File name: EpsilonApp.exe

Full analysis: https://app.any.run/tasks/d7d90e4f-6621-4c17-abce-18299cc94e43
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 31, 2024, 15:09:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
loader
zloader
zeus
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: A58AAA24F417BEE90FF01865D81866C5
SHA1: 053849D280C4EADCC1D8D2B6FCCC821B0CCD2F4E
SHA256: 038487AF6226ADEF21A29F3D31BAF3C809140FCB408191DA8BC457B6721E3A55
SSDEEP: 3072:lFsJ6TTrgUp2TG0qXbZfHA5DpwXKz7XKNK4UcsaF1KfazWIwkJQHuixkR:84pYqCmXO7X4U4wk3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • EpsilonApp.exe (PID: 1844)
  • SUSPICIOUS
    • Reads the Internet Settings
      • msiexec.exe (PID: 1908)
  • INFO
    • Checks proxy server information
      • msiexec.exe (PID: 1908)
    • Drops the executable file immediately after the start
      • msiexec.exe (PID: 1908)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 1908)
    • Reads security settings of Internet Explorer
      • msiexec.exe (PID: 1908)
    • Creates files or folders in the user directory
      • msiexec.exe (PID: 1908)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:09:26 00:33:23+02:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.29
CodeSize: 142336
InitializedDataSize: 20480
UninitializedDataSize: -
EntryPoint: 0x6dc0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.4475.9514.8925
ProductVersionNumber: 1.4475.9514.8925
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unknown (01B5)
CompanyName: Cyber Innovations
FileDescription: EpsilonApp
FileVersion: 1,4475,9514,8925
InternalName: EpsilonApp
LegalCopyright: Copyright © 2017 Cyber Innovations
OriginalFileName: EpsilonApp.exe
ProductName: Stuff A
ProductVersion: 1,4475,9514,8925
Comments: -
No data.
Total processes: 248
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → epsilonapp.exe (no specs) → msiexec.exe

Process information

PID | CMD | Path | Indicators | Parent process
1844 | "C:\Users\admin\Desktop\EpsilonApp.exe" | C:\Users\admin\Desktop\EpsilonApp.exe | | explorer.exe
User: admin
Company: Cyber Innovations
Integrity Level: MEDIUM
Description: EpsilonApp
Exit code: 0
Version: 1,4475,9514,8925
Modules (Images):
c:\users\admin\desktop\epsilonapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll

1908 | \??\C:\Windows\System32\msiexec.exe | C:\Windows\System32\msiexec.exe | | EpsilonApp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 2 134
Read events: 2 107
Write events: 27
Delete events: 0

Modification events

(PID) Process: (1908) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\hcdg
Operation: write
Name: jnvykowz
Value:

