| File name: | 30a655a5e37718d40b4934961301a74a8d39853d435f377bbe58d42ee222ce5d.exe |
| Full analysis: | https://app.any.run/tasks/b63877bf-e3b3-4cae-b920-863ad3881919 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | May 28, 2025, 10:28:23 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | 6715D11F16E855F367A9C3AADD76FA1F |
| SHA1: | FF50320EE9169931A653036883E46F9176275841 |
| SHA256: | 30A655A5E37718D40B4934961301A74A8D39853D435F377BBE58D42EE222CE5D |
| SSDEEP: | 98304:qR1d0+GhzZcaIuZFPI8ROstWkhAbCtEwJo:a |
MALICIOUS
Steals credentials from Web Browsers
- 30a655a5e37718d40b4934961301a74a8d39853d435f377bbe58d42ee222ce5d.exe (PID: 7380)
Actions looks like stealing of personal data
- 30a655a5e37718d40b4934961301a74a8d39853d435f377bbe58d42ee222ce5d.exe (PID: 7380)
SUSPICIOUS
There is functionality for taking screenshot (YARA)
- 30a655a5e37718d40b4934961301a74a8d39853d435f377bbe58d42ee222ce5d.exe (PID: 7380)
INFO
Checks supported languages
- 30a655a5e37718d40b4934961301a74a8d39853d435f377bbe58d42ee222ce5d.exe (PID: 7380)
- elevation_service.exe (PID: 7836)
Reads the machine GUID from the registry
- 30a655a5e37718d40b4934961301a74a8d39853d435f377bbe58d42ee222ce5d.exe (PID: 7380)
Reads the computer name
- 30a655a5e37718d40b4934961301a74a8d39853d435f377bbe58d42ee222ce5d.exe (PID: 7380)
- elevation_service.exe (PID: 7836)
Executes as Windows Service
- elevation_service.exe (PID: 7836)
Manual execution by a user
- notepad.exe (PID: 7944)
- notepad.exe (PID: 8024)
- notepad.exe (PID: 8120)
- OpenWith.exe (PID: 8160)
- OpenWith.exe (PID: 672)
- OpenWith.exe (PID: 6740)
- notepad.exe (PID: 7512)
- OpenWith.exe (PID: 6248)
- OpenWith.exe (PID: 4408)
- OpenWith.exe (PID: 3308)
- OpenWith.exe (PID: 4560)
- OpenWith.exe (PID: 7220)
- WINWORD.EXE (PID: 4404)
- OpenWith.exe (PID: 7592)
- WINWORD.EXE (PID: 3208)
- WINWORD.EXE (PID: 7748)
Reads security settings of Internet Explorer
- notepad.exe (PID: 7944)
- notepad.exe (PID: 8024)
- notepad.exe (PID: 8120)
- notepad.exe (PID: 7512)
Reads Microsoft Office registry keys
- OpenWith.exe (PID: 7220)
- OpenWith.exe (PID: 6740)
- OpenWith.exe (PID: 672)
- OpenWith.exe (PID: 6248)
- OpenWith.exe (PID: 4408)
- OpenWith.exe (PID: 3308)
- OpenWith.exe (PID: 8160)
- OpenWith.exe (PID: 4560)
- OpenWith.exe (PID: 7592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:07:14 23:56:26+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 4.5 |
| CodeSize: | 2509824 |
| InitializedDataSize: | 1380864 |
| UninitializedDataSize: | 6457856 |
| EntryPoint: | 0x17100 |
| OSVersion: | 1 |
| ImageVersion: | - |
| SubsystemVersion: | 3.51 |
| Subsystem: | Windows GUI |
Total processes
162
Monitored processes
29
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 672 | "C:\WINDOWS\System32\OpenWith.exe" "C:\Users\admin\Desktop\Login Data" | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2340 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | — | 30a655a5e37718d40b4934961301a74a8d39853d435f377bbe58d42ee222ce5d.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 1 Version: 122.0.6261.70 Modules
| |||||||||||||||
| 3208 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\featurereleased.rtf /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 16.0.16026.20146 Modules
| |||||||||||||||
| 3308 | "C:\WINDOWS\System32\OpenWith.exe" "C:\Users\admin\Desktop\Web Data" | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4404 | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\benefitteacher.rtf /o "" | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 16.0.16026.20146 Modules
| |||||||||||||||
| 4408 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\Cookies | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4560 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\key | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5556 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5744 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | 30a655a5e37718d40b4934961301a74a8d39853d435f377bbe58d42ee222ce5d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 1 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 6028 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
24 916
Read events
24 456
Write events
426
Delete events
34
Modification events
| (PID) Process: | (7744) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (7744) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (7804) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (7804) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (7880) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 1 | |||
