File name:	boiii.exe
Full analysis:	https://app.any.run/tasks/1c0e4c75-db59-4358-bf85-8b21efdb0158
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	July 27, 2024, 17:52:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	A06E431ACF3D0BB1CFCB93A8760276D2
SHA1:	05197A5CBAE6A6F6B17DCB6252FF09342BFC6B9F
SHA256:	2A8ED51131CC0485F6B2B769288BAD347A21618314D9D46C47D16B2DF0FAE052
SSDEEP:	98304:EfAzbiq9zCXnkpIlnuezFUk90txBWsBDrvsyJ6nVpW2i7:vzbPeUezUM

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2023:12:10 17:53:38+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.37
CodeSize:	1297920
InitializedDataSize:	1618944
UninitializedDataSize:	-
EntryPoint:	0xff6c4
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.1.1435
ProductVersionNumber:	1.0.1.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	momo5502
FileDescription:	BOIII
FileVersion:	1.0.1.1435
InternalName:	something
LegalCopyright:	Copyright (C) 2022 momo5502. All rights reserved.
OriginalFileName:	boiii.exe
ProductName:	BOIII
ProductVersion:	1.0.1


(PID) Process:	(2960) WerFault.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Operation:	delete value	Name:	DeviceTicket
Value:
(PID) Process:	(2960) WerFault.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Operation:	delete value	Name:	0018BFFFB20EAB97
Value:

PID	Process	Filename		Type
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\data\gamesettings\mp\gamesettings_escort.cfg		text
		MD5:76E2E66489FEBE4ABE9509BA0737182F	SHA256:21A4ACF60132F6BE3D85D87F2E1FD14F38FD9252862EF3BECC550E97DF264CDD
396	boiii.exe	C:\Users\admin\Desktop\boiii.exe.old		executable
		MD5:A06E431ACF3D0BB1CFCB93A8760276D2	SHA256:2A8ED51131CC0485F6B2B769288BAD347A21618314D9D46C47D16B2DF0FAE052
2988	cmd.exe	C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm		dbf
		MD5:B995329DB8915F7DEA5D6FAF30FE27FF	SHA256:CB528DBFEE9F4857FF46D4DBB119569EF36638DEA7DFF5C3749664812ADC94AE
2988	cmd.exe	C:\ProgramData\Microsoft\Network\Downloader\edb.log		binary
		MD5:0356354B449FBC25E5D7E76690DE115B	SHA256:39C07C0FB5998C761F6E2585B373DC7531F4D9642173E166778AFBE6BBBE5219
2988	cmd.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Settings\settings.dat		binary
		MD5:A0ED2202D26A10D7A6ED146775A85970	SHA256:B9F320FE808C1687E0B5EA177C2688720C590DDB1617EFECCD96EE23947C1880
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\data\scripts\mp\bots\_bot_loadout.gsc		binary
		MD5:A7A26611D6C8C1B8259C1E43965738AA	SHA256:76EF83FF2328239638923ED1B65016DE5B014F6C59483CF9FBA267DC06B3B514
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\data\lookup_tables\dvar_list.txt		text
		MD5:5E5CE6ED57B0F6642E27B72733082099	SHA256:7BC0D41E020FBAA9E2D2DA35DAC2677CF87472C3BB67E3387C7B3E159F91D8A3
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\data\scripts\mp\gametypes\_serversettings.gsc		binary
		MD5:943986EE54A59668300A0BCDD2C41FB8	SHA256:45FC01BC95280DD871F0F4753D053FF3E85DFD2AEE32A19BEB47019992532C17
2988	cmd.exe	C:\ProgramData\PLUG\Logs\RUXIMLog.001.etl		binary
		MD5:6C86C705612C86B396256C80AE7CDD74	SHA256:DE59D60EF3FDE0CBFBFEEA15A83AD4ADDDE136279E61C86A7481211C9CD2935D
736	boiii.exe	C:\Users\admin\AppData\Local\boiii\data\scripts\mp\bots\_bot.gsc		binary
		MD5:CE284252DEE65E17471CB56FEE3E8DAD	SHA256:23F8C0754C51C368C974D91622B068EEDB7BFF229F2249518D7A87121EA64564

