File name: sample3.bin
Full analysis: https://app.any.run/tasks/49f8be1d-585d-4e81-95f6-a05ef6213539
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 18, 2020, 06:07:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3AF2B1263FA37C7184E45DA519455788
SHA1: F6A713BDA47DFC66B2B3D878FD61003FD5C31050
SHA256: 3671C19E6419C6343A2E54DB18C2C2342F1C34B05D9D24BE933036D9EE1A6979
SSDEEP: 12288:yBZv8zbkN8OnL7iaG3Zvd1UlOXqLj1+BnX1zfkKf+jOtR676kqLrb8CHR4cQxlIP:yBvuJIlOaLoxVfkKfOOtQ6RHb8fcQxGP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • svchost.exe (PID: 2824)
      • Eap3Host.exe (PID: 2232)
    • Downloads executable files from the Internet

      • sample3.bin.exe (PID: 3956)
      • svchost.exe (PID: 2824)
    • Runs injected code in another process

      • svchost.exe (PID: 2824)
    • Application was injected by another process

      • explorer.exe (PID: 352)
      • winlogon.exe (PID: 552)
    • Loads dropped or rewritten executable

      • svchost.exe (PID: 2824)
    • Connects to CnC server

      • svchost.exe (PID: 2824)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • sample3.bin.exe (PID: 3956)
    • Creates executable files which already exist in Windows

      • sample3.bin.exe (PID: 3956)
    • Executable content was dropped or overwritten

      • svchost.exe (PID: 2824)
      • sample3.bin.exe (PID: 3956)
      • explorer.exe (PID: 352)
    • Reads Internet Cache Settings

      • svchost.exe (PID: 2824)
    • Creates files in the program directory

      • explorer.exe (PID: 352)
  • INFO

    • Manual execution by user

      • Eap3Host.exe (PID: 2232)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

ProductVersion: 1.0.0.0
LegalCopyright: Copyright (C) 2017
FileVersion: 1.0.0.0
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x3f9e0
UninitializedDataSize: -
InitializedDataSize: 164864
CodeSize: 565248
LinkerVersion: 12
PEType: PE32
TimeStamp: 2019:10:30 10:55:09+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Oct-2019 09:55:09
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • F:\CZDY\Code\V5\BARS\新通道程序\580game.pdb
FileVersion: 1.0.0.0
LegalCopyright: Copyright (C) 2017
ProductVersion: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 30-Oct-2019 09:55:09
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00089F95 | 0x0008A000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.55721
.rdata | 0x0008B000 | 0x00018B28 | 0x00018C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.12749
.data | 0x000A4000 | 0x0000867C | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.32107
.tls | 0x000AD000 | 0x00000035 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x000AE000 | 0x00000680 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.49525
.reloc | 0x000AF000 | 0x000064CC | 0x00006600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.66536

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.89623 | 392 | UNKNOWN | English - United States | RT_MANIFEST
7 | 1.58279 | 42 | UNKNOWN | Chinese - PRC | RT_STRING
103 | 3.49586 | 276 | UNKNOWN | Chinese - PRC | RT_DIALOG
109 | 1.79879 | 16 | UNKNOWN | Chinese - PRC | RT_ACCELERATOR

Imports

ADVAPI32.dll
IPHLPAPI.DLL
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WLDAP32.dll
WS2_32.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Interactive process graph, not reproduced here. Nodes: sample3.bin.exe (no specs), sample3.bin.exe, svchost.exe, explorer.exe, eap3host.exe, winlogon.exe. Edge types shown: drop and start, start, inject.]

Process information

PID: 2692
CMD: "C:\Users\admin\AppData\Local\Temp\sample3.bin.exe"
Path: C:\Users\admin\AppData\Local\Temp\sample3.bin.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.0.0.0

PID: 3956
CMD: "C:\Users\admin\AppData\Local\Temp\sample3.bin.exe"
Path: C:\Users\admin\AppData\Local\Temp\sample3.bin.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 4
Version: 1.0.0.0

PID: 2824
CMD: C:\Windows\system32\svchost.exe -k
Path: C:\Windows\9552475AEC9A4BF392EC2F2351B81A9B\svchost.exe
Parent process: sample3.bin.exe
User: admin
Integrity Level: HIGH
Version: 1.0.0.0

PID: 352
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
Parent process: -
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2232
CMD: "C:\ProgramData\Eap3Host.exe"
Path: C:\ProgramData\Eap3Host.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Eap Third Party Surrogate Host
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 552
CMD: winlogon.exe
Path: C:\Windows\System32\winlogon.exe
Parent process: -
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Logon Application
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 487
Read events: 443
Write events: 44
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
352 | explorer.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | write | LanguageList | en-US
2824 | svchost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
2824 | svchost.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
2824 | svchost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | write | EnableFileTracing | 0
2824 | svchost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | write | EnableConsoleTracing | 0
2824 | svchost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | write | FileTracingMask | 4294901760
2824 | svchost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | write | ConsoleTracingMask | 4294901760
2824 | svchost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | write | MaxFileSize | 1048576
2824 | svchost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASAPI32 | write | FileDirectory | %windir%\tracing
2824 | svchost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchost_RASMANCS | write | EnableFileTracing | 0
Executable files: 6
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2232 | Eap3Host.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\get_ip[1].htm | - | - | -
2232 | Eap3Host.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\error[1].htm | - | - | -
2232 | Eap3Host.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\a436e0320284b16c[1].json | - | - | -
2232 | Eap3Host.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ms[1].json | - | - | -
2232 | Eap3Host.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ps[1].json | - | - | -
2824 | svchost.exe | C:\Users\admin\AppData\Local\Temp\YFYhgyMw\God.DLL | executable | FED3FFD6FF0BB64C11D6C9C27DD156AF | 4CD6ECEBA1B7427D3E3FA243615BC21C24E20DC4925DB0B19587D3CD34642C45
2824 | svchost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\ip[1].htm | text | 4B1A5D00DC33861AAA5141A916B1CAE6 | 35EA888C49E5E028CDC5297AE8A8BE2B306A9E3021790C757B6D400DF7DC6DE2
2824 | svchost.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\install[1].htm | text | 27807BA8B6B485058C196DE6244D76F4 | 88B14AB5E302FFA31719F4E551D82096AAC2F32CF36C2C9352E30EFAB6CB681D
2824 | svchost.exe | C:\Users\admin\AppData\Local\Temp\YFYhgyMw\ys25.DLL | executable | 0348A0F46C39DA97AFCA1731D8F34EA5 | D02897B94726BBCC28FE8EBA55E42198F6DA94DB2A621CB0A23CB94FAFECD8CE
2824 | svchost.exe | C:\Users\admin\AppData\Local\Temp\YFYhgyMw\ping.exe | executable | 8F6C1631C12605E52C646F08E861476B | 8DDEDD5676B778D11CC9F13DF8525B83F3F7DC8E61CEA0E43EAAF1BE5092D2BD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 30
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3956 | sample3.bin.exe | GET | 200 | 198.11.136.96:80 | http://api.m.taobao.com/rest/api3.do?api=mtop.common.getTimestamp | US | text | 109 b | suspicious
3956 | sample3.bin.exe | POST | 200 | 47.56.20.174:80 | http://byd.580.bydj2019.com/checkver | US | text | 202 b | suspicious
2824 | svchost.exe | POST | 200 | 47.56.20.174:80 | http://byd.580.bydj2019.com/zzz | US | executable | 690 Kb | suspicious
3956 | sample3.bin.exe | GET | 200 | 198.11.136.96:80 | http://api.m.taobao.com/rest/api3.do?api=mtop.common.getTimestamp | US | text | 109 b | suspicious
2824 | svchost.exe | POST | 200 | 47.56.20.174:80 | http://byd.580.bydj2019.com/checkver | US | text | 202 b | suspicious
2824 | svchost.exe | POST | 200 | 103.39.210.144:808 | http://103.39.210.144:808/001shuai/install.php | CN | text | 54 b | suspicious
2824 | svchost.exe | GET | 200 | 103.39.210.144:808 | http://103.39.210.144:808/ip.php | CN | text | 11 b | suspicious
2824 | svchost.exe | POST | 200 | 47.56.20.174:80 | http://byd.580.bydj2019.com/zzz | US | executable | 12.5 Kb | suspicious
2824 | svchost.exe | GET | 200 | 198.11.136.96:80 | http://api.m.taobao.com/rest/api3.do?api=mtop.common.getTimestamp | US | text | 109 b | suspicious
2824 | svchost.exe | POST | 200 | 47.56.20.174:80 | http://byd.580.bydj2019.com/zzz | US | text | 220 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3956 | sample3.bin.exe | 47.56.20.174:80 | byd.580.bydj2019.com | - | US | suspicious
2824 | svchost.exe | 47.56.20.174:80 | byd.580.bydj2019.com | - | US | suspicious
3956 | sample3.bin.exe | 198.11.136.96:80 | api.m.taobao.com | Alibaba (China) Technology Co., Ltd. | US | suspicious
2824 | svchost.exe | 198.11.136.96:80 | api.m.taobao.com | Alibaba (China) Technology Co., Ltd. | US | suspicious
2824 | svchost.exe | 39.96.131.68:80 | yun3.6fenkj.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
2824 | svchost.exe | 183.230.74.65:80 | down.onefast.cc | Guangdong Mobile Communication Co.Ltd. | CN | suspicious
2232 | Eap3Host.exe | 180.163.26.100:80 | apps.game.qq.com | China Telecom (Group) | CN | malicious
2824 | svchost.exe | 103.39.210.144:808 | - | - | CN | suspicious
2232 | Eap3Host.exe | 103.235.46.39:80 | sp0.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | unknown
2232 | Eap3Host.exe | 183.201.223.39:80 | down.onefast.cc | China Mobile communications corporation | CN | malicious

DNS requests

Domain (reputation), followed by resolved IPs:

api.m.taobao.com (suspicious)
  • 198.11.136.96
byd.580.bydj2019.com (suspicious)
  • 47.56.20.174
yun3.6fenkj.com (unknown)
  • 39.96.131.68
zhaobin.byc.580.bydj2019.com (suspicious)
  • 47.56.20.174
down.onefast.cc (malicious)
  • 183.201.223.39
  • 117.169.77.22
  • 120.221.216.150
  • 183.230.74.14
  • 223.85.59.11
  • 223.111.243.149
  • 36.159.114.145
  • 183.250.178.141
  • 112.13.209.81
  • 221.180.248.20
  • 120.221.97.11
  • 36.159.114.146
  • 117.157.23.12
  • 223.111.153.171
  • 183.230.74.65
down.onefast.cc.cdn.dnsv1.com (malicious)
  • no IP recorded
8xxjezfm.slt.cdntip.com (malicious)
  • 183.230.74.65
  • 183.201.223.39
  • 117.169.77.22
  • 120.221.216.150
  • 183.230.74.14
  • 223.85.59.11
  • 223.111.243.149
  • 36.159.114.145
  • 183.250.178.141
  • 112.13.209.81
  • 221.180.248.20
  • 120.221.97.11
  • 36.159.114.146
  • 117.157.23.12
  • 223.111.153.171
apps.game.qq.com (whitelisted)
  • 180.163.26.100
  • 180.163.15.188
sp0.baidu.com (whitelisted)
  • 103.235.46.39
www.baidu.com (whitelisted)
  • 103.235.46.39

Threats

PID | Process | Class | Message
3956 | sample3.bin.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3956 | sample3.bin.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2824 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2824 | svchost.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2824 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2824 | svchost.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2824 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2824 | svchost.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2824 | svchost.exe | Misc activity | ET INFO Packed Executable Download
2824 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
12 ETPRO signatures available at the full report
No debug info