File name: | SQLi Dumper.exe |
Full analysis: | https://app.any.run/tasks/54eb279f-cdcb-49ff-a771-bcc87bef9082 |
Verdict: | Malicious activity |
Analysis date: | January 09, 2019, 04:51:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | D3C358F1785594FB5619CDA521B9FF04 |
SHA1: | 9C4A88B66DA3FAB2BC1B8FE2D2D4BC12903D7603 |
SHA256: | 4879007515FC16FD0B22156852F2AF0424C947F8CF543F5F4CCCF1AED52BC97D |
SSDEEP: | 196608:sDKjAQxVBnZwfZ1l6yYrWOVr62bXfwvZR8T3WkYoZx8n:vjAOVBZwfQWyWAfwaG4Gn |
Extension | Detected type (score) |
---|---|
.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
.exe | Win64 Executable (generic) (21.3) |
.scr | Windows screen saver (10.1) |
.dll | Win32 Dynamic Link Library (generic) (5) |
.exe | Win32 Executable (generic) (3.4) |
AssemblyVersion: | 8.3.0.0 |
---|---|
ProductVersion: | 8.3.0.0 |
ProductName: | SQLi Dumper |
OriginalFileName: | SQLi Dumper.exe |
LegalTrademarks: | - |
LegalCopyright: | [email protected] |
InternalName: | SQLi Dumper.exe |
FileVersion: | 8.3.0.0 |
FileDescription: | SQLi Dumper |
CompanyName: | [email protected] |
Comments: | I take NO responsibility for what you do with this tool. Use at your OWN risk!! |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 8.3.0.0 |
FileVersionNumber: | 8.3.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x6ddc8a |
UninitializedDataSize: | - |
InitializedDataSize: | 7288832 |
CodeSize: | 7192064 |
LinkerVersion: | 80 |
PEType: | PE32 |
TimeStamp: | 2017:04:02 19:15:54+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 02-Apr-2017 17:15:54 |
Debug artifacts: | |
Comments: | I take NO responsibility for what you do with this tool. Use at your OWN risk!! |
CompanyName: | [email protected] |
FileDescription: | SQLi Dumper |
FileVersion: | 8.3.0.0 |
InternalName: | SQLi Dumper.exe |
LegalCopyright: | [email protected] |
LegalTrademarks: | - |
OriginalFilename: | SQLi Dumper.exe |
ProductName: | SQLi Dumper |
ProductVersion: | 8.3.0.0 |
Assembly Version: | 8.3.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 02-Apr-2017 17:15:54 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x006DBC90 | 0x006DBE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.37433 |
.reloc | 0x006DE000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
.rsrc | 0x006E0000 | 0x000178F4 | 0x00017A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.50513 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
2 | 6.4157 | 1736 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 6.41469 | 2216 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 6.09568 | 3752 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 6.26925 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 6.38223 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 5.9831 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
8 | 6.02246 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
9 | 5.07717 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 2.94974 | 132 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
Imports: | mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3664 | "C:\Users\admin\AppData\Local\Temp\SQLi Dumper.exe" | C:\Users\admin\AppData\Local\Temp\SQLi Dumper.exe | | explorer.exe |
3316 | "C:\Users\admin\AppData\Local\Temp\SQLi Dumper.exe" "http://www.ultraddaytrail.com/actualites-article.php?id=999999.9 union all select 1,2,[t],4,5,6" "MySQL Union" | C:\Users\admin\AppData\Local\Temp\SQLi Dumper.exe | | SQLi Dumper.exe |
User: admin | Company: | Integrity Level: MEDIUM | Description: SQLi Dumper | Exit code: 0 | Version: 8.3.0.0 |
684 | "C:\Users\admin\AppData\Local\Temp\SQLi Dumper.exe" "http://www.clemcoindustries.com/products_showitem_clemco.php?item_id=999999.9 union all select 1,2,3,4,[t],6,7,8,9" "MySQL Union" | C:\Users\admin\AppData\Local\Temp\SQLi Dumper.exe | | SQLi Dumper.exe |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
3664 | SQLi Dumper.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
3664 | SQLi Dumper.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
3664 | SQLi Dumper.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi Dumper_RASAPI32 | write | EnableFileTracing | 0 |
3664 | SQLi Dumper.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi Dumper_RASAPI32 | write | EnableConsoleTracing | 0 |
3664 | SQLi Dumper.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi Dumper_RASAPI32 | write | FileTracingMask | 4294901760 |
3664 | SQLi Dumper.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi Dumper_RASAPI32 | write | ConsoleTracingMask | 4294901760 |
3664 | SQLi Dumper.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi Dumper_RASAPI32 | write | MaxFileSize | 1048576 |