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	188.114.96.3:443	https://bo3.ezz.lol/boiii.json?1722102744069504000	unknown	text	4.55 Kb	—
—	—	GET	200	92.123.104.62:443	https://www.bing.com/th?id=ODSWG.60d4f6f4-d64d-40f4-a05f-e19f4f6f2b60&pid=dsb	unknown	image	125 Kb	—
—	—	POST	200	20.42.65.84:443	https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176	unknown	—	—	—
—	—	GET	200	188.114.97.3:443	https://bo3.ezz.lol/boiii/boiii.exe?743876FCF7CD24FF0CE5C303C787F143AE04578A	unknown	executable	2.60 Mb	—
—	—	GET	200	188.114.96.3:443	https://bo3.ezz.lol/boiii.json?1722102773793160500	unknown	ini	4.55 Kb	—
—	—	POST	204	92.123.104.7:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—
—	—	GET	200	92.123.104.33:443	https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&pastMomentsInDays=6&cc=US&setlang=en-us&clientDateTime=7%2F27%2F2024%2C%205%3A52%3A45%20PM	unknown	text	137 Kb	—
—	—	GET	200	92.123.104.65:443	https://www.bing.com/th?id=ODSWG.cf3f3c93-5961-41fb-bc7b-18bc4e081bbf&pid=dsb	unknown	image	134 Kb	—
—	—	GET	200	150.171.22.254:443	https://ln-ring.msedge.net/apc/trans.gif?8d10b1d3d5c7dc784a2ae689497d6be5	unknown	image	43 b	—
—	—	POST	204	92.123.104.17:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
6064	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	131.253.33.254:443	a-ring-fallback.msedge.net	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	92.123.104.17:443	www.bing.com	Akamai International B.V.	DE	unknown
6012	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2736	slui.exe	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1272	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.83.72.98:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
396	boiii.exe	188.114.97.3:443	bo3.ezz.lol	CLOUDFLARENET	NL	unknown

Domain	IP	Reputation
t-ring-fdv2.msedge.net	13.107.237.254	unknown
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59 40.127.240.158	whitelisted
a-ring-fallback.msedge.net	131.253.33.254	unknown
www.bing.com	92.123.104.17 92.123.104.59 92.123.104.67 92.123.104.65 92.123.104.33 92.123.104.32 92.123.104.63 92.123.104.62 92.123.104.61 92.123.104.64 92.123.104.7 92.123.104.51 92.123.104.53 92.123.104.52 92.123.104.46 92.123.104.38	whitelisted
google.com	142.250.186.110	whitelisted
bo3.ezz.lol	188.114.97.3 188.114.96.3	unknown
self.events.data.microsoft.com	20.42.72.131	whitelisted
fp-afd-nocache-ccp.azureedge.net	13.107.246.45	whitelisted
browser.pipe.aria.microsoft.com	20.189.173.13	whitelisted
fp.msedge.net	204.79.197.222	whitelisted

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

boiii.exe

A06E431ACF3D0BB1CFCB93A8760276D2

05197A5CBAE6A6F6B17DCB6252FF09342BFC6B9F

2A8ED51131CC0485F6B2B769288BAD347A21618314D9D46C47D16B2DF0FAE052

98304:EfAzbiq9zCXnkpIlnuezFUk90txBWsBDrvsyJ6nVpW2i7:vzbPeUezUM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Renames files like ransomware

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Creates file in the systems drive root

Reads security settings of Internet Explorer

Executes application which crashes

Deletes system .NET executable

INFO

Creates files or folders in the user directory

Reads the machine GUID from the registry

Dropped object may contain TOR URL's

Checks supported languages

Reads the computer name

Manual execution by a user

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings