This report provides a detailed analysis of malware.exe, identified as the TrickBot Trojan. TrickBot is a sophisticated banking trojan known for stealing payment credentials by redirecting victims to phishing websites. The file exhibits malicious activity, including privilege escalation and process injection. The target system for this analysis was a Windows 10 virtual machine.
File: malware.exe, PE32 Windows executable, 32-bit GUI
Original filename: MfcTTT.EXE
File size: 550 KB
SHA256 hash: 9FDEA40A9872A77335AE3B733A50F4D1E9F8EFF193AE84E36FB7E5802C481F72
Tagged as: Trickbot, banker, emotet, dropper
When malware.exe was run, it created multiple copies of itself in different locations; these were also detected by the HitmanPro malware scanner, as seen in the figure below.
Files were dropped at the following locations:
C:\ProgramData\аНаоすは래별.exe
C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe
C:\Users\Mihika\AppData\Roaming\NuiGet\oanwate.exe
Indicator of persistence:
The executable scheduled a task to run the file "C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe" at startup, a common tactic malware uses to maintain persistence on the system.
Although no changes to the registry were found, the main executable, malware.exe, queried many registry keys to gather information about the system, its configuration, and installed software. Some of these keys give information on:
- The languages supported by the target system.
- User profiles, the computer name, and session states.
- Regional and language configurations on the system.
- Security settings of Internet Explorer.
- Computer location settings.
The malware uses these registry queries to assess the system's security configuration, language settings, compatibility modes, and file system behaviour so that it can run effectively, evade detection, and operate without interference from security features.
Process:
Dropped Files:
PID | Process | Filename |
---|---|---|
8648 | malware.exe | C:\ProgramData\аНаоすは래별.exe |
6400 | svchost.exe | C:\Users\Mihika\AppData\Roaming\NuiGet\settings.ini |
1928 | svchost.exe | C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe |
2508 | аНаоすは래별.exe | C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\c12d0fde896f3644257b320067f915f0_305fb52e-58c2-4e89-9603-23058808ae91 |
Connections:
Several reconnection attempts by svchost.exe (PID 6400) to:
- static-200-116-199-10.une.net.co:449
- re.relayhost.live:https
- 185.222.202.76:https
IP address 185.222.202.76 is flagged as malicious on VirusTotal and other online platforms. The attempts to connect to static-200-116-199-10.une.net.co on port 449 also raise suspicion.
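As an added example (not part of the original report), the script below turns the behaviours documented above into simple detection rules and runs them over constructed sandbox-style event lines: executables dropped under ProgramData or AppData\Roaming (with a flag for non-ASCII names like аНаоすは래별.exe), a scheduled task pointing into a drop directory, and connections to the listed hosts or to port 449. The event line format, the benign chrome.exe line and the PIDs of the constructed lines are assumptions; the indicators are only those named in this report, not a complete TrickBot signature.

```python
import re
from typing import Dict, List

# Indicators taken from this report; NOT a complete TrickBot signature.
KNOWN_BAD_HOSTS = {"static-200-116-199-10.une.net.co", "re.relayhost.live", "185.222.202.76"}
SUSPICIOUS_PORTS = {449}  # non-standard port the sample reconnected to
DROP_DIRS = ("c:\\programdata\\", "\\appdata\\roaming\\")

# Constructed sandbox event lines (assumed format): "<pid> <process> <event> <argument>"
SAMPLE_EVENTS = """\
8648 malware.exe FILE_CREATE C:\\ProgramData\\аНаоすは래별.exe
6400 svchost.exe FILE_CREATE C:\\Users\\Mihika\\AppData\\Roaming\\NuiGet\\settings.ini
1928 svchost.exe FILE_CREATE C:\\Users\\Mihika\\AppData\\Roaming\\NuiGet\\аНаоすは래별.exe
1928 svchost.exe TASK_CREATE C:\\Users\\Mihika\\AppData\\Roaming\\NuiGet\\аНаоすは래별.exe
6400 svchost.exe NET_CONNECT static-200-116-199-10.une.net.co:449
6400 svchost.exe NET_CONNECT 185.222.202.76:443
4120 chrome.exe NET_CONNECT www.example.com:443
"""

EVENT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<event>[A-Z_]+)\s+(?P<arg>.+)$")

def in_drop_dir(path: str) -> bool:
    """True if the path sits under one of the drop directories seen in the report."""
    return any(d in path.lower() for d in DROP_DIRS)

def non_ascii_name(path: str) -> bool:
    """Mixed-script file names (Cyrillic/CJK/Hangul) are unusual for a legitimate Windows binary."""
    return any(ord(ch) > 127 for ch in path.rsplit("\\", 1)[-1])

def analyse(text: str) -> List[Dict[str, str]]:
    """Apply the three rules to each event line and return the findings in order."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the triage run
        pid, proc, event, arg = m.group("pid", "proc", "event", "arg")
        rule = None
        if event == "FILE_CREATE" and arg.lower().endswith(".exe") and in_drop_dir(arg):
            rule = "dropped_executable" + ("_non_ascii_name" if non_ascii_name(arg) else "")
        elif event == "TASK_CREATE" and in_drop_dir(arg):
            rule = "scheduled_task_persistence"  # startup task pointing into a drop directory
        elif event == "NET_CONNECT":
            host, _, port = arg.rpartition(":")
            if host in KNOWN_BAD_HOSTS or (port.isdigit() and int(port) in SUSPICIOUS_PORTS):
                rule = "c2_connection"
        if rule:
            findings.append({"pid": pid, "process": proc, "rule": rule, "detail": arg})
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['process']} -> {f['detail']}")
```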