analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

BOLoader.exe

Full analysis: https://app.any.run/tasks/80338158-7518-4f10-8bf0-e6a429e51380
Verdict: Malicious activity
Analysis date: April 01, 2023, 18:33:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5:

466800E0CC0891C7552B4C9AB84D92D0

SHA1:

8BB9FB6FE76E791C67C8FC0276A4951AD8F7AD81

SHA256:

1FF52210FD6B079770A7CEA9AE29E58FA77E04CC62BEFF42B0C675D132EF1C5B

SSDEEP:

49152:WGNR9nGtuQVxpIuhTWQhreKB+K2B8ys1Pc:Xb9DQxGuhKQhcT8ys1U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • BOLoader.exe (PID: 3132)

  • INFO

    • Reads the computer name

      • BOLoader.exe (PID: 3132)

    • Reads mouse settings

      • BOLoader.exe (PID: 3132)

    • Checks supported languages

      • BOLoader.exe (PID: 3132)

    • The process checks LSA protection

      • BOLoader.exe (PID: 3132)

    • Reads the machine GUID from the registry

      • BOLoader.exe (PID: 3132)

    • Create files in a temporary directory

      • BOLoader.exe (PID: 3132)

    • Manual execution by a user

      • opera.exe (PID: 3536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

LegalCopyright: (C) WhiteLion
FileDescription: TeknogodsBlackOpsLauncher
Comments: Written in lame script language by WhiteLion
FileVersion: 1.0.0.484
CharacterSet: Unicode
LanguageCode: German
FileSubtype: -
ObjectFileType: Unknown
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 3.3.6.1
FileVersionNumber: 1.0.0.484
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x16310
UninitializedDataSize: -
InitializedDataSize: 121856
CodeSize: 524800
LinkerVersion: 9
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
TimeStamp: 2010:04:16 07:47:33+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Apr-2010 07:47:33
Detected languages:
  • English - United Kingdom
  • English - United States
  • German - Germany
FileDescription: -
FileVersion: 3, 3, 6, 1
CompiledScript: AutoIt v3 Script: 3, 3, 6, 1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 2
Time date stamp: 16-Apr-2010 07:47:33
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000AF000
0x0003CE00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.9988
.rsrc
0x000B0000
0x00003000
0x00002C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.27459

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.01246
620
Latin 1 / Western European
English - United States
RT_MANIFEST
2
7.20561
296
Latin 1 / Western European
English - United Kingdom
RT_ICON
3
7.30918
296
Latin 1 / Western European
English - United Kingdom
RT_ICON
4
4.55346
3240
UNKNOWN
English - United Kingdom
RT_ICON
7
7.87708
1328
Latin 1 / Western European
English - United Kingdom
RT_STRING
8
7.87421
1680
Latin 1 / Western European
English - United Kingdom
RT_STRING
9
7.80465
1082
Latin 1 / Western European
English - United Kingdom
RT_STRING
10
7.89045
1532
Latin 1 / Western European
English - United Kingdom
RT_STRING
11
7.88492
1628
Latin 1 / Western European
English - United Kingdom
RT_STRING
12
7.7933
904
Latin 1 / Western European
English - United Kingdom
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
MPR.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
USERENV.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start boloader.exe no specs boloader.exe opera.exe

Process information

PID
CMD
Path
Indicators
Parent process
1900"C:\Users\admin\AppData\Local\Temp\BOLoader.exe" C:\Users\admin\AppData\Local\Temp\BOLoader.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
TeknogodsBlackOpsLauncher
Exit code:
3221226540
Version:
1.0.0.484
Modules
Images
c:\users\admin\appdata\local\temp\boloader.exe
c:\windows\system32\ntdll.dll
3132"C:\Users\admin\AppData\Local\Temp\BOLoader.exe" C:\Users\admin\AppData\Local\Temp\BOLoader.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
TeknogodsBlackOpsLauncher
Exit code:
3221225477
Version:
1.0.0.484
Modules
Images
c:\users\admin\appdata\local\temp\boloader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
3536"C:\Program Files\Opera\opera.exe" C:\Program Files\Opera\opera.exe
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Exit code:
0
Version:
1748
Modules
Images
c:\program files\opera\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\rpcrt4.dll
Total events
1 928
Read events
1 812
Write events
116
Delete events
0

