analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

111514bffbc8e4c52f98881957f0f425

Full analysis: https://app.any.run/tasks/324ec388-9502-4ff8-a828-cc476b27047b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 08, 2020, 09:58:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

E167CD7F3767A956E5C47A3E22D45987

SHA1:

061C21424464E372925C19F5B95CB5C900EA9672

SHA256:

43A858AC8D3A5E07DF86C2383B6CF1FA0DB0C93FC2FC7FFC78F31FB7F7F2203A

SSDEEP:

24576:NiHXPxyBXOsp7oUNJcdKZXFaPSKAKr3jtRWvfh3AEHgZQptTVCR8m3Hcg1Ofp:NaPA7oqaKZFBKA0ROhANQptwR/XOf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses SVCHOST.EXE for hidden code execution

      • 111514bffbc8e4c52f98881957f0f425.exe (PID: 2512)

    • Downloads executable files from the Internet

      • svchost.exe (PID: 1944)

    • Downloads executable files from IP

      • svchost.exe (PID: 1944)

  • SUSPICIOUS

    • Executes scripts

      • 111514bffbc8e4c52f98881957f0f425.exe (PID: 2512)

    • Reads Internet Cache Settings

      • svchost.exe (PID: 1944)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x747d5
UninitializedDataSize: -
InitializedDataSize: 1470464
CodeSize: 602112
LinkerVersion: 6
PEType: PE32
TimeStamp: 2020:07:31 16:14:36+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 31-Jul-2020 14:14:36
Detected languages:
  • Chinese - PRC

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 31-Jul-2020 14:14:36
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00092D46
0x00093000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.65899
.rdata
0x00094000
0x0010EBAE
0x0010F000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.22932
.data
0x001A3000
0x0003DD48
0x00018000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.06969
.rsrc
0x001E1000
0x00005D10
0x00006000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.76325
.reloc
0x001E7000
0x0001387C
0x00014000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.07695
461
UNKNOWN
UNKNOWN
RT_MANIFEST
2
2.18858
296
UNKNOWN
Chinese - PRC
RT_ICON
3
5.20308
4264
UNKNOWN
UNKNOWN
RT_ICON
4
2.74274
180
UNKNOWN
Chinese - PRC
RT_CURSOR
127
1.4183
12
UNKNOWN
Chinese - PRC
RT_MENU
150
3.06278
152
UNKNOWN
Chinese - PRC
RT_DIALOG
286
3.5561
378
UNKNOWN
Chinese - PRC
RT_DIALOG
554
3.78697
250
UNKNOWN
Chinese - PRC
RT_DIALOG
1031
3.67246
584
UNKNOWN
Chinese - PRC
RT_BITMAP
1032
1.91924
20
UNKNOWN
Chinese - PRC
RT_GROUP_CURSOR

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.DLL
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 111514bffbc8e4c52f98881957f0f425.exe no specs svchost.exe wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2512"C:\Users\admin\AppData\Local\Temp\111514bffbc8e4c52f98881957f0f425.exe" C:\Users\admin\AppData\Local\Temp\111514bffbc8e4c52f98881957f0f425.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1944C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe
111514bffbc8e4c52f98881957f0f425.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4024"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\tem.vbs" C:\Windows\System32\WScript.exe111514bffbc8e4c52f98881957f0f425.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Total events
412
Read events
395
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
1944svchost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\seoc[1].txt
MD5:
SHA256:
2512111514bffbc8e4c52f98881957f0f425.exeC:\Users\admin\AppData\Local\Temp\tem.vbstext
MD5:BA7A0B43832F0622BBABAA7185E315F8
SHA256:D816E1E33FDF74CE89B54E786A3F30AE90073C464042843C8657F6BDA092CB30
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1944
svchost.exe
GET
404
63.141.246.178:80
http://63.141.246.178/555105/better.jpg
US
html
212 b
suspicious
1944
svchost.exe
GET
200
63.141.246.178:80
http://63.141.246.178/555105/Good.jpg
US
executable
916 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1944
svchost.exe
63.141.246.178:80
DataShack, LC
US
suspicious
1944
svchost.exe
104.193.88.77:443
www.baidu.com
Beijing Baidu Netcom Science and Technology Co., Ltd.
US
malicious

DNS requests

Domain
IP
Reputation
www.baidu.com
  • 104.193.88.77
  • 104.193.88.123
whitelisted

Threats

PID
Process
Class
Message
1944
svchost.exe
Potential Corporate Privacy Violation
ET POLICY Suspicious EXE Download Content-Type image/jpeg
1944
svchost.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1944
svchost.exe
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
1944
svchost.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
111514bffbc8e4c52f98881957f0f425