analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample.exe

Full analysis: https://app.any.run/tasks/f15b633d-3117-4d28-bb7d-f7f25407d941
Verdict: Malicious activity
Analysis date: June 19, 2019, 10:42:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
pup
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

A29C9F523B47027FB97190B908C18979

SHA1:

203CA880EFA5E1C883F37AD56A4B0E832B813A15

SHA256:

25CEEAED228C2D7C08BAD41362AD6619C243324AD8A0E05C75D3672E96373BED

SSDEEP:

49152:QS3LOzY7exX2IFqucmyChAgZmY+jsCt8cv1XuYyU7rhTqr6iZVQA:QS3qvxXvgucmTegr+bcO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • sample.exe (PID: 2688)

    • MAILRU was detected

      • sample.exe (PID: 2688)

    • Connects to CnC server

      • sample.exe (PID: 2688)

    • Changes the autorun value in the registry

      • sample.exe (PID: 2688)

  • SUSPICIOUS

    • Application launched itself

      • sample.exe (PID: 2448)

    • Reads the cookies of Google Chrome

      • sample.exe (PID: 2688)

    • Adds / modifies Windows certificates

      • sample.exe (PID: 2688)

    • Creates files in the program directory

      • sample.exe (PID: 2688)

    • Creates files in the user directory

      • sample.exe (PID: 2688)

    • Reads the cookies of Mozilla Firefox

      • sample.exe (PID: 2688)

    • Executable content was dropped or overwritten

      • sample.exe (PID: 2688)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (53.4)
.exe | Win64 Executable (generic) (35.5)
.exe | Win32 Executable (generic) (5.8)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

ProductVersion: 5.1.0.194
ProductName: sputnik
OriginalFileName: sputnik.exe
LegalCopyright: Copyright c 2005 - 2015
InternalName: sputnik
FileVersion: 5.1.0.194
FileDescription: sputnik
CharacterSet: Windows, Cyrillic
LanguageCode: Russian
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 5.1.0.194
FileVersionNumber: 5.1.0.194
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x118241
UninitializedDataSize: -
InitializedDataSize: 452096
CodeSize: 1660416
LinkerVersion: 14.12
PEType: PE32
TimeStamp: 2019:02:22 09:36:08+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 22-Feb-2019 08:36:08
Detected languages:
  • English - United States
  • Russian - Russia
TLS Callbacks: 1 callback(s) detected.
Debug artifacts:
  • D:\Build\desktop_apps\_out\sputnik_installer.pdb
FileDescription: sputnik
FileVersion: 5.1.0.194
InternalName: sputnik
LegalCopyright: Copyright c 2005 - 2015
OriginalFilename: sputnik.exe
ProductName: sputnik
ProductVersion: 5.1.0.194

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000120

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 22-Feb-2019 08:36:08
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x001955B3
0x00195600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.65676
.rdata
0x00197000
0x0004B8FC
0x0004BA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.04915
.data
0x001E3000
0x0000A888
0x00008E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.97286
.rsrc
0x001EE000
0x000055E0
0x00005600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.86905
.reloc
0x001F4000
0x00012AE4
0x00012C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.588

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.12107
796
UNKNOWN
English - United States
RT_MANIFEST
GO_MAIL_RU_ICO
7.98034
10132
UNKNOWN
Russian - Russia
BIN
GO_MAIL_RU_PNG
7.53676
815
UNKNOWN
Russian - Russia
BIN
MAIL_RU_ICO
7.97151
8319
UNKNOWN
Russian - Russia
BIN
MAIL_RU_PNG
7.52939
783
UNKNOWN
Russian - Russia
BIN

Imports

ADVAPI32.dll
CRYPT32.dll
KERNEL32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
VERSION.dll
WINHTTP.dll
WTSAPI32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sample.exe no specs #MAILRU sample.exe

Process information

PID
CMD
Path
Indicators
Parent process
2448"C:\Users\admin\AppData\Local\Temp\sample.exe" C:\Users\admin\AppData\Local\Temp\sample.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
sputnik
Exit code:
0
Version:
5.1.0.194
2688"C:\Users\admin\AppData\Local\Temp\sample.exe" --elevationC:\Users\admin\AppData\Local\Temp\sample.exe
sample.exe
User:
admin
Integrity Level:
HIGH
Description:
sputnik
Version:
5.1.0.194
Total events
1 343
Read events
769
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
2
Text files
7
Unknown types
2

