| Field | Value |
|---|---|
| File name | 岍賜戚惆桶.exe |
| Full analysis | https://app.any.run/tasks/96209afd-42e1-47e0-881f-7c89aa1ece62 |
| Verdict | Malicious activity |
| Threats | Remote access trojans (RATs) are a type of malware that lets attackers establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activities on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date | December 05, 2022, 17:50:45 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5 | 9F577DC7DC75E51A1694BEB71C270E03 |
| SHA1 | CE585F871D8E2533AAAA0436B77212EA634143F2 |
| SHA256 | 120D00ACA0E9B9BF90AFEED888191371C2381931AB1294D76E4F1E17ABAE39BE |
| SSDEEP | 49152:Xm9lsm0OY8UAYBhGXrcMCbahXSMtpfRJzGA:W70OUA4h2httSMtZGA |
| Extension | Type | Score |
|---|---|---|
| .exe | Win64 Executable (generic) | 28.6 |
| .exe | UPX compressed Win32 Executable | 28 |
| .exe | Win32 EXE Yoda's Crypter | 27.5 |
| .dll | Win32 Dynamic Link Library (generic) | 6.8 |
| .exe | Win32 Executable (generic) | 4.6 |
| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2022-Dec-05 07:25:21 |
| Detected languages | |
| Version info field | Value |
|---|---|
| CompanyName | Baidu.com, Inc. |
| FileDescription | BaiduNetdisk |
| FileVersion | 7.19.0.18 |
| InternalName | BaiduNetdisk |
| LegalCopyright | Baidu. All rights reserved. |
| OriginalFilename | BaiduNetdisk.exe |
| ProductName | BaiduYunGuanjia Application |
| ProductVersion | 7.19.0.18 |
| DOS header field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 144 |
| e_cp | 3 |
| e_crlc | - |
| e_cparhdr | 4 |
| e_minalloc | - |
| e_maxalloc | 65535 |
| e_ss | - |
| e_sp | 184 |
| e_csum | - |
| e_ip | - |
| e_cs | - |
| e_ovno | - |
| e_oemid | - |
| e_oeminfo | - |
| e_lfanew | 248 |
| PE header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberOfSections | 3 |
| TimeDateStamp | 2022-Dec-05 07:25:21 |
| PointerToSymbolTable | - |
| NumberOfSymbols | - |
| SizeOfOptionalHeader | 224 |
| Characteristics | |
| Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|
| UPX0 | 4096 | 3215360 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
| UPX1 | 3219456 | 2101248 | 2098688 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.58711 |
| .rsrc | 5320704 | 4096 | 4096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.4523 |
| Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
| 1 | 6.75413 | 744 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
| 2 | 6.47904 | 296 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
| 3 | 2.79939 | 1128 | UNKNOWN | English - United States | RT_ICON |
| ONLINE_ICON | 2.0815 | 20 | UNKNOWN | English - United States | RT_GROUP_ICON |
| 1 (#2) | 3.43205 | 780 | UNKNOWN | Chinese - PRC | RT_VERSION |
| 1 (#3) | 5.09091 | 664 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
| Imported library |
|---|
| ADVAPI32.dll |
| COMCTL32.dll |
| GDI32.dll |
| KERNEL32.DLL |
| OLEAUT32.dll |
| SHELL32.dll |
| USER32.dll |
| WINMM.dll |
| WINSPOOL.DRV |
| WS2_32.dll |
| PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 2384 | "C:\Users\admin\AppData\Local\Temp\岍賜戚惆桶.exe" | C:\Users\admin\AppData\Local\Temp\岍賜戚惆桶.exe | — | Explorer.EXE | admin | MEDIUM | Baidu.com, Inc. | BaiduNetdisk | 7.19.0.18 | 3221226540 |
| 3784 | "C:\Users\admin\AppData\Local\Temp\岍賜戚惆桶.exe" | C:\Users\admin\AppData\Local\Temp\岍賜戚惆桶.exe | | Explorer.EXE | admin | HIGH | Baidu.com, Inc. | BaiduNetdisk | 7.19.0.18 | 0 |
| 284 | C:\Users\Public\Pictures\eavzrp\eavzrp.exe | C:\Users\Public\Pictures\eavzrp\eavzrp.exe | | 岍賜戚惆桶.exe | admin | HIGH | 360.cn | 360压缩 | 4, 0, 0, 1380 | 0 |
| 3596 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | SYSTEM | SYSTEM | Microsoft Corporation | Microsoft Windows Search Protocol Host | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) | 0 |
| 2232 | "C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe" | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | — | Explorer.EXE | admin | MEDIUM | 四川盛创时代 | WeFun | | 0 |
