analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Flash-Player.exe

Full analysis: https://app.any.run/tasks/5671eb5e-1182-4323-87e2-48d1813d2f7c
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: May 23, 2019, 22:52:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
kpot
necurs
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

34BC99663E7513449526A217C05F396E

SHA1:

D80F969F18C37E599B486D0D81F605E715951B0F

SHA256:

233315C66A3E2AC7D18C75882D0B9E788135BB3AAED21E08FE557F2FD02AEBA6

SSDEEP:

12288:LuWX85pQwRyMohIWZSpzDq+AJ1jTYX9+38PijJ+sxCnv:aWXYpQwRyM/patJ1HYYjQsxCv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • KPOT was detected

      • Flash-Player.exe (PID: 3392)
    • Connects to CnC server

      • Flash-Player.exe (PID: 3392)
  • SUSPICIOUS

    • Reads the cookies of Google Chrome

      • Flash-Player.exe (PID: 3392)
    • Reads the cookies of Mozilla Firefox

      • Flash-Player.exe (PID: 3392)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

ProductVersion: 7.6.7.431
ProductName: MigrantSchedule
InternalName: MigrantSchedule
CompanyName: Boris Eyrich Software
Comments: Teamed Sakunthalai Beaver Politically Smbclient Vectors
LegalCopyright: Copyright © 1995-Present Boris Eyrich Software
LegalTrademarks: Copyright © 1995-Present Boris Eyrich Software
Languages: English
OriginalFileName: MigrantSchedule
FileDescription: Teamed Sakunthalai Beaver Politically Smbclient Vectors
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 7.6.7.431
FileVersionNumber: 7.6.7.431
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x20ceb
UninitializedDataSize: -
InitializedDataSize: 249344
CodeSize: 249344
LinkerVersion: 12
PEType: PE32
TimeStamp: 2019:04:21 22:34:50+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 21-Apr-2019 20:34:50
Detected languages:
  • English - United States
Debug artifacts:
  • C:\T\Release\CodeSignTool.pdb
FileDescription: Teamed Sakunthalai Beaver Politically Smbclient Vectors
OriginalFilename: MigrantSchedule
Languages: English
LegalTrademarks: Copyright © 1995-Present Boris Eyrich Software
LegalCopyright: Copyright © 1995-Present Boris Eyrich Software
Comments: Teamed Sakunthalai Beaver Politically Smbclient Vectors
CompanyName: Boris Eyrich Software
InternalName: MigrantSchedule
ProductName: MigrantSchedule
ProductVersion: 7.6.7.431

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 21-Apr-2019 20:34:50
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0003CDAB
0x0003CE00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.63496
.rdata
0x0003E000
0x000162B8
0x00016400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.79558
.data
0x00055000
0x00006068
0x00003400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.04065
.rsrc
0x0005C000
0x0001FB88
0x0001FC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.92377
.reloc
0x0007C000
0x00003834
0x00003A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.62863

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.18863
803
Latin 1 / Western European
English - United States
RT_MANIFEST
2
2.77721
1128
Latin 1 / Western European
English - United States
RT_ICON
3
2.18324
9640
Latin 1 / Western European
English - United States
RT_ICON
4
2.18734
4264
Latin 1 / Western European
English - United States
RT_ICON
5
1.35028
19496
Latin 1 / Western European
English - United States
RT_ICON
6
1.98167
16936
Latin 1 / Western European
English - United States
RT_ICON
101
2.8198
90
Latin 1 / Western European
English - United States
RT_GROUP_ICON
354
1.55242
4148
Latin 1 / Western European
English - United States
RT_CURSOR
373
7.96539
5798
Latin 1 / Western European
English - United States
BIN
532
7.96208
6784
Latin 1 / Western European
English - United States
BIN

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
GLU32.dll
KERNEL32.dll
MSACM32.dll
OLEAUT32.dll
OPENGL32.dll
SHELL32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #KPOT flash-player.exe

Process information

PID
CMD
Path
Indicators
Parent process
3392"C:\Users\admin\AppData\Local\Temp\Flash-Player.exe" C:\Users\admin\AppData\Local\Temp\Flash-Player.exe
explorer.exe
User:
admin
Company:
Boris Eyrich Software
Integrity Level:
MEDIUM
Description:
Teamed Sakunthalai Beaver Politically Smbclient Vectors
Exit code:
0
Total events
39
Read events
21
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3392Flash-Player.exeC:\Users\admin\AppData\Local\Temp\~DF8C21C6B40A80C186.TMP
MD5:
SHA256:
3392Flash-Player.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\gate[1].phptext
MD5:E0AA021E21DDDBD6D8CECEC71E9CF564
SHA256:565339BC4D33D72817B583024112EB7F5CDF3E5EEF0252D6EC1B9C9A94E12BB3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3392
Flash-Player.exe
GET
200
49.51.153.61:80
http://pinescop.top/r7bxRcw7Y2bKl5Vi/gate.php
CN
text
92 b
malicious
3392
Flash-Player.exe
POST
200
49.51.153.61:80
http://pinescop.top/r7bxRcw7Y2bKl5Vi/gate.php
CN
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3392
Flash-Player.exe
49.51.153.61:80
pinescop.top
CN
suspicious

DNS requests

Domain
IP
Reputation
pinescop.top
  • 49.51.153.61
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
3392
Flash-Player.exe
A Network Trojan was detected
ET TROJAN Generic gate[.].php GET with minimal headers
3392
Flash-Player.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
3392
Flash-Player.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no referer
3392
Flash-Player.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32.Kpot.Stealer Exfiltration
3392
Flash-Player.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32.Kpot.Stealer
3392
Flash-Player.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no accept headers
3392
Flash-Player.exe
Potentially Bad Traffic
ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
2 ETPRO signatures available at the full report
No debug info