File name: | Setup.eexe |
Full analysis: | https://app.any.run/tasks/a84a498b-80ac-4e78-9ceb-70c6ccd8a897 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | December 05, 2022, 17:06:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 8D2F35E845E15472C6D1AD20889A377D |
SHA1: | A6ED0EF63AF22ABACCA84C99F043173716560C0B |
SHA256: | 41917221696D458C412F1073F3B1C8B618CD994970F43362CDBDB972E20196CB |
SSDEEP: | 98304:CA/hR3AuPapObj9wYh4KpylT3/Ma29R68sI775DV3VVG0kDfiefR1elXWvaeboor:lFykjnhMzV2LHzBkDjf9NPVN |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Oct-20 11:04:41 |
Detected languages: |
|
CompanyName: | IObit |
FileDescription: | Browser Anti-Tracking |
FileVersion: | 16.0.0.18 |
InternalName: | BrowserCleaner.exe |
LegalCopyright: | © IObit. All rights reserved. |
LegalTrademarks: | IObit |
OriginalFilename: | BrowserCleaner.exe |
ProductName: | Advanced SystemCare |
ProductVersion: | 16.0 |
Comments: | - |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 8 |
TimeDateStamp: | 2022-Oct-20 11:04:41 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 46091 | 0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | |
.rdata | 53248 | 10402 | 0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | |
.data | 65536 | 1464 | 0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.CRT | 69632 | 4 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0407808 |
.mhh0 | 73728 | 3536126 | 0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | |
.mhh1 | 3612672 | 872 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.27856 |
.mhh2 | 3616768 | 6166928 | 6167040 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.96519 |
.rsrc | 9785344 | 166181 | 166400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.63657 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.45546 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
2 | 5.39061 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 5.18373 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 5.32544 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 5.28403 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 7.78171 | 64683 | UNKNOWN | UNKNOWN | RT_ICON |
EFHGJHDGERTUYTITUF | 2.79908 | 90 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
1 (#2) | 3.36177 | 848 | UNKNOWN | Chinese - PRC | RT_VERSION |
1 (#3) | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
KERNEL32.dll |
KERNEL32.dll (#2) |
KERNEL32.dll (#3) |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1816 | "C:\Users\admin\Desktop\Setup.eexe.exe" | C:\Users\admin\Desktop\Setup.eexe.exe | Explorer.EXE | ||||||||||||
User: admin Company: IObit Integrity Level: MEDIUM Description: Browser Anti-Tracking Version: 16.0.0.18 Modules
Raccoon(PID) Process(1816) Setup.eexe.exe Keys xordabb58cb2c7e3778b722715b6eed054f C2 (1)http://77.73.134.30/ |
PID | Process | Filename | Type | |
---|---|---|---|---|
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\T94V4mn774Xx | image | |
MD5:CAB7C58B883E3EC6838A60EF415C8644 | SHA256:14FE3F115F96DCE95A66B59C74CC7E624F0CBC5DAA6804909E01353CF921CA13 | |||
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\cF4B7209nvX9-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\Tx2BuCIR99Z0 | sqlite | |
MD5:D02907BE1C995E1E51571EEDB82FA281 | SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD | |||
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\K267j2sPp3fD | sqlite | |
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087 | SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B | |||
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\3quU4bBB10Rh | sqlite | |
MD5:D02907BE1C995E1E51571EEDB82FA281 | SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD | |||
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\TC26X9PavI7k | text | |
MD5:E7CE898AADD69F4E4280010B7808116E | SHA256:C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02 | |||
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\J2e9x38GOd5H | sqlite | |
MD5:49E1E66E8EEFE2553D2ECEC4B7EF1D3E | SHA256:A664C359ACE3BFC149323E5403BB7140A84519043BDBA59B064EBC1BDADD32D4 | |||
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\freebl3.dll | executable | |
MD5:15B61E4A910C172B25FB7D8CCB92F754 | SHA256:B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6 | |||
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\vcruntime140.dll | executable | |
MD5:1B171F9A428C44ACF85F89989007C328 | SHA256:9D02E952396BDFF3ABFE5654E07B7A713C84268A225E11ED9A3BF338ED1E424C | |||
1816 | Setup.eexe.exe | C:\Users\admin\AppData\LocalLow\msvcp140.dll | executable | |
MD5:1FB93933FD087215A3C7B0800E6BB703 | SHA256:2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll | KZ | executable | 248 Kb | malicious |
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll | KZ | executable | 438 Kb | malicious |
1816 | Setup.eexe.exe | GET | — | 89.208.104.172:80 | http://89.208.104.172/412.exe | RU | — | — | malicious |
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll | KZ | executable | 1.95 Mb | malicious |
1816 | Setup.eexe.exe | POST | 200 | 77.73.134.30:80 | http://77.73.134.30/ | KZ | text | 7.57 Kb | malicious |
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll | KZ | executable | 1.05 Mb | malicious |
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll | KZ | executable | 612 Kb | malicious |
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll | KZ | executable | 668 Kb | malicious |
1816 | Setup.eexe.exe | POST | 200 | 77.73.134.30:80 | http://77.73.134.30/07b63438148ab7e88adc635c6eb464de | KZ | text | 8 b | malicious |
1816 | Setup.eexe.exe | GET | 200 | 77.73.134.30:80 | http://77.73.134.30/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll | KZ | executable | 78.2 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 77.73.134.30:80 | — | Partner LLC | KZ | malicious |
1816 | Setup.eexe.exe | 89.208.104.172:80 | — | AEZA GROUP Ltd | NL | malicious |
1816 | Setup.eexe.exe | 77.73.134.30:80 | — | Partner LLC | KZ | malicious |
PID | Process | Class | Message |
---|---|---|---|
1816 | Setup.eexe.exe | A Network Trojan was detected | ET MALWARE Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related |
1816 | Setup.eexe.exe | A Network Trojan was detected | ET TROJAN Win32/RecordBreaker CnC Checkin |
1816 | Setup.eexe.exe | A Network Trojan was detected | ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response |
1816 | Setup.eexe.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
1816 | Setup.eexe.exe | A Network Trojan was detected | ET MALWARE Spyware User-Agent (XXX) |
1816 | Setup.eexe.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1816 | Setup.eexe.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
1816 | Setup.eexe.exe | A Network Trojan was detected | ET MALWARE Spyware User-Agent (XXX) |
1816 | Setup.eexe.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
1816 | Setup.eexe.exe | A Network Trojan was detected | ET MALWARE Spyware User-Agent (XXX) |