analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

app2.exe

Full analysis: https://app.any.run/tasks/fbcb7e7d-9add-4edf-9431-2457473f3e3b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 02:05:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
meterpreter
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B358E9CC9242E19F4BFA876B5EB7DF98

SHA1:

9B2356BDE95888C777A8A6A5785BA09B416D94C0

SHA256:

34D4781100062FA79498AA79B0D711A16FDF72742AD7219BACB846B8B4F763B5

SSDEEP:

1536:IkGWJVmr2A5LQbZ7KpaXFF4DpW9CaiMb+KR0Nc8QsJq39:wuVmr2KLQbZ7WaXFFKlaie0Nc8QsC9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • METERPRETER was detected

      • app2 (1).exe (PID: 3476)

    • Application was injected by another process

      • host.exe (PID: 4088)

    • Runs injected code in another process

      • app2 (1).exe (PID: 3476)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2672)
      • chrome.exe (PID: 272)

  • INFO

    • Manual execution by user

      • chrome.exe (PID: 2672)
      • explorer.exe (PID: 2980)

    • Reads the hosts file

      • chrome.exe (PID: 2672)
      • chrome.exe (PID: 272)

    • Application launched itself

      • chrome.exe (PID: 2672)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 2.2.14
ProductName: Apache HTTP Server
OriginalFileName: ab.exe
LegalCopyright: Copyright 2009 The Apache Software Foundation.
InternalName: ab.exe
FileVersion: 2.2.14
FileDescription: ApacheBench command line utility
CompanyName: Apache Software Foundation
Comments: Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.2.14.0
FileVersionNumber: 2.2.14.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x5370
UninitializedDataSize: -
InitializedDataSize: 40960
CodeSize: 45056
LinkerVersion: 6
PEType: PE32
TimeStamp: 2009:05:02 20:25:03+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 02-May-2009 18:25:03
Detected languages:
  • English - United States
Debug artifacts:
  • 0\asf\release\build-2.2.14\support\Release\ab.pdb
Comments: Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
CompanyName: Apache Software Foundation
FileDescription: ApacheBench command line utility
FileVersion: 2.2.14
InternalName: ab.exe
LegalCopyright: Copyright 2009 The Apache Software Foundation.
OriginalFilename: ab.exe
ProductName: Apache HTTP Server
ProductVersion: 2.2.14

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 02-May-2009 18:25:03
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000A966
0x0000B000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.00411
.rdata
0x0000C000
0x00000FE6
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.31839
.data
0x0000D000
0x0000705C
0x00004000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.40784
.rsrc
0x00015000
0x000007C8
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.9583

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.49991
1896
UNKNOWN
English - United States
RT_VERSION

Imports

ADVAPI32.dll
KERNEL32.dll
MSVCRT.dll
WS2_32.dll
WSOCK32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
67
Monitored processes
27
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start inject app2.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs app2.exe chrome.exe no specs chrome.exe no specs #METERPRETER app2 (1).exe host.exe chrome.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1072"C:\Users\admin\AppData\Local\Temp\app2.exe" C:\Users\admin\AppData\Local\Temp\app2.exe
explorer.exe
User:
admin
Company:
Apache Software Foundation
Integrity Level:
MEDIUM
Description:
ApacheBench command line utility
Exit code:
0
Version:
2.2.14
2672"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
556"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f1da9d0,0x6f1da9e0,0x6f1da9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3752"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1008 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3852"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,1184488586429825153,5549271513412027231,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=17642722237270144452 --mojo-platform-channel-handle=1004 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
272"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=992,1184488586429825153,5549271513412027231,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=5745676782653015065 --mojo-platform-channel-handle=1572 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2788"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,1184488586429825153,5549271513412027231,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15385973703826374427 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1516"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,1184488586429825153,5549271513412027231,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17029249843211570096 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2436 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
892"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,1184488586429825153,5549271513412027231,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15571817569737074558 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2872"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=992,1184488586429825153,5549271513412027231,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15528768221194016246 --mojo-platform-channel-handle=3324 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
1 053
Read events
923
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
49
Text files
112
Unknown types
9

