File name: | 777.exe |
Full analysis: | https://app.any.run/tasks/f773bf42-037c-4565-9085-20f5358829e8 |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | December 05, 2022, 19:53:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 2CC6354FB80ABA5B598E03ACD73B8A58 |
SHA1: | 0285E5F32A8241F668E2BFDF6FBB50B5FE85425A |
SHA256: | 38A4AA886E31B053DA14946BDA69BFFCDBC9278C95D943D5F8B16BDF5A3E3915 |
SSDEEP: | 12288:ErkSnXEju456VTVAXfWjMfYhA4RePTkIQg84cuGBwhv9:ErkSnXYuE6VTW9fYy4aoI8YGBC9 |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (7.4) |
.exe | | | Win32 Executable (generic) (5.1) |
.exe | | | Generic Win/DOS Executable (2.2) |
.exe | | | DOS Executable Generic (2.2) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 1998-Jul-04 07:12:23 |
Comments: | 9=JC:2HEC75<:JA5C |
CompanyName: | >AI=9I9J:@=4G48;@@E;D |
FileDescription: | E><5<7>@IA:D44JA |
FileVersion: | 7.10.13.17 |
InternalName: | 666.exe |
LegalCopyright: | Copyright © 2010 >AI=9I9J:@=4G48;@@E;D |
OriginalFilename: | 666.exe |
ProductName: | E><5<7>@IA:D44JA |
ProductVersion: | 7.10.13.17 |
Assembly Version: | 1.0.0.0 |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 1998-Jul-04 07:12:23 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 8192 | 1122692 | 1122816 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.53738 |
.rsrc | 1138688 | 4373 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.98596 |
.reloc | 1146880 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.58491 | 892 | Latin 1 / Western European | UNKNOWN | RT_VERSION |
1 (#2) | 4.98865 | 3321 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1328 | "C:\Users\admin\AppData\Local\Temp\777.exe" | C:\Users\admin\AppData\Local\Temp\777.exe | Explorer.EXE | ||||||||||||
User: admin Company: >AI=9I9J:@=4G48;@@E;D Integrity Level: MEDIUM Description: E><5<7>@IA:D44JA Exit code: 0 Version: 7.10.13.17 Modules
| |||||||||||||||
3452 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\or.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\or.exe | 777.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Microsoft Visual Studio Version: 15.9.28307.1440 Modules
RedLine(PID) Process(3452) or.exe US (153) LEnvironmentogiEnvironmentn DatEnvironmenta Environment WSystem.Texteb DatSystem.Texta System.Text CoCryptographyokieCryptographys Cryptography ExtGenericension CooGenerickies Generic OFileInfopeFileInfora GFileInfoX StabFileInfole FileInfo OpLinqera GLinqX Linq ApGenericpDaGenericta\RGenericoamiGenericng\ Network Extension UNKNOWN cFileStreamredFileStreamit_cFileStreamardFileStreams FileStream \ Host Port : User Pass cookies.sqlite GetDirectories Entity12 EnumerateDirectories String.Replace String.Remove bcrFileStream.IOypt.dFileStream.IOll FileStream.IO BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder string.Empty BCruintyptCloseAlgorituinthmProvuintider uint BCrUnmanagedTypeyptDecrUnmanagedTypeypt UnmanagedType BCrhKeyyptDeshKeytroyKhKeyey hKey BCpszPropertyryptGepszPropertytPropepszPropertyrty pszProperty BCEncodingryptSEncodingetPrEncodingoperEncodingty Encoding BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey bMasterKey windows-1251 AES Microsoft Primitive Provider ChainingModeGCM AuthTagLength ChainingMode ObjectLength KeyDataBlob - {0} net.tcp:// / localhost 60894ac4c1d4d6c9ffb36078809b8c34 Authorization ns1 HiAwGT4DCSQ4DwZHJQQaDSsbHVkgBxNWLjNUUw== MDwvERYEKGMuNFxP Stearin Yandex\YaAddon asf *wallet* ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtu... _ T e l gr am . ex \TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata 1 string.Replace %USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng File.Write Handler npvo* %USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl serviceInterface.Extension ProldCharotonVoldCharPN oldChar nSystem.CollectionspvoSystem.Collections* System.Collections ( UNIQUE " Armenia Azerbaijan Belarus Kazakhstan Kyrgyzstan Moldova Tajikistan Uzbekistan Ukraine Russia | https://api.ip.sb/ip SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor System.Windows.Forms roSystem.Linqot\CISystem.LinqMV2 System.Linq SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller AdapterRAM Name SOFTWARE\WOW6432Node\Clients\StartMenuInternet SOFTWARE\Clients\StartMenuInternet shell\open\command Unknown Version SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente System.Management SerialNumber SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId=' System.Text.RegularExpressions ' FileSystem SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId=' System. ExecutablePath [ ] Concat0 MConcatb oConcatr Concat0 Concat SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem Memory {0}{1}{2} x32 x64 x86 SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName CSDVersion Unknown _[ Network\ String Replace 80 81 0.0.0.0 Auth_value60894ac4c1d4d6c9ffb36078809b8c34 Err_msg Botnetprivate C2 (1)151.80.89.227:45878 | |||||||||||||||
2928 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | 777.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: .NET Framework installation utility Version: 4.0.30319.34209 built by: FX452RTMGDR |
(PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
(PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASMANCS |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (1328) 777.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\777_RASMANCS |
Operation: | write | Name: | ConsoleTracingMask |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
1328 | 777.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\or.exe | executable | |
MD5:84133F05486EDB29F9AEB9FBA88F1DB8 | SHA256:07283E05C15A739215C1E2C46007F82EFF2B3DB5A7019855E9195B8FEA953913 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1328 | 777.exe | 142.250.186.164:443 | www.google.com | GOOGLE | US | whitelisted |
3452 | or.exe | 151.80.89.227:45878 | — | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
www.google.com |
| whitelisted |
dns.msftncsi.com |
| shared |