Field | Value
---|---
File name | mHotspot_setup_latest_2.exe
Full analysis | https://app.any.run/tasks/0c02f848-be87-4025-92f1-e4360703edca
Verdict | Malicious activity
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Analysis date | April 27, 2019, 05:01:28
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-dosexec
File info | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | 67303E6191E0D251D7FBACE129E7BA62
SHA1 | 1F6890B0CF4D6497C3A352E8ED033D44B8396D4A
SHA256 | 4E8BC297E8BBB7F2D818B55234A82E198667AA25D2C69785D121396108A7D08C
SSDEEP | 24576:XG50ZfFK84agNXQ1g5JruMCapWPTFHic3wxqhade3e6FMoAmEkeEzFvlqOoP54jS:XG5UfgnZ5XWapKTX3phade3Fj3E6zF7Y

Extension | Identified type
---|---
.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

Field | Value
---|---
ProductName | mHotspot
OriginalFileName | -
LegalCopyright | -
InternalName | -
FileDescription | mHotspot Setup
CompanyName | 1BN Software & IT Solutions Pvt. Ltd.
ProductVersion | 7.8.8.9
FileVersion | 7.8.8.9
CharacterSet | Unicode
LanguageCode | English (U.S.)
FileSubtype | -
ObjectFileType | Executable application
FileOS | Windows NT 32-bit
FileFlags | (none)
FileFlagsMask | 0x003f
ProductVersionNumber | 7.8.8.9
FileVersionNumber | 7.8.8.9
Subsystem | Windows GUI
SubsystemVersion | 4
ImageVersion | -
OSVersion | 4
EntryPoint | 0x148d4
UninitializedDataSize | -
InitializedDataSize | 83968
CodeSize | 104448
LinkerVersion | 6
PEType | PE32
TimeStamp | 2011:04:18 20:54:06+02:00
MachineType | Intel 386 or later, and compatibles

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2592 | "C:\Users\admin\AppData\Local\Temp\mHotspot_setup_latest_2.exe" | C:\Users\admin\AppData\Local\Temp\mHotspot_setup_latest_2.exe | — | explorer.exe
 | User: admin; Company: 1BN Software & IT Solutions Pvt. Ltd.; Integrity Level: MEDIUM; Description: mHotspot Setup; Exit code: 3221226540; Version: 7.8.8.9 | | | 
2408 | "C:\Users\admin\AppData\Local\Temp\mHotspot_setup_latest_2.exe" | C:\Users\admin\AppData\Local\Temp\mHotspot_setup_latest_2.exe | — | explorer.exe
 | User: admin; Company: 1BN Software & IT Solutions Pvt. Ltd.; Integrity Level: HIGH; Description: mHotspot Setup; Exit code: 0; Version: 7.8.8.9 | | | 
948 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\installer.exe | — | mHotspot_setup_latest_2.exe
 | User: admin; Company: adaware; Integrity Level: HIGH; Description: mHotspot Setup; Exit code: 0; Version: 2.7.2.1576 | | | 
1740 | C:\Users\admin\AppData\Local\Temp\7zS86999411\GenericSetup.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\GenericSetup.exe | — | installer.exe
 | User: admin; Company: adaware; Integrity Level: HIGH; Description: mHotspot Setup; Exit code: 0; Version: 2.7.2.1576 | | | 
3976 | "C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\7zS86999411\Carrier.exe" /VERYSILENT /DIR="C:\Program Files\mHotspot" /GROUP="mHotspot" " | C:\Windows\system32\cmd.exe | — | GenericSetup.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | 
3932 | "C:\Users\admin\AppData\Local\Temp\7zS86999411\Carrier.exe" /VERYSILENT /DIR="C:\Program Files\mHotspot" /GROUP="mHotspot" | C:\Users\admin\AppData\Local\Temp\7zS86999411\Carrier.exe | — | cmd.exe
 | User: admin; Company: 1BN Software & IT Solutions Pvt. Ltd.; Integrity Level: HIGH; Description: mHotspot Setup; Exit code: 0; Version: 7.8.8.9 | | | 
2828 | "C:\Users\admin\AppData\Local\Temp\is-F9MM5.tmp\Carrier.tmp" /SL5="$102B4,278796,56832,C:\Users\admin\AppData\Local\Temp\7zS86999411\Carrier.exe" /VERYSILENT /DIR="C:\Program Files\mHotspot" /GROUP="mHotspot" | C:\Users\admin\AppData\Local\Temp\is-F9MM5.tmp\Carrier.tmp | — | Carrier.exe
 | User: admin; Integrity Level: HIGH; Description: Setup/Uninstall; Exit code: 0; Version: 51.52.0.0 | | | 
3700 | "C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\wwqbmdhq.ctz.exe" --dealId=3DG6OyV --campaignId=h200818" | C:\Windows\system32\cmd.exe | — | GenericSetup.exe
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | 
1972 | "C:\Users\admin\AppData\Local\Temp\wwqbmdhq.ctz.exe" --dealId=3DG6OyV --campaignId=h200818 | C:\Users\admin\AppData\Local\Temp\wwqbmdhq.ctz.exe | — | cmd.exe
 | User: admin; Integrity Level: HIGH; Description: XRewardSDK; Exit code: 0; Version: 1.0.0.0 | | | 
3120 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | Carrier.tmp
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | 

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2408 | mHotspot_setup_latest_2.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\GenericSetup.exe | executable | 93DD8ED10D8A096255C73F93F8A5893B | 52E054CF6079584A875A63C6DA060EF31ED1ACCF5E596B7833F6D692D597E28C
2408 | mHotspot_setup_latest_2.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\it\DevLib.resources.dll | executable | CFE49BBD64B4EE1793D9DBED4FEF3470 | 10DD3F30A8A527B63D83DF450EAED7FD8B9B5619CB07D5CD448F9D0A7B64B2F8
2408 | mHotspot_setup_latest_2.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\en\DevLib.resources.dll | executable | 1DDE7D32EB87B5EAC33BE5BD2930270F | 3B3216E27F5813CAC1AAA7F901E16E354624B91355B982D4C0BBD4ECCC32CCF5
2408 | mHotspot_setup_latest_2.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\DevLib.dll | executable | A0D1EB07731F50059040D1868E42E3DC | 2C010964509765586BB036034E0A0B63FD561EF3CA24328B0F6E3AAD39F9D03C
2408 | mHotspot_setup_latest_2.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\pt\DevLib.resources.dll | executable | ACAE5D9AD6659EF4E7A37D86E03CB679 | 3CB89DB8C8F861E956971D0C3E836DEEDCDC1DEA069C9C15644D7E2354A84C05
2408 | mHotspot_setup_latest_2.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\Microsoft.Win32.TaskScheduler.dll | executable | DD7F40BFA1B5D88C1B95A896ADE39909 | 6D3AB13D023628F12B8DFDAE5137131048CDD80CA1B8ED40C90C7CA6B6530C63
1740 | GenericSetup.exe | C:\Users\admin\AppData\Local\Temp\mHotspot.log | text | CBB004057726BF047B562E42436C6FBB | 6AA3D76BAF7ACD2E2FE0EAA640AA9EA8CB6BC0C56B13BD321D92AFA7F49826FE
2408 | mHotspot_setup_latest_2.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\es\DevLib.resources.dll | executable | 6A8E6344DFD017C9D6361A8C84DEB383 | 9B09255026A9DC5556E0CA8EB7631E354E093FF72A2460B2FBBDF565F38E9D57
2408 | mHotspot_setup_latest_2.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\ru\DevLib.resources.dll | executable | CA2507B3CC8E898B4FD8C0483457E9DC | FF8AE806A00CD50B17252B40E36C01968874B34D0FE37058BAD396DA97340998
948 | installer.exe | C:\Users\admin\AppData\Local\Temp\7zS86999411\GenericSetup.exe.config | xml | 84DE2583B776B336964D80697D3352BF | 39F8D720A6AC4722A62681EBA0BBFE7CC5E04DD676ECC0F10001185CF22D832B

