Overview

overview

10

Static

static

10

Malware-1-master.zip

windows10-2004-x64

1

Malware-1-...30.exe

windows10-2004-x64

10

Malware-1-...40.exe

windows10-2004-x64

10

Malware-1-...32.exe

windows10-2004-x64

10

Malware-1-.../5.exe

windows10-2004-x64

10

Malware-1-...91.exe

windows10-2004-x64

10

Malware-1-...ey.exe

windows10-2004-x64

7

Malware-1-....0.zip

windows10-2004-x64

1

Malware-1-...ad.exe

windows10-2004-x64

3

Malware-1-...ti.exe

windows10-2004-x64

5

Malware-1-...an.bat

windows10-2004-x64

7

Malware-1-...an.exe

windows10-2004-x64

3

Malware-1-...ve.bat

windows10-2004-x64

7

Malware-1-...ve.exe

windows10-2004-x64

7

Malware-1-...ya.exe

windows10-2004-x64

Malware-1-...re.exe

windows10-2004-x64

10

Malware-1-...ry.exe

windows10-2004-x64

10

Malware-1-...ck.exe

windows10-2004-x64

3

Malware-1-...he.exe

windows10-2004-x64

10

Malware-1-...op.exe

windows10-2004-x64

7

Malware-1-...rb.exe

windows10-2004-x64

10

Malware-1-...ue.exe

windows10-2004-x64

1

Malware-1-...ng.exe

windows10-2004-x64

6

Malware-1-...kt.bat

windows10-2004-x64

7

Malware-1-...o3.exe

windows10-2004-x64

10

Malware-1-...ey.exe

windows10-2004-x64

10

Malware-1-.../m.exe

windows10-2004-x64

Malware-1-...o3.exe

windows10-2004-x64

9

Malware-1-...dme.md

windows10-2004-x64

3

Malware-1-...er.zip

windows10-2004-x64

1

Malware-1-...ic.exe

windows10-2004-x64

3

Malware-1-...in.exe

windows10-2004-x64

10

Resubmissions

17-01-2025 20:14

250117-yz7h3s1qfw 10

17-01-2025 20:12

250117-yy9l2sslcr 10

17-01-2025 17:25

250117-vy9p9sxpez 10

17-01-2025 17:21

250117-vw8eesyjfp 10

17-01-2025 14:16

250117-rk9ass1rhk 10

17-01-2025 14:12

250117-rhv1ds1lds 10

16-01-2025 12:52

250116-p4et7a1mez 10

16-01-2025 12:50

250116-p29xjssjep 10

16-01-2025 12:49

250116-p2cbaasjam 10

13-01-2025 04:35

250113-e7x5tswlfz 10

Analysis

  • max time kernel
    131s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2025 15:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Malware-1-master/youwin.exe

  • Size

    379KB

  • MD5

    c3f3773a596db65c6491b578db621c45

  • SHA1

    ba5529fe2d6648ebfa93c17145f5570f448e1111

  • SHA256

    dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c

  • SHA512

    8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061

  • SSDEEP

    6144:dVH5X7dPd2cUnZF+ZXsFv+g11ZebOzWl4QFUTUPYeOEH9yyIKC0ywAHTWZ:dVH5X7dPd2zcO+8ebRJlQeOEH9ytfvw4

Score
10/10
trickbotsun10bankerdiscoverypersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000312

Botnet

sun10

C2

82.202.212.172:443

24.247.181.155:449

24.247.182.39:449

109.234.38.220:443

24.247.182.29:449

24.247.182.7:449

71.14.129.8:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

206.130.141.255:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.187.116:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot family
    trickbot
  • Trickbot x86 loader 4 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe
    "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
      C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Adds Run key to start application
        PID:4936
        • C:\Windows\SYSTEM32\regini.exe
          regini C:\Users\Admin\AppData\Local\Temp\tmp051
          4⤵
            PID:4360
          • C:\Windows\SYSTEM32\regini.exe
            regini C:\Users\Admin\AppData\Local\Temp\tmp051
            4⤵
              PID:4408

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp051
        Filesize

        67B

        MD5

        e4bcd320585af9f77671cc6e91fe9de6

        SHA1

        15f12439eb3e133affb37b29e41e57d89fc90e06

        SHA256

        a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8

        SHA512

        00497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp051
        Filesize

        67B

        MD5

        58b2f90cc0182925ae0bab51700b14ab

        SHA1

        d2975adeb8dc68f2f5e10edee524de78e79828db

        SHA256

        8114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964

        SHA512

        de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4050598569-1597076380-177084960-1000\0f5007522459c86e95ffcc62f32308f1_cca0d105-8260-4611-8c12-bd85a7208b9f
        Filesize

        1KB

        MD5

        847b821fec410217f94edc697965ca37

        SHA1

        fc353c29c683757ce325368e24d08779e9f63029

        SHA256

        837d4c9a3f02b632a0ac9fbe9114d21441d9cfe162114283cea7ee1821bebbd5

        SHA512

        f77c61a6b82a9c3ac09ccce36c6a63eb0ca78e96f2a8f7c2a5246058268d8ebd219718dcd046e89053e34a62eb61a7e8949a327644c60738e45c7483813bf245

        Download Submit

      • C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
        Filesize

        379KB

        MD5

        c3f3773a596db65c6491b578db621c45

        SHA1

        ba5529fe2d6648ebfa93c17145f5570f448e1111

        SHA256

        dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c

        SHA512

        8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061

        Download Submit

      • memory/1400-24-0x0000000000740000-0x0000000000741000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1400-34-0x00000000028E0000-0x000000000299E000-memory.dmp

        Filesize

        760KB

        Download

      • memory/1400-35-0x00000000029A0000-0x0000000002C69000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/1400-18-0x00000000006D0000-0x0000000000710000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1400-19-0x0000000010000000-0x0000000010007000-memory.dmp

        Filesize

        28KB

        Download

      • memory/1400-20-0x0000000010000000-0x0000000010007000-memory.dmp

        Filesize

        28KB

        Download

      • memory/1400-36-0x00000000006D0000-0x0000000000710000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1400-12-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/1400-33-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/2624-0-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/2624-11-0x0000000000180000-0x00000000001C0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2624-10-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/2624-5-0x0000000000180000-0x00000000001C0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/4936-27-0x0000000140000000-0x0000000140039000-memory.dmp

        Filesize

        228KB

        Download

      • memory/4936-26-0x0000023E8FD40000-0x0000023E8FD41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4936-42-0x0000000140000000-0x0000000140039000-memory.dmp

        Filesize

        228KB

        Download