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2408
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:984
    • C:\Windows\System32\perfmon.exe
      "C:\Windows\System32\perfmon.exe" /res
      2⤵
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:952
  • C:\Users\Admin\AppData\Local\Temp\xml1.exe
    "C:\Users\Admin\AppData\Local\Temp\xml1.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:772

Network

  • flag-us
    DNS
    1.0.127.10.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.0.127.10.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    255.255.127.10.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    255.255.127.10.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    252.0.0.224.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    252.0.0.224.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
No results found
  • 8.8.8.8:53
    1.0.127.10.in-addr.arpa
    dns
    69 B
     69 B
     1
    1

    DNS Request

    1.0.127.10.in-addr.arpa

  • 8.8.8.8:53
    255.255.127.10.in-addr.arpa
    dns
    73 B
     73 B
     1
    1

    DNS Request

    255.255.127.10.in-addr.arpa

  • 8.8.8.8:53
    252.0.0.224.in-addr.arpa
    dns
    70 B
     127 B
     1
    1

    DNS Request

    252.0.0.224.in-addr.arpa

  • 8.8.8.8:53
    3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa
    dns
    118 B
     182 B
     1
    1

    DNS Request

    3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/952-178-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/952-177-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/952-176-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/952-175-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/984-172-0x0000000000420000-0x0000000000421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/984-33-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/984-34-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/984-120-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/984-130-0x0000000000200000-0x0000000000210000-memory.dmp

    Filesize

    64KB

    Download

  • memory/984-173-0x0000000000420000-0x0000000000421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1952-174-0x0000000002330000-0x0000000002363000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1952-171-0x0000000010000000-0x0000000010003000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1952-167-0x0000000001D70000-0x0000000001D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1952-2-0x0000000002330000-0x0000000002363000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1952-168-0x0000000010000000-0x0000000010003000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1952-81-0x0000000002330000-0x0000000002363000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1952-0-0x0000000002330000-0x0000000002363000-memory.dmp

    Filesize

    204KB

    Download

  • memory/1952-1-0x00000000022F0000-0x0000000002323000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2408-170-0x0000000000060000-0x0000000000084000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2408-169-0x0000000000060000-0x0000000000084000-memory.dmp

    Filesize

    144KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.