| File name: | Deushack.exe |
| Full analysis: | https://app.any.run/tasks/ab2154a8-a390-4cf3-a9c2-1d2e21a330f7 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | April 05, 2025, 11:55:30 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections |
| MD5: | 780D6E999AEE273CD8E1596A78A32978 |
| SHA1: | 0D947F77EEC4A27EF912F9A932013DCE800A4D06 |
| SHA256: | 247807BCEB040A179599DDC8CE77095D306D125856063431174E9775F551467A |
| SSDEEP: | 196608:FtQQPQQLQQ0F/4CRFz6P7XKJLCfg8Qrec1JE:Wd6zXWCfErT1JE |
MALICIOUS
Actions looks like stealing of personal data
- lsass.exe (PID: 6640)
Steals credentials from Web Browsers
- lsass.exe (PID: 6640)
SALATSTEALER has been detected (YARA)
- lsass.exe (PID: 6640)
SUSPICIOUS
Node.exe was dropped
- Deushack.exe (PID: 2236)
Reads security settings of Internet Explorer
- Deushack.exe (PID: 2236)
- sda.exe (PID: 4696)
Executable content was dropped or overwritten
- Deushack.exe (PID: 2236)
- sda.exe (PID: 1324)
- lsass.exe (PID: 6640)
Starts itself from another location
- sda.exe (PID: 1324)
- lsass.exe (PID: 6640)
The process creates files with name similar to system file names
- sda.exe (PID: 1324)
- lsass.exe (PID: 6640)
Application launched itself
- sda.exe (PID: 4696)
Modifies hosts file to alter network resolution
- powershell.exe (PID: 5400)
Gets path to any of the special folders (POWERSHELL)
- powershell.exe (PID: 5400)
Starts POWERSHELL.EXE for commands execution
- lsass.exe (PID: 6640)
There is functionality for taking screenshot (YARA)
- lsass.exe (PID: 6640)
Multiple wallet extension IDs have been found
- lsass.exe (PID: 6640)
INFO
The sample compiled with english language support
- Deushack.exe (PID: 2236)
Process checks computer location settings
- Deushack.exe (PID: 2236)
- sda.exe (PID: 4696)
Create files in a temporary directory
- Deushack.exe (PID: 2236)
- lsass.exe (PID: 6640)
Checks supported languages
- Deushack.exe (PID: 2236)
- Deushack.exe (PID: 5800)
- sda.exe (PID: 4696)
- sda.exe (PID: 1324)
- lsass.exe (PID: 4976)
- lsass.exe (PID: 5436)
- lsass.exe (PID: 6640)
Reads the computer name
- Deushack.exe (PID: 2236)
- Deushack.exe (PID: 5800)
- sda.exe (PID: 1324)
- lsass.exe (PID: 6640)
- sda.exe (PID: 4696)
- lsass.exe (PID: 5436)
- lsass.exe (PID: 4976)
Reads product name
- Deushack.exe (PID: 5800)
Reads Environment values
- Deushack.exe (PID: 5800)
Creates files in the program directory
- sda.exe (PID: 1324)
- lsass.exe (PID: 6640)
Creates files or folders in the user directory
- sda.exe (PID: 1324)
Reads the machine GUID from the registry
- lsass.exe (PID: 6640)
- sda.exe (PID: 4696)
- sda.exe (PID: 1324)
- lsass.exe (PID: 4976)
- lsass.exe (PID: 5436)
Checks current location (POWERSHELL)
- powershell.exe (PID: 5400)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 5400)
Drops encrypted JS script (Microsoft Script Encoder)
- lsass.exe (PID: 6640)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 5400)
UPX packer has been detected
- lsass.exe (PID: 6640)
Found Base64 encoded access to environment variables via PowerShell (YARA)
- lsass.exe (PID: 6640)
Detects GO elliptic curve encryption (YARA)
- lsass.exe (PID: 6640)
Found Base64 encoded access to processes via PowerShell (YARA)
- lsass.exe (PID: 6640)
Found Base64 encoded access to Windows Defender via PowerShell (YARA)
- lsass.exe (PID: 6640)
Application based on Golang
- lsass.exe (PID: 6640)
Checks proxy server information
- slui.exe (PID: 5164)
Reads the software policy settings
- slui.exe (PID: 5164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 EXE PECompact compressed (generic) (53.8) |
|---|---|---|
| .exe | | | UPX compressed Win32 Executable (35) |
| .exe | | | Win32 Executable (generic) (5.8) |
| .exe | | | Generic Win/DOS Executable (2.5) |
| .exe | | | DOS Executable Generic (2.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:19 22:22:17+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 5120 |
| InitializedDataSize: | 41077760 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x20cc |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 18.5.0.0 |
| ProductVersionNumber: | 18.5.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Node.js |
| ProductName: | Node.js |
| FileDescription: | Node.js JavaScript Runtime |
| FileVersion: | 18.5.0 |
| ProductVersion: | 18.5.0 |
| OriginalFileName: | node.exe |
| InternalName: | node |
| LegalCopyright: | Copyright Node.js contributors. MIT license. |
Total processes
140
Monitored processes
11
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1324 | "C:\Users\admin\AppData\Local\Temp\sda.exe" | C:\Users\admin\AppData\Local\Temp\sda.exe | sda.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2236 | "C:\Users\admin\Desktop\Deushack.exe" | C:\Users\admin\Desktop\Deushack.exe | explorer.exe | ||||||||||||
