Malware analysis BLTools v2.9 PRO.exe Malicious activity

Add for printing

File name:	BLTools v2.9 PRO.exe
Full analysis:	https://app.any.run/tasks/4624e000-ee67-4b29-ab76-9421eb8b40d7
Verdict:	Malicious activity
Analysis date:	November 21, 2024, 09:57:03
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-scr
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	9C4FA57A0D02A2E71EF4DCAC942C08D8
SHA1:	9E6BC8DA3463B3DCA5B3BB0BCB87E946674767C5
SHA256:	16EC1D273039535A660AC22CE026B37E989E2D011FC0EAD57F9C60DC7E96355F
SSDEEP:	98304:Ub8wDJFqFvCpetDLTfemxb3ksfhkHHmWwjZuN7JZ6iI0RZA+GSayy4Q7r3BxiMTo:3f8s+hvIp652ub

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 4992)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 4992)
- The process executes VB scripts
  - BLTools v2.9 PRO.exe (PID: 5400)
- Process drops legitimate windows executable
  - BLTools v2.9 PRO.exe (PID: 5400)
- Likely accesses (executes) a file from the Public directory
  - BLToolsv2.9.exe (PID: 6300)
  - cmd.exe (PID: 5288)
  - csrs.exe (PID: 6268)
  - wscript.exe (PID: 4992)
- Executable content was dropped or overwritten
  - s.exe (PID: 6188)
  - BLTools v2.9 PRO.exe (PID: 5400)
INFO
- Reads the computer name
  - BLTools v2.9 PRO.exe (PID: 5400)
- Checks supported languages
  - BLTools v2.9 PRO.exe (PID: 5400)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2090:05:09 08:18:44+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	6472192
InitializedDataSize:	70144
UninitializedDataSize:	-
EntryPoint:	0x62e1de
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	app
FileVersion:	1.0.0.0
InternalName:	app.exe
LegalCopyright:	Copyright © 2024
LegalTrademarks:	-
OriginalFileName:	app.exe
ProductName:	app
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

120

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

4992

"C:\WINDOWS\System32\WScript.exe" "C:\Users\Public\MicrosoftEdgeUpdates\ps.vbs"

C:\Windows\SysWOW64\wscript.exe

—

BLTools v2.9 PRO.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

5288

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\Public\MicrosoftEdgeUpdates\pss.bat" "

C:\Windows\SysWOW64\cmd.exe

—

wscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

5400

"C:\Users\admin\AppData\Local\Temp\BLTools v2.9 PRO.exe"

C:\Users\admin\AppData\Local\Temp\BLTools v2.9 PRO.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

app

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\bltools v2.9 pro.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

6120

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6188

s.exe -pC#X#niM5N$nXf$FbKnDEm

C:\Users\Public\MicrosoftEdgeUpdates\s.exe

cmd.exe

User:

admin

Company:

Oleg N. Scherbakov

Integrity Level:

MEDIUM

Description:

7z Setup SFX (x86)

Version:

1.6.0.2712

Modules

Images
c:\users\public\microsoftedgeupdates\s.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6268

"C:\Users\Public\MicrosoftEdgeUpdates\csrs.exe"

C:\Users\Public\MicrosoftEdgeUpdates\csrs.exe

—

s.exe

User:

admin

Company:

Maël Hörz

Integrity Level:

MEDIUM

Description:

HxD Hex Editor

Version:

2.5.0.0

Modules

Images
c:\users\public\microsoftedgeupdates\csrs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6300

"C:\Users\Public\BLToolsv2.9\BLToolsv2.9.exe"

C:\Users\Public\BLToolsv2.9\BLToolsv2.9.exe

—

BLTools v2.9 PRO.exe

User:

admin

Integrity Level:

MEDIUM

Description:

BLTools Cookies Checker

Version:

2.9.0.0

Modules

Images
c:\users\public\bltoolsv2.9\bltoolsv2.9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Add for printing