Modification events

(PID) Process:(3536) opera.exeKey:HKEY_CURRENT_USER\Software\Opera Software
Operation:writeName:Last CommandLine v2
Value:
C:\Program Files\Opera\opera.exe
(PID) Process:(3536) opera.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
6
Suspicious files
50
Text files
112
Unknown types
6

Dropped files

PID
Process
Filename
Type
3132BOLoader.exeC:\Users\admin\AppData\Local\Temp\autFB68.tmpbinary
MD5:269650CAAC98E037D9EBE8D4B640DCCA
SHA256:6EDC8ACAF03CFFDCC7F6D40EEFE33924B4C44F5546FE8BB499199063C1D3ECF9
3132BOLoader.exeC:\Users\admin\AppData\Local\Temp\autB09.tmpimage
MD5:B70029961D9A44DEB282C985EF456E82
SHA256:3A3BB558481B6D79B595FE0BB39041AD50FC0B39DA45299C237348F45CA7947E
3132BOLoader.exeC:\Users\admin\AppData\Local\Temp\DifficultyLevel.pngimage
MD5:9008C75638E0FF2479ACAF36F4550FE1
SHA256:927063F880C3831528D48B638E11DE0E8E51EC82C9C48FE45AFDD0DA03D17A5E
3132BOLoader.exeC:\Users\admin\AppData\Local\Temp\autB39.tmpimage
MD5:886F8DD8F4C0C2AC06AF76C387A0FB4F
SHA256:1FCAC328E75244D3C1997C39A8E916FD4D60558A101A72ABC47F7BEAD5406DC3
3132BOLoader.exeC:\Users\admin\AppData\Local\Temp\autB3A.tmpimage
MD5:ABD24B1F1ED935806116E039E95949D8
SHA256:28E5EB16872872B189805D8945D07833CA25C9F3D4825272DE69046E002B4FCB
3132BOLoader.exeC:\Users\admin\AppData\Local\Temp\autB3B.tmpimage
MD5:9008C75638E0FF2479ACAF36F4550FE1
SHA256:927063F880C3831528D48B638E11DE0E8E51EC82C9C48FE45AFDD0DA03D17A5E
3132BOLoader.exeC:\Users\admin\AppData\Local\Temp\hotkeys.pngimage
MD5:B70029961D9A44DEB282C985EF456E82
SHA256:3A3BB558481B6D79B595FE0BB39041AD50FC0B39DA45299C237348F45CA7947E
3132BOLoader.exeC:\Users\admin\AppData\Local\Temp\Playername.pngimage
MD5:886F8DD8F4C0C2AC06AF76C387A0FB4F
SHA256:1FCAC328E75244D3C1997C39A8E916FD4D60558A101A72ABC47F7BEAD5406DC3
3132BOLoader.exeC:\Users\admin\AppData\Local\Temp\MapName.pngimage
MD5:C4D6DA0C202B9B49FDB6EA6C5EFE696C
SHA256:AEB6C24A12B161F373E33AF9E774EE5CAA2AC778E6D1F67BB51E893E59F191C0
3132BOLoader.exeC:\Users\admin\AppData\Local\Temp\Gametype.pngimage
MD5:BDF598931ADDB5B9FC38C6B1B18A19C7
SHA256:F07D4A50EF54D5513FA640C85B3998D9697D740DE4E0869576F3B7F76C7F217B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.26.182.94:443
certs.opera.com
Opera Software AS
whitelisted

DNS requests

Domain
IP
Reputation
www.google.com
  • 142.250.185.196
whitelisted
certs.opera.com
  • 185.26.182.94
  • 185.26.182.93
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
Process
Message
BOLoader.exe
Invalid parameter passed to C runtime function.
BOLoader.exe
Invalid parameter passed to C runtime function.
BOLoader.exe
Invalid parameter passed to C runtime function.
BOLoader.exe
Invalid parameter passed to C runtime function.
BOLoader.exe
Invalid parameter passed to C runtime function.
BOLoader.exe
Invalid parameter passed to C runtime function.
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
BOLoader.exe