File name: | BitComet_1.37_x86_setup.exe |
Full analysis: | https://app.any.run/tasks/53cba275-638e-4008-b081-36d84cce4475 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | February 10, 2019, 17:16:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | D40AFCC9632B7351191645BC1E13C150 |
SHA1: | 1BF87D0E194901CD0DBAA7F633DC83DC42C5DC3D |
SHA256: | 43BF8DAFC7EF5193DA42B45C181FDDFB7CD650C08FDD38F848FF62E9768B646C |
SSDEEP: | 196608:DgHgcreh2lB8Rms+zoNYTr0c1S+aa7s5xGYJq53/wCTdH/RME:DgHgcrcRF+zoCv0rYs5EYJqx/wCBZR |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5 |
ImageVersion: | 6 |
OSVersion: | 5 |
EntryPoint: | 0x39e3 |
UninitializedDataSize: | 16896 |
InitializedDataSize: | 54272 |
CodeSize: | 28672 |
LinkerVersion: | 10 |
PEType: | PE32 |
TimeStamp: | 2012:02:24 20:19:59+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 24-Feb-2012 19:19:59 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 24-Feb-2012 19:19:59 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00006F10 | 0x00007000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.49788 |
.rdata | 0x00008000 | 0x00002A92 | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.39389 |
.data | 0x0000B000 | 0x00067EBC | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.47278 |
.ndata | 0x00073000 | 0x000F1000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00164000 | 0x00009490 | 0x00009600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.86699 |
.reloc | 0x0016E000 | 0x00000F8A | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.56931 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.22365 | 1070 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 4.49904 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 5.72411 | 3752 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 6.02336 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.93253 | 1384 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 4.99447 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 3.56028 | 744 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 3.23111 | 296 | Latin 1 / Western European | English - United States | RT_ICON |
102 | 2.71813 | 180 | Latin 1 / Western European | English - United States | RT_DIALOG |
103 | 2.2766 | 118 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3368 | "C:\Users\admin\AppData\Local\Temp\BitComet_1.37_x86_setup.exe" | C:\Users\admin\AppData\Local\Temp\BitComet_1.37_x86_setup.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | |||||||||||||||
2460 | "C:\Users\admin\AppData\Local\Temp\BitComet_1.37_x86_setup.exe" | C:\Users\admin\AppData\Local\Temp\BitComet_1.37_x86_setup.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
3060 | "C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\http_Downloader.exe" /googletoolbar | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\http_Downloader.exe | BitComet_1.37_x86_setup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2408 | "C:\Users\admin\AppData\Local\Temp\bitcomet_toolbar.exe" /r:SHA /h:set /d:set | C:\Users\admin\AppData\Local\Temp\bitcomet_toolbar.exe | http_Downloader.exe | ||||||||||||
User: admin Company: Google Inc. Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
3104 | "C:\Program Files\BitComet\tools\BitCometService.exe" /reg | C:\Program Files\BitComet\tools\BitCometService.exe | BitComet_1.37_x86_setup.exe | ||||||||||||
User: admin Company: www.BitComet.com Integrity Level: HIGH Description: BitComet disk boost service Exit code: 0 Version: 1.25 Modules
| |||||||||||||||
2140 | C:\Users\admin\AppData\Local\Temp\GoogleToolbarStandaloneSetup_latest.exe /install "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&appname=Google%20Toolbar&needsadmin=True&brand=SHAB" /silent /appargs "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&installerdata=gb%26h%3dset%26d%3dset" | C:\Users\admin\AppData\Local\Temp\GoogleToolbarStandaloneSetup_latest.exe | bitcomet_toolbar.exe | ||||||||||||
User: admin Company: Google Inc. Integrity Level: HIGH Description: Google Update Setup Exit code: 2147747592 Version: 1.3.21.115 Modules
| |||||||||||||||
4008 | "C:\Program Files\GUME271.tmp\GoogleUpdate.exe" /install "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&appname=Google%20Toolbar&needsadmin=True&brand=SHAB" /silent /appargs "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&installerdata=gb%26h%3dset%26d%3dset" | C:\Program Files\GUME271.tmp\GoogleUpdate.exe | GoogleToolbarStandaloneSetup_latest.exe | ||||||||||||
User: admin Company: Google Inc. Integrity Level: HIGH Description: Google Installer Exit code: 2147747592 Version: 1.3.21.103 Modules