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
1740 | GenericSetup.exe | GET | 200 | 104.17.178.102:80 | http://rt.webcompanion.com/notifications/download/rt/Installer/SpareioSDK.exe | US | executable | 44.6 Kb | malicious |
1972 | wwqbmdhq.ctz.exe | GET | 200 | 8.248.131.254:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.6 Kb | whitelisted |
2920 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
1972 | wwqbmdhq.ctz.exe | GET | 200 | 8.248.131.254:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/8CF427FD790C3AD166068DE81E57EFBB932272D4.crt | US | der | 1.06 Kb | whitelisted |
948 | installer.exe | POST | 200 | 104.17.61.19:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart | US | text | 29 b | whitelisted |
2452 | iexplore.exe | GET | 301 | 68.183.82.64:80 | http://mhotspot.com/scripts/go_thankyou.html | US | html | 331 b | malicious |
2920 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
2920 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
2920 | WebCompanionInstaller.exe | POST | 200 | 64.18.87.81:80 | http://wc-tracking.lavasoft.com/Install.asmx | CA | xml | 294 b | whitelisted |
1740 | GenericSetup.exe | GET | 200 | 104.17.177.102:80 | http://webcompanion.com/nano_download.php?partner=MH170601 | US | executable | 347 Kb | malicious |

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
948 | installer.exe | 104.17.61.19:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
2920 | WebCompanionInstaller.exe | 64.18.87.82:80 | wc-tracking.lavasoft.com | COGECODATA | CA | unknown |
1740 | GenericSetup.exe | 104.17.60.19:443 | flow.lavasoft.com | Cloudflare Inc | US | shared |
1740 | GenericSetup.exe | 104.16.236.79:443 | sos.adaware.com | Cloudflare Inc | US | shared |
3120 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2452 | iexplore.exe | 68.183.82.64:443 | mhotspot.com | DSL Extreme | US | unknown |
2920 | WebCompanionInstaller.exe | 64.18.87.81:80 | wc-tracking.lavasoft.com | COGECODATA | CA | unknown |
1740 | GenericSetup.exe | 104.17.178.102:80 | webcompanion.com | Cloudflare Inc | US | shared |
1972 | wwqbmdhq.ctz.exe | 35.227.19.75:80 | api.spare.io | — | US | unknown |
2920 | WebCompanionInstaller.exe | 104.17.61.19:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |

Domain | IP | Reputation
---|---|---
flow.lavasoft.com | | whitelisted
www.google.com | | whitelisted
sos.adaware.com | | whitelisted
webcompanion.com | | malicious
rt.webcompanion.com | | malicious
www.download.windowsupdate.com | | whitelisted
mhotspot.com | | malicious
www.bing.com | | whitelisted
wc-tracking.lavasoft.com | | whitelisted
wc-update-service.lavasoft.com | | whitelisted

PID | Process | Class | Message
---|---|---|---
948 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
1740 | GenericSetup.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
1740 | GenericSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1740 | GenericSetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
1740 | GenericSetup.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1740 | GenericSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1740 | GenericSetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
3956 | 0gbxa5iq.0v3.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3956 | 0gbxa5iq.0v3.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
2156 | instup.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |

Process | Message
---|---
wwqbmdhq.ctz.exe | Register
WebCompanionInstaller.exe | Detecting windows culture
wwqbmdhq.ctz.exe | Machine ID fingerPrint -- > CPU >> 1F8BFBFF000506E3<br>BIOS >> DELLDELL20110101000000.000000+000DELL - 1<br>BASE >><br>DISK >> WDC WD20EARS ATA Device(Standard disk drives)1660034144255<br>VIDEO >> 6.1.7600.16385Standard VGA Graphics Adapter<br>MAC >> 52:54:00:4A:04:AF<br>WCID >> WCID20
wwqbmdhq.ctz.exe | Machine ID hash UUID -- > 735550BB-0FAF-AAB3-C4F6-BBAC563DACB9
wwqbmdhq.ctz.exe | Getting SysInfo
wwqbmdhq.ctz.exe | cpuInfo
WebCompanionInstaller.exe | 4/27/2019 6:02:46 AM :-> Starting installer 4.6.1974.3869 with: .\WebCompanionInstaller.exe --partner=MH170601 --version=4.6.1974.3869 --prod --silent --homepage=1 --search=1 --partner=MH170601, Run as admin: True
WebCompanionInstaller.exe | Preparing for installing Web Companion
wwqbmdhq.ctz.exe | gpuInfo
wwqbmdhq.ctz.exe | uptimePct