3664 | SQLi Dumper.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi Dumper_RASAPI32 | write | FileDirectory | %windir%\tracing |
3664 | SQLi Dumper.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi Dumper_RASMANCS | write | EnableFileTracing | 0 |
3664 | SQLi Dumper.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SQLi Dumper_RASMANCS | write | EnableConsoleTracing | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3664 | SQLi Dumper.exe | C:\Users\admin\AppData\Local\Temp\Settings.xml | xml | 98B2711879F193C156CDB5576C16DEC4 | FA084AC0922610AB3AE5B5612B4E9E2FE83D8B2436E92F1BCE024803A4E5A248 |
3664 | SQLi Dumper.exe | C:\Users\admin\AppData\Local\Temp\TXT\URL Trash.txt | text | 6A6C3278DB0292F608B30ABB066AB9D8 | A2B76D2E8951490D168C4E24658B87C75ACDF3A2793893CBEA0C884B9254D1F7 |
3664 | SQLi Dumper.exe | C:\Users\admin\AppData\Local\Temp\XCEnh5cyCr7+M50gAvNG9A==#\ChilkatDotNet2.dll | executable | 6990F5076EB51EE135492BA5BA619B72 | 6733F1B7DAF40076FFE88DC8A88E23181D1BA449D6E5BB36A5325B4353849460 |
3664 | SQLi Dumper.exe | C:\Users\admin\AppData\Local\Temp\TXT\URL List.txt | text | 3BB6DC72E28020894924472021520218 | 69650DF4A3D64668FF1CAD5C68D7F5F377DE3291D39A0DC9541411D9561275CC |
3664 | SQLi Dumper.exe | C:\Users\admin\AppData\Local\Temp\TXT\URL Exploitables.xml | xml | 0D7CCEED91B0A5F5A5DC9375E6FC6517 | A9A4EBB565F4882A8D4FF849D73ED31820349CF167F4D0DB180B76D360A1FEB4 |
3664 | SQLi Dumper.exe | C:\Users\admin\AppData\Local\Temp\DIC\dic_file_dump.txt | text | 351CACFFC2884FCD4E69BB1FB04DDEB5 | C67BCC0B4ED5E5EF72AA1134C0838D9201A97C2BF462FDFF0AC9052A53B286A2 |
3664 | SQLi Dumper.exe | C:\Users\admin\AppData\Local\Temp\DIC\dic_admin.txt | text | A0E54634DDD435DF5B82E20EA20C7EFE | 963E3A1E46D5F4C35B85464DB61B7C346C5C44669E64A5C016192DDE078F997A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3664 | SQLi Dumper.exe | GET | 301 | 151.101.2.114:80 | http://www.ask.com/web?q=%3fitem_id%3d | US | — | — | whitelisted |
3664 | SQLi Dumper.exe | GET | 301 | 151.101.2.114:80 | http://www.ask.com/web?q=%3fitem_id%3d | US | — | — | whitelisted |
3664 | SQLi Dumper.exe | GET | 301 | 151.101.2.114:80 | http://www.ask.com/web?q=%3fitem_id%3d | US | — | — | whitelisted |
3664 | SQLi Dumper.exe | GET | 301 | 151.101.2.114:80 | http://www.ask.com/web?q=%3fitem_id%3d | US | — | — | whitelisted |
3664 | SQLi Dumper.exe | GET | 301 | 212.82.100.137:80 | http://search.yahoo.com/search?n=100&p=%3fitem_id%3d | CH | text | 25 b | whitelisted |
3664 | SQLi Dumper.exe | GET | 301 | 212.82.100.137:80 | http://search.aol.com/aol/search?s_it=sb-top&v_t=na&q=%3fitem_id%3d | CH | text | 25 b | whitelisted |
3664 | SQLi Dumper.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/search?q=%3fitem_id%3d&count=50 | US | html | 30.4 Kb | whitelisted |
3664 | SQLi Dumper.exe | GET | 301 | 212.82.100.137:80 | http://search.aol.com/aol/search?s_it=sb-top&v_t=na&q=%3fitem_id%3d | CH | text | 25 b | whitelisted |
3664 | SQLi Dumper.exe | GET | 301 | 212.82.100.137:80 | http://www.wow.com/search?s_it=topsearchbox.search&v_t=na&q=%3fitem_id%3d | CH | text | 25 b | whitelisted |
3664 | SQLi Dumper.exe | GET | 301 | 212.82.100.137:80 | http://search.aol.com/aol/search?s_it=sb-top&v_t=na&q=%3fitem_id%3d | CH | text | 25 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3664 | SQLi Dumper.exe | 212.82.100.137:80 | search.yahoo.com | Yahoo! UK Services Limited | CH | shared |
3664 | SQLi Dumper.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3664 | SQLi Dumper.exe | 172.217.22.68:443 | www.google.com | Google Inc. | US | whitelisted |
3664 | SQLi Dumper.exe | 151.101.2.114:443 | www.ask.com | Fastly | US | suspicious |
3664 | SQLi Dumper.exe | 151.101.2.114:80 | www.ask.com | Fastly | US | suspicious |
3664 | SQLi Dumper.exe | 212.82.100.137:443 | search.yahoo.com | Yahoo! UK Services Limited | CH | shared |
3664 | SQLi Dumper.exe | 52.4.105.42:443 | www.renderosity.com | Amazon.com, Inc. | US | unknown |
3664 | SQLi Dumper.exe | 185.171.52.138:80 | talif.sch.ir | Shahrad Net Company Ltd. | IR | unknown |
3664 | SQLi Dumper.exe | 216.74.38.76:443 | journals.plos.org | HostMySite | US | unknown |
3664 | SQLi Dumper.exe | 104.24.111.111:443 | www.mullenhealth.com.au | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
www.google.com | | whitelisted |
search.yahoo.com | | whitelisted |
www.ask.com | | whitelisted |
www.wow.com | | whitelisted |
search.aol.com | | whitelisted |
www.bing.com | | whitelisted |
www.mytreelove.com | | unknown |
www.mullenhealth.com.au | | unknown |
talif.sch.ir | | whitelisted |
www.hatraklin.co.il | | unknown |