| |||||||||||||||
3088 | "C:\Program Files\BitComet\BitComet.exe" | C:\Program Files\BitComet\BitComet.exe | BitComet_1.37_x86_setup.exe | ||||||||||||
User: admin Company: www.BitComet.com Integrity Level: MEDIUM Description: BitComet - a BitTorrent Client Version: 1.37 Modules
| |||||||||||||||
2492 | "C:\Program Files\BitComet\tools\BitCometService.exe" -service | C:\Program Files\BitComet\tools\BitCometService.exe | services.exe | ||||||||||||
User: SYSTEM Company: www.BitComet.com Integrity Level: SYSTEM Description: BitComet disk boost service Version: 1.25 Modules
| |||||||||||||||
3952 | "C:\Program Files\BitComet\tools\UPNP.exe" -addfw -app BitComet -tcpport 22201 -udpport 22201 -q | C:\Program Files\BitComet\tools\UPNP.exe | — | BitComet.exe | |||||||||||
User: admin Company: www.BitComet.com Integrity Level: MEDIUM Description: UPNP config tool for BitComet Exit code: 0 Version: 1.0 Modules
|
(PID) Process: | (2460) BitComet_1.37_x86_setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted |
Operation: | write | Name: | C:\Users\admin\AppData\Local\Temp\BitComet_1.37_x86_setup.exe |
Value: 1 | |||
(PID) Process: | (2460) BitComet_1.37_x86_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Google Toolbar |
Operation: | write | Name: | test |
Value: test | |||
(PID) Process: | (2460) BitComet_1.37_x86_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Google Toolbar |
Operation: | delete value | Name: | test |
Value: test | |||
(PID) Process: | (2460) BitComet_1.37_x86_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Google Toolbar |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (2460) BitComet_1.37_x86_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\GCAPITemp |
Operation: | write | Name: | test |
Value: te | |||
(PID) Process: | (2460) BitComet_1.37_x86_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\GCAPITemp |
Operation: | delete value | Name: | test |
Value: te | |||
(PID) Process: | (2460) BitComet_1.37_x86_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\GCAPITemp |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (2460) BitComet_1.37_x86_setup.exe | Key: | HKEY_CURRENT_USER\Software\BitComet |
Operation: | write | Name: | NeedGoogleToolBar |
Value: 0 | |||
(PID) Process: | (2460) BitComet_1.37_x86_setup.exe | Key: | HKEY_CURRENT_USER\Software\BitComet |
Operation: | write | Name: | GoogleToolBarInstalled |
Value: 0 | |||
(PID) Process: | (2460) BitComet_1.37_x86_setup.exe | Key: | HKEY_CURRENT_USER\Software\BitComet |
Operation: | write | Name: | NeedGoogleToolBar |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2460 | BitComet_1.37_x86_setup.exe | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\gtbinstallcomplete.ini | text | |
MD5:A72130FA85E927D09D9AF98CD0B9FC0E | SHA256:845B27C7E1A4D9AC6C677072ABB0D0D8A7CEE567B33D5E101C4ACA36B6E6B73B | |||
2460 | BitComet_1.37_x86_setup.exe | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\toolbar_search.gif | image | |
MD5:8ECC19594C13E5C49996D2709BD8626B | SHA256:2787432B9AA0FA55A77C87CD749AD93DE7429168C5B66D5C61DF92FB2060AE7D | |||
2460 | BitComet_1.37_x86_setup.exe | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\installchrome.ini | text | |
MD5:5A51D74262A2849DB41877011BA97EA3 | SHA256:EAC6DEA03D330A0519B7A4D040F71A2D0A7AA7C0F0308992028583B300A33500 | |||
2460 | BitComet_1.37_x86_setup.exe | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\toolbarpreview_cn.gif | image | |
MD5:A8CFBBF5F2BC09A3C444D33D22A16BD4 | SHA256:DCD23E8CA857DA6CA435631EC8CAD2F1970640A7B7B56C9EFC5FEF0531D7C373 | |||
2460 | BitComet_1.37_x86_setup.exe | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\installchrome_gtb.ini | text | |
MD5:4D1794F577763193874F09EADBCBF293 | SHA256:826FFD1E4B004770B5D8ABCF071EF121A6B81E681C2B85BC0DF801F5FF6F4EE7 | |||
2460 | BitComet_1.37_x86_setup.exe | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\toolbarpreview_en.gif | image | |
MD5:1CEACCC0643F0BC669F27836DE1C07AD | SHA256:5CC70A779F1FCB19FD1A17EC067435CAF6CFDF1E2C27BCDCC50F7D66F58C7968 | |||
2460 | BitComet_1.37_x86_setup.exe | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\toolbarinstalled_cn.gif | image | |
MD5:DEC4280DF7C521109C61CD7C47F0CE77 | SHA256:8B09A147D727F279A7AC4332AFBB02D9474F183E17C456C927595A46AA54FF40 | |||
2460 | BitComet_1.37_x86_setup.exe | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\chromeinstallcomplete.ini | text | |
MD5:8EFF23B6D3600F3ABF30DAA1AF2FEBE0 | SHA256:9457D4A8A6452176B91F8CCAE1D9E3C127919B18DC75FC09874D103CD7D88A03 | |||