| (PID) Process: | (7908) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 1 | |||
| (PID) Process: | (2340) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 2 | |||
| (PID) Process: | (2340) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 3 | |||
| (PID) Process: | (5744) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 2 | |||
| (PID) Process: | (5744) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 3 | |||
Executable files
1
Suspicious files
119
Text files
48
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2340 | chrome.exe | C:\Users\admin\AppData\Local\Temp\Cookies | sqlite | |
MD5:06AD9E737639FDC745B3B65312857109 | SHA256:C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404 | |||
| 3208 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\featurereleased.rtf.LNK | binary | |
MD5:5B73701E23F246D46D6A5FDE6BFC2498 | SHA256:0998287F9321B8CE0C44DC37AE87F08E7079BF593BB1425FBAF343E07FB05BBB | |||
| 3208 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary | |
MD5:C50B46F3C6EA0B7392135E8722834937 | SHA256:CCBF4C2BD7ACF7CF52400ECC68B95FB585E05BC1C3600F53691E1A2459F30E16 | |||
| 3208 | WINWORD.EXE | C:\Users\admin\Desktop\~$nefitteacher.rtf | binary | |
MD5:3908022371174164DDB912B34556720A | SHA256:775EC3ED9ABA7C202D9F53B1D93AE009FEE190EF2C4B25812BCD4C737462DA22 | |||
| 3208 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\benefitteacher.rtf.LNK | binary | |
MD5:67FCE20ECF6CA23CD17AF04E7192F6E7 | SHA256:C94EC4A481C9DE04D9335EE3B7C9A3D74695B1CB2595767B75E19A4105A505DD | |||
| 3208 | WINWORD.EXE | C:\Users\admin\Desktop\~$artblue.rtf | binary | |
MD5:EF8371759EC8C9A6117A5EB8B9AA8E57 | SHA256:68786443E11881115A072543E8922338AB6AC1B1DE1566080638CC7740ED8EB0 | |||
| 3208 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | |
MD5:489F29D293BBFA1D04016F68F94A1215 | SHA256:B9D73A38792B0D0BD453BB7268C8A6850CE374C71D915F216B1DECE228141902 | |||
| 3208 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms | binary | |
MD5:E4A1661C2C886EBB688DEC494532431C | SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5 | |||
| 3208 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\startblue.rtf.LNK | binary | |
MD5:3BB19B52761452B0F36CEDF02C008E0D | SHA256:4BB1CDE75897C03AB5543836C184C21B847AE07E8A7EFB50C36AB935BED81230 | |||
| 3208 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S | binary | |
MD5:762ED414683D8F5CE29ACCB49E03C8F7 | SHA256:56FCBE6D91A2D1E0E729B6511D80BB634A3E5E4E78F490427E878F06C49CD948 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
89
TCP/UDP connections
100
DNS requests
14
Threats
29
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3272 | RUXIMICS.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5796 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3272 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 104.21.48.1:443 | https://yu.troutbunion.bet/ujs/2b0de3a0-0789-4f6f-8fe2-c8afa61b6e98 | unknown | text | 31.9 Kb | malicious |
5796 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 104.21.48.1:443 | https://yu.troutbunion.bet/Up | unknown | — | — | — |
— | — | POST | 200 | 104.21.96.1:443 | https://yu.troutbunion.bet/Up/b | unknown | — | — | — |
— | — | POST | 200 | 104.21.112.1:443 | https://yu.troutbunion.bet/Up/b | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5796 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3272 | RUXIMICS.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
3272 | RUXIMICS.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5796 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5796 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5496 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
omex.cdn.office.net |
| whitelisted |
ecs.office.com |
| whitelisted |
messaging.lifecycle.office.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | ET MALWARE ACR/Amatera Stealer CnC Checkin Attempt |
— | — | Misc activity | ET HUNTING ZIP file exfiltration over raw TCP |
— | — | Misc activity | ET HUNTING ZIP file exfiltration over raw TCP |
— | — | Malware Command and Control Activity Detected | ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M1 |
— | — | Misc activity | ET HUNTING ZIP file exfiltration over raw TCP |
— | — | Malware Command and Control Activity Detected | ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M1 |
— | — | Misc activity | ET HUNTING ZIP file exfiltration over raw TCP |
— | — | Malware Command and Control Activity Detected | ET MALWARE ACR/Amatera Stealer CnC Exfil (POST) M1 |
— | — | Misc activity | ET HUNTING ZIP file exfiltration over raw TCP |
— | — | Misc activity | ET HUNTING ZIP file exfiltration over raw TCP |