analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

AIO Gift Card Generator (v1.4).exe

Full analysis: https://app.any.run/tasks/89eac946-a7a5-4718-9831-20a062262127
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: September 11, 2019, 03:01:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

6D605AC78C1CA737522B281CA9FFFBDF

SHA1:

51B9167131E5CA759AFB99FC611BE7640CE08787

SHA256:

2DF956BA7260272FABA5AA5D51D7909FA655741C4DC40E10E9EB0B4A89FC3F12

SSDEEP:

49152:9h+ZkldoPK8YasfW7kZJqBqodLj9DjOUzwSc:u2cPK8IW7kZAXLj9DjOM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads the Task Scheduler COM API

      • AIO Gift Card Generator (v1.4).exe (PID: 3424)
      • KeyCredMgr.exe (PID: 3548)
    • Stealing of credential data

      • KeyCredMgr.exe (PID: 3548)
    • Application was dropped or rewritten from another process

      • KeyCredMgr.module.exe (PID: 3848)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • KeyCredMgr.exe (PID: 3548)
    • Reads Internet Cache Settings

      • rundll32.exe (PID: 2636)
      • rundll32.exe (PID: 2604)
      • rundll32.exe (PID: 2256)
    • Reads the cookies of Mozilla Firefox

      • KeyCredMgr.exe (PID: 3548)
    • Starts itself from another location

      • AIO Gift Card Generator (v1.4).exe (PID: 3424)
    • Executable content was dropped or overwritten

      • AIO Gift Card Generator (v1.4).exe (PID: 3424)
      • KeyCredMgr.exe (PID: 3548)
    • Creates files in the user directory

      • AIO Gift Card Generator (v1.4).exe (PID: 3424)
      • KeyCredMgr.exe (PID: 3548)
      • KeyCredMgr.module.exe (PID: 3848)
    • Reads the cookies of Google Chrome

      • KeyCredMgr.exe (PID: 3548)
    • Uses ATTRIB.EXE to modify file attributes

      • KeyCredMgr.exe (PID: 3548)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

ProductVersion: 4.1.4.3
OriginalFileName: dnscacheugc.exe
InternalName: dnscacheugc.exe
FileVersion: 4.1.4.3
FileDescription: SecurityCenterBrokerPS
CompanyName: Logon User Experience
Comments: GwHaya8YeNWIFtXISNBZmOALrSwtwnmRZtlF8uyyDn5Vka6sEvOPZk8n
CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 4.1.4.3
FileVersionNumber: 4.1.4.3
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x2800a
UninitializedDataSize: -
InitializedDataSize: 1302016
CodeSize: 581632
LinkerVersion: 12
PEType: PE32
TimeStamp: 2019:09:10 22:54:45+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 10-Sep-2019 20:54:45
Detected languages:
  • English - United Kingdom
Comments: GwHaya8YeNWIFtXISNBZmOALrSwtwnmRZtlF8uyyDn5Vka6sEvOPZk8n
CompanyName: Logon User Experience
FileDescription: SecurityCenterBrokerPS
FileVersion: 4.1.4.3
InternalName: dnscacheugc.exe
OriginalFilename: dnscacheugc.exe
ProductVersion: 4.1.4.3

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 10-Sep-2019 20:54:45
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0008DFDD
0x0008E000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.67525
.rdata
0x0008F000
0x0002FD8E
0x0002FE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.76324
.data
0x000BF000
0x00008F74
0x00005200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.19638
.rsrc
0x000C8000
0x00101B24
0x00101C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.97984
.reloc
0x001CA000
0x00007134
0x00007200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.78396

