File name: BLTools v2.7.1 [PRO].sfx.exe
Full analysis: https://app.any.run/tasks/d787a14b-6113-4158-8205-8000f647a7e4
Verdict: Malicious activity
Analysis date: April 19, 2024, 18:54:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: BD5FD5AF41AFC879A18D665F64C9EB20
SHA1: 9D5E51DDD394D66336AC2C1ED60395414913DE91
SHA256: 2F693C27BDD5DE21D5997D5956DD3F9DA16CD2372AB6AF2B265B24E89F1BE581
SSDEEP: 98304:9fLIQ/9lT9eNYrIpsPG21IIZC4QiNhPEvhOQ5s/NdM0G3OoZzl/044WOZJE41paE:9tNYjVrJjA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
    • Reads Microsoft Outlook installation path

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
    • Reads the Internet Settings

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
      • BLTools v2.7.1 [PRO].exe (PID: 3808)
      • BLTools v2.7.1 [PRO].exe (PID: 2888)
    • Reads Internet Explorer settings

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
    • Executable content was dropped or overwritten

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
    • Reads settings of System Certificates

      • BLTools v2.7.1 [PRO].exe (PID: 3808)
      • BLTools v2.7.1 [PRO].exe (PID: 2888)
    • Process drops legitimate windows executable

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
  • INFO

    • Checks supported languages

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
      • BLTools v2.7.1 [PRO].exe (PID: 3808)
      • BLTools v2.7.1 [PRO].exe (PID: 2888)
    • Reads the computer name

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
      • BLTools v2.7.1 [PRO].exe (PID: 3808)
      • BLTools v2.7.1 [PRO].exe (PID: 2888)
    • Checks proxy server information

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
    • Reads the machine GUID from the registry

      • BLTools v2.7.1 [PRO].sfx.exe (PID: 668)
      • BLTools v2.7.1 [PRO].exe (PID: 3808)
      • BLTools v2.7.1 [PRO].exe (PID: 2888)
    • Reads Environment values

      • BLTools v2.7.1 [PRO].exe (PID: 3808)
      • BLTools v2.7.1 [PRO].exe (PID: 2888)
    • Create files in a temporary directory

      • BLTools v2.7.1 [PRO].exe (PID: 3808)
    • Reads the software policy settings

      • BLTools v2.7.1 [PRO].exe (PID: 3808)
      • BLTools v2.7.1 [PRO].exe (PID: 2888)
    • Manual execution by a user

      • BLTools v2.7.1 [PRO].exe (PID: 2888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x21d50
UninitializedDataSize: -
InitializedDataSize: 263680
CodeSize: 214528
LinkerVersion: 14.33
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2023:09:28 10:37:13+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive graph available in the full report): start, bltools v2.7.1 [pro].sfx.exe, bltools v2.7.1 [pro].exe, bltools v2.7.1 [pro].exe

Process information

PID: 668
CMD: "C:\Users\admin\Desktop\BLTools v2.7.1 [PRO].sfx.exe"
Path: C:\Users\admin\Desktop\BLTools v2.7.1 [PRO].sfx.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\desktop\bltools v2.7.1 [pro].sfx.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 3808
CMD: "C:\Users\admin\Desktop\BLTools v2.7.1 [PRO].exe"
Path: C:\Users\admin\Desktop\BLTools v2.7.1 [PRO].exe
Parent process: BLTools v2.7.1 [PRO].sfx.exe
User: admin
Integrity Level: MEDIUM
Description: BLTools Cookies Checker
Version: 2.7.1.0
Exit code: 3489660927
Modules (images):
  • c:\users\admin\desktop\bltools v2.7.1 [pro].exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2888
CMD: "C:\Users\admin\Desktop\BLTools v2.7.1 [PRO].exe"
Path: C:\Users\admin\Desktop\BLTools v2.7.1 [PRO].exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: BLTools Cookies Checker
Version: 2.7.1.0
Modules (images):
  • c:\users\admin\desktop\bltools v2.7.1 [pro].exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 12 320
Read events: 12 265
Write events: 53
Delete events: 2

Modification events

  • PID 668, BLTools v2.7.1 [PRO].sfx.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Operation: write, Name: ProxyBypass, Value: 1
  • PID 668, BLTools v2.7.1 [PRO].sfx.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Operation: write, Name: IntranetName, Value: 1
  • PID 668, BLTools v2.7.1 [PRO].sfx.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Operation: write, Name: UNCAsIntranet, Value: 1
  • PID 668, BLTools v2.7.1 [PRO].sfx.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Operation: write, Name: AutoDetect, Value: 0
  • PID 668, BLTools v2.7.1 [PRO].sfx.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    Operation: write, Name: CachePrefix, Value:
  • PID 668, BLTools v2.7.1 [PRO].sfx.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    Operation: write, Name: CachePrefix, Value: Cookie:
  • PID 668, BLTools v2.7.1 [PRO].sfx.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    Operation: write, Name: CachePrefix, Value: Visited:
  • PID 668, BLTools v2.7.1 [PRO].sfx.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
    Operation: delete value, Name: AddToFavoritesInitialSelection, Value:
  • PID 668, BLTools v2.7.1 [PRO].sfx.exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
    Operation: delete value, Name: AddToFeedsInitialSelection, Value:
  • PID 3808, BLTools v2.7.1 [PRO].exe
    Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
    Operation: write, Name: Name, Value: BLTools v2.7.1 [PRO].exe
Executable files: 8
Suspicious files: 0
Text files: 4
Unknown types: 1

Dropped files

  • C:\Users\admin\AppData\Local\Temp\Cab3D01.tmp
    PID: 3808 (BLTools v2.7.1 [PRO].exe), Type: -
    MD5: 29F65BA8E88C063813CC50A4EA544E93
    SHA256: -
  • C:\Users\admin\Desktop\Settings.ini
    PID: 668 (BLTools v2.7.1 [PRO].sfx.exe), Type: text
    MD5: 3F3FA29AD9B39126AB766F374AB3A0D9
    SHA256: C6B91487F72AB5315322F9FC3F6B750A848A568B4A8CAA30F499FF3ACF186814
  • C:\Users\admin\Desktop\Ookii.Dialogs.Wpf.dll
    PID: 668 (BLTools v2.7.1 [PRO].sfx.exe), Type: executable
    MD5: 932EBB3F9E7113071C6A17818342B7CC
    SHA256: 285AA8225732DDBCF211B1158BD6CFF8BF3ACBEEAB69617F4BE85862B7105AB5
  • C:\Users\admin\Desktop\AlphaFS.dll
    PID: 668 (BLTools v2.7.1 [PRO].sfx.exe), Type: executable
    MD5: F2F6F6798D306D6D7DF4267434B5C5F9
    SHA256: 837F2CEAB6BBD9BC4BF076F1CB90B3158191888C3055DD2B78A1E23F1C3AAFDD
  • C:\Users\admin\Desktop\CookiesCreator.exe
    PID: 668 (BLTools v2.7.1 [PRO].sfx.exe), Type: executable
    MD5: AEE127951627898FF120D3F4A3ADA964
    SHA256: A61FE2CF0E51860F3BFDE5B6159F926748F7D2D0B7B397831BF695F63CF99106
  • C:\Users\admin\Desktop\MaterialDesignColors.dll
    PID: 668 (BLTools v2.7.1 [PRO].sfx.exe), Type: executable
    MD5: 5C108C4DA6D03F0FA2C3B4DC7890CB52
    SHA256: B5EC30C93B1D2B4631EE2B178750EC92E302E2E331090EC9783981B9572354F8
  • C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    PID: 3808 (BLTools v2.7.1 [PRO].exe), Type: -
    MD5: 29F65BA8E88C063813CC50A4EA544E93
    SHA256: -
  • C:\Users\admin\Desktop\BLTools v2.7.1 [PRO].exe
    PID: 668 (BLTools v2.7.1 [PRO].sfx.exe), Type: executable
    MD5: 1BE3CFA8F6A7F61BB6CF420D94ED6465
    SHA256: 15902937BCE71D868EEDAC8DE3E2C865935B22ED4C66FFADEF61BF2D29238D1F
  • C:\Users\admin\Desktop\MaterialDesignThemes.Wpf.dll
    PID: 668 (BLTools v2.7.1 [PRO].sfx.exe), Type: executable
    MD5: 824CBF63999F954AA1747F79586A4D3C
    SHA256: 344E2CEE979E979932F504DC76BD75E97AE1FF46CAA3FE2795ADFE0A866347F7
  • C:\Users\admin\Desktop\Extreme.Net.dll
    PID: 668 (BLTools v2.7.1 [PRO].sfx.exe), Type: executable
    MD5: F79F0E3A0361CAC000E2D3553753CD68
    SHA256: 8A6518AB7419FBEC3AC9875BAA3AFB410AD1398C7AA622A09CD9084EC6CADFCD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 3
Threats: 4

HTTP requests

Columns in the report: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation

  • PID 3808, BLTools v2.7.1 [PRO].exe: GET, HTTP 200, 2.19.122.205:80
    URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?db92176b4f1d1c24
    Remaining columns (CN, Type, Size, Reputation) as extracted: unknown, unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3808 | BLTools v2.7.1 [PRO].exe | 172.67.72.57:443 | keyauth.win | CLOUDFLARENET | US | unknown
3808 | BLTools v2.7.1 [PRO].exe | 2.19.122.205:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
2888 | BLTools v2.7.1 [PRO].exe | 172.67.72.57:443 | keyauth.win | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
keyauth.win | 172.67.72.57, 104.26.0.5, 104.26.1.5 | malicious
ctldl.windowsupdate.com | 2.19.122.205, 2.19.122.224 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO Fake Game Cheat Related Domain in DNS Lookup (keyauth .win)
- | - | Potentially Bad Traffic | ET INFO Fake Game Cheat Related Domain in DNS Lookup (keyauth .win)
- | - | Potentially Bad Traffic | ET INFO Fake Game Cheat Related Domain (keyauth .win) in TLS SNI
- | - | Potentially Bad Traffic | ET INFO Fake Game Cheat Related Domain (keyauth .win) in TLS SNI
No debug info