File name:	boiii.exe
Full analysis:	https://app.any.run/tasks/1c0e4c75-db59-4358-bf85-8b21efdb0158
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 27, 2024, 17:52:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	A06E431ACF3D0BB1CFCB93A8760276D2
SHA1:	05197A5CBAE6A6F6B17DCB6252FF09342BFC6B9F
SHA256:	2A8ED51131CC0485F6B2B769288BAD347A21618314D9D46C47D16B2DF0FAE052
SSDEEP:	98304:EfAzbiq9zCXnkpIlnuezFUk90txBWsBDrvsyJ6nVpW2i7:vzbPeUezUM

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2023:12:10 17:53:38+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.37
CodeSize:	1297920
InitializedDataSize:	1618944
UninitializedDataSize:	-
EntryPoint:	0xff6c4
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.1.1435
ProductVersionNumber:	1.0.1.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	momo5502
FileDescription:	BOIII
FileVersion:	1.0.1.1435
InternalName:	something
LegalCopyright:	Copyright (C) 2022 momo5502. All rights reserved.
OriginalFileName:	boiii.exe
ProductName:	BOIII
ProductVersion:	1.0.1


(PID) Process:	(2960) WerFault.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:	delete value	Name:	DeviceTicket
Value:
(PID) Process:	(2960) WerFault.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Operation:	delete value	Name:	0018BFFFB20EAB97
Value:

PID	Process	Filename		Type
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\data\gamesettings\mp\gamesettings_escort.cfg		text
		MD5:76E2E66489FEBE4ABE9509BA0737182F	SHA256:21A4ACF60132F6BE3D85D87F2E1FD14F38FD9252862EF3BECC550E97DF264CDD
396	boiii.exe	C:\Users\admin\Desktop\boiii.exe		executable
		MD5:F735CF4A04B61B019912737343068087	SHA256:6E12E10E88FC0A9FBD0477FDF4BE6F5B7EFD0BBCB1849281DAEB1CD453ACC684
396	boiii.exe	C:\Users\admin\Desktop\boiii.exe.old		executable
		MD5:A06E431ACF3D0BB1CFCB93A8760276D2	SHA256:2A8ED51131CC0485F6B2B769288BAD347A21618314D9D46C47D16B2DF0FAE052
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\data\launcher\noise.jpg		image
		MD5:ABA1FEFDB1253E206EBDBAB179421124	SHA256:815A7129C1511DBB247E4FD0BB7643F0B6C21719931527D8BA927F070525503D
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\ext.dll		executable
		MD5:B4F9DF67B658D666DFAFAC29578AAB48	SHA256:7467BAAAF371ABEB90B42207E69CEBB54F1F4D44A0880D1B7A4FEC46053903DD
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\data\launcher\main.html		html
		MD5:DF042ACA22D32324D1F3844C5426A086	SHA256:B2851BFE50C579B2BAB9DA61ADE29E6956EA569389A369A745D201159663B9B8
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\data\scripts\mp\bots\_bot.gsc_raw		text
		MD5:BE1F293C30A3C3032CE5BFBFC5163F86	SHA256:623AF61F307ADD74914FCC525116507E5B10DDC69675896890BEC44F873A2696
2988	cmd.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat.LOG1		binary
		MD5:8F175809A1E5BF2E819178CC3428E709	SHA256:637EFE6C47156500F8251A5390AE3E70BC4019EBC6CACE52D2DE7EA7AB7D649E
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\data\scripts\mp\gametypes\_serversettings.gsc		binary
		MD5:943986EE54A59668300A0BCDD2C41FB8	SHA256:45FC01BC95280DD871F0F4753D053FF3E85DFD2AEE32A19BEB47019992532C17
2988	cmd.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat		binary
		MD5:A0ED2202D26A10D7A6ED146775A85970	SHA256:B9F320FE808C1687E0B5EA177C2688720C590DDB1617EFECCD96EE23947C1880

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	150.171.22.254:443	https://ln-ring.msedge.net/apc/trans.gif?897cd2e2a675404be78cb9af5ae3d63b	unknown	image	43 b	unknown
—	—	GET	200	92.123.104.67:443	https://www.bing.com/dsb/scenario?name=TrendingSearchWithCache&cc=us&setlang=en-us	unknown	binary	647 b	unknown
—	—	GET	200	188.114.96.3:443	https://bo3.ezz.lol/boiii/data/gamesettings/mp/gamesettings_escort.cfg?6B97D13A010C5413F087411D1439AC6D7E79BF2A	unknown	text	1.18 Kb	unknown
—	—	GET	200	92.123.104.65:443	https://www.bing.com/th?id=ODSWG.cf3f3c93-5961-41fb-bc7b-18bc4e081bbf&pid=dsb	unknown	image	134 Kb	unknown
—	—	GET	200	188.114.97.3:443	https://bo3.ezz.lol/boiii/ext.dll?DF3FE0853C920D591304F8DE2CB4039EC0514208	unknown	executable	1.09 Mb	unknown
—	—	POST	204	92.123.104.17:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	unknown
—	—	GET	200	188.114.97.3:443	https://bo3.ezz.lol/boiii/boiii.exe?743876FCF7CD24FF0CE5C303C787F143AE04578A	unknown	executable	2.60 Mb	unknown
—	—	GET	200	188.114.96.3:443	https://bo3.ezz.lol/boiii.json?1722102744069504000	unknown	text	4.55 Kb	unknown
—	—	POST	200	20.42.72.131:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	unknown
—	—	GET	200	92.123.104.33:443	https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&pastMomentsInDays=6&cc=US&setlang=en-us&clientDateTime=7%2F27%2F2024%2C%205%3A52%3A45%20PM	unknown	text	137 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
6064	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	92.123.104.17:443	www.bing.com	Akamai International B.V.	DE	unknown
6012	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2736	slui.exe	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1272	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
396	boiii.exe	188.114.97.3:443	bo3.ezz.lol	CLOUDFLARENET	NL	unknown

Domain	IP	Reputation
t-ring-fdv2.msedge.net	13.107.237.254	unknown
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59 40.127.240.158	whitelisted
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	92.123.104.17 92.123.104.59 92.123.104.67 92.123.104.65 92.123.104.33 92.123.104.32 92.123.104.63 92.123.104.62 92.123.104.61 92.123.104.64 92.123.104.7 92.123.104.51 92.123.104.53 92.123.104.52 92.123.104.46 92.123.104.38	whitelisted
google.com	142.250.186.110	whitelisted
bo3.ezz.lol	188.114.97.3 188.114.96.3	unknown
self.events.data.microsoft.com	20.42.72.131	whitelisted
fp-afd-nocache-ccp.azureedge.net	13.107.246.45	whitelisted
browser.pipe.aria.microsoft.com	20.189.173.13	whitelisted
fp.msedge.net	204.79.197.222	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

boiii.exe

A06E431ACF3D0BB1CFCB93A8760276D2

05197A5CBAE6A6F6B17DCB6252FF09342BFC6B9F

2A8ED51131CC0485F6B2B769288BAD347A21618314D9D46C47D16B2DF0FAE052

98304:EfAzbiq9zCXnkpIlnuezFUk90txBWsBDrvsyJ6nVpW2i7:vzbPeUezUM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Renames files like ransomware

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Creates file in the systems drive root

Reads security settings of Internet Explorer

Executes application which crashes

Deletes system .NET executable

INFO

Reads the machine GUID from the registry

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Dropped object may contain TOR URL's

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings