Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | July 22, 2021, 1:57 p.m. | July 22, 2021, 1:59 p.m. |
Process tree

Process | PID | Command line |
---|---|---|
rundll32.exe | 2088 | "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\lovemetertok.exe.dll,StartW |
wermgr.exe (nested under PID 2088 in the tree) | 2256 | C:\Windows\system32\wermgr.exe |
rundll32.exe | 2680 | "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\lovemetertok.exe.dll, |

The sample is a DLL, launched through rundll32.exe with the StartW export (PID 2088). That process spawns wermgr.exe (PID 2256), the Windows Error Reporting manager, which is the process the sleep signature below attributes the 142-second delay to. The second rundll32.exe invocation (PID 2680) passes no export name after the comma.
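The process tree above is the host-side pattern worth alerting on: rundll32.exe loading a double-extension DLL from the user's Temp directory through a loader export, then spawning wermgr.exe. The following is an added example (not part of the sandbox report) that runs that check over constructed process-creation records mirroring the tree; the parent PIDs and the placeholder PID 1000 for the sandbox agent are assumptions, and the export list is an analyst-maintained one.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records mirroring the sandbox process tree.
# PIDs, image names and command lines are the report's; the parent PIDs are an
# assumption taken from the tree nesting (1000 stands in for the sandbox agent).
PROCESSES = [
    {"pid": 2088, "ppid": 1000, "image": "rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\lovemetertok.exe.dll,StartW'},
    {"pid": 2256, "ppid": 2088, "image": "wermgr.exe",
     "cmdline": r"C:\Windows\system32\wermgr.exe"},
    {"pid": 2680, "ppid": 1000, "image": "rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\lovemetertok.exe.dll,'},
]

# rundll32 syntax: <rundll32 path> <dll path>,<export>; the export may be empty.
RUNDLL32_RE = re.compile(
    r'^"?(?P<exe>[^"]*rundll32\.exe)"?\s+(?P<dll>[^,]+?),(?P<export>\S*)\s*$', re.I)
# Directories an ordinary user can write to; a DLL loaded from here by rundll32
# is far more suspicious than one under System32 or Program Files.
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Temp|Downloads|Public)\\", re.I)
# Export names used by loader DLLs (StartW is the one in this report). This set
# is an analyst-maintained assumption, not a complete list.
LOADER_EXPORTS = {"start", "startw"}


def parse_rundll32(cmdline: str) -> Optional[Dict[str, str]]:
    """Split a rundll32 command line into the DLL path and the export name."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return {"dll": m.group("dll").strip(), "export": m.group("export")}


def score_process(proc: Dict, by_pid: Dict[int, Dict]) -> List[str]:
    """Return the detection reasons that fire for one process (empty = clean)."""
    reasons = []
    image = proc["image"].lower()
    if image == "rundll32.exe":
        parsed = parse_rundll32(proc["cmdline"])
        if parsed:
            dll, export = parsed["dll"], parsed["export"]
            if USER_WRITABLE_RE.search(dll):
                reasons.append("rundll32 loads a DLL from a user-writable directory")
            if re.search(r"\.exe\.dll$", dll, re.I):
                reasons.append("DLL name carries a double extension (.exe.dll)")
            if export.lower() in LOADER_EXPORTS:
                reasons.append(f"export '{export}' is a known loader entry point")
    parent = by_pid.get(proc["ppid"])
    # wermgr.exe normally runs under svchost.exe; being spawned by rundll32.exe
    # is the injection pattern visible in the tree above.
    if image == "wermgr.exe" and parent and parent["image"].lower() == "rundll32.exe":
        reasons.append("wermgr.exe spawned by rundll32.exe (injection target)")
    return reasons


def analyse(processes: List[Dict]) -> Dict[int, List[str]]:
    """Map every PID to its list of detection reasons."""
    by_pid = {p["pid"]: p for p in processes}
    return {p["pid"]: score_process(p, by_pid) for p in processes}


if __name__ == "__main__":
    for pid, reasons in analyse(PROCESSES).items():
        print(pid, reasons)
```

Run on the three records, PID 2088 trips all three rundll32 checks, PID 2680 trips two (no export is named), and wermgr.exe is flagged only because of its parent; the same logic ports directly to Sysmon event 1 or EDR process telemetry, where the parent image is a real field rather than an assumption.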
Domains

Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |

No DNS names were resolved during the run: every connection below went to a hard-coded IP address.
Hosts

IP Address | Status |
---|---|
138.34.28.219 | Active |
154.58.23.192 | Active |
164.124.101.2 | Active |
184.74.99.214 | Active |
185.56.76.108 | Active |
185.56.76.94 | Active |
204.138.26.60 | Active |
217.115.240.248 | Active |
38.110.100.142 | Active |
38.110.103.113 | Active |
38.110.103.124 | Active |
68.69.26.182 | Active |
74.85.157.139 | Active |
Suricata Alerts

(none listed)

Suricata TLS
Protocol | Source | Destination | Issuer | Subject | Fingerprint (SHA-1) |
---|---|---|---|---|---|
TLSv1 | 192.168.56.101:49203 | 138.34.28.219:443 | C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-F4:92:BF:D6:1C:49/emailAddress=support@ubnt.com | (same as issuer) | 0f:6c:9c:c8:a9:10:1e:c8:98:3f:01:df:32:ad:f1:7f:5d:d0:4c:54 |
TLSv1 | 192.168.56.101:49207 | 38.110.103.124:443 | C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-78:8A:20:EC:48:A1/emailAddress=support@ubnt.com | (same as issuer) | e6:60:4a:40:4a:b9:63:85:da:e8:fc:ec:75:e2:1a:7e:85:1f:49:1e |
TLSv1 | 192.168.56.101:49205 | 38.110.103.113:443 | C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-78:8A:20:10:C4:5A/emailAddress=support@ubnt.com | (same as issuer) | f8:a6:1d:83:c7:74:cb:aa:74:13:1b:31:74:93:a5:b4:a4:1b:bd:c5 |
TLSv1 | 192.168.56.101:49215 | 38.110.100.142:443 | C=US, ST=NY, L=New York, O=Ubiquiti Inc., OU=Technical Support, CN=UBNT-18:E8:29:1F:F2:01/emailAddress=support@ui.com | (same as issuer) | f1:bf:98:64:45:62:e6:de:5f:a4:b5:d9:2a:11:e4:6f:21:99:7b:61 |
TLSv1 | 192.168.56.101:49211 | 204.138.26.60:443 | C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT-80:2A:A8:FE:3F:A4/emailAddress=support@ubnt.com | (same as issuer) | bd:6e:61:62:17:19:85:a8:d5:cd:95:e9:df:f4:e6:cf:e0:a6:2a:b6 |
TLSv1 | 192.168.56.101:49216 | 184.74.99.214:443 | C=AU, ST=Some-State, O=Internet Widgits Pty Ltd | (same as issuer) | b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02 |
TLSv1 | 192.168.56.101:49210 | 217.115.240.248:443 | C=US, ST=GA, L=Canton, O=LigoWave LLC, OU=R&D, CN=LigoWave SSL CA | (same as issuer) | d3:39:ab:71:76:bb:9c:d2:1c:3e:b1:17:92:c7:3f:25:1f:25:f8:88 |

Issuer and subject are identical for every certificate, so all seven are self-signed, and every session negotiated TLSv1. The UBNT-<MAC> common names are the factory certificates of Ubiquiti devices (the CN embeds the device's MAC address), "Internet Widgits Pty Ltd" is the placeholder subject that OpenSSL's certificate tooling suggests by default, and LigoWave is another wireless equipment vendor. The sample is therefore talking to consumer and SOHO network gear on port 443, not to purpose-built servers, which is why the certificate fingerprints above are more durable indicators than the IP addresses.
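A practitioner reviewing TLS logs wants the checks above automated rather than eyeballed: self-signed leaf, factory device certificate, unchanged OpenSSL placeholder, deprecated protocol. The following is an added example, not part of the sandbox report, that applies those heuristics to records constructed from the table above (the distinguished names and fingerprints are the report's; the TLSv1.2, CA-issued control record is constructed and is not from the report).

```python
import re
from typing import Dict, List

# Distinguished names as the report prints them (OpenSSL one-line form).
UBNT_CA = ("C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, "
           "CN=UBNT-{mac}/emailAddress=support@ubnt.com")
UBNT_NY = ("C=US, ST=NY, L=New York, O=Ubiquiti Inc., OU=Technical Support, "
           "CN=UBNT-{mac}/emailAddress=support@ui.com")
WIDGITS = "C=AU, ST=Some-State, O=Internet Widgits Pty Ltd"
LIGOWAVE = "C=US, ST=GA, L=Canton, O=LigoWave LLC, OU=R&D, CN=LigoWave SSL CA"


def flow(dst: str, dn: str, fingerprint: str, proto: str = "TLSv1", issuer: str = None) -> Dict:
    """One Suricata-style TLS record; every certificate in the report is self-signed,
    so the subject DN serves as issuer unless a different issuer is given."""
    return {"proto": proto, "src": "192.168.56.101", "dst": dst,
            "issuer": issuer if issuer is not None else dn, "subject": dn,
            "fingerprint": fingerprint}


# Constructed records mirroring the Suricata TLS table above.
TLS_FLOWS = [
    flow("138.34.28.219:443", UBNT_CA.format(mac="F4:92:BF:D6:1C:49"), "0f:6c:9c:c8:a9:10:1e:c8:98:3f:01:df:32:ad:f1:7f:5d:d0:4c:54"),
    flow("38.110.103.124:443", UBNT_CA.format(mac="78:8A:20:EC:48:A1"), "e6:60:4a:40:4a:b9:63:85:da:e8:fc:ec:75:e2:1a:7e:85:1f:49:1e"),
    flow("38.110.103.113:443", UBNT_CA.format(mac="78:8A:20:10:C4:5A"), "f8:a6:1d:83:c7:74:cb:aa:74:13:1b:31:74:93:a5:b4:a4:1b:bd:c5"),
    flow("38.110.100.142:443", UBNT_NY.format(mac="18:E8:29:1F:F2:01"), "f1:bf:98:64:45:62:e6:de:5f:a4:b5:d9:2a:11:e4:6f:21:99:7b:61"),
    flow("204.138.26.60:443", UBNT_CA.format(mac="80:2A:A8:FE:3F:A4"), "bd:6e:61:62:17:19:85:a8:d5:cd:95:e9:df:f4:e6:cf:e0:a6:2a:b6"),
    flow("184.74.99.214:443", WIDGITS, "b5:21:a8:16:d5:97:b1:67:f6:60:a5:cb:20:27:76:ec:3c:9d:3b:02"),
    flow("217.115.240.248:443", LIGOWAVE, "d3:39:ab:71:76:bb:9c:d2:1c:3e:b1:17:92:c7:3f:25:1f:25:f8:88"),
]
# Constructed control record (not from the report): a CA-issued cert over TLSv1.2
# should produce no findings.
CONTROL = flow("203.0.113.10:443", "CN=www.example.com",
               "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33",
               proto="TLSv1.2", issuer="C=US, O=Example CA, CN=Example Issuing CA")

# Ubiquiti factory certificate: CN is "UBNT-" followed by the device MAC.
UBNT_DEFAULT_CN = re.compile(r"^UBNT-(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse an OpenSSL one-line DN; attributes after the CN may be '/'-joined."""
    fields = {}
    for part in dn.split(", "):
        for sub in part.split("/"):
            if "=" in sub:
                key, value = sub.split("=", 1)
                fields[key.strip()] = value.strip()
    return fields


def assess(record: Dict) -> List[str]:
    """Return the reasons a TLS record looks like malware-to-device traffic."""
    reasons = []
    subject = parse_dn(record["subject"])
    if parse_dn(record["issuer"]) == subject:
        reasons.append("self-signed: issuer equals subject")
    cn = subject.get("CN", "")
    if UBNT_DEFAULT_CN.match(cn):
        reasons.append("factory Ubiquiti device certificate, MAC " + cn[len("UBNT-"):])
    if subject.get("O") == "Internet Widgits Pty Ltd":
        reasons.append("OpenSSL placeholder subject was never changed")
    if record["proto"] in DEPRECATED_PROTOCOLS:
        reasons.append("deprecated protocol " + record["proto"])
    return reasons


def fingerprints(records: List[Dict]) -> List[str]:
    """SHA-1 fingerprints of every flagged certificate, ready for a blocklist."""
    return sorted({r["fingerprint"] for r in records if assess(r)})


if __name__ == "__main__":
    for r in TLS_FLOWS + [CONTROL]:
        print(r["dst"], assess(r))
```

The DN parser is the part to get right: Suricata prints the subject in OpenSSL's one-line format, and the `emailAddress` attribute is appended to the CN with a slash, so splitting only on commas would leave the CN polluted and the MAC regex would never match.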
Static analysis

Key | Value |
---|---|
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
packer | Armadillo v1.xx - v2.xx |
resource name | None |

Two caveats: the "Armadillo v1.xx - v2.xx" match is a PEiD signature that also fires on ordinary Microsoft Visual C++ builds, so it is weak evidence of packing on its own (the section entropy below is the stronger signal). MachineGuid is a stable per-installation identifier, and reading it is consistent with deriving the per-victim ID that appears in the C2 request paths below.
Signatures

Suspicious feature | Request |
---|---|
Connection to IP address | GET https://138.34.28.219/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/ |
Connection to IP address | GET https://138.34.28.219/cookiechecker?uri=/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/ |
Connection to IP address | GET https://138.34.28.219/index.html |
Connection to IP address | GET https://138.34.28.219/login.cgi?uri=/index.html |
Connection to IP address | GET https://38.110.103.113/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/ |
Connection to IP address | GET https://38.110.103.124/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/ |
Connection to IP address | GET https://217.115.240.248/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/ |
Connection to IP address | GET https://204.138.26.60/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/ |
Connection to IP address | GET https://38.110.100.142/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/ |
Connection to IP address | GET https://38.110.100.142/cookiechecker?uri=/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/ |
Connection to IP address | GET https://38.110.100.142/index.html |
Connection to IP address | GET https://184.74.99.214/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/ |

The "Connection to IP address" feature fires because every request names a raw IP rather than a hostname, matching the empty domains table. The seven requests to /rob109/.../5/file/ share one path layout: rob109 is the bot's group tag (gtag), TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7 identifies the victim (computer name, Windows 6.1 build 7601, and a 32-hex-digit per-machine ID), and 5 is the command number. The additional requests to /cookiechecker?uri=..., /index.html and /login.cgi?uri=/index.html on 138.34.28.219 and 38.110.100.142 are consistent with a Ubiquiti airOS web interface redirecting an unauthenticated client to its login page, i.e. on those two hosts the request reached the router's own management UI rather than a backend that understood the protocol.
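For triage it helps to pull the structured fields out of those request paths rather than treating each URL as an opaque string. The following is an added example, not part of the sandbox report, that parses the report's own request URLs into group tag, victim identifier, decoded OS version and command number, and separates protocol requests from the device web-UI responses. The OS-version decoding and the command-number names are assumptions taken from public TrickBot write-ups, not facts this report states.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Sample input: the request URLs from the report above.
REQUESTS = [
    "https://138.34.28.219/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/",
    "https://138.34.28.219/cookiechecker?uri=/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/",
    "https://138.34.28.219/index.html",
    "https://138.34.28.219/login.cgi?uri=/index.html",
    "https://38.110.103.113/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/",
    "https://184.74.99.214/rob109/TEST22-PC_W617601.033D15E7FF3E0057948BB374FD3A56B7/5/file/",
]

# Path layout observed above: /<gtag>/<COMPUTERNAME>_W<osver>.<32 hex>/<command>/<rest>
C2_PATH_RE = re.compile(
    r"^/(?P<gtag>[A-Za-z0-9]+)/(?P<computer>[^/_]+)_W(?P<osver>\d+)\."
    r"(?P<client_id>[0-9A-Fa-f]{32})/(?P<command>\d+)/(?P<rest>.*)$")

# Command numbers as described in public TrickBot write-ups; an assumption to
# verify against current analyses, not something this report states.
COMMAND_NAMES = {0: "initial registration", 1: "keep-alive",
                 5: "module download", 10: "result/log upload"}


def decode_osver(tag: str) -> Dict[str, int]:
    """'617601' -> Windows 6.1 build 7601. Heuristic (assumption): the major
    version is '10' when the digits start with 10, otherwise a single digit;
    the minor version is one digit; the remainder is the build number."""
    if tag.startswith("10"):
        major, rest = 10, tag[2:]
    else:
        major, rest = int(tag[0]), tag[1:]
    return {"major": major, "minor": int(rest[0]), "build": int(rest[1:])}


def classify(url: str) -> Dict:
    """Return the decoded protocol fields, or mark the URL as web-UI traffic."""
    parts = urlsplit(url)
    m = C2_PATH_RE.match(parts.path)
    if m:
        command = int(m.group("command"))
        return {"kind": "c2", "host": parts.hostname, "gtag": m.group("gtag"),
                "computer": m.group("computer"), "os": decode_osver(m.group("osver")),
                "client_id": m.group("client_id").upper(), "command": command,
                "command_name": COMMAND_NAMES.get(command, "unknown"),
                "rest": m.group("rest").strip("/")}
    # Anything else is the contacted device answering with its own web
    # interface (login.cgi, cookiechecker, index.html) instead of the protocol.
    return {"kind": "web-ui", "host": parts.hostname, "path": parts.path,
            "query": parts.query}


def summarise(urls: List[str]) -> Dict:
    """Aggregate one run's requests into the indicators an analyst reports."""
    parsed = [classify(u) for u in urls]
    c2 = [p for p in parsed if p["kind"] == "c2"]
    return {
        "gtags": sorted({p["gtag"] for p in c2}),
        "client_ids": sorted({p["client_id"] for p in c2}),
        "c2_hosts": sorted({p["host"] for p in c2}),
        "commands": sorted({p["command"] for p in c2}),
        "web_ui_hosts": sorted({p["host"] for p in parsed if p["kind"] == "web-ui"}),
    }


if __name__ == "__main__":
    for u in REQUESTS:
        print(classify(u))
    print(summarise(REQUESTS))
```

Note what the summary makes obvious that the flat list does not: one gtag, one client ID and one command across every host, so the sample is iterating a server list for the same request, and the hosts that answered with a login page are the ones to deprioritise when choosing which IPs to block first.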
Signature | Data |
---|---|
Anti-sandbox sleep | wermgr.exe tried to sleep 142 seconds and delayed analysis time by 142 seconds |
cmdline | C:\Windows\system32\cmd.exe |
High-entropy section | .rsrc: virtual address 0x00048000, virtual size 0x0003dab0, raw data size 0x0003e000, entropy 7.85 (a section with high entropy has been found) |
Overall entropy | 0.459: overall entropy of this PE file is high (this signature reports the share of the file's section data that lies in high-entropy sections, not a Shannon value in bits) |

A .rsrc section at entropy 7.85 out of a possible 8 is effectively random data, the usual sign of an encrypted payload stored as a resource and unpacked at run time.
Contacted hosts

Host |
---|
138.34.28.219 |
154.58.23.192 |
184.74.99.214 |
185.56.76.108 |
185.56.76.94 |
204.138.26.60 |
217.115.240.248 |
38.110.100.142 |
38.110.103.113 |
38.110.103.124 |
68.69.26.182 |
74.85.157.139 |
Antivirus

Engine | Detection |
---|---|
Lionic | Trojan.Win32.Trickpak.4!c |
MicroWorld-eScan | Trojan.Agent.FKRT |
Alibaba | Trojan:Win32/Trickpak.1ef37caf |
CrowdStrike | win/malicious_confidence_100% (W) |
Arcabit | Trojan.Agent.FKRT |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | Win32/TrickBot.DX |
APEX | Malicious |
Paloalto | generic.ml |
Kaspersky | HEUR:Trojan.Win32.Trickpak.gen |
BitDefender | Trojan.Agent.FKRT |
Avast | Win32:BankerX-gen [Trj] |
Ad-Aware | Trojan.Agent.FKRT |
Emsisoft | Trojan.Agent.FKRT (B) |
McAfee-GW-Edition | Artemis!Trojan |
FireEye | Generic.mg.ea252a83f501a1fd |
Sophos | Mal/Generic-S |
Ikarus | Win32.Outbreak |
Webroot | W32.Trojan.Agent.Gen |
Kingsoft | Win32.Troj.Undef.(kcloud) |
Microsoft | Trojan:Win32/Trickbot.TB!MTB |
GData | Trojan.Agent.FKRT |
Cynet | Malicious (score: 100) |
McAfee | Trickbot-FTKT!EA252A83F501 |
MAX | malware (ai score=82) |
Fortinet | W32/Kryptik.L!tr |
MaxSecure | Trojan.Malware.300983.susgen |
AVG | Win32:BankerX-gen [Trj] |
Panda | Trj/GdSda.A |
Dead hosts

Host |
---|
74.85.157.139:443 |
185.56.76.108:443 |
68.69.26.182:443 |
154.58.23.192:443 |
192.168.56.101:49209 |
192.168.56.101:49204 |
185.56.76.94:443 |

Five of the configured servers never completed a connection. 192.168.56.101 is the sandbox guest itself; its two entries are the local ends of attempts that received no reply, not remote infrastructure.