analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SteamDesktopAuthenticator.exe

Full analysis: https://app.any.run/tasks/b8745cbf-2368-424e-931c-f71169e56c59
Verdict: Malicious activity
Threats:

WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.

Analysis date: January 24, 2022, 16:03:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
stealer
avemaria
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

32FE1A46FF2157F06B719071BEFAB73A

SHA1:

A2D467FFC3E323B4DB1A46E42B091C64172F6F0B

SHA256:

4E4636B36B72097E974B66F818FCB3070234D3A15E13269C5E68B8F383B72746

SSDEEP:

49152:T0gtO4WdD7ZZ2u6VKtUKMjzmQdIP1aRvUV9rqOotMQIZDvMW8IRNdmpi:T0WLwHZZ2FyMjzvy9KIrRZbd7Nmo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • SteamDesktopAuthenticator.exe (PID: 2824)
      • cmd.exe (PID: 3720)
      • STEAM.exe (PID: 3004)
      • DllHost.exe (PID: 3684)
      • cmd.exe (PID: 272)
    • Runs app for hidden code execution

      • Sdaex.exe (PID: 3452)
      • BBrowser.exe (PID: 1000)
    • AVEMARIA was detected

      • Sdaex.exe (PID: 3452)
      • BBrowser.exe (PID: 1000)
      • BBrowser.exe (PID: 2472)
    • Changes the autorun value in the registry

      • Sdaex.exe (PID: 3452)
    • Application was dropped or rewritten from another process

      • Sdaex.exe (PID: 3452)
      • BBrowser.exe (PID: 1000)
      • STEAM.exe (PID: 3044)
      • STEAM.exe (PID: 3004)
      • Sdaex.exe (PID: 1740)
      • BBrowser.exe (PID: 2472)
      • BBrowser.exe (PID: 276)
      • BBrowser.exe (PID: 3028)
      • runtimeCrtDhcpwinCommon.exe (PID: 1340)
    • Runs injected code in another process

      • BBrowser.exe (PID: 1000)
      • BBrowser.exe (PID: 2472)
    • Loads dropped or rewritten executable

      • dism.exe (PID: 2852)
      • dism.exe (PID: 2296)
    • Application was injected by another process

      • Explorer.EXE (PID: 1656)
    • Connects to CnC server

      • BBrowser.exe (PID: 1000)
      • BBrowser.exe (PID: 2472)
    • UAC/LUA settings modification

      • runtimeCrtDhcpwinCommon.exe (PID: 1340)
    • Writes to the hosts file

      • runtimeCrtDhcpwinCommon.exe (PID: 1340)
  • SUSPICIOUS

    • Checks supported languages

      • SteamDesktopAuthenticator.exe (PID: 2824)
      • Sdaex.exe (PID: 3452)
      • cmd.exe (PID: 3720)
      • STEAM.exe (PID: 3004)
      • BBrowser.exe (PID: 1000)
      • WScript.exe (PID: 1708)
      • Sdaex.exe (PID: 1740)
      • cmd.exe (PID: 272)
      • BBrowser.exe (PID: 2472)
      • cmd.exe (PID: 3460)
      • powershell.exe (PID: 3852)
      • runtimeCrtDhcpwinCommon.exe (PID: 1340)
      • BBrowser.exe (PID: 3028)
      • BBrowser.exe (PID: 276)
    • Reads the computer name

      • SteamDesktopAuthenticator.exe (PID: 2824)
      • Sdaex.exe (PID: 3452)
      • cmd.exe (PID: 3720)
      • BBrowser.exe (PID: 1000)
      • STEAM.exe (PID: 3004)
      • WScript.exe (PID: 1708)
      • Sdaex.exe (PID: 1740)
      • cmd.exe (PID: 272)
      • powershell.exe (PID: 3852)
      • BBrowser.exe (PID: 2472)
      • runtimeCrtDhcpwinCommon.exe (PID: 1340)
      • BBrowser.exe (PID: 276)
      • BBrowser.exe (PID: 3028)
    • Executable content was dropped or overwritten

      • SteamDesktopAuthenticator.exe (PID: 2824)
      • Sdaex.exe (PID: 3452)
      • cmd.exe (PID: 3720)
      • STEAM.exe (PID: 3004)
      • cmd.exe (PID: 272)
      • DllHost.exe (PID: 3684)
    • Creates a directory in Program Files

      • Sdaex.exe (PID: 3452)
      • Sdaex.exe (PID: 1740)
    • Drops a file that was compiled in debug mode