2460 | BitComet_1.37_x86_setup.exe | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\toolbar_share.gif | image | |
MD5:8B1D7F57D889BE806C97CA0D04F95784 | SHA256:4025A2E570E2AA102EDBA3D1E9A4943B0203FC2F0376A9519E383DB8D7A3D84F | |||
2460 | BitComet_1.37_x86_setup.exe | C:\Users\admin\AppData\Local\Temp\nsk809C.tmp\chrome_installed.gif | image | |
MD5:175060A5BBA6748EFD8CAFA55D8DB9E5 | SHA256:BC59D700639365916E14B5A08E6EC15B9CF43E515E7E3957F9CA0674F102254F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2168 | updater.exe | GET | 302 | 213.136.77.195:80 | http://download.bitcomet.com/update/bitcomet_setup.exe | DE | — | — | suspicious |
3088 | BitComet.exe | GET | — | 208.100.26.240:80 | http://tracker.p2pcache.org/issupported | US | — | — | malicious |
3060 | http_Downloader.exe | GET | 200 | 213.136.77.195:80 | http://download.bitcomet.com/google_component/bitcomet_toolbar.exe | DE | executable | 6.61 Mb | suspicious |
4008 | GoogleUpdate.exe | POST | 200 | 216.58.206.14:80 | http://tools.google.com/service/update2 | US | xml | 233 b | whitelisted |
4008 | GoogleUpdate.exe | POST | 200 | 216.58.206.14:80 | http://tools.google.com/service/update2 | US | xml | 233 b | whitelisted |
3088 | BitComet.exe | GET | 200 | 54.70.241.215:80 | http://update.bitcomet.com/client/bitcomet/?ver=1.37&intl=en_us&osintl=en_us&cid=8df8a09fac922b319d16e2876e64f2a3&btcnt=0&httpcnt=0&p=x86&idt=20190210 | US | xml | 5.58 Kb | suspicious |
3088 | BitComet.exe | GET | 200 | 54.70.241.215:80 | http://update.bitcomet.com/client/bitcomet/passport/v0.89-v1.40/passport_login_en_us.mht | US | eml | 11.3 Kb | suspicious |
3088 | BitComet.exe | GET | 200 | 54.70.241.215:80 | http://update.bitcomet.com/client/bitcomet/passport/v0.89-v1.40/passport_info_en_us.mht | US | eml | 26.4 Kb | suspicious |
2168 | updater.exe | GET | 200 | 143.204.98.159:80 | http://d3sug1er2oor8n.cloudfront.net/28~p80d77gulh/bitcomet_setup.exe | US | executable | 2.68 Mb | suspicious |
3088 | BitComet.exe | GET | 200 | 54.70.241.215:80 | http://update.bitcomet.com/client/bitcomet/fav/v1.05-v1.40/fav_en_us.xml | US | xml | 1.30 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4008 | GoogleUpdate.exe | 216.58.206.14:80 | tools.google.com | Google Inc. | US | whitelisted |
— | — | 103.212.116.152:14590 | — | first E-commerce and TriplePlay Service ISP in Mongolia. | MN | unknown |
— | — | 5.144.57.113:17177 | — | Triple C Cloud Computing Ltd. | IL | unknown |
— | — | 2.236.243.32:6881 | — | Fastweb | IT | unknown |
3088 | BitComet.exe | 67.215.246.10:6881 | router.bittorrent.com | QuadraNet, Inc | US | suspicious |
— | — | 188.251.97.205:22102 | — | Servicos De Comunicacoes E Multimedia S.A. | PT | unknown |
— | — | 79.36.111.65:40818 | — | Telecom Italia | IT | unknown |
— | — | 91.159.132.13:6881 | — | Elisa Oyj | FI | unknown |
3060 | http_Downloader.exe | 213.136.77.195:80 | download.bitcomet.com | Contabo GmbH | DE | suspicious |
— | — | 112.185.148.31:54000 | — | Korea Telecom | KR | unknown |
Domain | IP | Reputation |
---|---|---|
download.bitcomet.com |
| suspicious |
tools.google.com |
| whitelisted |
router.bittorrent.com |
| shared |
router.bitcomet.net |
| unknown |
update.bitcomet.com |
| suspicious |
d3sug1er2oor8n.cloudfront.net |
| suspicious |
tracker.p2pcache.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3060 | http_Downloader.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4008 | GoogleUpdate.exe | Misc activity | SUSPICIOUS [PTsecurity] Win32/Bundled.Toolbar.Google.D potentially unsafe |
4008 | GoogleUpdate.exe | Misc activity | SUSPICIOUS [PTsecurity] Win32/Bundled.Toolbar.Google.D potentially unsafe |
3088 | BitComet.exe | Potential Corporate Privacy Violation | ET P2P BitTorrent DHT ping request |
3088 | BitComet.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
3088 | BitComet.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
2168 | updater.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2168 | updater.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3088 | BitComet.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] BitComet Client |
— | — | Potential Corporate Privacy Violation | ET P2P BitTorrent DHT nodes reply |
Process | Message |
---|---|
BitCometService.exe | BITCOMET_HELPER_SERVICE
|
BitCometService.exe | Service DACL updated successfully
|
BitCometService.exe | Service Register succeed.
|
GoogleUpdate.exe | LOG_SYSTEM: [GoogleUpdate:goopdate]: ERROR - Cannot create ETW log writer |
BitCometService.exe | BITCOMET_HELPER_SERVICE
|
BitCometService.exe | ServiceProcess lunched.
|