File name:

Stealer Cracked By Dark Divel.exe

Full analysis: https://app.any.run/tasks/72753248-4a79-4071-9f8b-8ad9bbec822b
Verdict: Malicious activity
Analysis date: March 10, 2022, 15:38:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

91019E49C38717E70CC419AC09844985

SHA1:

33576E20040373BE36934923316596F98B3C9BD3

SHA256:

0AEAF9597D3F971C8A093E7CD6B2CBA0E71FF5419790F9900155B879D3FC19C6

SSDEEP:

196608:q3zd+i2KgU+zq405QYtsTEB08T8HehLv:FqVdfB08TOeh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • System.exe (PID: 2952)
    • Writes to a start menu file

      • TempSystem.exe (PID: 2472)
      • System.exe (PID: 3708)
    • Application was dropped or rewritten from another process

      • System.exe (PID: 2952)
      • TempSystem.exe (PID: 2472)
      • System.exe (PID: 3708)
    • Changes the autorun value in the registry

      • TempSystem.exe (PID: 2472)
      • System.exe (PID: 3708)
  • SUSPICIOUS

    • Checks supported languages

      • Stealer Cracked By Dark Divel.exe (PID: 568)
      • System.exe (PID: 2952)
      • TempSystem.exe (PID: 2472)
      • System.exe (PID: 3708)
    • Reads the computer name

      • Stealer Cracked By Dark Divel.exe (PID: 568)
      • System.exe (PID: 2952)
      • TempSystem.exe (PID: 2472)
      • System.exe (PID: 3708)
    • Drops a file with a compile date too recent

      • System.exe (PID: 2952)
      • Stealer Cracked By Dark Divel.exe (PID: 568)
      • TempSystem.exe (PID: 2472)
      • System.exe (PID: 3708)
    • Executable content was dropped or overwritten

      • System.exe (PID: 2952)
      • Stealer Cracked By Dark Divel.exe (PID: 568)
      • TempSystem.exe (PID: 2472)
      • System.exe (PID: 3708)
    • Reads Environment values

      • Stealer Cracked By Dark Divel.exe (PID: 568)
      • System.exe (PID: 2952)
    • Drops a file that was compiled in debug mode

      • System.exe (PID: 2952)
      • Stealer Cracked By Dark Divel.exe (PID: 568)
      • TempSystem.exe (PID: 2472)
      • System.exe (PID: 3708)
    • Creates files in the user directory

      • TempSystem.exe (PID: 2472)
      • System.exe (PID: 3708)
    • Creates files in the program directory

      • TempSystem.exe (PID: 2472)
    • Starts itself from another location

      • TempSystem.exe (PID: 2472)
    • Uses ATTRIB.EXE to modify file attributes

      • TempSystem.exe (PID: 2472)
      • System.exe (PID: 3708)
  • INFO

    • Reads settings of System Certificates

      • Stealer Cracked By Dark Divel.exe (PID: 568)
      • System.exe (PID: 2952)
    • Checks supported languages

      • attrib.exe (PID: 2536)
      • attrib.exe (PID: 776)
      • attrib.exe (PID: 2740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: Chat
OriginalFileName: Stealer Cracked By Dark Divel.exe
LegalTrademarks: -
LegalCopyright: Copyright © 2020
InternalName: Stealer Cracked By Dark Divel.exe
FileVersion: 1.0.0.0
FileDescription: Chat
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 4
EntryPoint: 0x6edaaa
UninitializedDataSize: -
InitializedDataSize: 17408
CodeSize: 7257088
LinkerVersion: 80
PEType: PE32
TimeStamp: 2022:01:19 18:00:43+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jan-2022 17:00:43
Debug artifacts:
  • D:\X\X\Programming\مشريع\Chat\Chat\Chat\obj\Debug\Stealer Cracked By Dark Divel.pdb
Comments: -
CompanyName: -
FileDescription: Chat
FileVersion: 1.0.0.0
InternalName: Stealer Cracked By Dark Divel.exe
LegalCopyright: Copyright © 2020
LegalTrademarks: -
OriginalFilename: Stealer Cracked By Dark Divel.exe
ProductName: Chat
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 19-Jan-2022 17:00:43
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x006EBAB0
0x006EBC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.37655
.rsrc
0x006EE000
0x000041C4
0x00004200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.07403
.reloc
0x006F4000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.10191