      • SteamDesktopAuthenticator.exe (PID: 2824)
    • Starts itself from another location

      • Sdaex.exe (PID: 3452)
    • Starts CMD.EXE for commands execution

      • Sdaex.exe (PID: 3452)
      • BBrowser.exe (PID: 1000)
      • WScript.exe (PID: 1708)
    • Creates files in the user directory

      • Sdaex.exe (PID: 3452)
    • Executed via COM

      • DllHost.exe (PID: 3684)
    • Executes scripts

      • STEAM.exe (PID: 3004)
    • Drops a file with a compile date too recent

      • STEAM.exe (PID: 3004)
    • Creates files in the Windows directory

      • pkgmgr.exe (PID: 2424)
      • makecab.exe (PID: 2468)
    • Executes PowerShell scripts

      • BBrowser.exe (PID: 2472)
    • Reads Environment values

      • runtimeCrtDhcpwinCommon.exe (PID: 1340)
  • INFO

    • Reads the computer name

      • DllHost.exe (PID: 3684)
      • dism.exe (PID: 2852)
      • dism.exe (PID: 2296)
    • Checks supported languages

      • DllHost.exe (PID: 3684)
      • pkgmgr.exe (PID: 2424)
      • makecab.exe (PID: 2468)
      • dism.exe (PID: 2852)
      • pkgmgr.exe (PID: 4012)
      • makecab.exe (PID: 3648)
      • dism.exe (PID: 2296)
    • Checks Windows Trust Settings

      • WScript.exe (PID: 1708)
      • powershell.exe (PID: 3852)
    • Reads settings of System Certificates

      • powershell.exe (PID: 3852)
    • Manual execution by user

      • BBrowser.exe (PID: 276)
      • BBrowser.exe (PID: 3028)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1ea80
UninitializedDataSize: -
InitializedDataSize: 82944
CodeSize: 200704
LinkerVersion: 14
PEType: PE32
TimeStamp: 2020:06:25 12:38:24+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Jun-2020 10:38:24
Detected languages:
  • Process Default Language
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 25-Jun-2020 10:38:24
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00030F2A
0x00031000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.70442
.rdata
0x00032000
0x0000A5F2
0x0000A600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.2593
.data
0x0003D000
0x00023720
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.70568
.didat
0x00061000
0x00000188
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.29951
.rsrc
0x00062000
0x00006670
0x00006800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.47251
.reloc
0x00069000
0x00002264
0x00002400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.55675

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.25329
1875
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
7
3.66634
508
Latin 1 / Western European
UNKNOWN
RT_STRING
8
3.71728
582
Latin 1 / Western European
UNKNOWN
RT_STRING
9
3.73856
422
Latin 1 / Western European
UNKNOWN
RT_STRING
10
3.55807
220
Latin 1 / Western European
UNKNOWN
RT_STRING
11
3.89762
1124
Latin 1 / Western European
UNKNOWN
RT_STRING
12
3.68258
356
Latin 1 / Western European
UNKNOWN
RT_STRING
13
3.61824
272
Latin 1 / Western European
UNKNOWN
RT_STRING
14
3.61995
344
Latin 1 / Western European
UNKNOWN
RT_STRING
15
3.4037
232
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
71
Monitored processes
25
Malicious processes
5
Suspicious processes
5