Dropped files

PID
Process
Filename
Type
2672chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F73E806-A70.pma
MD5:
SHA256:
2672chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\684bc13b-c3ef-4aea-a3dd-b7b155d0b456.tmp
MD5:
SHA256:
2672chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000046.dbtmp
MD5:
SHA256:
2672chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:745FF98D6EB320D6A946D4C43E8D3317
SHA256:558AE8B06570B9C63A72F515E6CD288BCA67368A23E349B625D8B1B7E42E9918
2672chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:4AFC066387D33D5264F8E796393B223B
SHA256:BB3E0F925E883318FB09FC498CACEA57F0F71548C9D42FF07634DC30D87F2D86
2672chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF3bf231.TMPtext
MD5:D55489ED6031D8B188E37B0B59F5CED3
SHA256:365B01D1B3333E366EEA50106551AAC8721156CB2572C173E2F501D8255093F4
2672chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF3bf240.TMPtext
MD5:4AFC066387D33D5264F8E796393B223B
SHA256:BB3E0F925E883318FB09FC498CACEA57F0F71548C9D42FF07634DC30D87F2D86
2672chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:D33038DC70A58F2AC0EA1823980691AE
SHA256:6EE5DB5588EB879D13CE5A0DB3CA1744079C1BE3F73959A3B900684C56061D97
2672chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:C5C3F347BDC11EA7A5BF62BCEA89896F
SHA256:EAE604A1C662FF82AD4B2D1056179FD77587159FDD7F1674404C0465E0610BC1
2672chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG.old~RF3bf2cd.TMPtext
MD5:3401B14F6B2624E5E44EB20FB8735443
SHA256:E32F20AE6528B8952EE2FF112DACEE4E9005868B7DAF85D3533B6F0135403875
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
25
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
272
chrome.exe
GET
200
45.236.128.190:8888
http://45.236.128.190:8888/app2.exe
unknown
executable
72.0 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1072
app2.exe
45.236.128.190:4444
malicious
272
chrome.exe
172.217.23.170:443
fonts.googleapis.com
Google Inc.
US
whitelisted
272
chrome.exe
172.217.22.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
272
chrome.exe
172.217.22.68:443
www.google.com
Google Inc.
US
whitelisted
272
chrome.exe
142.250.74.205:443
accounts.google.com
Google Inc.
US
whitelisted
272
chrome.exe
216.58.210.3:443
fonts.gstatic.com
Google Inc.
US
whitelisted
272
chrome.exe
172.217.16.195:443
www.gstatic.com
Google Inc.
US
whitelisted
272
chrome.exe
172.217.22.67:443
ssl.gstatic.com
Google Inc.
US
whitelisted
272
chrome.exe
45.236.128.190:8888
malicious
272
chrome.exe
172.217.18.174:443
clients2.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.22.99
whitelisted
accounts.google.com
  • 142.250.74.205
shared
www.google.com
  • 172.217.22.68
whitelisted
fonts.gstatic.com
  • 216.58.210.3
  • 172.217.22.35
whitelisted
fonts.googleapis.com
  • 172.217.23.170
whitelisted
clients2.google.com
  • 172.217.18.174
whitelisted
ssl.gstatic.com
  • 172.217.22.67
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
safebrowsing.googleapis.com
  • 216.58.212.170
whitelisted
www.gstatic.com
  • 172.217.16.195
  • 216.58.206.3
whitelisted

Threats

PID
Process
Class
Message
272
chrome.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
272
chrome.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
272
chrome.exe
A Network Trojan was detected
ET TROJAN Possible Metasploit Payload Common Construct Bind_API (from server)
272
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3476
app2 (1).exe
A Network Trojan was detected
MALWARE [PTsecurity] Possible Metasploit Payload Bind_API (from server)
3476
app2 (1).exe
Generic Protocol Command Decode
SURICATA Applayer Protocol detection skipped
3476
app2 (1).exe
A Network Trojan was detected
ET TROJAN Possible Metasploit Payload Common Construct Bind_API (from server)
3476
app2 (1).exe
A Network Trojan was detected
MALWARE [PTsecurity] BackDoor.Meterpreter.19
3476
app2 (1).exe
A Network Trojan was detected
REMOTE [PTsecurity] Meterpreter
3476
app2 (1).exe
Exploitation attributes have been detected
SHELL [PTsecurity] Meterpreter TCP session opened: RSA2048 key exchange
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
app2.exe