File name: BLTools v2.7.1 [PRO].sfx.exe

Full analysis: https://app.any.run/tasks/265a8b5a-0e20-47fe-ae60-bc0b032d5c77
Verdict: Malicious activity
Analysis date: January 06, 2024, 19:24:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: BD5FD5AF41AFC879A18D665F64C9EB20
SHA1: 9D5E51DDD394D66336AC2C1ED60395414913DE91
SHA256: 2F693C27BDD5DE21D5997D5956DD3F9DA16CD2372AB6AF2B265B24E89F1BE581
SSDEEP: 98304:9fLIQ/9lT9eNYrIpsPG21IIZC4QiNhPEvhOQ5s/NdM0G3OoZzl/044WOZJE41paE:9tNYjVrJjA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 2044)
    • Reads the Internet Settings

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 2044)
      • BLTools v2.7.1 [PRO].exe (PID: 492)
    • Reads Internet Explorer settings

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 2044)
    • Reads settings of System Certificates

      • BLTools v2.7.1 [PRO].exe (PID: 492)
  • INFO

    • Drops the executable file immediately after the start

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 2044)
    • Reads the computer name

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 2044)
      • BLTools v2.7.1 [PRO].exe (PID: 492)
    • Checks supported languages

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 2044)
      • BLTools v2.7.1 [PRO].exe (PID: 492)
    • Checks proxy server information

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 2044)
    • Create files in a temporary directory

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 2044)
      • BLTools v2.7.1 [PRO].exe (PID: 492)
    • Process drops legitimate windows executable

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 2044)
    • Reads the machine GUID from the registry

      • BLTools v2.7.1 [PRO].exe (PID: 492)
      • BLTools v2.7.1 [PRO].sfx.exe (PID: 2044)
    • Reads Environment values

      • BLTools v2.7.1 [PRO].exe (PID: 492)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:09:28 12:37:13+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 214528
InitializedDataSize: 263680
UninitializedDataSize: -
EntryPoint: 0x21d50
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start bltools v2.7.1 [pro].sfx.exe no specs bltools v2.7.1 [pro].exe

Process information

PID: 492
CMD: "C:\Users\admin\AppData\Local\Temp\BLTools v2.7.1 [PRO].exe"
Path: C:\Users\admin\AppData\Local\Temp\BLTools v2.7.1 [PRO].exe
Parent process: BLTools v2.7.1 [PRO].sfx.exe
User: admin
Integrity Level: MEDIUM
Description: BLTools Cookies Checker
Exit code: 0
Version: 2.7.1.0
Modules (Images):
c:\users\admin\appdata\local\temp\bltools v2.7.1 [pro].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2044
CMD: "C:\Users\admin\AppData\Local\Temp\BLTools v2.7.1 [PRO].sfx.exe"
Path: C:\Users\admin\AppData\Local\Temp\BLTools v2.7.1 [PRO].sfx.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\bltools v2.7.1 [pro].sfx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Total events: 5 952
Read events: 5 927
Write events: 25
Delete events: 0

Modification events

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID: 492
Process: BLTools v2.7.1 [PRO].exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Explorer.EXE

PID: 492
Process: BLTools v2.7.1 [PRO].exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Executable files: 8
Suspicious files: 4
Text files: 4
Unknown types: 0

Dropped files

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Filename: C:\Users\admin\AppData\Local\Temp\AlphaFS.dll
Type: executable
MD5: F2F6F6798D306D6D7DF4267434B5C5F9
SHA256: 837F2CEAB6BBD9BC4BF076F1CB90B3158191888C3055DD2B78A1E23F1C3AAFDD

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Filename: C:\Users\admin\AppData\Local\Temp\Licansia.txt
Type: text
MD5: 1B9CA37C074C7AA2BC897FE35A944213
SHA256: 9C0D36420DC061082831BB4D47DC9F25D8F129D65A3D3AD43A12D57C5E1C2088

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Filename: C:\Users\admin\AppData\Local\Temp\MaterialDesignThemes.Wpf.dll
Type: executable
MD5: 824CBF63999F954AA1747F79586A4D3C
SHA256: 344E2CEE979E979932F504DC76BD75E97AE1FF46CAA3FE2795ADFE0A866347F7

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Filename: C:\Users\admin\AppData\Local\Temp\License.dll
Type: text
MD5: 26A0D549D0987279798CB6421D2DDFA2
SHA256: A329CE0D40E38A0126731C4F47D638995808B2AFED73EC3E430909B213B232ED

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Filename: C:\Users\admin\AppData\Local\Temp\Extreme.Net.dll
Type: executable
MD5: F79F0E3A0361CAC000E2D3553753CD68
SHA256: 8A6518AB7419FBEC3AC9875BAA3AFB410AD1398C7AA622A09CD9084EC6CADFCD

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Filename: C:\Users\admin\AppData\Local\Temp\MaterialDesignColors.dll
Type: executable
MD5: 5C108C4DA6D03F0FA2C3B4DC7890CB52
SHA256: B5EC30C93B1D2B4631EE2B178750EC92E302E2E331090EC9783981B9572354F8

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Filename: C:\Users\admin\AppData\Local\Temp\Projects\Ebay.proj
Type: text
MD5: A57E89250A50C010B2B6EDD2EFD0B39F
SHA256: 51314174405FE1D723621C67C12C03550426F07A83DDCAB9E36E6D992498D899

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Filename: C:\Users\admin\AppData\Local\Temp\BLTools v2.7.1 [PRO].exe
Type: executable
MD5: 1BE3CFA8F6A7F61BB6CF420D94ED6465
SHA256: 15902937BCE71D868EEDAC8DE3E2C865935B22ED4C66FFADEF61BF2D29238D1F

PID: 2044
Process: BLTools v2.7.1 [PRO].sfx.exe
Filename: C:\Users\admin\AppData\Local\Temp\CookiesCreator.exe
Type: executable
MD5: AEE127951627898FF120D3F4A3ADA964
SHA256: A61FE2CF0E51860F3BFDE5B6159F926748F7D2D0B7B397831BF695F63CF99106

PID: 492
Process: BLTools v2.7.1 [PRO].exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Type: compressed
MD5: AC05D27423A85ADC1622C714F2CB6184
SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 3
Threats: 0

HTTP requests

PID: 492
Process: BLTools v2.7.1 [PRO].exe
Method: GET
HTTP Code: 200
IP: 87.248.204.0:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?99583e6c0cf8fc9d
CN: unknown
Type: compressed
Size: 65.2 Kb
Reputation: unknown

Connections

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 492
Process: BLTools v2.7.1 [PRO].exe
IP: 104.26.0.5:443
Domain: keyauth.win
ASN: CLOUDFLARENET
CN: US
Reputation: unknown

PID: 492
Process: BLTools v2.7.1 [PRO].exe
IP: 87.248.204.0:80
Domain: ctldl.windowsupdate.com
ASN: LLNW
CN: US
Reputation: unknown

PID: 492
Process: BLTools v2.7.1 [PRO].exe
IP: 104.26.4.15:443
Domain: api.steaminventoryhelper.com
ASN: CLOUDFLARENET
CN: US
Reputation: unknown

DNS requests

Domain: keyauth.win
IP:
  • 104.26.0.5
  • 172.67.72.57
  • 104.26.1.5
Reputation: malicious

Domain: ctldl.windowsupdate.com
IP:
  • 87.248.204.0
Reputation: whitelisted

Domain: api.steaminventoryhelper.com
IP:
  • 104.26.4.15
  • 172.67.75.166
  • 104.26.5.15
Reputation: unknown

Threats

No threats detected
No debug info