analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FRST.exe

Full analysis: https://app.any.run/tasks/2543db1b-5ac9-4243-a409-73958a79ed76
Verdict: Malicious activity
Analysis date: April 01, 2023, 14:11:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

8FD530684A780174D09F112CA1CBA2E2

SHA1:

C306E0C1C408AFF070650F7D9B88ED89C279F319

SHA256:

57D68724FE795D3D7184EFD747CAAD78D9F1146C1C9E93C3043EEECA7961D520

SSDEEP:

49152:OTvC/MTQYxsWR7aDJ+F1QYX+IuJjno6BS+GBPwYixzC:GjTQYxsWR4Rw+sPbixu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • FRST.exe (PID: 3432)
    • Actions looks like stealing of personal data

      • FRST.exe (PID: 3432)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • FRST.exe (PID: 3432)
    • Starts CMD.EXE for commands execution

      • FRST.exe (PID: 3432)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2812)
    • Detected use of alternative data streams (AltDS)

      • FRST.exe (PID: 3432)
    • Reads the Internet Settings

      • FRST.exe (PID: 3432)
    • Reads settings of System Certificates

      • FRST.exe (PID: 3432)
    • Uses REG/REGEDIT.EXE to modify register

      • cmd.exe (PID: 3260)
    • Checks Windows Trust Settings

      • FRST.exe (PID: 3432)
    • Reads security settings of Internet Explorer

      • FRST.exe (PID: 3432)
  • INFO

    • Reads mouse settings

      • FRST.exe (PID: 3432)
    • Checks supported languages

      • FRST.exe (PID: 3432)
    • Reads the computer name

      • FRST.exe (PID: 3432)
    • Create files in a temporary directory

      • FRST.exe (PID: 3432)
    • The process checks LSA protection

      • FRST.exe (PID: 3432)
      • VSSVC.exe (PID: 2812)
    • Reads the machine GUID from the registry

      • FRST.exe (PID: 3432)
    • Checks proxy server information

      • FRST.exe (PID: 3432)
    • Checks Windows language

      • FRST.exe (PID: 3432)
    • Creates files or folders in the user directory

      • FRST.exe (PID: 3432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

InternalName: FRST
OriginalFileName: FRST.exe
LegalCopyright: ©Farbar
CompanyName: Farbar
ProductVersion: 25-03-2023
ProductName: FRST
FileDescription: Farbar Recovery Scan Tool
Comments: http://www.autoitscript.com/autoit3/
FileVersion: 25.3.2023.0
CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Unknown
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 25.0.0.0
FileVersionNumber: 25.3.2023.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x20577
UninitializedDataSize: -
InitializedDataSize: 1445888
CodeSize: 633856
LinkerVersion: 14.16
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2023:03:25 12:15:33+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Mar-2023 12:15:33
Detected languages:
  • English - United Kingdom
FileVersion: 25.3.2023.0
Comments: http://www.autoitscript.com/autoit3/
FileDescription: Farbar Recovery Scan Tool
ProductName: FRST
ProductVersion: 25-03-2023
CompanyName: Farbar
LegalCopyright: ©Farbar
OriginalFilename: FRST.exe
InternalName: FRST

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000120

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 25-Mar-2023 12:15:33
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0009AB1D
0x0009AC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.66827
.rdata
0x0009C000
0x0002FB82
0x0002FC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.69181
.data
0x000CC000
0x0000706C
0x00004800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.584667
.rsrc
0x000D4000
0x00125560
0x00125600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.98935
.reloc
0x001FA000
0x00007594
0x00007600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.79721

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.33896
1625
Latin 1 / Western European
English - United Kingdom
RT_MANIFEST
2
2.05883
296
Latin 1 / Western European
English - United Kingdom
RT_ICON
3
2.25499
296
Latin 1 / Western European
English - United Kingdom
RT_ICON
4
2.11977
9640
Latin 1 / Western European
English - United Kingdom
RT_ICON
7
3.34702
1428
Latin 1 / Western European
English - United Kingdom
RT_STRING
8
3.2804
1674
Latin 1 / Western European
English - United Kingdom
RT_STRING
9
3.28849
1168
Latin 1 / Western European
English - United Kingdom
RT_STRING
10
3.28373
1532
Latin 1 / Western European
English - United Kingdom
RT_STRING
11
3.26322
1628
Latin 1 / Western European
English - United Kingdom
RT_STRING
12
3.25812
1126
Latin 1 / Western European
English - United Kingdom
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.dll
MPR.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start frst.exe no specs frst.exe cmd.exe no specs cmd.exe no specs bcdedit.exe no specs vssvc.exe no specs cmd.exe no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2712"C:\Users\admin\Downloads\FRST.exe" C:\Users\admin\Downloads\FRST.exeexplorer.exe
User:
admin
Company:
Farbar
Integrity Level:
MEDIUM
Description:
Farbar Recovery Scan Tool
Exit code:
3221226540
Version:
25.3.2023.0
Modules
Images
c:\users\admin\downloads\frst.exe
c:\windows\system32\ntdll.dll
3432"C:\Users\admin\Downloads\FRST.exe" C:\Users\admin\Downloads\FRST.exe
explorer.exe
User:
admin
Company:
Farbar
Integrity Level:
HIGH
Description:
Farbar Recovery Scan Tool
Version:
25.3.2023.0
Modules
Images
c:\users\admin\downloads\frst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
3780C:\Windows\system32\cmd.exe /u /c echo 2C:\Windows\System32\cmd.exeFRST.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
4068C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCDC:\Windows\System32\cmd.exeFRST.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1580C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCDC:\Windows\System32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2812C:\Windows\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3260C:\Windows\system32\cmd.exe /c reg load hklm\k9Es0Jb8 C:\FRST\d5Mu9Gs0Ay6H\systemC:\Windows\System32\cmd.exeFRST.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3444reg load hklm\k9Es0Jb8 C:\FRST\d5Mu9Gs0Ay6H\systemC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
Total events
78 348
Read events
78 106
Write events
238
Delete events
4

Modification events

(PID) Process:(1580) bcdedit.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\BootConfigurationData\NewStoreRoot
Operation:delete keyName:(default)
Value:
(PID) Process:(1580) bcdedit.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\BootConfigurationData
Operation:delete keyName:(default)
Value:
(PID) Process:(1580) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000001\Objects\{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}\Elements\16000020
Operation:writeName:Element
Value:
01
(PID) Process:(1580) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000001\Objects\{1afa9c49-16ab-4a5c-901b-212802da9460}\Elements\14000006
Operation:writeName:Element
Value:
{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
(PID) Process:(1580) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000001\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\14000006
Operation:writeName:Element
Value:
{4636856e-540f-4170-a130-a84776f4c654}
(PID) Process:(1580) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000001\Objects\{4636856e-540f-4170-a130-a84776f4c654}\Elements\15000011
Operation:writeName:Element
Value:
0000000000000000
(PID) Process:(1580) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000001\Objects\{4636856e-540f-4170-a130-a84776f4c654}\Elements\15000013
Operation:writeName:Element
Value:
0100000000000000
(PID) Process:(1580) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000001\Objects\{4636856e-540f-4170-a130-a84776f4c654}\Elements\15000014
Operation:writeName:Element
Value:
00C2010000000000
(PID) Process:(1580) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000001\Objects\{6efb52bf-1766-41db-a6b3-0ee5eff72bd7}\Elements\14000006
Operation:writeName:Element
Value:
{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
(PID) Process:(1580) bcdedit.exeKey:HKEY_LOCAL_MACHINE\BCD00000001\Objects\{7ff607e0-4395-11db-b0de-0800200c9a66}\Elements\250000f3
Operation:writeName:Element
Value:
0000000000000000
Executable files
2
Suspicious files
16
Text files
12
Unknown types
62

Dropped files

PID
Process
Filename
Type
3432FRST.exeC:\FRST\q5Dw4Kf3\SOFTWARE
MD5:
SHA256:
3432FRST.exeC:\FRST\Hives\SOFTWARE
MD5:
SHA256:
3432FRST.exeC:\FRST\q5Dw4Kf3\SYSTEM
MD5:
SHA256:
3432FRST.exeC:\FRST\Hives\SYSTEM
MD5:
SHA256:
1580bcdedit.exeC:\FRST\Hives\BCDhiv
MD5:91E8ED84A9C69044B80474B9E4AF6294
SHA256:FD732DF59C53508F8467CF817BC7108F3E326097F6E229F8267D1FB3D13C7015
3432FRST.exeC:\FRST\q5Dw4Kf3\SOFTWARE.LOG1log
MD5:CBE1C0E5D785B962F8CBBD55483F8031
SHA256:032ED548ABFEC197334B422EBEC9278F539D242551F868DC35A3695ECB592131
3432FRST.exeC:\FRST\Hives\BCD.LOGlog
MD5:5DBA9FF3FF0CAE251AF97014712AEC83
SHA256:56F6F233088A22C0890B5CF1653ACBC72F21628AE3C437A4AE4BD51B8290BA4D
3432FRST.exeC:\FRST\q5Dw4Kf3\SAMhiv
MD5:9908825D653EAE62EA75660044CFBF53
SHA256:34A55C27A47999859B96F40E9AC2017FC8BC88D109B74651C8EC8566B7DACE06
3432FRST.exeC:\FRST\q5Dw4Kf3\SYSTEM.LOG1log
MD5:4D748CF04737851C0E8F510416C50A1C
SHA256:C0B0296553D0A2912D2FD64808DEBA73E01AF323B47DA8DF0813FF114B2E060B
3432FRST.exeC:\FRST\Hives\SAMhiv
MD5:9908825D653EAE62EA75660044CFBF53
SHA256:34A55C27A47999859B96F40E9AC2017FC8BC88D109B74651C8EC8566B7DACE06
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3432
FRST.exe
GET
200
178.79.242.11:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7a13d1bef9b50ace
DE
compressed
61.1 Kb
whitelisted
3432
FRST.exe
GET
200
2.18.233.62:80
http://www.microsoft.com/pkiops/certs/Microsoft%20Development%20Root%20Certificate%20Authority%202014.crt
unknown
der
1.51 Kb
whitelisted
3432
FRST.exe
GET
403
104.20.129.30:80
http://download.bleepingcomputer.com/farbar/up32
US
text
16 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3432
FRST.exe
104.20.129.30:80
download.bleepingcomputer.com
CLOUDFLARENET
shared
3432
FRST.exe
178.79.242.11:80
ctldl.windowsupdate.com
LLNW
DE
suspicious
3432
FRST.exe
2.18.233.62:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
download.bleepingcomputer.com
  • 104.20.129.30
  • 172.67.18.91
  • 104.20.128.30
whitelisted
ctldl.windowsupdate.com
  • 178.79.242.11
whitelisted
www.microsoft.com
  • 2.18.233.62
whitelisted

Threats

PID
Process
Class
Message
3432
FRST.exe
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
No debug info