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js JavaScript Runtime Exit code: 0 Version: 18.5.0 Modules
| |||||||||||||||
| 4696 | "C:\Users\admin\AppData\Local\Temp\sda.exe" | C:\Users\admin\AppData\Local\Temp\sda.exe | — | Deushack.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 2 Modules
| |||||||||||||||
| 4976 | "C:\Program Files (x86)\Microsoft\Edge\Application\lsass.exe" - | C:\Program Files (x86)\Microsoft\Edge\Application\lsass.exe | — | lsass.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 5164 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5400 | powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | lsass.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5436 | "C:\Program Files\Google\Chrome\Application\lsass.exe" - | C:\Program Files\Google\Chrome\Application\lsass.exe | — | lsass.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 5728 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | Deushack.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5756 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5800 | "C:\Users\admin\AppData\Local\Temp\Deushack.exe" | C:\Users\admin\AppData\Local\Temp\Deushack.exe | Deushack.exe | ||||||||||||
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js JavaScript Runtime Exit code: 0 Version: 18.5.0 Modules
| |||||||||||||||
Total events
13 592
Read events
13 589
Write events
3
Delete events
0
Modification events
| (PID) Process: | (2236) Deushack.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (4696) sda.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA8D000000 | |||
| (PID) Process: | (4696) sda.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309DCF020000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000060B81DB4E48ED2119906E49FADC173CA8D000000 | |||
Executable files
5
Suspicious files
1
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2236 | Deushack.exe | C:\Users\admin\AppData\Local\Temp\Deushack.exe | — | |
MD5:— | SHA256:— | |||
| 2236 | Deushack.exe | C:\Users\admin\AppData\Local\Temp\sda.exe | executable | |
MD5:043CD983CE3439B6C9BC39DA5771C72D | SHA256:A9F1B64CC2A889ECDF1F222E4D8C5B271280FE30D556579C4A73895F5B73B12F | |||
| 1324 | sda.exe | C:\Users\admin\AppData\Local\MicrosoftEdge\sppsvc.exe | executable | |
MD5:043CD983CE3439B6C9BC39DA5771C72D | SHA256:A9F1B64CC2A889ECDF1F222E4D8C5B271280FE30D556579C4A73895F5B73B12F | |||
| 5400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_iywsmg0k.vxe.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5400 | powershell.exe | C:\Windows\System32\drivers\etc\hosts | text | |
MD5:D07AA03412ABDCCAF245A080FDEE8BA3 | SHA256:D152AFF173BA3C148DE1C17FC870E923CE41132DE24B5D50DC9BFC15D7891EB1 | |||
| 6640 | lsass.exe | C:\Program Files\Google\Chrome\Application\lsass.exe | executable | |
MD5:043CD983CE3439B6C9BC39DA5771C72D | SHA256:A9F1B64CC2A889ECDF1F222E4D8C5B271280FE30D556579C4A73895F5B73B12F | |||
| 5400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uldo53fe.ham.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wufrg4kj.zoa.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mry202uj.rcc.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6640 | lsass.exe | C:\Program Files (x86)\Microsoft\Edge\Application\lsass.exe | executable | |
MD5:043CD983CE3439B6C9BC39DA5771C72D | SHA256:A9F1B64CC2A889ECDF1F222E4D8C5B271280FE30D556579C4A73895F5B73B12F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
59
DNS requests
16
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
6668 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6668 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
6668 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
6668 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
6668 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
— | — | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | — |
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
6668 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 20.10.31.115:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5800 | Deushack.exe | 104.21.63.110:443 | aml-robot.live | CLOUDFLARENET | — | unknown |
3216 | svchost.exe | 20.10.31.115:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1324 | sda.exe | 1.1.1.1:443 | — | — | — | whitelisted |
1324 | sda.exe | 172.67.191.102:443 | — | — | — | unknown |
6640 | lsass.exe | 1.1.1.1:443 | — | — | — | whitelisted |
6640 | lsass.exe | 172.67.191.102:443 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
aml-robot.live |
| unknown |
go.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |