File name:

file

Full analysis: https://app.any.run/tasks/9e2aec92-ce21-4393-8522-7f851e2ad6c8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 23, 2024, 22:22:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
stealc
loader
themida
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

D373B4B79DF48249752714876F9CA220

SHA1:

B3A700F70E22287AED6A8E218FF239B77A70B461

SHA256:

5202F99BAF32BD7C0DF659637B99CFBD53F7BD3D171ECF61529FEC4DAF7E71B4

SSDEEP:

98304:lPIr3Zw2XRx+ZtgGrqdytJoER1fwT24nNsSkVMd3qhNPj97U/dumh+63LEANsJHy:iIk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • StealC has been detected

      • file.exe (PID: 2084)

    • Actions looks like stealing of personal data

      • file.exe (PID: 2084)

    • STEALC has been detected (YARA)

      • file.exe (PID: 2084)

    • Connects to the CnC server

      • file.exe (PID: 2084)

    • Stealers network behavior

      • file.exe (PID: 2084)

    • STEALC has been detected (SURICATA)

      • file.exe (PID: 2084)

  • SUSPICIOUS

    • Reads the BIOS version

      • file.exe (PID: 2084)

    • Searches for installed software

      • file.exe (PID: 2084)

    • Reads security settings of Internet Explorer

      • file.exe (PID: 2084)

    • Windows Defender mutex has been found

      • file.exe (PID: 2084)

    • Process drops legitimate windows executable

      • file.exe (PID: 2084)

    • The process drops Mozilla's DLL files

      • file.exe (PID: 2084)

    • Executable content was dropped or overwritten

      • file.exe (PID: 2084)

    • The process drops C-runtime libraries

      • file.exe (PID: 2084)

    • Process requests binary or script from the Internet

      • file.exe (PID: 2084)

    • Contacting a server suspected of hosting an CnC

      • file.exe (PID: 2084)

    • Potential Corporate Privacy Violation

      • file.exe (PID: 2084)

    • Connects to the server without a host name

      • file.exe (PID: 2084)

  • INFO

    • Reads product name

      • file.exe (PID: 2084)

    • Checks supported languages

      • file.exe (PID: 2084)

    • Reads CPU info

      • file.exe (PID: 2084)

    • Sends debugging messages

      • file.exe (PID: 2084)

    • Reads the computer name

      • file.exe (PID: 2084)

    • Reads Environment values

      • file.exe (PID: 2084)

    • Checks proxy server information

      • file.exe (PID: 2084)

    • Creates files or folders in the user directory

      • file.exe (PID: 2084)

    • Creates files in the program directory

      • file.exe (PID: 2084)

    • Themida protector has been detected

      • file.exe (PID: 2084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Stealc

(PID) Process(2084) file.exe
C2185.215.113.37
Strings (212)INSERT_KEY_HERE
30
10
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://185.215.113.37
silence
!|
/e2b1563c6670f193.php
/0d60be0de163924d/
save
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:23 18:57:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 118272
InitializedDataSize: 2365952
UninitializedDataSize: -
EntryPoint: 0x69e000
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT file.exe

Process information

PID
CMD
Path
Indicators
Parent process
2084"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Stealc
(PID) Process(2084) file.exe
C2185.215.113.37
Strings (212)INSERT_KEY_HERE
30
10
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://185.215.113.37
silence
!|
/e2b1563c6670f193.php
/0d60be0de163924d/
save
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Total events
346
Read events
343
Write events
3
Delete events
0

Modification events

(PID) Process:(2084) file.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2084) file.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2084) file.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
12
Suspicious files
10
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2084file.exeC:\ProgramData\HDGIEBGHDAEBGDGCFIIDbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
2084file.exeC:\ProgramData\DHIJDHIDBGHJKECBFIIDAAEHJKsqlite
MD5:06AD9E737639FDC745B3B65312857109
SHA256:C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
2084file.exeC:\ProgramData\KECGDBFCBKFIDHIDHDHIECGDHC
MD5:
SHA256:
2084file.exeC:\ProgramData\EHCAEGDHbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
2084file.exeC:\ProgramData\CFCBAAEBKEGHIEBFIJJKEBAFBAbinary
MD5:0038776EBF9A0DBB1B684F8086FED757
SHA256:9CD06F52792D10BD70992DD6C9B617435725B3A5F03DE62050E8A52FAE2A709C
2084file.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\mozglue[1].dllexecutable
MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
2084file.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\freebl3[1].dllexecutable
MD5:550686C0EE48C386DFCB40199BD076AC
SHA256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
2084file.exeC:\ProgramData\freebl3.dllexecutable
MD5:550686C0EE48C386DFCB40199BD076AC
SHA256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
2084file.exeC:\ProgramData\BGIJEGCGbinary
MD5:95FFD778940E6DF4846B0B12C8DD5821
SHA256:21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F
2084file.exeC:\ProgramData\EHCAEGDHJKFHJKFIJKJEsqlite
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
24
DNS requests
14
Threats
22

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2084
file.exe
POST
200
185.215.113.37:80
http://185.215.113.37/e2b1563c6670f193.php
unknown
unknown
2084
file.exe
POST
200
185.215.113.37:80
http://185.215.113.37/e2b1563c6670f193.php
unknown
unknown
2084
file.exe
POST
200
185.215.113.37:80
http://185.215.113.37/e2b1563c6670f193.php
unknown
unknown
2084
file.exe
GET
200
185.215.113.37:80
http://185.215.113.37/
unknown
unknown
2084
file.exe
POST
200
185.215.113.37:80
http://185.215.113.37/e2b1563c6670f193.php
unknown
unknown
2120
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2084
file.exe
POST
200
185.215.113.37:80
http://185.215.113.37/e2b1563c6670f193.php
unknown
unknown
2084
file.exe
GET
200
185.215.113.37:80
http://185.215.113.37/0d60be0de163924d/sqlite3.dll
unknown
unknown
2084
file.exe
POST
200
185.215.113.37:80
http://185.215.113.37/e2b1563c6670f193.php
unknown
unknown
2084
file.exe
POST
200
185.215.113.37:80
http://185.215.113.37/e2b1563c6670f193.php
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6248
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5092
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4324
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2084
file.exe
185.215.113.37:80
1337team Limited
SC
malicious
2064
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2064
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
google.com
  • 172.217.16.142
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.71
  • 40.126.31.71
  • 20.190.159.2
  • 20.190.159.73
  • 20.190.159.68
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.23
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted

Threats

PID
Process
Class
Message
2084
file.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Stealc HTTP POST Request
2084
file.exe
Malware Command and Control Activity Detected
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
2084
file.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc Requesting plugins Config from C2
2084
file.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc Requesting browsers Config from C2
2084
file.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc Submitting System Information to C2
2084
file.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
2084
file.exe
A suspicious filename was detected
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
2084
file.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2084
file.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2084
file.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
2 ETPRO signatures available at the full report
Process
Message
file.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------