analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| URL: | http://dry-amami-8272.babyblue.jp/blessed/bbbbb.exe |
| Full analysis: | https://app.any.run/tasks/91a3ad56-c948-4f32-b9f4-d82240d8f31a |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | February 21, 2020, 16:16:56 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 193A90ED2EFA99F1735E6FB5B8B9F03C |
| SHA1: | 0677D0E1FAA3BAF9637AF23E8504403F2298527D |
| SHA256: | 476502D6CE2C7C533A8C08914012E1370DE817EACA1A146DB18CADB0719E1E56 |
| SSDEEP: | 3:N1KaXDBXt8pVR4AWHBgHHkA:CaXDB98ZIOkA |
MALICIOUS
Application was dropped or rewritten from another process
- bbbbb.exe (PID: 2720)
- RegAsm.exe (PID: 3288)
Downloads executable files from the Internet
- iexplore.exe (PID: 3252)
Changes the autorun value in the registry
- RegAsm.exe (PID: 3288)
Actions looks like stealing of personal data
- RegAsm.exe (PID: 3288)
SUSPICIOUS
Executable content was dropped or overwritten
- iexplore.exe (PID: 304)
- RegAsm.exe (PID: 3288)
Creates files in the user directory
- RegAsm.exe (PID: 3288)
Connects to SMTP port
- RegAsm.exe (PID: 3288)
Reads the cookies of Mozilla Firefox
- RegAsm.exe (PID: 3288)
Reads the cookies of Google Chrome
- RegAsm.exe (PID: 3288)
INFO
Reads Internet Cache Settings
- iexplore.exe (PID: 3252)
- iexplore.exe (PID: 304)
Changes internet zones settings
- iexplore.exe (PID: 304)
Modifies the phishing filter of IE
- iexplore.exe (PID: 304)
Creates files in the user directory
- iexplore.exe (PID: 304)
Reads settings of System Certificates
- iexplore.exe (PID: 304)
Adds / modifies Windows certificates
- iexplore.exe (PID: 304)
Changes settings of System certificates
- iexplore.exe (PID: 304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
38
Monitored processes
4
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 304 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://dry-amami-8272.babyblue.jp/blessed/bbbbb.exe" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
| 3252 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:304 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
| 2720 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\bbbbb.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\bbbbb.exe | — | iexplore.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 3288 | "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | bbbbb.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
Total events
6 338
Read events
1 132
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
9
Text files
3
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3252 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\bbbbb[1].exe | — | |
MD5:— | SHA256:— | |||
| 3252 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\bbbbb.exe.7fkn8kj.partial | — | |
MD5:— | SHA256:— | |||
| 304 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF62D3AC99A6794F08.TMP | — | |
MD5:— | SHA256:— | |||
| 304 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\bbbbb.exe.7fkn8kj.partial:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
| 304 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Cab254E.tmp | — | |
MD5:— | SHA256:— | |||
| 304 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Tar254F.tmp | — | |
MD5:— | SHA256:— | |||
| 304 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver259E.tmp | — | |
MD5:— | SHA256:— | |||
| 304 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\TT7NY3E3.txt | — | |
MD5:— | SHA256:— | |||
| 304 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\GLA9AI4H.txt | — | |
MD5:— | SHA256:— | |||
| 304 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF7F5B09305582C1D3.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
12
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
304 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3252 | iexplore.exe | GET | 200 | 157.7.107.55:80 | http://dry-amami-8272.babyblue.jp/blessed/bbbbb.exe | JP | executable | 1.19 Mb | suspicious |
304 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
304 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
304 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
304 | iexplore.exe | 204.79.197.200:443 | ieonline.microsoft.com | Microsoft Corporation | US | whitelisted |
3252 | iexplore.exe | 157.7.107.55:80 | dry-amami-8272.babyblue.jp | GMO Internet,Inc | JP | suspicious |
3288 | RegAsm.exe | 174.129.223.190:443 | api.ipify.org | Amazon.com, Inc. | US | malicious |
3288 | RegAsm.exe | 77.88.21.158:587 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
dry-amami-8272.babyblue.jp |
| suspicious |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ieonline.microsoft.com |
| whitelisted |
api.ipify.org |
| shared |
smtp.yandex.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3252 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3288 | RegAsm.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
3288 | RegAsm.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
3288 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
1 ETPRO signatures available at the full report