File name:

6debd28b906829415f377bde04de8cc0.exe

Full analysis: https://app.any.run/tasks/965d1a89-af1d-4ab4-9902-691f349cd8dc
Verdict: Malicious activity
Threats:

DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.

Malware Trends Tracker     >>>
Analysis date: May 17, 2024, 15:27:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
sinkhole
darkgate
spyware
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

6DEBD28B906829415F377BDE04DE8CC0

SHA1:

EF7C56E3EAB6BC8EC40288B53B7C08725A214C0B

SHA256:

46F311A5D291DBDE2C686E49AB74CE6A9EC903E8958D7ACC6023BBDC554BEC98

SSDEEP:

49152:T5/x4evIcLHyHIngxN0HljxZJrrSDKl13kW4xz2KV6x4bexFsqq7nkjF3mT8onXL:r4e79ngxNOlhk7VQxDsqq7nkjF3mT1ci

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)

    • Connects to the CnC server

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)

    • Actions looks like stealing of personal data

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)

    • Process drops legitimate windows executable

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)

    • Contacting a server suspected of hosting an CnC

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)

    • Executable content was dropped or overwritten

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)

  • INFO

    • Reads the computer name

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)

    • Checks supported languages

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)

    • Checks proxy server information

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)

    • Creates files or folders in the user directory

      • 6debd28b906829415f377bde04de8cc0.exe (PID: 4260)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 1986:04:12 09:55:23+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.2
CodeSize: 466944
InitializedDataSize: 965120
UninitializedDataSize: -
EntryPoint: 0x6e6f0
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6.2
Subsystem: Windows GUI
FileVersionNumber: 2.1.1.0
ProductVersionNumber: 2.1.1.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: V2.1.1
CompanyName: Microsoft Corporation
FileDescription: TraceView Application
FileVersion: V2.1.1
InternalName: TraceView.exe
LegalCopyright: Copyright © 2002-2005, Microsoft Corporation. All rights reserved.
OriginalFileName: TraceView.exe
PrivateBuild: (none)
ProductVersion: 2, 1, 1, 0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
115
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 6debd28b906829415f377bde04de8cc0.exe filecoauth.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4260"C:\Users\admin\AppData\Local\Temp\6debd28b906829415f377bde04de8cc0.exe" C:\Users\admin\AppData\Local\Temp\6debd28b906829415f377bde04de8cc0.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TraceView Application
Version:
V2.1.1
Modules
Images
c:\users\admin\appdata\local\temp\6debd28b906829415f377bde04de8cc0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5128C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events
701
Read events
701
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
42606debd28b906829415f377bde04de8cc0.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:460ED977F396BE7C8498F44FA517B425
SHA256:9E45754617BCB7F47F7EF92857CAD7D2AA9B513B14CE4EB6921FF7A4B497621D
42606debd28b906829415f377bde04de8cc0.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeexecutable
MD5:E774EBDC6C4663147ADD6900A990CBC2
SHA256:1253268B67ECEA40AA530EDBF6F26929264B8D95A7452BB04A8210FAE2F893BF
42606debd28b906829415f377bde04de8cc0.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeexecutable
MD5:5CC01BF4A405D0B493733F77B2B6127F
SHA256:9E8D72F59644A4AAA5BDB209D83D61A125DC3FBD8E671465EC1C9CFB06058C7B
42606debd28b906829415f377bde04de8cc0.exeC:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.binbinary
MD5:4C310D7686447343ADC47D3FFDAC8B0B
SHA256:41FD3592799AED874CC1ED24B535BE9E7AB9461E8A7DAEB7D6B1159AA6FF943B
42606debd28b906829415f377bde04de8cc0.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeexecutable
MD5:ECED12CA5C2CA21A238817E96067A019
SHA256:95E74E9DDE7FA6D0018EE5E762E90ACCE44D0F900A2B38BFDAB970A2556FD2E0
42606debd28b906829415f377bde04de8cc0.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeexecutable
MD5:78D4E1C9540A135ABA11618B240C80FF
SHA256:898D7A66B2436AB07378BE4D90C2AF4E2B38AF4785E8820317BFDABCF7137FFE
42606debd28b906829415f377bde04de8cc0.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeexecutable
MD5:EE75684DD247E805B4C1D023E9EC4B9D
SHA256:4BFF12E722CD75A42CC375EC0AB8479369AC27D587E4FA61AFCC466909BE50DE
5128FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-17.1528.5128.1.aodlbinary
MD5:28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256:33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
5128FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-17.1528.5128.1.odlbinary
MD5:2F8B34BCC063186F4594A58DE0FA56E7
SHA256:F5E5857508E60E583BBC96D737262E6B29C2DA64E7319EE63F4204DAFEFBB1EC
42606debd28b906829415f377bde04de8cc0.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeexecutable
MD5:D256A35EB248D6A21016CEE2A2513FDA
SHA256:16D548CAB6F735A0D66E244A7FE2FD4A9DA882A5EA6AE14E422742CE743ED0CB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
25
DNS requests
13
Threats
19

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4260
6debd28b906829415f377bde04de8cc0.exe
POST
200
35.91.124.102:80
http://pywolwnvd.biz/anh
unknown
unknown
4260
6debd28b906829415f377bde04de8cc0.exe
POST
200
18.141.10.107:80
http://ssbzmoy.biz/i
unknown
unknown
4260
6debd28b906829415f377bde04de8cc0.exe
POST
44.221.84.105:80
http://npukfztj.biz/klap
unknown
unknown
4260
6debd28b906829415f377bde04de8cc0.exe
POST
200
54.244.188.177:80
http://cvgrf.biz/tebjivdb
unknown
unknown
4260
6debd28b906829415f377bde04de8cc0.exe
POST
200
44.221.84.105:80
http://npukfztj.biz/kldgixi
unknown
unknown
4260
6debd28b906829415f377bde04de8cc0.exe
POST
54.157.24.8:80
http://przvgke.biz/mulxjdyywn
unknown
unknown
4260
6debd28b906829415f377bde04de8cc0.exe
POST
54.157.24.8:80
http://przvgke.biz/uoljvy
unknown
unknown
4260
6debd28b906829415f377bde04de8cc0.exe
POST
49.13.77.253:80
http://zlenh.biz/uwbpkpvnciano
unknown
unknown
2908
OfficeClickToRun.exe
POST
200
52.182.143.214:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
unknown
5576
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5632
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5140
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4260
6debd28b906829415f377bde04de8cc0.exe
35.91.124.102:80
pywolwnvd.biz
AMAZON-02
US
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
4260
6debd28b906829415f377bde04de8cc0.exe
18.141.10.107:80
ssbzmoy.biz
AMAZON-02
SG
unknown
4260
6debd28b906829415f377bde04de8cc0.exe
54.244.188.177:80
cvgrf.biz
AMAZON-02
US
unknown
5456
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
pywolwnvd.biz
  • 35.91.124.102
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
ssbzmoy.biz
  • 18.141.10.107
unknown
cvgrf.biz
  • 54.244.188.177
malicious
npukfztj.biz
  • 44.221.84.105
unknown
przvgke.biz
  • 54.157.24.8
unknown
zlenh.biz
  • 49.13.77.253
unknown
self.events.data.microsoft.com
  • 20.189.173.9
whitelisted

Threats

PID
Process
Class
Message
2184
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
2184
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
2184
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2184
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
2184
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
6debd28b906829415f377bde04de8cc0.exe