File name: | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879 |
Full analysis: | https://app.any.run/tasks/acd9cb0b-5821-4af6-92c3-5432664f848f |
Verdict: | Malicious activity |
Threats: | Predator, the Thief, is an information stealer, meaning that malware steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets. |
Analysis date: | December 14, 2018, 18:40:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 5A35AD14FFF1E217C9E190A7DE2B044A |
SHA1: | 63DFE1599D792649BA050AF519901C9DE2D0FDE1 |
SHA256: | 0250BB6E43688BA3B3D806D89CE53D5834E2A97003B6CA273C4475F5EEE30879 |
SSDEEP: | 12288:WJdJIY6hz+4ewbrOiroANc1nRDWVSpR8dIC/TSTA6YIild+2+XbivoqSYxVJb2:M/Ifz5eavrouynRDWkpOdIC/TSc6YtlY |
.exe | | | Win64 Executable (generic) (49.4) |
---|---|---|
.scr | | | Windows screen saver (23.4) |
.dll | | | Win32 Dynamic Link Library (generic) (11.7) |
.exe | | | Win32 Executable (generic) (8) |
.exe | | | Generic Win/DOS Executable (3.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2018:07:25 09:59:33+02:00 |
PEType: | PE32 |
LinkerVersion: | 14.14 |
CodeSize: | 499200 |
InitializedDataSize: | 80384 |
UninitializedDataSize: | - |
EntryPoint: | 0x61723 |
OSVersion: | 6 |
ImageVersion: | - |
SubsystemVersion: | 6 |
Subsystem: | Windows GUI |
FileVersionNumber: | 8.8.2.8 |
ProductVersionNumber: | 8.8.2.8 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
FileVersion: | 8.8.2.8 |
ProductVersion: | 8.8.2.8 |
FileDescription: | Microsoft® C Runtime Library _2 |
CompanyName: | Библиотека DLL модуля поддержки команды Netsh для WLAN |
LegalCopyright: | Copyright (C) 2008-2003 SlcreaRpDKnLHH7dT5RObRoZGY1W36Np2, Inc. All rights reserved. |
ProductName: | |
Comments: | ZyNAruylrXDUe8gAXzE2iKVsPwzriHKTHChlVcAwTHku44kZXfbhn424weNIs3eucKcwx772CEzOG3Fa2uRMErU8QFUFsTPkmI3QAg |
InternalName: | ctfmon.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3056 | "C:\Users\admin\AppData\Local\Temp\0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe" | C:\Users\admin\AppData\Local\Temp\0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | explorer.exe | |
User: admin Company: Библиотека DLL модуля поддержки команды Netsh для WLAN Integrity Level: MEDIUM Description: Microsoft® C Runtime Library _2 Exit code: 1 Version: 8.8.2.8 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | C:\Users\admin\AppData\Local\Temp\{a8aw6353}.txt | sqlite | |
MD5:C0E61619F4629FB952DBED09DF00BEBF | SHA256:5FB56524939F5E0685A209333D0239C105B3B47248CBA489BE9976A92F171059 | |||
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | C:\Users\admin\AppData\Roaming\pts2U2T7U6U6V\General\forms.txt | text | |
MD5:05B5CE8D270D373EB88845FBCDCB458C | SHA256:414E774B5AB719936D5CF69CAB606C4DD3A84A658F5B24201A602D809E3C81C5 | |||
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | C:\Users\admin\AppData\Roaming\pts2U2T7U6U6V\General\cookies.txt | text | |
MD5:25AF36DF1BD32A4C073FF140D307F16A | SHA256:FDBD432EFC99534DDA9E82A59329146F97E69E7E3CB372F7A7BAD93356EE133F | |||
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | C:\Users\admin\AppData\Roaming\pts2U2T7U6U6V\Screenshot.bmp | image | |
MD5:280164A6515DB13A67EDD05B28D55842 | SHA256:08BABBE66FEF6041CF360737B34135423EAE105A2239955C1D5264D78D40C697 | |||
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | C:\Users\admin\AppData\Roaming\pts2U2T7U6U6V\Infomation.txt | text | |
MD5:33B21AAB53C3657B78AC9DA4AB8C682B | SHA256:5114B23DB5B013FA4986AF079C773F380C39F79CE6B3EEEA8E351ABD89EC5A3F | |||
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | C:\Users\admin\AppData\Roaming\arc2U2T7U6U6V.zip | compressed | |
MD5:8AE69A369AB10D1AEF024BCE4A01A2F5 | SHA256:F23D456F54B2C9AAFD76E69AEA788EBB83D0BE40461CE85C0A1F2093C13F91B2 | |||
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | C:\Users\admin\AppData\Roaming\pts2U2T7U6U6V\General\Mozilla_1677.sqlite | sqlite | |
MD5:978812E75543B001E6E1C55FDC1DC3F8 | SHA256:9E364189042BCAC04AF32C70B56D41EE49D9078660F087D0FC270E66FDDAF8E7 | |||
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | C:\Users\admin\AppData\Roaming\pts2U2T7U6U6V\General\passwords.txt | text | |
MD5:05EDBD3819D5291EB0709C7637CC2076 | SHA256:A72A023AE625A5CF187AF5C2D08B1C58395F9245EB55F4D26242894BBC983A48 | |||
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | C:\Users\admin\AppData\Roaming\pts2U2T7U6U6V\General\cards.txt | text | |
MD5:FBF2B0EA6FDC6FE3148BD600729D5FAC | SHA256:C794C993F1D9125029477DF973401AE082C56B53F1D7E461258537AA7EFC5797 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | POST | 200 | 185.50.25.11:80 | http://i92681s5.beget.tech/api/gate.get?p1=1&p2=6&p3=0&p4=2&p5=0&p6=0&p7=0 | RU | binary | 1 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | 185.50.25.11:80 | i92681s5.beget.tech | Beget Ltd | RU | malicious |
Domain | IP | Reputation |
---|---|---|
i92681s5.beget.tech |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
3056 | 0250bb6e43688ba3b3d806d89ce53d5834e2a97003b6ca273c4475f5eee30879.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |