| File name: | f5daa47c8ae87c7f46cff962788c3801.exe |
| Full analysis: | https://app.any.run/tasks/b5288f48-9038-44fb-99d0-a5bbc179053f |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | March 25, 2025, 06:30:06 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections |
| MD5: | F5DAA47C8AE87C7F46CFF962788C3801 |
| SHA1: | 5D6F8A5AC15788B34DD90F64A025E6A8162F9722 |
| SHA256: | 1A686AD8459BA5DCB7E0019F6568CF5D7F3597B62A1138DF634DFDD84251E863 |
| SSDEEP: | 384:yI/xWYVY8duBGCVy6APQHg/f5H9YrEcy8CfFyc5zUi1lbHst2Psn:yI/pduECVy6APKy8EFyc5zUE4 |
MALICIOUS
Actions looks like stealing of personal data
- f5daa47c8ae87c7f46cff962788c3801.exe (PID: 7368)
LUMAR has been detected (SURICATA)
- f5daa47c8ae87c7f46cff962788c3801.exe (PID: 7368)
SUSPICIOUS
The process connected to a server suspected of theft
- f5daa47c8ae87c7f46cff962788c3801.exe (PID: 7368)
Reads security settings of Internet Explorer
- f5daa47c8ae87c7f46cff962788c3801.exe (PID: 7368)
Connects to unusual port
- f5daa47c8ae87c7f46cff962788c3801.exe (PID: 7368)
INFO
Checks supported languages
- f5daa47c8ae87c7f46cff962788c3801.exe (PID: 7368)
Reads the computer name
- f5daa47c8ae87c7f46cff962788c3801.exe (PID: 7368)
Checks proxy server information
- slui.exe (PID: 7736)
Reads the software policy settings
- slui.exe (PID: 7736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:07:09 06:12:53+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 24576 |
| InitializedDataSize: | 5632 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2282 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
123
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 7368 | "C:\Users\admin\Desktop\f5daa47c8ae87c7f46cff962788c3801.exe" | C:\Users\admin\Desktop\f5daa47c8ae87c7f46cff962788c3801.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7736 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 541
Read events
3 541
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
22
DNS requests
5
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2104 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
2104 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
7368 | f5daa47c8ae87c7f46cff962788c3801.exe | 185.244.212.106:2227 | — | M247 Ltd | AT | unknown |
4652 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
7736 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| unknown |
google.com |
| unknown |
crl.microsoft.com |
| unknown |
activation-v2.sls.microsoft.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7368 | f5daa47c8ae87c7f46cff962788c3801.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] LUMAR Exfiltration |
7368 | f5daa47c8ae87c7f46cff962788c3801.exe | A Network Trojan was detected | ET MALWARE LUMAR Stealer Exfiltration M2 |