File name: | cleaner-util.exe |
Full analysis: | https://app.any.run/tasks/ec68c6a5-a9ef-4e52-8eaa-7f0e628e5abc |
Verdict: | Malicious activity |
Analysis date: | August 13, 2019, 14:55:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 9987720F71D56835AC10087F0A5EE246 |
SHA1: | BFE0C4D590D497518104A004E69A381ACB2EE781 |
SHA256: | 1452CC126D870DFF026EC2A21AC3EB7A55962D4BF0D0608519608AD4DB04CB4A |
SSDEEP: | 98304:1CgM9k6dxzUi9DGhgWQYqZ7lKUBLOT4PU7MHT4PU7MfVM38N/YhGW1NCYVpWIERo:lMSzhgWQtgN/IGINChRaPGbRfrqNKG |
.exe | | | Win64 Executable (generic) (76.4) |
---|---|---|
.exe | | | Win32 Executable (generic) (12.4) |
.exe | | | Generic Win/DOS Executable (5.5) |
.exe | | | DOS Executable Generic (5.5) |
ProductVersion: | 2.21.230 |
---|---|
ProductName: | Чистилка |
OriginalFileName: | Чистилка.exe |
LegalTrademarks2: | - |
LegalTrademarks1: | - |
LegalCopyright: | - |
InternalName: | Чистилка.exe |
FileVersion: | 2.21.230 |
FileDescription: | Программное обеспечение для содержания компьютера в чистоте. |
CompanyName: | - |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Unknown |
FileOS: | Unknown (0) |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 2.21.230.0 |
FileVersionNumber: | 2.21.230.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 6 |
EntryPoint: | 0x1ac05b |
UninitializedDataSize: | - |
InitializedDataSize: | 8142848 |
CodeSize: | 2609152 |
LinkerVersion: | 14.16 |
PEType: | PE32 |
TimeStamp: | 2019:08:13 16:55:19+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 13-Aug-2019 14:55:19 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | - |
FileDescription: | Программное обеспечение для содержания компьютера в чистоте. |
FileVersion: | 2.21.230 |
InternalName: | Чистилка.exe |
LegalCopyright: | - |
LegalTrademarks1: | - |
LegalTrademarks2: | - |
OriginalFilename: | Чистилка.exe |
ProductName: | Чистилка |
ProductVersion: | 2.21.230 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000138 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 13-Aug-2019 14:55:19 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0027CEC3 | 0x0027D000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.62932 |
.rdata | 0x0027E000 | 0x001CE320 | 0x001CE400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.24494 |
.data | 0x0044D000 | 0x00018FF4 | 0x00013C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.48588 |
.rsrc | 0x00466000 | 0x005C0788 | 0x005C0800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.78766 |
.reloc | 0x00A27000 | 0x000217D8 | 0x00021800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.60604 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.39289 | 1431 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.86832 | 67624 | Latin 1 / Western European | Russian - Russia | RT_ICON |
3 | 4.07244 | 16936 | Latin 1 / Western European | Russian - Russia | RT_ICON |
4 | 4.12089 | 9640 | Latin 1 / Western European | Russian - Russia | RT_ICON |
5 | 4.62272 | 4264 | Latin 1 / Western European | Russian - Russia | RT_ICON |
6 | 5.04001 | 1128 | Latin 1 / Western European | Russian - Russia | RT_ICON |
9 | 3.16517 | 120 | Latin 1 / Western European | Russian - Russia | RT_STRING |
10 | 2.51883 | 72 | Latin 1 / Western European | Russian - Russia | RT_STRING |
12 | 2.69688 | 74 | Latin 1 / Western European | Russian - Russia | RT_STRING |
70 | 3.50833 | 234 | Latin 1 / Western European | Russian - Russia | RT_STRING |
ADVAPI32.dll |
COMCTL32.dll |
CRYPT32.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
OLEAUT32.dll |
PSAPI.DLL |
RPCRT4.dll |
SHELL32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3748 | "C:\Users\admin\AppData\Local\Temp\cleaner-util.exe" | C:\Users\admin\AppData\Local\Temp\cleaner-util.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
3040 | "C:\Users\admin\AppData\Local\Temp\cleaner-util.exe" | C:\Users\admin\AppData\Local\Temp\cleaner-util.exe | explorer.exe | |
User: admin Integrity Level: HIGH |
PID | Process | Filename | Type | |
---|---|---|---|---|
3040 | cleaner-util.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal | — | |
MD5:— | SHA256:— | |||
3040 | cleaner-util.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3040 | cleaner-util.exe | C:\ProgramData\Чистилка\settings.json | binary | |
MD5:10C7A57E21D1691E4EEC070766968AE3 | SHA256:54212C71FDF73CE365A0A6EAC7D6AC759C0CA1199108DB6A129537DF72B765F8 | |||
3040 | cleaner-util.exe | C:\ProgramData\Чистилка\config.dat | binary | |
MD5:EC988912395CFB56296C8DB817259087 | SHA256:CD05DE2DCB8300D1D7C719645293DD16AD8C8118F89B43DD0E5AE135988A24E8 | |||
3040 | cleaner-util.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD | der | |
MD5:DB78CBD190952735D940BC80AC2432C0 | SHA256:1A5174980A294A528A110726D5855650266C48D9883BEA692B67B6D726DA98C5 | |||
3040 | cleaner-util.exe | C:\Users\admin\AppData\Local\Temp\cln5394.tmp | compressed | |
MD5:ABEE4387AB69DA821ED9397CC651597D | SHA256:AC1DFD38D2FA61E28211E196CD3D754F6CCFB220E8C1BEBA52E54825CF615E22 | |||
3040 | cleaner-util.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Чистилка\Чистилка.lnk | lnk | |
MD5:F0432350F311968238135AAF2D10070F | SHA256:52AA5F98F0A87400EDBAC9611AE43F1D5D797C4993C7EF2F762FA92FC0F728C3 | |||
3040 | cleaner-util.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cookies | sqlite | |
MD5:160E09E0B2075BEA45A09C1B8B4CAB26 | SHA256:1A82F37FCDC316C48F97B73E3641CD50091F03584D10DDE8FFBD29120FB01B2C | |||
3040 | cleaner-util.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30D802E0E248FEE17AAF4A62594CC75A | binary | |
MD5:B5FEFF6D28A297D2B8913D493860D1C1 | SHA256:4B7A3FC479CA4E0516B504DA4C07F85019DD8E17E32B15897BF9D2E83EE809B1 | |||
3040 | cleaner-util.exe | C:\Users\Public\Desktop\Чистилка.lnk | lnk | |
MD5:F0432350F311968238135AAF2D10070F | SHA256:52AA5F98F0A87400EDBAC9611AE43F1D5D797C4993C7EF2F762FA92FC0F728C3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3040 | cleaner-util.exe | GET | 301 | 62.109.11.221:80 | http://chistilka.com/ | RU | html | 332 b | unknown |
3040 | cleaner-util.exe | GET | 200 | 91.199.212.52:80 | http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted |
3040 | cleaner-util.exe | GET | 200 | 140.82.35.84:80 | http://140.82.35.84/?hwid=6aab97bbec0aedef4de3d798737c0c8b1249f454&lastError=lightStatError_http_error_12002&parter=&uid=76336796-f94d-4a44-be3e-dfe174129730-46d0e46f0105f2878e2f44ae94080ed6315c4de3&version=2.21.230 | US | text | 139 b | malicious |
3040 | cleaner-util.exe | GET | 200 | 140.82.35.84:80 | http://140.82.35.84/?hwid=6aab97bbec0aedef4de3d798737c0c8b1249f454&lastError=configError&parter=&uid=76336796-f94d-4a44-be3e-dfe174129730-46d0e46f0105f2878e2f44ae94080ed6315c4de3&version=2.21.230 | US | text | 139 b | malicious |
3040 | cleaner-util.exe | GET | 200 | 140.82.35.84:80 | http://140.82.35.84/?hwid=6aab97bbec0aedef4de3d798737c0c8b1249f454&lastError=configError&parter=&uid=76336796-f94d-4a44-be3e-dfe174129730-46d0e46f0105f2878e2f44ae94080ed6315c4de3&version=2.21.230 | US | text | 139 b | malicious |