| 1976 | "C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe" | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | | Aggregatorhost.exe | admin | HIGH | 四川盛创时代 | WeFun | | 0 |
| 3092 | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | | Aggregatorhost.exe | admin | HIGH | 四川盛创时代 | WeFun | | |
| 3024 | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | — | Aggregatorhost.exe | admin | HIGH | 四川盛创时代 | WeFun | | 0 |
| 3260 | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | — | Aggregatorhost.exe | admin | HIGH | 四川盛创时代 | WeFun | | 0 |
| 4020 | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | — | Aggregatorhost.exe | admin | HIGH | 四川盛创时代 | WeFun | | 0 |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 284 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | write | 0 |
| 284 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | write | 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 284 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 284 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 284 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 284 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| 284 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | write | |
| 284 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | write | Cookie: |
| 284 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | write | Visited: |
| 284 | eavzrp.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8} | WpadDecisionReason | write | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3784 | 岍賜戚惆桶.exe | C:\Users\Public\Pictures\eavzrp\eavzrp.exe | executable | 9E8E1AF186A1BA7DD0CD2CA87EC1732F | 673EE587B01FAEF7EFAC76E036B307AA6FBE178CF5B25DDF42A0CEBAEFF13C79 |
| 284 | eavzrp.exe | C:\Users\Public\Downloads\Tencente\dxhfgl\Aggregatorhost.exe | executable | DD9BBCDA5DC4AC0BE23E57B36BC3840E | E9BE44B199D99D7175280EC398CD59B636584226469CB9B87E2507CDDDAF0CE2 |
| 284 | eavzrp.exe | C:\Users\admin\AppData\Local\Enpud.png | text | 7877089862389879625BCE08DBEEF1ED | 2A7D8BC8EECB605F29576CECCB869AF247EF8B9C6B30CB4C19BE6748AF4503BB |
| 284 | eavzrp.exe | C:\Windows\system32\Aggregatorhost.exe | executable | DD9BBCDA5DC4AC0BE23E57B36BC3840E | E9BE44B199D99D7175280EC398CD59B636584226469CB9B87E2507CDDDAF0CE2 |
| 284 | eavzrp.exe | C:\Users\Public\Downloads\Tencente\dxhfgl\Enpud.png | text | 7877089862389879625BCE08DBEEF1ED | 2A7D8BC8EECB605F29576CECCB869AF247EF8B9C6B30CB4C19BE6748AF4503BB |
| 284 | eavzrp.exe | C:\Users\admin\AppData\Local\libcef.dll | executable | 7B4A7F342D1705329A9F4653106C9A39 | B46DAA955640A2E830EFC3D69A813DF722FD6D9B2C57E8249DDAA4290C1E045F |
| 284 | eavzrp.exe | C:\Windows\system32\libcef.dll | executable | 7B4A7F342D1705329A9F4653106C9A39 | B46DAA955640A2E830EFC3D69A813DF722FD6D9B2C57E8249DDAA4290C1E045F |
| 284 | eavzrp.exe | C:\Users\Public\Downloads\Tencente\dxhfgl\libcef.dll | executable | 7B4A7F342D1705329A9F4653106C9A39 | B46DAA955640A2E830EFC3D69A813DF722FD6D9B2C57E8249DDAA4290C1E045F |
| 284 | eavzrp.exe | C:\Users\Public\Downloads\Misnobi\dxhfgl\a.pack | binary | B6F208A15BDFF16406D9F33E825CFE9A | 69C2B858132E64D1642EBE4779EC2410762C3BA40F7784694FED4297A01A5938 |
| 284 | eavzrp.exe | C:\Users\admin\AppData\Local\Aggregatorhost.exe | executable | DD9BBCDA5DC4AC0BE23E57B36BC3840E | E9BE44B199D99D7175280EC398CD59B636584226469CB9B87E2507CDDDAF0CE2 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3092 | Aggregatorhost.exe | 216.83.53.197:8081 | — | Sun Network Hong Kong Limited - HongKong Backbone | US | malicious |
| 3784 | 岍賜戚惆桶.exe | 103.235.46.40:443 | www.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | suspicious |
| — | — | 103.235.46.40:443 | www.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | suspicious |
| 284 | eavzrp.exe | 103.235.46.40:443 | www.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| www.baidu.com | | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 3092 | Aggregatorhost.exe | A Network Trojan was detected | ET TROJAN FatalRAT CnC Activity |
| Process | Message |
|---|---|
| Aggregatorhost.exe | SVP7-Thread running... (logged 10 times) |