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start start drop and start inject steamdesktopauthenticator.exe #AVEMARIA sdaex.exe cmd.exe #AVEMARIA bbrowser.exe steam.exe no specs steam.exe wscript.exe no specs Copy/Move/Rename/Delete/Link Object pkgmgr.exe no specs pkgmgr.exe makecab.exe no specs dism.exe no specs sdaex.exe no specs cmd.exe pkgmgr.exe no specs pkgmgr.exe makecab.exe no specs dism.exe no specs #AVEMARIA bbrowser.exe explorer.exe powershell.exe no specs cmd.exe no specs runtimecrtdhcpwincommon.exe no specs bbrowser.exe no specs bbrowser.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2824"C:\Users\admin\AppData\Local\Temp\SteamDesktopAuthenticator.exe" C:\Users\admin\AppData\Local\Temp\SteamDesktopAuthenticator.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\steamdesktopauthenticator.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3452"C:\Users\admin\AppData\Local\Temp\RarSFX0\Sdaex.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\Sdaex.exe
SteamDesktopAuthenticator.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\sdaex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gdi32.dll
3720"C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe
Sdaex.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
1000"C:\Users\admin\AppData\Roaming\BBrowser.exe"C:\Users\admin\AppData\Roaming\BBrowser.exe
Sdaex.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\bbrowser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
3044"C:\Users\admin\AppData\Local\Temp\RarSFX0\STEAM.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\STEAM.exeSteamDesktopAuthenticator.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\steam.exe
c:\windows\system32\ntdll.dll
3004"C:\Users\admin\AppData\Local\Temp\RarSFX0\STEAM.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\STEAM.exe
SteamDesktopAuthenticator.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\steam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1708"C:\Windows\System32\WScript.exe" "C:\runtimeCrtDhcp\P9gyGMWaVKkpMztjrXqxZIEFLjz.vbe" C:\Windows\System32\WScript.exeSTEAM.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft � Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\wscript.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3684C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3384"C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xmlC:\Windows\system32\pkgmgr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Package Manager
Exit code:
3221226540
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\pkgmgr.exe
c:\windows\system32\ntdll.dll
2424"C:\Windows\system32\pkgmgr.exe" /n:%temp%\ellocnak.xmlC:\Windows\system32\pkgmgr.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Package Manager
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\pkgmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
7 483
Read events
7 383
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
13
Text files
4
Unknown types
2

Dropped files

PID
Process
Filename
Type
2424pkgmgr.exeC:\Windows\Logs\CBS\CbsPersist_20220124160335.log
MD5:
SHA256:
3004STEAM.exeC:\runtimeCrtDhcp\lBaELawyhQPdp.battext
MD5:B4679312EA0691EA12C7BAFC939048E2
SHA256:152163F34C77C68C01A2151340A3D0F43AE8C445A9AEC0E3D74E2D6A8534FF7E
3004STEAM.exeC:\runtimeCrtDhcp\P9gyGMWaVKkpMztjrXqxZIEFLjz.vbevbe
MD5:9CE829538043031472904BFD0A9E8354
SHA256:B33031E9B47A1ABED337C55736FF59AD4EC2ACC9AB3D2D4D520E6E692D24F8E4
2424pkgmgr.exeC:\Windows\Logs\CBS\CBS.logtext
MD5:23114C2A2A3F1965B36B306D8261FF2C
SHA256:3003AFB4E7004158B02CAA793FAD9B6D6C657DF59382E1F470AC59B3EC7132F3
2468makecab.exeC:\Users\admin\AppData\Local\Temp\cab_2468_3binary
MD5:07001E8C9A009EA73F8BE85F4FED631B
SHA256:6A2BD78C091A3184F7183020ED342AA775F0A24218D8E104D074607DBBFDAE87
1340runtimeCrtDhcpwinCommon.exeC:\Windows\System32\drivers\etc\hoststext
MD5:C719EFC4E66B155D1E302007373B5B31
SHA256:FAFC2B9EA317A634382175A7563358025F55F2BEF734F4EF32531C46143C66D6
3004STEAM.exeC:\runtimeCrtDhcp\runtimeCrtDhcpwinCommon.exeexecutable
MD5:2523C6DBFE106C2A36F9B635E11AE06D
SHA256:87103298FEDD9D092F758E31C21E32D396803BEA14C3A537AFB32C213930DE92
2824SteamDesktopAuthenticator.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Sdaex.exeexecutable
MD5:AB6A77FD0BE3B476CF57949FC549A29C
SHA256:0C317992F58B6E7B666033B76ABE4F9ED8B4A4D1D7EEF3C0014638C65C841501
2824SteamDesktopAuthenticator.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\STEAM.exeexecutable
MD5:20E3E005C9F7CE9DA2E1E07027880F93
SHA256:9CC23D4D67F32AC1E10D22BD9B3CFF78CC27371B0204F22AB5B0AA28910261B3
3452Sdaex.exeC:\Users\admin\AppData\Roaming\BBrowser.exeexecutable
MD5:AB6A77FD0BE3B476CF57949FC549A29C
SHA256:0C317992F58B6E7B666033B76ABE4F9ED8B4A4D1D7EEF3C0014638C65C841501
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2472
BBrowser.exe
118.194.226.38:5200
Sinoycloud Limited
CN
malicious
1000
BBrowser.exe
118.194.226.38:5200
Sinoycloud Limited
CN
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
1000
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
2472
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
2472
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
2472
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
2472
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
2472
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
2472
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
2472
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
1000
BBrowser.exe
A Network Trojan was detected
AV TROJAN Ave Maria RAT CnC Response
9 ETPRO signatures available at the full report
No debug info