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.40026
1007
Latin 1 / Western European
English - United Kingdom
RT_MANIFEST
2
3.65355
744
Latin 1 / Western European
English - United Kingdom
RT_ICON
3
3.43704
296
Latin 1 / Western European
English - United Kingdom
RT_ICON
4
4.16139
3752
Latin 1 / Western European
English - United Kingdom
RT_ICON
5
4.07494
2216
Latin 1 / Western European
English - United Kingdom
RT_ICON
6
2.18302
1384
Latin 1 / Western European
English - United Kingdom
RT_ICON
7
3.34702
1428
Latin 1 / Western European
English - United Kingdom
RT_STRING
8
3.2817
1674
Latin 1 / Western European
English - United Kingdom
RT_STRING
9
3.28849
1168
Latin 1 / Western European
English - United Kingdom
RT_STRING
10
3.28373
1532
Latin 1 / Western European
English - United Kingdom
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.dll
MPR.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start aio gift card generator (v1.4).exe keycredmgr.exe rundll32.exe no specs rundll32.exe no specs keycredmgr.module.exe no specs rundll32.exe no specs attrib.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3424"C:\Users\admin\AppData\Local\Temp\AIO Gift Card Generator (v1.4).exe" C:\Users\admin\AppData\Local\Temp\AIO Gift Card Generator (v1.4).exe
explorer.exe
User:
admin
Company:
Logon User Experience
Integrity Level:
MEDIUM
Description:
SecurityCenterBrokerPS
Exit code:
0
Version:
4.1.4.3
3548C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\KeyCredMgr.exeC:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\KeyCredMgr.exe
AIO Gift Card Generator (v1.4).exe
User:
admin
Company:
Logon User Experience
Integrity Level:
MEDIUM
Description:
SecurityCenterBrokerPS
Version:
4.1.4.3
2636"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 C:\Windows\system32\rundll32.exeKeyCredMgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2604"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 C:\Windows\system32\rundll32.exeKeyCredMgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3848C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\KeyCredMgr.module.exe a -y -mx9 -ssw "C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\ENU_6887FE9730D2535E9D41.7z" "C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\1\*"C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\KeyCredMgr.module.exeKeyCredMgr.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2256"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 C:\Windows\system32\rundll32.exeKeyCredMgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3580attrib +s +h "C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client"C:\Windows\system32\attrib.exeKeyCredMgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
227
Read events
192
Write events
35
Delete events
0

Modification events

(PID) Process:(3548) KeyCredMgr.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:GlobalUserOffline
Value:
0
(PID) Process:(3548) KeyCredMgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\KeyCredMgr_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3548) KeyCredMgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\KeyCredMgr_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3548) KeyCredMgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\KeyCredMgr_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3548) KeyCredMgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\KeyCredMgr_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3548) KeyCredMgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\KeyCredMgr_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3548) KeyCredMgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\KeyCredMgr_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3548) KeyCredMgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\KeyCredMgr_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3548) KeyCredMgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\KeyCredMgr_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3548) KeyCredMgr.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\KeyCredMgr_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
Executable files
2
Suspicious files
1
Text files
12
Unknown types
1

Dropped files

PID
Process
Filename
Type
3424AIO Gift Card Generator (v1.4).exeC:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\ENU_6887FE9730D2535E9D41
MD5:
SHA256:
3548KeyCredMgr.exeC:\Users\admin\AppData\Local\Temp\aut958E.tmp
MD5:
SHA256:
3548KeyCredMgr.exeC:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\KeyCredMgr.sqlite3.module.dll.2
MD5:
SHA256:
3548KeyCredMgr.exeC:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\KeyCredMgr.sqlite3.module.dll
MD5:
SHA256:
3548KeyCredMgr.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
3548KeyCredMgr.exeC:\Users\admin\AppData\Local\Temp\aut9DBC.tmp
MD5:
SHA256:
3548KeyCredMgr.exeC:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\KeyCredMgr.module.exe.2
MD5:
SHA256:
3548KeyCredMgr.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\getMe[1]text
MD5:FC388D4F186EEF236602C60E30DF3B40
SHA256:5C6404C75DD33FEBD480B4B1B7B188B329A121EE45D8438347E3495038A93BAA
3548KeyCredMgr.exeC:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\1\Cookies\Mozilla Firefox (10).txttext
MD5:87CC984576777CE52103C94663ABA355
SHA256:6B7CFDC32A9FBEB8A2FE9D310BD64BDC831868140E225886E14823DE3BE5CFA3
3548KeyCredMgr.exeC:\Users\admin\AppData\Roaming\amd64_microsoft-windows-security-spp-client\1\AutoFills.txttext
MD5:0FA6517BD2CE038B938ED75535ED8411
SHA256:DCFA323C1460A0395188F00F340BCA5308849739760F0B79DCF35F8BE908226A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3548
KeyCredMgr.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger LLP
GB
malicious
3548
KeyCredMgr.exe
104.25.210.99:443
ipapi.co
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
api.telegram.org
  • 149.154.167.220
shared
ipapi.co
  • 104.25.210.99
  • 104.25.209.99
shared

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
No debug info