Total events

3 864

Read events

3 863

Write events

Delete events

Modification events


(PID) Process:	(5400) BLTools v2.9 PRO.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:	write	Name:	VBSFile
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5400	BLTools v2.9 PRO.exe	C:\Users\Public\MicrosoftEdgeUpdates.zip		compressed
		MD5:A79529A072F3FB2C037188C3AD57C45A	SHA256:D1DFA0D9EA037EF780D16A542DC8BD7AD19CE84CC5E702B7EC9B6101DA8274B3
5400	BLTools v2.9 PRO.exe	C:\Users\Public\MicrosoftEdgeUpdates\pss.bat		text
		MD5:C6131F38EDC71935BD8B905D7B4D3BE4	SHA256:20527233BDFA61A7BFF4B830451C33C53B2AEFF917F2884DF8ACE58BAAADC77A
5400	BLTools v2.9 PRO.exe	C:\Users\Public\BLToolsv2.9.zip		compressed
		MD5:A1150833D239AFFBE607681119BA613F	SHA256:C9A92D871ECDB4B285D3522640B4D400955A2E4D2EAE2A13C5039AF135035993
6268	csrs.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeUpdate.lnk		lnk
		MD5:F52E1A9269CE18806862B19883CCAEBC	SHA256:B499BD7A02EBB9A52197E16724A8A9B37F5E38B26E63B6F4E985A0A3BDE9C282
5400	BLTools v2.9 PRO.exe	C:\Users\Public\BLToolsv2.9\AlphaFS.dll		executable
		MD5:F2F6F6798D306D6D7DF4267434B5C5F9	SHA256:837F2CEAB6BBD9BC4BF076F1CB90B3158191888C3055DD2B78A1E23F1C3AAFDD
6188	s.exe	C:\Users\Public\MicrosoftEdgeUpdates\csrs.exe		executable
		MD5:8BEF98A1E9BA9DE4174BE7090A2ADFD6	SHA256:4CEE7F031DBD67E23D4783D610CDA67F3BBDBC1C975F3288B64FA801F07D0576
5400	BLTools v2.9 PRO.exe	C:\Users\Public\MicrosoftEdgeUpdates\ps.vbs		text
		MD5:A7A7DFD9BF4B1BC6CB369B02D8766F9F	SHA256:4A405629649CA66445CD39DD9F5D83D622913EEE1B6DE6EBF2E7B7AE5C8F9B2A
5400	BLTools v2.9 PRO.exe	C:\Users\Public\BLToolsv2.9\Ookii.Dialogs.Wpf.dll		executable
		MD5:932EBB3F9E7113071C6A17818342B7CC	SHA256:285AA8225732DDBCF211B1158BD6CFF8BF3ACBEEAB69617F4BE85862B7105AB5
5400	BLTools v2.9 PRO.exe	C:\Users\Public\BLToolsv2.9\MaterialDesignColors.dll		executable
		MD5:5C108C4DA6D03F0FA2C3B4DC7890CB52	SHA256:B5EC30C93B1D2B4631EE2B178750EC92E302E2E331090EC9783981B9572354F8
5400	BLTools v2.9 PRO.exe	C:\Users\Public\BLToolsv2.9\MaterialDesignThemes.Wpf.dll		executable
		MD5:824CBF63999F954AA1747F79586A4D3C	SHA256:344E2CEE979E979932F504DC76BD75E97AE1FF46CAA3FE2795ADFE0A866347F7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6484	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2536	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6484	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5560	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	2.16.204.161:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1176	svchost.exe	20.190.160.17:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
google.com	172.217.18.14	whitelisted
www.bing.com	2.16.204.161 2.16.204.135 2.16.204.160 2.16.204.159 2.16.204.136 2.16.204.137 2.16.204.158 2.16.204.132 2.16.204.134	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.160.17 40.126.32.68 40.126.32.138 40.126.32.76 40.126.32.72 40.126.32.140 40.126.32.74 40.126.32.133	whitelisted
go.microsoft.com	23.213.170.81	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

BLTools v2.9 PRO.exe

9C4FA57A0D02A2E71EF4DCAC942C08D8

9E6BC8DA3463B3DCA5B3BB0BCB87E946674767C5

16EC1D273039535A660AC22CE026B37E989E2D011FC0EAD57F9C60DC7E96355F

98304:Ub8wDJFqFvCpetDLTfemxb3ksfhkHHmWwjZuN7JZ6iI0RZA+GSayy4Q7r3BxiMTo:3f8s+hvIp652ub

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

The process executes VB scripts

Process drops legitimate windows executable

Likely accesses (executes) a file from the Public directory

Executable content was dropped or overwritten

INFO

Reads the computer name

Checks supported languages

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings