analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

BlueHowl.exe

Full analysis: https://app.any.run/tasks/6bd5f212-9cd8-46be-9d02-98074559626c
Verdict: Malicious activity
Analysis date: January 15, 2022, 01:00:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

82A06C622BA85F44F138889E233C5EFA

SHA1:

E74BFCA27E4A0592A147804180C5F182D2652541

SHA256:

1D4322DBAD293847DE14ECA09BEE5056EAEDE7CE178490E101642BF1F5875E37

SSDEEP:

768:WVR0tsKhLYHcXpNKkrvF2P2Ql9e8QCHa27q0F++95hYcLsFq:WVRFKNpQkJ2zlsGp3U+959sFq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • BlueHowl.exe (PID: 3104)
    • Changes the autorun value in the registry

      • BlueHowl.exe (PID: 3104)
    • Application was dropped or rewritten from another process

      • Tempdecrypter.exe (PID: 3696)
  • SUSPICIOUS

    • Checks supported languages

      • BlueHowl.exe (PID: 3104)
      • Tempdecrypter.exe (PID: 3696)
    • Reads the computer name

      • BlueHowl.exe (PID: 3104)
      • Tempdecrypter.exe (PID: 3696)
    • Drops a file that was compiled in debug mode

      • BlueHowl.exe (PID: 3104)
    • Reads Microsoft Outlook installation path

      • BlueHowl.exe (PID: 3104)
    • Executable content was dropped or overwritten

      • BlueHowl.exe (PID: 3104)
    • Uses TASKKILL.EXE to kill process

      • BlueHowl.exe (PID: 3104)
    • Reads internet explorer settings

      • BlueHowl.exe (PID: 3104)
    • Creates files in the user directory

      • BlueHowl.exe (PID: 3104)
  • INFO

    • Reads the computer name

      • taskkill.exe (PID: 3664)
    • Checks supported languages

      • taskkill.exe (PID: 3664)
    • Reads settings of System Certificates

      • BlueHowl.exe (PID: 3104)
    • Checks Windows Trust Settings

      • BlueHowl.exe (PID: 3104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:05:20 00:30:48+02:00
PEType: PE32
LinkerVersion: 80
CodeSize: 46080
InitializedDataSize: 5120
UninitializedDataSize: -
EntryPoint: 0xd236
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: count
FileVersion: 1.0.0.0
InternalName: count.exe
LegalCopyright: Copyright © 2017
LegalTrademarks: -
OriginalFileName: count.exe
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-May-2017 22:30:48
Debug artifacts:
  • C:\Users\Quentin\Documents\test\test\obj\Release\count.pdb
Comments: -
CompanyName: -
FileDescription: count
FileVersion: 1.0.0.0
InternalName: count.exe
LegalCopyright: Copyright © 2017
LegalTrademarks: -
OriginalFilename: count.exe
ProductName: -
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 19-May-2017 22:30:48
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x0000B23C
0x0000B400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.94856
.rsrc
0x0000E000
0x00001144
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.00318
.reloc
0x00010000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.0815394

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.05185
3499
UNKNOWN
UNKNOWN
RT_MANIFEST

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start bluehowl.exe taskkill.exe no specs tempdecrypter.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3104"C:\Users\admin\AppData\Local\Temp\BlueHowl.exe" C:\Users\admin\AppData\Local\Temp\BlueHowl.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
count
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\bluehowl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3664taskkill /f /IM explorer.exeC:\Windows\system32\taskkill.exeBlueHowl.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
3696"C:\Users\admin\AppData\Local\Tempdecrypter.exe" C:\Users\admin\AppData\Local\Tempdecrypter.exeBlueHowl.exe
User:
admin
Integrity Level:
MEDIUM
Description:
decrypter
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\tempdecrypter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\gdi32.dll
Total events
8 365
Read events
8 210
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
20
Text files
45
Unknown types
19

Dropped files

PID
Process
Filename
Type
3104BlueHowl.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAder
MD5:2663BED1F902BED00647B84FABBF8DEA
SHA256:7A3C6A8BE401F6DE91999C00919EA0F3BDCF80D06EB0E8A15D801F8F9A465DE9
3104BlueHowl.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\XA37UNYF.txttext
MD5:4165AD8E61F3CA79461866E71CCF8EB2
SHA256:E4F9DA9F5BDD205B790597E1636650C0D84FFF790A8833B10BFF844B337B50F7
3104BlueHowl.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_A8E307474B7EEECDE82731B5F335EEAFbinary
MD5:C63CD0A816108E726DD25143D433E7CC
SHA256:3A1D8C7E9B687FF8F2264762520634E79E75884CADF4039E2B2BC82963C31A36
3104BlueHowl.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04der
MD5:B3C1AC005CF86FD225C24935AFB80DBC
SHA256:BA6AE96B7B7D003D9FF08BAFC1F28F483D8CB0F95D4A63E5857C05B4D8B65E5F
3104BlueHowl.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:BEAB9DA0AA8E569DD7B0DEDBA4676D02
SHA256:7C5EE0FF5ECD229BA442C639096CFB79D50D7FC6841A8E99693393A920A70C33
3104BlueHowl.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_E5B132B41B26E2FD23A912C0CB5FBCBAbinary
MD5:28DD28D984A18CB147D6B19E5247AE80
SHA256:240BBF20C041C09E35C8AA00FD8AC400ABC937E8F37ABAAEBD6D6E21AF5AD0CC
3104BlueHowl.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAbinary
MD5:85C05831F63951C74B6A2970CE339A35
SHA256:F934D7EBA0E94D66ECD0ECF89E9FC8496882764071C729C8457154F35ED640D1
3104BlueHowl.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:ECF68175FE30A8D50B82BEF1CD11E258
SHA256:5249F88EAFC7D089C56AF3844CE6ADE9F6E7CF6B0AA195771F93211AF60C85B6
3104BlueHowl.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAder
MD5:64E9B8BB98E2303717538CE259BEC57D
SHA256:76BD459EC8E467EFC3E3FB94CB21B9C77A2AA73C9D4C0F3FAF823677BE756331
3104BlueHowl.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:AD24B6142234BB024844C61B08778CF0
SHA256:90FDD937E8B78E8CE86EA9A54E768C6584C610CED95B2508A891E8E5AEB12DEC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
29
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3104
BlueHowl.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
3104
BlueHowl.exe
GET
200
104.18.21.226:80
http://ocsp2.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGCDPAjbzpoUYuu%2B39wE%3D
US
der
1.40 Kb
whitelisted
3104
BlueHowl.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
3104
BlueHowl.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
3104
BlueHowl.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
US
der
471 b
whitelisted
3104
BlueHowl.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQD0u1o6ejgsaAoAAAABJ949
US
der
472 b
whitelisted
3104
BlueHowl.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEG9FXshPqpwWCgAAAAEn3MY%3D
US
der
471 b
whitelisted
3104
BlueHowl.exe
GET
200
2.16.186.56:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d35c73974bffa6b4
unknown
compressed
4.70 Kb
whitelisted
3104
BlueHowl.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCCq2t14DFKuAoAAAABJ9n3
US
der
472 b
whitelisted
3104
BlueHowl.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCPMu8whnl65AoAAAABJ95m
US
der
472 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3104
BlueHowl.exe
142.250.185.74:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3104
BlueHowl.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3104
BlueHowl.exe
142.250.185.195:80
ocsp.pki.goog
Google Inc.
US
whitelisted
3104
BlueHowl.exe
142.250.184.206:443
www.youtube.com
Google Inc.
US
whitelisted
3104
BlueHowl.exe
2.16.186.56:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
3104
BlueHowl.exe
104.16.143.212:443
blockchain.info
Cloudflare Inc
US
shared
3104
BlueHowl.exe
172.67.158.42:443
rsms.me
US
malicious
142.250.185.232:443
www.googletagmanager.com
Google Inc.
US
suspicious
3104
BlueHowl.exe
104.16.40.77:443
www.blockchain.com
Cloudflare Inc
US
shared
151.101.1.26:443
cdn.polyfill.io
Fastly
US
suspicious

DNS requests

Domain
IP
Reputation
blockchain.info
  • 104.16.143.212
  • 104.16.144.212
  • 104.16.147.212
  • 104.16.146.212
  • 104.16.145.212
shared
ctldl.windowsupdate.com
  • 2.16.186.56
  • 2.16.186.81
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
www.blockchain.com
  • 104.16.40.77
  • 104.18.93.71
suspicious
www.youtube.com
  • 142.250.184.206
  • 142.250.184.238
  • 216.58.212.142
  • 142.250.185.78
  • 142.250.185.110
  • 142.250.185.142
  • 142.250.185.174
  • 142.250.185.206
  • 142.250.185.238
  • 172.217.18.110
  • 142.250.181.238
  • 172.217.16.142
  • 216.58.212.174
  • 142.250.74.206
  • 142.250.186.46
  • 142.250.186.78
whitelisted
rsms.me
  • 172.67.158.42
  • 104.21.8.250
whitelisted
fonts.googleapis.com
  • 142.250.185.74
whitelisted
ocsp.pki.goog
  • 142.250.185.195
whitelisted
www.googletagmanager.com
  • 142.250.185.232
whitelisted
cdn.polyfill.io
  • 151.101.1.26
  • 151.101.65.26
  • 151.101.129.26
  • 151.101.193.26
whitelisted

Threats

No threats detected
No debug info