File name: malbomb.exe
Full analysis: https://app.any.run/tasks/9922030d-a378-4c65-8bba-657c730d6dbd
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. It can infect victims' computers, profile their system information, and install other types of threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 27, 2023, 19:02:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
kelihos
trojan
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: 1B39F40A03129F2B640E61FEAAC089A6
SHA1: EFAABEC12D2C13D2A07B1C9699158D6ABF1E76A1
SHA256: 3176AAB6F98D39995829E4C2C501FD5B02D16F2768E8B7E7FFA368EA937403F7
SSDEEP: 1536:ud3syM2MGPPwM2MGnkM2MGpvM2MG4G0M2MGpvM2MG4GuhftMvV+t:sDM2MGPPwM2MGnkM2MGpvM2MG4G0M2M5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • KELIHOS has been detected (SURICATA)

      • malbomb.exe (PID: 2040)
      • malbomb.exe (PID: 5596)
    • Actions look like stealing of personal data

      • malbomb.exe (PID: 2040)
  • SUSPICIOUS

    • Reads the Internet Settings

      • malbomb.exe (PID: 2040)
      • malbomb.exe (PID: 5596)
    • Reads security settings of Internet Explorer

      • malbomb.exe (PID: 2040)
      • malbomb.exe (PID: 5596)
    • Reads settings of System Certificates

      • malbomb.exe (PID: 2040)
      • malbomb.exe (PID: 5596)
    • Block-list domains

      • malbomb.exe (PID: 2040)
    • Checks Windows Trust Settings

      • malbomb.exe (PID: 5596)
      • malbomb.exe (PID: 2040)
    • Connects to the server without a host name

      • malbomb.exe (PID: 5596)
      • malbomb.exe (PID: 2040)
    • Process requests binary or script from the Internet

      • malbomb.exe (PID: 2040)
      • malbomb.exe (PID: 5596)
    • Connects to unusual port

      • malbomb.exe (PID: 5596)
      • malbomb.exe (PID: 2040)
  • INFO

    • Reads the computer name

      • malbomb.exe (PID: 2040)
      • malbomb.exe (PID: 5596)
    • Checks supported languages

      • malbomb.exe (PID: 2040)
      • malbomb.exe (PID: 5596)
    • Drops the executable file immediately after the start

      • malbomb.exe (PID: 2040)
    • Checks proxy server information

      • malbomb.exe (PID: 2040)
      • malbomb.exe (PID: 5596)
    • Reads the machine GUID from the registry

      • malbomb.exe (PID: 2040)
      • malbomb.exe (PID: 5596)
    • Creates files or folders in the user directory

      • malbomb.exe (PID: 2040)
      • malbomb.exe (PID: 5596)
    • Creates files in a temporary directory

      • malbomb.exe (PID: 2040)
    • Manual execution by a user

      • malbomb.exe (PID: 5596)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:12:27 20:04:38+01:00 (19:04:38 UTC, which is under two minutes after the listed analysis start; the build machine's clock and the sandbox clock therefore disagree. PE link timestamps are attacker-controlled, so treat this value as a hint, not as evidence of build time.)
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29 (the MSVC toolset shipped with Visual Studio 2019 16.10/16.11, consistent with the msvcp140.dll/vcruntime140.dll runtime the process loads)
CodeSize: 18944
InitializedDataSize: 12800
UninitializedDataSize: -
EntryPoint: 0x4ada
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Interactive in the full report: click a process node to see its details.) Two nodes, both launched from the start node: malbomb.exe #KELIHOS (PID 2040) and malbomb.exe #KELIHOS (PID 5596).

Process information

PID 2040: "C:\Users\admin\Desktop\malbomb.exe"
  Path: C:\Users\admin\Desktop\malbomb.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT: the console process was ended with Ctrl+C/Ctrl+Break, i.e. it was stopped from the sandbox session rather than exiting on its own)
  Modules (images):
    c:\users\admin\desktop\malbomb.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp140.dll
    c:\windows\system32\vcruntime140.dll
    c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
    c:\windows\system32\api-ms-win-core-file-l2-1-0.dll

PID 5596: "C:\Users\admin\Desktop\malbomb.exe"
  Path: C:\Users\admin\Desktop\malbomb.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221225786 (0xC000013A, STATUS_CONTROL_C_EXIT, as above)
  Modules (images): identical to the ten listed for PID 2040

PID 5596 is a second launch of the same binary (it is the instance tagged "Manual execution by a user" above); both instances share the same parent, user, integrity level, exit code and image list. The msvcp140.dll/vcruntime140.dll/ucrtbase.dll trio is the Visual C++ 2015+ runtime, matching the TRiD "MS Visual C++" classification. The module lists shown are partial: the Internet Settings registry writes and Content.IE5 cache files below are WinINet artifacts, yet wininet.dll does not appear among the ten images listed.
Total events: 30 949
Read events: 30 874
Write events: 75
Delete events: 0

Modification events

All ten registry writes shown (of 75 write events in total) are by PID 2040 (malbomb.exe) under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings:

Subkey | Name | Value
(Internet Settings itself) | ProxyEnable | 0
Connections | SavedLegacySettings | 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
ZoneMap | ProxyBypass | 1
ZoneMap | IntranetName | 1
ZoneMap | UNCAsIntranet | 1
ZoneMap | AutoDetect | 0
5.0\Cache\Cookies | CachePrefix | Cookie:
5.0\Cache\History | CachePrefix | Visited:
Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} | WpadDecisionReason | 1
Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} | WpadDecisionTime | 58815650F738DA01

These are the keys WinINet initialises the first time a process uses it (proxy state, the WPAD auto-detection result, cache prefixes); they are side effects of the sample's HTTP activity rather than a deliberate configuration change. None of the ten writes shown touches a Run key, a service or a scheduled task, and Delete events is 0, so this excerpt shows no persistence mechanism. SavedLegacySettings is a binary structure and WpadDecisionTime is a Windows FILETIME; the sandbox prints both as raw hex.
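The two hex values in that table are worth decoding when triaging, because the FILETIME fixes when the process first went online and the settings blob tells you whether a proxy or PAC script was involved. The Python below is an added example (mine, not part of the ANY.RUN report) that decodes both values as printed above. WpadDecisionTime is a little-endian Windows FILETIME. For SavedLegacySettings the field order and flag names are an assumption: Microsoft does not document the structure, and the layout used here (version, change counter, flag bits, then three length-prefixed strings for proxy server, bypass list and auto-config URL) is the one forensic tooling commonly applies to DefaultConnectionSettings/SavedLegacySettings. Only the first 64 bytes of the value are embedded; the remainder in the report is zero padding.

```python
import struct
from datetime import datetime, timedelta, timezone

# Values copied from the report's "Modification events" table (hex exactly as the sandbox prints it).
WPAD_DECISION_TIME_HEX = "58815650F738DA01"
# First 64 bytes of SavedLegacySettings; the rest of the value in the report is zero padding.
SAVED_LEGACY_SETTINGS_HEX = (
    "460000005B010000090000000000000000000000000000000400000000000000"
    "C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B"
)

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC, stored little-endian.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(hex_le: str) -> datetime:
    """Decode a little-endian FILETIME given as a hex string (as shown in registry dumps)."""
    (ticks,) = struct.unpack("<Q", bytes.fromhex(hex_le))
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


# Flag bits of the WinINet connection-settings blob. Assumed layout: Microsoft does not
# document this structure; the field order and bit meanings below are the ones forensic
# tools commonly use for DefaultConnectionSettings/SavedLegacySettings.
PROXY_FLAGS = {
    0x01: "DIRECT",
    0x02: "MANUAL_PROXY",
    0x04: "AUTO_CONFIG_URL",
    0x08: "AUTO_DETECT",
}


def parse_connection_settings(hex_blob: str) -> dict:
    """Decode version, change counter, flags and the three length-prefixed strings."""
    data = bytes.fromhex(hex_blob)
    version, counter, flags = struct.unpack_from("<III", data, 0)
    offset = 12
    fields = []
    for _ in range(3):  # proxy server, bypass list, auto-config (PAC) URL
        (length,) = struct.unpack_from("<I", data, offset)
        offset += 4
        fields.append(data[offset:offset + length].decode("latin-1"))
        offset += length
    return {
        "version": version,
        "counter": counter,
        "flags": [name for bit, name in PROXY_FLAGS.items() if flags & bit],
        "proxy_server": fields[0],
        "bypass_list": fields[1],
        "auto_config_url": fields[2],
        # Everything after the strings is undocumented; keep it raw rather than guess.
        "trailing_bytes": data[offset:].hex().upper(),
    }


if __name__ == "__main__":
    print("WpadDecisionTime :", filetime_to_datetime(WPAD_DECISION_TIME_HEX).isoformat())
    for key, value in parse_connection_settings(SAVED_LEGACY_SETTINGS_HEX).items():
        print(f"{key:16}: {value}")
```

Run as-is, the FILETIME decodes to 2023-12-27 19:03:01 UTC, seven seconds after the analysis start listed at the top of the page, which confirms the page's times are UTC and dates the sample's first WPAD probe. The settings blob decodes to version 70, counter 347, flags DIRECT and AUTO_DETECT, and three empty strings: no proxy server, bypass list or PAC URL was configured, so the loader's traffic went direct.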
Executable files: 0
Suspicious files: 129
Text files: 67
Unknown types: 1

Dropped files (the page lists ten, all written by PID 2040, malbomb.exe)

C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (binary)
  MD5: CB666A11D397575FC80608F6076C15D2
  SHA256: 9CA75A6081D1D764D36BB63DC8E7177ACBEB11A281E5F0CCB7893C35441F7B54
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\text[1].txt (text)
  MD5: ABBD1DEC6BC172E111CC34BE6D7CFC8B
  SHA256: FAD1532A9928B1D74B0C7E9301CB261D3B52B5A90C7FF9D47EA945A58C7A8636
C:\Users\admin\AppData\Local\Temp\Tar924.tmp (cat)
  MD5: 9C0C641C06238516F27941AA1166D427
  SHA256: 4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\XV9KCFAY.txt (text)
  MD5: 8859A75824828EEB5FE751DCD2C610B5
  SHA256: 474E076D2DBF3482521289298E9D9180BF566DABBB19D499ACBDB424C6019BEC
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (compressed)
  MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
  SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA (binary)
  MD5: 11FBC0CF0DBDE21BEE55EFDDC66C05CD
  SHA256: 2C485E74CA9C3D79D4EE43B33B8721188DEE1347064C39B015A8E2801C8836EC
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_89709BA6A8E04CB298EC71539929CC6D (binary)
  MD5: 2375463B063B7C7A00DA1A395CACD52F
  SHA256: 14FDB8E7FF9B8A43C682EBA02ED2B34745A1250D9976E0A54FB904AB0C52929C
C:\Users\admin\AppData\Local\Temp\Cab923.tmp (compressed)
  MD5: AC05D27423A85ADC1622C714F2CB6184
  SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 (binary)
  MD5: 56E2AF7ED8478272CFE5C55A5DBE5E7A
  SHA256: 29FF494FAF1329CA7A5695CD8856D9737D8FB58815AC19FFDE7F82D2AE424579
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\CO2ZQRAV.txt (text)
  MD5: F86BB2B7D47D9F0E6EDB7E2C7B50359F
  SHA256: 5D633CEB134328009D5977B384AC3A212B1F6E96ED048560FC6A7BA8499FC0AB

All ten are cache artifacts: CryptnetUrlCache entries and the Cab*.tmp/Tar*.tmp pair come from CryptoAPI's certificate-revocation (OCSP) and disallowed-certificate CTL fetches, while the Content.IE5 and Cookies files are WinINet's cache for the sample's own HTTP traffic. None is a payload, and the file counts above (Executable files: 0) confirm that none of the .exe files requested in the HTTP table below was written to disk in this run.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 632
TCP/UDP connections: 2 451
DNS requests: 354
Threats: 1 610

HTTP requests (10 of the 632 observed requests are shown)

PID | Process | Method | HTTP code | IP:port | URL | CN (country) | Type | Size | Reputation
2040 | malbomb.exe | GET | 200 | 104.18.20.226:80 | http://ocsp2.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEH3wUWDKXSh7Z3b6AuDWurw%3D | unknown | binary | 1.40 Kb | unknown
2040 | malbomb.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f9dcd550dac845bb | unknown | compressed | 4.66 Kb | unknown
2040 | malbomb.exe | GET | - | 185.81.157.152:333 | http://185.81.157.152:333/sodium/sodium.jpg | unknown | - | - | unknown
2040 | malbomb.exe | GET | - | 185.81.157.152:333 | http://185.81.157.152:333/SYNC/SYNC.jpg | unknown | - | - | unknown
2040 | malbomb.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | unknown | binary | 1.47 Kb | unknown
2040 | malbomb.exe | GET | - | 185.16.38.38:555 | http://185.16.38.38:555/24/b.jpg | unknown | - | - | unknown
2040 | malbomb.exe | GET | - | 109.107.182.3:80 | http://109.107.182.3/test/valid.exe | unknown | - | - | unknown
2040 | malbomb.exe | GET | - | 185.172.128.32:80 | http://185.172.128.32/ama.exe | unknown | - | - | unknown
2040 | malbomb.exe | GET | - | 77.91.68.21:80 | http://77.91.68.21/nova/foxi.exe | unknown | - | - | unknown
2040 | malbomb.exe | GET | 404 | 77.91.68.21:80 | http://77.91.68.21/red/line.exe | unknown | html | 162 b | unknown

The two OCSP requests and the disallowedcertstl.cab download are CryptoAPI certificate-chain checks triggered by the process's TLS connections (their cached copies are the CryptnetUrlCache files above). The other seven are the loader's own: GETs to bare IP addresses, on ports 333 and 555 as well as 80, for paths ending in .exe or in .jpg. No response code is recorded for any of them except the 404 for /red/line.exe, and the sandbox could not classify their content, so the .jpg names say nothing about what those servers actually return.
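To turn the pattern in that table into something a SOC can run over proxy or sandbox HTTP logs, here is an added Python example (mine, not from ANY.RUN or the sample's author). It scores each request for the combination of signals the loader shows at once: an IP-literal host, a non-standard port, an executable or image-named payload path, and a curl User-Agent, then summarises how many distinct bare-IP hosts one process fetched from. The log lines are constructed from the URLs in the table; the User-Agent strings are assumed, because the report shows only Suricata's curl alerts rather than the header, and the Microsoft-CryptoAPI value for the OCSP/CTL lines is likewise an assumption.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed log lines in the form "<pid> <method> <status> <url> ua=<user-agent>", modelled on
# the report's HTTP table. User-Agent values are assumed; the report shows only the IDS alerts.
LOG_LINES = [
    "2040 GET 200 http://ocsp2.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEH3wUWDKXSh7Z3b6AuDWurw%3D ua=Microsoft-CryptoAPI/6.1",
    "2040 GET 200 http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f9dcd550dac845bb ua=Microsoft-CryptoAPI/6.1",
    "2040 GET - http://185.81.157.152:333/sodium/sodium.jpg ua=curl/8.4.0",
    "2040 GET - http://185.81.157.152:333/SYNC/SYNC.jpg ua=curl/8.4.0",
    "2040 GET 200 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D ua=Microsoft-CryptoAPI/6.1",
    "2040 GET - http://185.16.38.38:555/24/b.jpg ua=curl/8.4.0",
    "2040 GET - http://109.107.182.3/test/valid.exe ua=curl/8.4.0",
    "2040 GET - http://185.172.128.32/ama.exe ua=curl/8.4.0",
    "2040 GET - http://77.91.68.21/nova/foxi.exe ua=curl/8.4.0",
    "2040 GET 404 http://77.91.68.21/red/line.exe ua=curl/8.4.0",
]

LINE_RE = re.compile(r"^(?P<pid>\d+) (?P<method>[A-Z]+) (?P<status>\S+) (?P<url>\S+) ua=(?P<ua>.+)$")

STANDARD_PORTS = {80, 443}
EXEC_EXT = (".exe", ".dll", ".scr", ".msi", ".bat", ".ps1", ".vbs")
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

# Weight per signal; a request is flagged when its total reaches THRESHOLD.
WEIGHTS = {
    "ip_literal_host": 1,
    "unusual_port": 2,
    "executable_download": 2,
    "image_name_on_ip_host": 1,  # image names served from a bare IP are a common payload disguise
    "curl_user_agent": 1,
}
THRESHOLD = 2


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_line(line: str) -> Optional[dict]:
    """Parse one log line and return its signals, score and flagged state (None if unparsable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path.lower()
    ip_host = is_ip_literal(host)

    signals = []
    if ip_host:
        signals.append("ip_literal_host")
    if port not in STANDARD_PORTS:
        signals.append("unusual_port")
    if path.endswith(EXEC_EXT):
        signals.append("executable_download")
    if ip_host and path.endswith(IMAGE_EXT):
        signals.append("image_name_on_ip_host")
    if m["ua"].lower().startswith("curl/"):
        signals.append("curl_user_agent")

    score = sum(WEIGHTS[s] for s in signals)
    return {"pid": int(m["pid"]), "host": host, "port": port, "url": m["url"],
            "signals": signals, "score": score, "flagged": score >= THRESHOLD}


def triage(lines) -> dict:
    """Summarise a log: flagged requests and the distinct bare-IP hosts they were fetched from."""
    results = [r for r in map(analyse_line, lines) if r]
    flagged = [r for r in results if r["flagged"]]
    ip_hosts = {r["host"] for r in flagged if is_ip_literal(r["host"])}
    return {"total": len(results), "flagged": flagged, "distinct_ip_hosts": sorted(ip_hosts)}


if __name__ == "__main__":
    summary = triage(LOG_LINES)
    for r in summary["flagged"]:
        print(f"pid={r['pid']} score={r['score']} {r['url']}  <- {', '.join(r['signals'])}")
    print(f"{len(summary['flagged'])}/{summary['total']} requests flagged; "
          f"payload hosts by IP literal: {summary['distinct_ip_hosts']}")
```

On the constructed lines the three CryptoAPI requests score zero and the seven loader requests are flagged, spanning five distinct IP-literal hosts. The per-process aggregate is the useful alert: a single benign download from a bare IP happens, but one process pulling executables from five unrelated IP addresses within minutes, some on ports 333 and 555, is the loader behaviour this report documents. Thresholds and the curl check are tunable; the curl signal in particular should be downgraded on hosts where administrators legitimately script with curl.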

Connections

PID | Process | IP:port | Domain | ASN | CN (country) | Reputation
2040 | malbomb.exe | 151.101.2.49:443 | urlhaus.abuse.ch | FASTLY | US | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2040 | malbomb.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
2040 | malbomb.exe | 104.18.20.226:80 | ocsp2.globalsign.com | CLOUDFLARENET | - | shared
2040 | malbomb.exe | 185.85.191.197:443 | www.bakirkoynakliyat.gen.tr | Ideal Hosting Teknoloji A.S. | TR | unknown
2040 | malbomb.exe | 162.159.135.233:443 | cdn.discordapp.com | CLOUDFLARENET | - | shared
2040 | malbomb.exe | 185.81.157.152:333 | - | Inulogic Sarl | FR | unknown
2040 | malbomb.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

The System entries (NetBIOS name service and datagram broadcasts on 137/138) and the svchost.exe entry (LLMNR multicast on 5355) are normal Windows background traffic, not sample activity. Only 10 of the 2 451 TCP/UDP connections are shown.

DNS requests (10 of the 354 observed are shown)

Domain | Resolved IP(s) | Reputation
urlhaus.abuse.ch | 151.101.2.49, 151.101.66.49, 151.101.130.49, 151.101.194.49 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp2.globalsign.com | 104.18.20.226, 104.18.21.226 | whitelisted
www.bakirkoynakliyat.gen.tr | 185.85.191.197 | unknown
cdn.discordapp.com | 162.159.135.233, 162.159.133.233, 162.159.129.233, 162.159.134.233, 162.159.130.233 | shared
ocsp.digicert.com | 192.229.221.95 | whitelisted
moscow-post.ru.com | 127.0.0.1 | unknown
artemcraft.temp.swtest.ru | 77.222.40.147 | unknown
tmpfiles.org | 172.67.195.247, 104.21.21.16 | malicious
1qwqewrewqweqwrqe.sbs | 104.21.94.207, 172.67.140.12 | unknown

moscow-post.ru.com answers with 127.0.0.1, so any request to it lands on the guest itself; a loopback answer usually means the name has been null-routed or sinkholed. Note that urlhaus.abuse.ch is "whitelisted" here but "unknown" in the Connections table: the two columns come from different reputation lists and are not contradictory.

Threats (10 of the 1 610 alerts are shown)

PID | Process | Class | Message
1080 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
2040 | malbomb.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2040 | malbomb.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 21
2040 | malbomb.exe | Attempted Information Leak | ET POLICY curl User-Agent Outbound
2040 | malbomb.exe | Attempted Information Leak | ET POLICY curl User-Agent Outbound
2040 | malbomb.exe | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
2040 | malbomb.exe | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
2040 | malbomb.exe | Attempted Information Leak | ET POLICY curl User-Agent Outbound
2040 | malbomb.exe | Potentially Bad Traffic | ET HUNTING curl User-Agent to Dotted Quad
2040 | malbomb.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI)

The curl rules fire on the User-Agent header of the outbound GETs to the IP-literal hosts in the HTTP table. Only the two malbomb.exe instances are monitored and no curl.exe child process appears, so the header is sent by the sample itself (for example through a statically linked libcurl or a copied string). "ET DROP ... Inbound" means a reply arrived from an address in a Spamhaus DROP-listed netblock, i.e. at least one host the loader contacted sits in a range Spamhaus recommends dropping outright. The Suricata rule behind the KELIHOS verdict at the top of the page is not among the rows reproduced here.
17 ETPRO signatures available at the full report
No debug info