This report provides a detailed analysis of malware.exe, identified as the TrickBot Trojan.
TrickBot is a banking Trojan known for stealing payment credentials by redirecting victims to phishing websites. The malware is typically distributed via spearphishing emails, usually with malicious Microsoft Word or Excel files attached. It can also spread by exploiting vulnerabilities in SMB, a protocol that lets Windows computers share and access files and folders on other systems on the same network. TrickBot can also be delivered by other malware.
Trickbot Infection Chain
The target system for this analysis is a Windows 10 virtual machine.
File: malware.exe, PE32 Windows executable, 32-bit GUI
Original filename: MfcTTT.EXE
File size: 550 KB
SHA-256 hash: 9FDEA40A9872A77335AE3B733A50F4D1E9F8EFF193AE84E36FB7E5802C481F72
Tagged as: Trickbot, banker, emotet, dropper
Tools used during analysis: HitmanPro, Process Monitor, Wireshark, Sysmon, Unpackme, VirusTotal and other malware lookup and sandbox platforms.
VirusTotal result for the malware.exe file. When malware.exe was run, it created multiple copies of itself in different locations; these were also detected by the HitmanPro malware scanner, as seen in the figure below.
Files were dropped at the following locations:
C:\ProgramData\аНаоすは래별.exe
C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe
C:\Users\Mihika\AppData\Roaming\NuiGet\oanwate.exe
As they are copies of the same file, malware.exe, the hashes of the dropped files are identical.
Indicator of persistence:
The executable scheduled a task running the command "C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe", triggered at boot and on a timer. This is a common tactic malware uses to stay persistent on a system, or to carry out remote execution as part of lateral movement and to gain system privileges.
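To make this persistence indicator something a defender can check for, the following is an added example (not code from the original post): it parses Task Scheduler XML definitions, such as the files under C:\Windows\System32\Tasks or the output of "schtasks /query /xml", and flags tasks whose command launches from a user-writable directory under an automatic (boot, logon, time, calendar) trigger. The two task definitions are constructed here; the first mirrors the page's observation (command path and triggers from the page, interval and dates made up), the second is a hypothetical benign vendor updater for contrast.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler task definitions (the XML files under
# C:\Windows\System32\Tasks, or the output of "schtasks /query /xml").
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Trigger types that fire with no user interaction, i.e. the ones persistence relies on.
AUTO_TRIGGERS = {"BootTrigger", "LogonTrigger", "TimeTrigger",
                 "CalendarTrigger", "RegistrationTrigger"}

# Locations an unprivileged user can write to. Legitimate tasks rarely launch from here.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                         "c:\\programdata\\", "c:\\users\\public\\", "\\temp\\")

# Constructed task definition modelled on the page's observation: boot plus time trigger,
# command pointing at the dropped copy. Interval and dates are made up.
TRICKBOT_LIKE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe"</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for contrast (hypothetical vendor updater).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\Updater.exe</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>"""


def parse_task(xml_text):
    """Extract trigger types and Exec commands from a task definition."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find(TASK_NS + "Triggers")
    triggers = [] if triggers_el is None else [t.tag.replace(TASK_NS, "") for t in triggers_el]
    commands = [c.text.strip() for c in root.iter(TASK_NS + "Command") if c.text]
    return {"triggers": triggers, "commands": commands}


def assess_task(task):
    """Return reasons a task looks like a persistence mechanism (empty list if it looks normal)."""
    reasons = []
    for cmd in task["commands"]:
        path = cmd.strip().strip('"').lower()
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append(f"command runs from a user-writable location: {cmd}")
    auto = sorted(t for t in task["triggers"] if t in AUTO_TRIGGERS)
    if reasons and auto:
        reasons.append("fires without user action via: " + ", ".join(auto))
    return reasons


if __name__ == "__main__":
    for label, xml_text in (("trickbot-like", TRICKBOT_LIKE_TASK), ("benign", BENIGN_TASK)):
        print(label, assess_task(parse_task(xml_text)) or ["no findings"])
```

Run against every XML file in the Tasks directory of a suspect host, the same two checks (automatic trigger plus a command under AppData, ProgramData or Temp) surface this kind of task without needing the file name in advance.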
Although no registry changes were found, the main executable, malware.exe, queried many registry keys to gather information about the system, its configuration and installed software. Some of the keys queried give information about:
- the languages supported by the target system;
- user profiles, the computer name and session states;
- regional and language configuration of the system;
- Internet Explorer security settings;
- computer location settings.
The malware uses these registry queries to assess the system's security configuration, language settings, compatibility modes and file-system behaviour, so that it can run effectively, evade detection and operate without interference from security features.
Process:
Dropped Files:
PID | Process | Filename |
---|---|---|
8648 | malware.exe | C:\ProgramData\аНаоすは래별.exe |
6400 | svchost.exe | C:\Users\Mihika\AppData\Roaming\NuiGet\settings.ini |
1928 | svchost.exe | C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe |
2508 | аНаоすは래별.exe | C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\c12d0fde896f3644257b320067f915f0_305fb52e-58c2-4e89-9603-23058808ae91 |
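The dropped-file observations above (copies of one payload with identical hashes, written to ProgramData and AppData\Roaming, with a file name mixing Cyrillic, Japanese and Korean letters) translate into a simple file-create triage. The following is an added example, not code from the original post: it runs three checks over Sysmon Event ID 11 style records (executable written to a user-writable location, mixed-script file name, hash matching the page's SHA-256) and groups copies by hash. The records are constructed here from the page's table; the PIDs for oanwate.exe and the benign last row are made up, and the benign hash is a placeholder.

```python
import unicodedata
from collections import defaultdict

# SHA-256 reported on the page for malware.exe and its dropped copies.
KNOWN_SAMPLE_SHA256 = "9fdea40a9872a77335ae3b733a50f4d1e9f8eff193ae84e36fb7e5802c481f72"

EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")
# Directories any user (or the dropping process) can write to; not where installed software lives.
USER_WRITABLE_MARKERS = ("c:\\programdata\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
                         "c:\\users\\public\\", "\\temp\\")

# Constructed Sysmon Event ID 11 (FileCreate) style records. Paths follow the page's table;
# the hash for the three copies is the page's value, the PIDs of the last two rows are made up.
SAMPLE_EVENTS = [
    {"pid": 8648, "image": "malware.exe",
     "target": r"C:\ProgramData\аНаоすは래별.exe", "sha256": KNOWN_SAMPLE_SHA256},
    {"pid": 6400, "image": "svchost.exe",
     "target": r"C:\Users\Mihika\AppData\Roaming\NuiGet\settings.ini", "sha256": None},
    {"pid": 1928, "image": "svchost.exe",
     "target": r"C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe", "sha256": KNOWN_SAMPLE_SHA256},
    {"pid": 1928, "image": "svchost.exe",
     "target": r"C:\Users\Mihika\AppData\Roaming\NuiGet\oanwate.exe", "sha256": KNOWN_SAMPLE_SHA256},
    {"pid": 2508, "image": "аНаоすは래별.exe",
     "target": r"C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18"
               r"\c12d0fde896f3644257b320067f915f0_305fb52e-58c2-4e89-9603-23058808ae91",
     "sha256": None},
    {"pid": 7712, "image": "setup.exe",  # benign contrast row, hypothetical
     "target": r"C:\Program Files\ExampleVendor\Updater.exe",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
]


def scripts_in_name(name):
    """Unicode scripts (LATIN, CYRILLIC, HANGUL, ...) of the letters in a file name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in name if ch.isalpha()}


def file_stem(path):
    """File name without directory and without the last extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage_file_event(event):
    """Return the reasons a file-create event is suspicious; empty list means nothing stood out."""
    reasons = []
    path = event["target"].lower()
    if path.endswith(EXECUTABLE_EXTENSIONS) and any(m in path for m in USER_WRITABLE_MARKERS):
        reasons.append("executable written to a user-writable location")
    scripts = scripts_in_name(file_stem(event["target"]))
    if len(scripts) > 1:
        reasons.append("mixed-script file name: " + ", ".join(sorted(scripts)))
    if (event.get("sha256") or "").lower() == KNOWN_SAMPLE_SHA256:
        reasons.append("SHA-256 matches the known sample")
    return reasons


def triage_file_events(events):
    """Keep only events with findings, as (pid, image, target, reasons) tuples."""
    findings = []
    for event in events:
        reasons = triage_file_event(event)
        if reasons:
            findings.append((event["pid"], event["image"], event["target"], reasons))
    return findings


def group_by_hash(events):
    """Map each hash seen more than once to the paths it was written to (copies of one payload)."""
    groups = defaultdict(list)
    for event in events:
        if event.get("sha256"):
            groups[event["sha256"].lower()].append(event["target"])
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    for pid, image, target, reasons in triage_file_events(SAMPLE_EVENTS):
        print(f"PID {pid} {image} -> {target}: {'; '.join(reasons)}")
    for digest, paths in group_by_hash(SAMPLE_EVENTS).items():
        print(f"{len(paths)} copies of {digest[:12]}...: {paths}")
```

The mixed-script check is deliberately independent of the hash: a repacked build of the same family would have a new SHA-256, but a name assembled from several alphabets stays unusual for legitimately installed software.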
Connections:
Several reconnection attempts by svchost.exe (PID 6400) to:
- static-200-116-199-10.une.net.co:449
- 185.222.202.76:https
The IP address 185.222.202.76 is flagged as malicious on VirusTotal and other online platforms and is associated with TrickBot.
The connection attempts to static-200-116-199-10.une.net.co on port 449 also raise suspicion. The domain une.net.co belongs to a Colombian telecommunications company, UNE EPM Telecomunicaciones, and the IP 200.116.199.10 appears to belong to this network. Repeated connections to a non-standard port can indicate malicious activity such as botnet communication or malware.
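The two network observations above, a known-bad destination and a reconnection loop to a non-standard port, are what a detection over connection telemetry should key on. The following is an added example (not code from the original post): it parses Sysmon Event ID 3 style connection lines, counts attempts per process and destination, flags matches against the page's IP indicators and repeated attempts to uncommon ports, and renders the corresponding outbound "netsh advfirewall" block rules. The log lines are constructed; the svchost.exe lines mirror the page's description, and the 203.0.113.x addresses are documentation-range placeholders for ordinary traffic.

```python
import re
from collections import Counter

# Destinations the page reports for this sample.
IOC_IPS = {"200.116.199.10", "185.222.202.76"}
# Ports that are unremarkable for outbound traffic from a workstation.
COMMON_PORTS = {53, 80, 123, 443, 8080}
# How many attempts to the same non-standard port count as a reconnection pattern.
RECONNECT_THRESHOLD = 3

# Constructed connection log (Sysmon Event ID 3 fields flattened to one line each).
# The svchost.exe lines mirror the page; 203.0.113.x is documentation address space.
SAMPLE_LOG = """\
2024-05-01T10:00:01 pid=6400 image=svchost.exe dst=200.116.199.10 dport=449 proto=tcp
2024-05-01T10:00:31 pid=6400 image=svchost.exe dst=200.116.199.10 dport=449 proto=tcp
2024-05-01T10:01:01 pid=6400 image=svchost.exe dst=200.116.199.10 dport=449 proto=tcp
2024-05-01T10:01:31 pid=6400 image=svchost.exe dst=200.116.199.10 dport=449 proto=tcp
2024-05-01T10:02:00 pid=6400 image=svchost.exe dst=185.222.202.76 dport=443 proto=tcp
2024-05-01T10:02:30 pid=6400 image=svchost.exe dst=185.222.202.76 dport=443 proto=tcp
2024-05-01T10:03:00 pid=4120 image=chrome.exe dst=203.0.113.5 dport=443 proto=tcp
2024-05-01T10:03:05 pid=5016 image=updater.exe dst=203.0.113.9 dport=8443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_connections(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def analyze_connections(records):
    """Group attempts per (pid, image, dst, dport) and flag IOC hits and reconnection loops."""
    counts = Counter((r["pid"], r["image"], r["dst"], r["dport"]) for r in records)
    findings = []
    for (pid, image, dst, dport), attempts in counts.items():
        reasons = []
        if dst in IOC_IPS:
            reasons.append("destination is a known TrickBot indicator")
        if dport not in COMMON_PORTS and attempts >= RECONNECT_THRESHOLD:
            reasons.append(f"{attempts} attempts to non-standard port {dport}")
        if reasons:
            findings.append({"pid": pid, "image": image, "dst": dst, "dport": dport,
                             "attempts": attempts, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["attempts"], f["dst"]))


def firewall_block_rules(findings):
    """Render one outbound 'netsh advfirewall' block rule per flagged IOC address."""
    rules = []
    for dst in sorted({f["dst"] for f in findings if f["dst"] in IOC_IPS}):
        rules.append(f'netsh advfirewall firewall add rule name="Block TrickBot C2 {dst}" '
                     f'dir=out action=block remoteip={dst}')
    return rules


if __name__ == "__main__":
    found = analyze_connections(parse_connections(SAMPLE_LOG))
    for f in found:
        print(f"{f['image']} (PID {f['pid']}) -> {f['dst']}:{f['dport']} "
              f"x{f['attempts']}: {'; '.join(f['reasons'])}")
    print("\n".join(firewall_block_rules(found)))
```

The single updater.exe connection to port 8443 is not flagged: one attempt to an uncommon port is normal noise, and the reconnection rule only fires once the threshold of repeated attempts is reached, which is the pattern svchost.exe showed against port 449 here.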
IOC (Indicators of Compromise)
Files:
C:\ProgramData\аНаоすは래별.exe
C:\Users\OqXZRaykm\AppData\Roaming\NuiGet\аНаоすは래별.exe
malware.exe
IPs:
200.116.199.10, port 449
185.222.202.76
Mitigation Strategies
Block the IP 200.116.199.10 and port 449 in your firewall.
Block the IP 185.222.202.76.
References:
Trickbot Infection in Network Traffic
How Malware can detect your Virtualisation environment