Overview

overview

10

Static

static

10

Malware-1-...30.exe

windows11-21h2-x64

10

Malware-1-...40.exe

windows11-21h2-x64

3

Malware-1-...32.exe

windows11-21h2-x64

10

Malware-1-.../5.exe

windows11-21h2-x64

10

Malware-1-...91.exe

windows11-21h2-x64

10

Malware-1-...ey.exe

windows11-21h2-x64

7

Malware-1-...ad.exe

windows11-21h2-x64

3

Malware-1-...ti.exe

windows11-21h2-x64

5

Malware-1-...an.bat

windows11-21h2-x64

7

Malware-1-...an.exe

windows11-21h2-x64

3

Malware-1-...ve.bat

windows11-21h2-x64

7

Malware-1-...ve.exe

windows11-21h2-x64

6

Malware-1-...ya.exe

windows11-21h2-x64

Malware-1-...re.exe

windows11-21h2-x64

10

Malware-1-...ry.exe

windows11-21h2-x64

10

Malware-1-...ck.exe

windows11-21h2-x64

3

Malware-1-...he.exe

windows11-21h2-x64

10

Malware-1-...op.exe

windows11-21h2-x64

7

Malware-1-...rb.exe

windows11-21h2-x64

10

Malware-1-...ue.exe

windows11-21h2-x64

1

Malware-1-...ng.exe

windows11-21h2-x64

6

Malware-1-...kt.bat

windows11-21h2-x64

7

Malware-1-...o3.exe

windows11-21h2-x64

10

Malware-1-...ey.exe

windows11-21h2-x64

10

Malware-1-.../m.exe

windows11-21h2-x64

Malware-1-...o3.exe

windows11-21h2-x64

9

Malware-1-...32.exe

windows11-21h2-x64

10

Malware-1-...nf.exe

windows11-21h2-x64

10

Malware-1-.../o.exe

windows11-21h2-x64

3

Malware-1-...B8.exe

windows11-21h2-x64

10

Malware-1-...ic.exe

windows11-21h2-x64

3

Malware-1-...in.exe

windows11-21h2-x64

10

Resubmissions

17-01-2025 20:14

250117-yz7h3s1qfw 10

17-01-2025 20:12

250117-yy9l2sslcr 10

17-01-2025 17:25

250117-vy9p9sxpez 10

17-01-2025 17:21

250117-vw8eesyjfp 10

17-01-2025 14:16

250117-rk9ass1rhk 10

17-01-2025 14:12

250117-rhv1ds1lds 10

16-01-2025 12:52

250116-p4et7a1mez 10

16-01-2025 12:50

250116-p29xjssjep 10

Analysis

  • max time kernel
    864s
  • max time network
    888s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-01-2025 12:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Malware-1-master/youwin.exe

  • Size

    379KB

  • MD5

    c3f3773a596db65c6491b578db621c45

  • SHA1

    ba5529fe2d6648ebfa93c17145f5570f448e1111

  • SHA256

    dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c

  • SHA512

    8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061

  • SSDEEP

    6144:dVH5X7dPd2cUnZF+ZXsFv+g11ZebOzWl4QFUTUPYeOEH9yyIKC0ywAHTWZ:dVH5X7dPd2zcO+8ebRJlQeOEH9ytfvw4

Score
10/10
trickbotsun10bankerdiscoverypersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000312

Botnet

sun10

C2

82.202.212.172:443

24.247.181.155:449

24.247.182.39:449

109.234.38.220:443

24.247.182.29:449

24.247.182.7:449

71.14.129.8:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

206.130.141.255:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.187.116:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot family
    trickbot
  • Trickbot x86 loader 4 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe
    "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\youwin.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
      C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3180
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Adds Run key to start application
        PID:5800
        • C:\Windows\SYSTEM32\regini.exe
          regini C:\Users\Admin\AppData\Local\Temp\tmp051
          4⤵
            PID:2956
          • C:\Windows\SYSTEM32\regini.exe
            regini C:\Users\Admin\AppData\Local\Temp\tmp051
            4⤵
              PID:4796

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp051
        Filesize

        67B

        MD5

        e4bcd320585af9f77671cc6e91fe9de6

        SHA1

        15f12439eb3e133affb37b29e41e57d89fc90e06

        SHA256

        a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8

        SHA512

        00497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp051
        Filesize

        67B

        MD5

        58b2f90cc0182925ae0bab51700b14ab

        SHA1

        d2975adeb8dc68f2f5e10edee524de78e79828db

        SHA256

        8114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964

        SHA512

        de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3973800497-2716210218-310192997-1000\0f5007522459c86e95ffcc62f32308f1_43ef074c-17c1-4956-ab3f-c3b0c6ae62b9
        Filesize

        1KB

        MD5

        08394a38fe137b35557cde4eed6bd553

        SHA1

        f57f6332189279ef8c4d20ee71f4baf4fe5ef6e3

        SHA256

        804b9ff4b73e29a405ea8c18bf93609cb06414a4c2a5a40fa08b4b68a4fad64c

        SHA512

        9e7d7c5bbb2fd5805a856d7fe09dc04598d64ba3537d11e3b9edc6ea2c865b4329c465458d5c4d3cb9cc9efb182699476fb856d18b22e755f206c5ef08d434e2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\NetSf\youwin.exe
        Filesize

        379KB

        MD5

        c3f3773a596db65c6491b578db621c45

        SHA1

        ba5529fe2d6648ebfa93c17145f5570f448e1111

        SHA256

        dfe2c886d9a6e9b26cdddba621fda00832a59def9813177863723e33c8011b0c

        SHA512

        8d7fab47b741c2e64533c30400cc6b8c20750948f9a9ad4382463ea920021d875eb9dd4d424d182cf25ffdfa96ae2088e89ae8220dd10e161fd9cbb37e213061

        Download Submit

      • memory/3180-36-0x0000000000C00000-0x0000000000C40000-memory.dmp

        Filesize

        256KB

        Download

      • memory/3180-34-0x00000000029A0000-0x0000000002A5D000-memory.dmp

        Filesize

        756KB

        Download

      • memory/3180-12-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/3180-35-0x0000000002A60000-0x0000000002DD4000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/3180-18-0x0000000000C00000-0x0000000000C40000-memory.dmp

        Filesize

        256KB

        Download

      • memory/3180-24-0x0000000000C40000-0x0000000000C41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3180-20-0x0000000010000000-0x0000000010007000-memory.dmp

        Filesize

        28KB

        Download

      • memory/3180-33-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/3896-11-0x0000000001140000-0x0000000001180000-memory.dmp

        Filesize

        256KB

        Download

      • memory/3896-0-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/3896-10-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/3896-4-0x0000000000400000-0x0000000000464000-memory.dmp

        Filesize

        400KB

        Download

      • memory/3896-5-0x0000000001140000-0x0000000001180000-memory.dmp

        Filesize

        256KB

        Download

      • memory/5800-27-0x0000000140000000-0x0000000140039000-memory.dmp

        Filesize

        228KB

        Download

      • memory/5800-25-0x0000018349680000-0x0000018349681000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5800-42-0x0000000140000000-0x0000000140039000-memory.dmp

        Filesize

        228KB

        Download