Dropped files

PID
Process
Filename
Type
2688sample.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
2688sample.exeC:\Users\admin\AppData\Local\Temp\4175-7e29-6bb1-4219\MailRu.ico
MD5:
SHA256:
2688sample.exeC:\Users\admin\AppData\Local\Temp\117c-8a97-0caa-d222\GoMailRu.ico
MD5:
SHA256:
2688sample.exeC:\ProgramData\Mail.Ru\Idtext
MD5:2A5F5EE021D8C5E82849BA1A76A6DD15
SHA256:706E95DC473F3EFD4567E66794DCAB0D3428C5B9B2297A2609A65B0B0A541F9F
2688sample.exeC:\Users\admin\AppData\Local\Mail.Ru\Tmp\DeferredTasks\metadatabinary
MD5:123728C745374CA4516EE424E61C74C6
SHA256:0D19176A0DCCF5018F7B3170E5BD2387E47FBF326246260161B0E6205BCC1A2B
2688sample.exeC:\Users\admin\Favorites\Искать в Интернете.urltext
MD5:EB08378217B4A9D27F46FA00527D778B
SHA256:B0C3586271724BE93C4BA4AF3D9A7DF05462F76B603DD7EF7E5BA4448BB7C244
2688sample.exeC:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mail.Ru.lnklnk
MD5:85B59880C49352B02E6FD0B15A2E272C
SHA256:653B7C200485DBBCAEA23D2D3A62335E374A679C7C8D9DC2B0251C896B74EFD5
2688sample.exeC:\Users\admin\AppData\Local\Mail.Ru\Sputnik\MailRu.icoimage
MD5:1B8FB79AAA423BE16049803FD901B79D
SHA256:7F9C40702936F23F24828FB0B49EDD70534F617BFADAC2854061620D6DD435D2
2688sample.exeC:\Users\admin\Desktop\Искать в Интернете.urltext
MD5:EAA4AE3F04FD33F17CA945431D639099
SHA256:8C1F09710F5AA6E6A82433F12FE1854C2E64A9A07ED9D5F32E1DB8AE43ACC202
2688sample.exeC:\Users\admin\AppData\Local\Mail.Ru\Tmp\DeferredTasks\{ED89690A-8CF7-47DA-9384-7A89BC7967C1}_cbinary
MD5:B5232444AC326CF3F81FF61B62F087CB
SHA256:B98322A0D14AA176D33FA8CDD214A873625BAF076CF989A2E5083B83CE960012
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
15
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
217.69.139.245:80
http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_gomailru&event=done&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules=
RU
suspicious
GET
204
217.69.139.245:80
http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=fav_gomailru&event=done&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules=
RU
suspicious
2688
sample.exe
GET
204
217.69.139.245:80
http://mrds.mail.ru/update/2/version.txt?type=spparams&raw=--elevation&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules=
RU
suspicious
2688
sample.exe
GET
204
217.69.139.245:80
http://mrds.mail.ru/update/2/version.txt?type=install&bgn=1&standalone=1&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=7&elapsed_time=0&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules=
RU
suspicious
2688
sample.exe
GET
204
217.69.139.245:80
http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=taskbar_mailru&event=done&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules=
RU
suspicious
GET
204
217.69.139.245:80
http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=ie_mailru&event=done&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules=
RU
suspicious
GET
204
217.69.139.245:80
http://mrds.mail.ru/update/2/version.txt?type=setup_unit&id=desktop_mailru&event=done&masterid=%7B3186C5F9-BEC0-46CA-A21B-6DFA1E4AE3C7%7D&user_id=%7B43939F52-5166-4A04-A2F7-9FD9233890E8%7D&osver=7&osbit=32&osvernum=6.1&ossp=Service%20Pack%201&uac=1&admin=1&ver=5.1.0.194&mailru_guard=0&mailru_updater=0&comp_mem=3583&tool_mem=13&elapsed_time=3&mr_service=0&os=win6.1&tool=sputnik&GUID=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&common_rfr=&install_id=%7B37E95E96-4E7C-4E3F-8697-913DFDFB7E9D%7D&rfr_rules=
RU
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
94.100.180.110:443
mailruupdater.cdnmail.ru
Limited liability company Mail.Ru
RU
suspicious
217.69.139.245:443
mrds.mail.ru
Limited liability company Mail.Ru
RU
malicious
2688
sample.exe
217.69.139.247:443
xmlbinupdate.mail.ru
Limited liability company Mail.Ru
RU
malicious
2688
sample.exe
217.69.139.122:443
conserv.go.mail.ru
Limited liability company Mail.Ru
RU
unknown
217.69.139.245:80
mrds.mail.ru
Limited liability company Mail.Ru
RU
malicious
2688
sample.exe
217.69.139.245:80
mrds.mail.ru
Limited liability company Mail.Ru
RU
malicious
2688
sample.exe
94.100.180.110:443
mailruupdater.cdnmail.ru
Limited liability company Mail.Ru
RU
suspicious

DNS requests

Domain
IP
Reputation
xmlbinupdate.mail.ru
  • 217.69.139.247
shared
dns.msftncsi.com
  • 131.107.255.255
shared
conserv.go.mail.ru
  • 217.69.139.122
unknown
mrds.mail.ru
  • 217.69.139.245
suspicious
mailruupdater.cdnmail.ru
  • 94.100.180.110
unknown
xtnmailru.cdnmail.ru
  • 94.100.180.110
unknown

Threats

Found threats are available for the paid subscriptions
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sample.exe