File name: GnSetup.exe

Full analysis: https://app.any.run/tasks/44d3f349-0d81-4416-ba3d-52d8a09b3a8d
Verdict: Malicious activity
Analysis date: February 07, 2024, 20:11:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: DCF79239DF7168800311A6FDD8E065BC
SHA1: 787E6FAD249DFEB0713B11A81D51D498C2D2A126
SHA256: 0AA9070E1C656A9BF83E0B46D76CAE3133E5D5B9BF880C48B2400124059FF318
SSDEEP: 24576:sJqlaxMTCU514MWXblr3lL62WtrG9JTfcPCS1JLvZLy/XFab5:sJqlaxMTCU514NXblr3lL62WtrG9JTfa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • GnSetup.exe (PID: 392)
  • SUSPICIOUS

    • Connects to the server without a host name

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Reads the Internet Settings

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Executable content was dropped or overwritten

      • GnSetup.exe (PID: 392)
    • Process drops legitimate windows executable

      • GnSetup.exe (PID: 392)
    • Connects to unusual port

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Starts CMD.EXE for commands execution

      • GnBots.exe (PID: 3748)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 3876)
  • INFO

    • Checks supported languages

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Reads the computer name

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Reads Environment values

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Reads the machine GUID from the registry

      • GnSetup.exe (PID: 392)
      • GnBots.exe (PID: 3748)
    • Creates files in the program directory

      • GnSetup.exe (PID: 392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2055:06:29 05:51:21+02:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 631808
InitializedDataSize: 221696
UninitializedDataSize: -
EntryPoint: 0x9c36e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: GnSetup48
FileVersion: 1.0.0.0
InternalName: GnSetup.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: -
OriginalFileName: GnSetup.exe
ProductName: GnSetup48
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes in the graph: gnsetup.exe, gnbots.exe, cmd.exe (no specs), netstat.exe (no specs), findstr.exe (no specs), gnsetup.exe (no specs)

Process information

PID: 392
CMD: "C:\Users\admin\AppData\Local\Temp\GnSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\GnSetup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: GnSetup48
Exit code: 0
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\gnsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 1652
CMD: "C:\Users\admin\AppData\Local\Temp\GnSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\GnSetup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: GnSetup48
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\gnsetup.exe
c:\windows\system32\ntdll.dll

PID: 1812
CMD: findstr ":5508.*LISTENING"
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll

PID: 3748
CMD: "C:\Users\admin\Documents\Outlook Files\New folder\GnBots\GnBots.exe"
Path: C:\Users\admin\Documents\Outlook Files\New folder\GnBots\GnBots.exe
Parent process: GnSetup.exe
User: admin
Company: GnBots
Integrity Level: HIGH
Description: GnBots
Exit code: 0
Version: 5.0.0.0
Modules (Images):
c:\users\admin\documents\outlook files\new folder\gnbots\gnbots.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3868
CMD: netstat -an -o -p tcp
Path: C:\Windows\System32\NETSTAT.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Netstat Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\netstat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\iphlpapi.dll

PID: 3876
CMD: "cmd" /c netstat -an -o -p tcp|findstr ":5508.*LISTENING"
Path: C:\Windows\System32\cmd.exe
Parent process: GnBots.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 2 451
Read events: 2 440
Write events: 11
Delete events: 0

Modification events

(PID) Process: (392) GnSetup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (392) GnSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Width
Value: 318

(PID) Process: (392) GnSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: Browse For Folder Height
Value: 288

(PID) Process: (392) GnSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (392) GnSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (392) GnSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (392) GnSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 51
Suspicious files: 3
Text files: 35
Unknown types: 0