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.00112
490
UNKNOWN
UNKNOWN
RT_MANIFEST
2
4.11197
4264
UNKNOWN
UNKNOWN
RT_ICON
3
3.61411
9640
UNKNOWN
UNKNOWN
RT_ICON
32512
2.45849
48
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
7
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start stealer cracked by dark divel.exe system.exe tempsystem.exe system.exe attrib.exe no specs attrib.exe no specs attrib.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
568"C:\Users\admin\AppData\Local\Temp\Stealer Cracked By Dark Divel.exe" C:\Users\admin\AppData\Local\Temp\Stealer Cracked By Dark Divel.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Chat
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\stealer cracked by dark divel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2952C:\Users\admin\AppData\Local\Temp/System.exeC:\Users\admin\AppData\Local\Temp\System.exe
Stealer Cracked By Dark Divel.exe
User:
admin
Integrity Level:
MEDIUM
Description:
HWID
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\system.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2472"C:\Users\admin\AppData\Local\TempSystem.exe" C:\Users\admin\AppData\Local\TempSystem.exe
System.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Windows Services
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\tempsystem.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
3708"C:\ProgramData\System.exe" C:\ProgramData\System.exe
TempSystem.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Windows Services
Version:
1.0.0.0
Modules
Images
c:\programdata\system.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernelbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2740attrib +h +r +s "C:\ProgramData\System.exe"C:\Windows\system32\attrib.exeTempSystem.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
776attrib +h +r +s "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe"C:\Windows\system32\attrib.exeSystem.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2536attrib +h +r +s "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\System.exe"C:\Windows\system32\attrib.exeSystem.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
7 787
Read events
7 684
Write events
103
Delete events
0

Modification events

(PID) Process:(568) Stealer Cracked By Dark Divel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer Cracked By Dark Divel_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(568) Stealer Cracked By Dark Divel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer Cracked By Dark Divel_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(568) Stealer Cracked By Dark Divel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer Cracked By Dark Divel_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(568) Stealer Cracked By Dark Divel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer Cracked By Dark Divel_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(568) Stealer Cracked By Dark Divel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer Cracked By Dark Divel_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(568) Stealer Cracked By Dark Divel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer Cracked By Dark Divel_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(568) Stealer Cracked By Dark Divel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer Cracked By Dark Divel_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(568) Stealer Cracked By Dark Divel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer Cracked By Dark Divel_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(568) Stealer Cracked By Dark Divel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer Cracked By Dark Divel_RASMANCS
Operation:writeName:FileTracingMask
Value:
(PID) Process:(568) Stealer Cracked By Dark Divel.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Stealer Cracked By Dark Divel_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
Executable files
4
Suspicious files
0
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
2952System.exeC:\Users\admin\AppData\Local\Temp\System.vbstext
MD5:E82E62D9B0F7C660FA174360C78E0F3E
SHA256:760A7923737AA2447485B2E2B997E10C731CA2B510338A1187517F3011D2B7A7
3708System.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exeexecutable
MD5:E4960BA62D4AC271CD3292FEE0742792
SHA256:8EB424456980C0FFDE7458CA940C9D2DEA666A902119EE4A419315B54BCE7DC5
2472TempSystem.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnklnk
MD5:D417F52828152AB7B7EDBDD935265642
SHA256:7F8DDA6AB2D68B66CAD62BF712946B57F045560FFBF9C12B7C6DB4A7599BC90C
568Stealer Cracked By Dark Divel.exeC:\Users\admin\AppData\Local\Temp\System.exeexecutable
MD5:AA4288442AA2992E2AF10A2B98D41882
SHA256:CA1A075CE3F151F986B91730ECE192A7B432528F24C8073C46EFA8B32BA17D1D
2952System.exeC:\Users\admin\AppData\Local\TempSystem.exeexecutable
MD5:E4960BA62D4AC271CD3292FEE0742792
SHA256:8EB424456980C0FFDE7458CA940C9D2DEA666A902119EE4A419315B54BCE7DC5
2472TempSystem.exeC:\ProgramData\System.exeexecutable
MD5:E4960BA62D4AC271CD3292FEE0742792
SHA256:8EB424456980C0FFDE7458CA940C9D2DEA666A902119EE4A419315B54BCE7DC5
2472TempSystem.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\System.lnklnk
MD5:D165F5714F4D45E7CADBBF2F3F88257C
SHA256:03310CAEDA11FB96875FDD67E1BAB862585655F831A848CC94D3F1EABB9C169F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
3
Threats
2

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2952
System.exe
162.159.135.233:443
cdn.discordapp.com
Cloudflare Inc
shared
568
Stealer Cracked By Dark Divel.exe
162.159.135.233:443
cdn.discordapp.com
Cloudflare Inc
shared
3708
System.exe
141.255.157.49:5552
system123.linkpc.net
Lost Oasis SARL
NL
malicious
192.168.100.2:53
whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
whitelisted
cdn.discordapp.com
  • 162.159.135.233
  • 162.159.133.233
  • 162.159.129.233
  • 162.159.130.233
  • 162.159.134.233
shared
system123.linkpc.net
  • 141.255.157.49
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET POLICY Observed DNS Query to DynDNS Domain (linkpc .net)
1 ETPRO signatures available at the full report
No debug info