(PID) Process: (1908) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1908) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1908) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (1908) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 46000000C5000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1908) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1908) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1908) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1908) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1908) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 1
Suspicious files: 1
Text files: 18
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1908 | msiexec.exe | C:\Users\admin\Desktop\EpsilonApp.exe | binary
MD5: 6CC3D8ECD5A9967C9227BE8D17B988A6
SHA256: 6CDD259C8ECBE61FBC369F3293C1961541386954A223B17A37899D7FD9AD42DA
1908 | msiexec.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\8UTNZDN1.htm | html
MD5: C09C840D985988A444D0729D12F531AA
SHA256: A16C0870AC4A6195A1FA63A98B07B39DA7E049211B6728597A9B4B8835412353
1908 | msiexec.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\N71VCQ1N.txt | text
MD5: 424F2D5CF6C39DDAA330B4546DFB2ABA
SHA256: D389CC8FA2CF150F2513EAD546F7E5D16E9FFFA6CF7BB12B19A758E3EDF63F05
1908 | msiexec.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\81MQP608.htm | html
MD5: D45D2A1C890C52E58DC4461F2BCFD8C7
SHA256: 6E4323915F730D72CE0093252CA35E5ADC3E442E1D61F882A72E2F4DC7C1C631
1908 | msiexec.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\UE9CSDDE.txt | text
MD5: E2727546B298E86531651400C127FBD2
SHA256: F259B4F8B45E0602CB00AADAA74EE4515088C376887EAB8F1D6EE3AFD234CCA5
1908 | msiexec.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\CE0K1R5I.txt | text
MD5: 0C24309D1FE0181A64DAAA99F7AA0758
SHA256: 5DFCF0CF1532EFBD89E678B90F553E30426256CC4173F105C80B0A8BB2699579
1908 | msiexec.exe | C:\Users\admin\AppData\Roaming\pfjsqg\EpsilonApp.exe | executable
MD5: A58AAA24F417BEE90FF01865D81866C5
SHA256: 038487AF6226ADEF21A29F3D31BAF3C809140FCB408191DA8BC457B6721E3A55
1908 | msiexec.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\SCVJOMC0.htm | html
MD5: 70FD65212D677BBF827D40AA21E2B1B7
SHA256: 00FFF355B163850EB03EFA2A5B29BE66B0ED212C88A911495C3A1779DEFD5A6B
1908 | msiexec.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\G5K2STCH.htm | html
MD5: 623303084A50A0CC1BA2EAB51E941F55
SHA256: 8E077CC92CA734739730100EFDD8F2E1A7E192664671D454618B7484ECF114A7
1908 | msiexec.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\KV8G5PP4.txt | text
MD5: 67DFF27D32990C57FF5C9F83D34AE9FE
SHA256: 52BE2EA8C4DB3F99A2200903142C7115CF9B279E4039441DC6052A12DD65D8E7
HTTP(S) requests: 29
TCP/UDP connections: 36
DNS requests: 69
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1908 | msiexec.exe | GET | 200 | 76.223.26.96:80 | http://ww12.adslstickerni.world/ | unknown | html | 14.2 Kb | unknown
1908 | msiexec.exe | GET | 200 | 76.223.26.96:80 | http://ww12.adslstickerni.world/ | unknown | html | 14.2 Kb | unknown
1908 | msiexec.exe | POST | 200 | 34.174.78.212:443 | https://ucgoucvturqtacbofcqy.com/post.php | unknown | | |
1908 | msiexec.exe | POST | 200 | null:443 | https://adslstickerni.world/ | unknown | html | 1.03 Kb |
1908 | msiexec.exe | POST | 200 | null:443 | https://adslstickerni.world/ | unknown | html | 1.03 Kb |
1908 | msiexec.exe | POST | 404 | 188.40.187.165:443 | https://ambyucvturqourbtpwge.com/post.php | unknown | | |
1908 | msiexec.exe | POST | 404 | 188.40.187.165:443 | https://ambyucvturqourbtpwge.com/post.php | unknown | | |
1908 | msiexec.exe | POST | 404 | 188.40.187.165:443 | https://ambyucvturqourbtpwge.com/post.php | unknown | | |
1908 | msiexec.exe | POST | 404 | 188.40.187.165:443 | https://ambyucvturqourbtpwge.com/post.php | unknown | | |
1908 | msiexec.exe | POST | 404 | 188.40.187.165:443 | https://ambyucvturqourbtpwge.com/post.php | unknown | | |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 239.255.255.250:3702 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 224.0.0.252:5355 | | | | unknown
352 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1908 | msiexec.exe | 199.59.243.225:443 | adslstickerni.world | AMAZON-02 | US | unknown
1908 | msiexec.exe | 188.40.187.165:443 | ambyucvturqourbtpwge.com | Hetzner Online GmbH | DE | unknown
1908 | msiexec.exe | 34.174.78.212:443 | ucgoucvturqtacbofcqy.com | GOOGLE-CLOUD-PLATFORM | US | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
1908 | msiexec.exe | 76.223.26.96:80 | ww12.adslstickerni.world | AMAZON-02 | US | unknown

DNS requests

Domain | IP | Reputation
adslstickerni.world | 199.59.243.225 | unknown
ambyucvturqourbtpwge.com | 188.40.187.165 | unknown
ucgoucvturqtacbofcqy.com | 34.174.78.212 | unknown
khvoucvturqtacbofcqy.com | | unknown
kmbyuwlyfmleurgyarbt.com | | unknown
uhqefrbephbjkrgyarbt.com | | unknown
uhqefrgofrqoumvekmqy.com | | unknown
khqefrgofrqoumboawge.com | | unknown
ucgjpmvturqoumbofcqy.com | | unknown
khvoucvturvtfhqtpwge.com | | unknown

Threats

PID | Process | Class | Message
352 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .world TLD
352 | svchost.exe | A Network Trojan was detected | ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
352 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .world TLD
1908 | msiexec.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.world Domain
1908 | msiexec.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.world Domain
1908 | msiexec.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.world Domain
352 | svchost.exe | A Network Trojan was detected | ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses
No debug info