Dropped files

PID | Process | Filename | Type
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\tmp\GnBots.zip | compressed
MD5:6913AD130D9452FDAB973EDF5409595A
SHA256:440A02ED5FF49EEC93EAD74B4131118E51D85D84A340CCB8FACBE08B3D160F61
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\AccountLib.dll.config | xml
MD5:3806AB050E598EC3FA45F841D66B2109
SHA256:12E19BFC393E5C01EA767828A258544D6DC378B66648308BCFEC6BA94165DDC1
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\AccountLib.dll | executable
MD5:868B9BAC46DD752C5B8E46D4F0EEE227
SHA256:C4037BC64E4A122745E527933BDF652A704A5C779A8D37DFDEB2C4C5057A25F3
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\ApiLib.dll.config | xml
MD5:AB897E865F3DD9AA43BCD5B3CD6CC082
SHA256:ED083854DF6FE59C018686E97B696D7E1CB1F112FA7A65D90B882A37E1B5527D
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\AForge.Math.dll | executable
MD5:C69973F674D9D113411D0FA2D1DBE222
SHA256:A4F24C9A46705C66FF7838C3A4C61759F5BA58EE8A5B061D05340C61D790C0B7
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\BouncyCastle.Crypto.dll | executable
MD5:87A4ADE7FAEAF5021ADE5FCC797F4F70
SHA256:07498B990AA84916EC6D84E24CDF99A0AC0E265FF3E53598A9B153285BD23594
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\ApiLib.dll | executable
MD5:8F64C2417570545E740A62FA4EE91486
SHA256:0098C2F3D7E94E2ED19266D7F7400B7659F9839C74F92D17819570E142CF5E30
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\AppsLib.dll.config | xml
MD5:140448A36D19CCF750518E374D6C2B83
SHA256:7FA32C2670163A40E64A134210B81437DF444D7EBF207EEE84EF4F4ED693E6C7
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\BotLib.dll.config | xml
MD5:CD31947158353F522BAE8936EC6E73DE
SHA256:8D76CB844FFC30D9B019211667BA861D428A9534B6F483EC2495B772907277EA
392 | GnSetup.exe | C:\Users\admin\Documents\Outlook Files\New folder\GnBots\AppsLib.dll | executable
MD5:E2AE7E52BBF5F8CF8260B372260CC4D0
SHA256:BC36DEA6FBB82088BF015359ED4C21149F9622BB7DFACBF16E64F44E6479DFF3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 10
DNS requests: 0
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
392 | GnSetup.exe | GET | 200 | 167.71.15.182:80 | http://167.71.15.182/gn/versions/GnBots.zip | unknown | compressed | 12.7 Mb | unknown
392 | GnSetup.exe | GET | 200 | 128.199.37.84:3000 | http://128.199.37.84:3000/platformversion | unknown | binary | 1.02 Kb | unknown
3748 | GnBots.exe | GET | 200 | 64.225.82.44:3000 | http://64.225.82.44:3000/v2/emus | unknown | binary | 271 b | unknown
3748 | GnBots.exe | GET | 200 | 64.225.82.44:3000 | http://64.225.82.44:3000/v2/apps | unknown | binary | 1.27 Kb | unknown
3748 | GnBots.exe | GET | 200 | 167.71.15.182:80 | http://167.71.15.182/gn/news.html | unknown | html | 1.96 Kb | unknown
3748 | GnBots.exe | GET | 200 | 64.225.82.44:3000 | http://64.225.82.44:3000/platformversion | unknown | binary | 1.02 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
392 | GnSetup.exe | 167.71.15.182:80 | - | DIGITALOCEAN-ASN | NL | unknown
392 | GnSetup.exe | 128.199.37.84:3000 | - | DIGITALOCEAN-ASN | NL | unknown
3748 | GnBots.exe | 167.71.15.182:80 | - | DIGITALOCEAN-ASN | NL | unknown
3748 | GnBots.exe | 64.225.82.44:3000 | - | DIGITALOCEAN-ASN | NL | unknown

DNS requests

No data

Threats

PID | Process | Class | Message
392 | GnSetup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host ZIP Request
392 | GnSetup.exe | Potentially Bad Traffic | ET HUNTING Terse Request for Zip File (GET)
No debug info