3040 | cleaner-util.exe | GET | 404 | 54.37.81.78:80 | http://54.37.81.78/api/appinstall?bt=BLOCK_OFFER&exhwid=6aab97bbec0aedef4de3d798737c0c8b1249f454&partner=&s_id=&uid=76336796-f94d-4a44-be3e-dfe174129730-46d0e46f0105f2878e2f44ae94080ed6315c4de3&v=2.21.230 | FR | html | 564 b | malicious |
3040 | cleaner-util.exe | POST | 200 | 216.58.207.46:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
3040 | cleaner-util.exe | POST | 200 | 52.11.108.211:80 | http://api.amplitude.com/httpapi | US | text | 7 b | whitelisted |
3040 | cleaner-util.exe | POST | 200 | 52.11.108.211:80 | http://api.amplitude.com/httpapi | US | text | 7 b | whitelisted |
3040 | cleaner-util.exe | POST | 200 | 52.11.108.211:80 | http://api.amplitude.com/httpapi | US | text | 7 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3040 | cleaner-util.exe | 52.11.108.211:80 | api.amplitude.com | Amazon.com, Inc. | US | unknown |
— | — | 54.37.81.78:80 | stat2.chistilka.com | OVH SAS | FR | malicious |
3040 | cleaner-util.exe | 62.109.11.221:443 | chistilka.com | JSC ISPsystem | RU | unknown |
3040 | cleaner-util.exe | 54.37.81.78:443 | stat2.chistilka.com | OVH SAS | FR | malicious |
3040 | cleaner-util.exe | 91.199.212.52:80 | crt.sectigo.com | Comodo CA Ltd | GB | suspicious |
— | — | 5.135.140.26:443 | update.chistilka.com | OVH SAS | FR | suspicious |
3040 | cleaner-util.exe | 216.58.207.46:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
3040 | cleaner-util.exe | 62.109.11.221:80 | chistilka.com | JSC ISPsystem | RU | unknown |
3040 | cleaner-util.exe | 62.109.13.130:443 | chistilka.ru | JSC ISPsystem | RU | malicious |
3040 | cleaner-util.exe | 5.135.140.26:443 | update.chistilka.com | OVH SAS | FR | suspicious |
Domain | IP | Reputation |
---|---|---|
api.amplitude.com |
| whitelisted |
chistilka.com |
| unknown |
crt.sectigo.com |
| whitelisted |
crt.usertrust.com |
| whitelisted |
stat2.chistilka.com |
| malicious |
www.google-analytics.com |
| whitelisted |
chistilka.ru |
| malicious |
dns.msftncsi.com |
| shared |
update.chistilka.com |
| suspicious |
pay.chistilka.com |
| suspicious |
Process | Message |
---|---|
cleaner-util.exe | [2019-08-13 15:55:52] M Log.cpp:110 Logging to C:\ProgramData\????????\logs\TKiller-2-2019-08-13-15-55-52.log
|
cleaner-util.exe | [2019-08-13 15:55:52] M main.cpp:17 App started, version 2.21.230, build type 'UTIL', pid 3040, command line '"C:\Users\admin\AppData\Local\Temp\cleaner-util.exe" '
|
cleaner-util.exe | [2019-08-13 15:55:52] M SystemInfo.cpp:60 OS: Windows 7 (6.1-32)
|
cleaner-util.exe | [2019-08-13 15:55:52] M RegistryDataStorage.cpp:14 Creating data storage for SID: S-1-5-21-1302019708-1500728564-335382590-1000
|
cleaner-util.exe | [2019-08-13 15:55:52] M Registry.cpp:93 REGF S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\chst
|
cleaner-util.exe | [2019-08-13 15:55:52] M Registry.cpp:93 REGF S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\chst_installer
|
cleaner-util.exe | [2019-08-13 15:55:52] M PersistentData.cpp:38 generateUid()
|
cleaner-util.exe | [2019-08-13 15:55:52] M PersistentData.cpp:59 generateUid(), uid 76336796-f94d-4a44-be3e-dfe174129730-46d0e46f0105f2878e2f44ae94080ed6315c4de3
|
cleaner-util.exe | [2019-08-13 15:55:52] E EmbeddedSettings.cpp:196 Failed to find blob begin pattern
|
cleaner-util.exe | [2019-08-13 15:55:52] M Registry.cpp:93 REGF S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\chst_installer
|