visualstudio.exe

Full analysis: https://app.any.run/tasks/052f705d-68ba-4786-bc1b-d99252dd1a2f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious programs intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various types of programs, each focused on its particular kind of data, such as files, passwords, and cryptocurrency. Stealers are also capable of spying on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 31, 2020, 03:54:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer, trojan, parasite
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C9EB67F46ADBD1A40DF3C3CBCA78E486
SHA1: 3D307A86E9177A30FA4AF6F8992C04B05DC7DFB9
SHA256: 589E6BBC874665FCAC0910487F871D72925DFB8C27F9E3E4ECCCFE64A39CC7DF
SSDEEP: 196608:D7KIzvfNexwoV6GsfAfGV+b2bpar4lrhmP/:D7KIzvfN0653Vw2bpagrh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Stealing of credential data
      • visualstudio.exe (PID: 1780)
    • Connects to CnC server
      • visualstudio.exe (PID: 1780)
    • PARASITE was detected
      • visualstudio.exe (PID: 1780)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • visualstudio.exe (PID: 1780)
    • Reads the cookies of Google Chrome
      • visualstudio.exe (PID: 1780)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 8.2.7.2
ProductName: Administered
InternalName: Administered
OriginalFileName: Administered
LegalCopyright: Copyright 2013. All rights reserved. Fanduel
Languages: English
FileDescription: Perfect Wirelessinternet Mscs
CompanyName: Fanduel
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 8.2.7.2
FileVersionNumber: 8.2.7.2
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x690eac
UninitializedDataSize: -
InitializedDataSize: 1340416
CodeSize: 1505280
LinkerVersion: 9
PEType: PE32
TimeStamp: 2020:03:30 22:08:03+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Mar-2020 20:08:03
Detected languages:
  • English - United States
CompanyName: Fanduel
FileDescription: Perfect Wirelessinternet Mscs
Languages: English
LegalCopyright: Copyright 2013. All rights reserved. Fanduel
OriginalFilename: Administered
InternalName: Administered
ProductName: Administered
ProductVersion: 8.2.7.2

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 30-Mar-2020 20:08:03
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0016F756 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0
.rdata | 0x00171000 | 0x000708EC | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0
.data | 0x001E2000 | 0x0000A37C | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.vmp0 | 0x001ED000 | 0x0048DCB1 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0
.vmp1 | 0x0067B000 | 0x0078AEC0 | 0x0078B000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.97686
.reloc | 0x00E06000 | 0x000005C4 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.2671
.rsrc | 0x00E07000 | 0x0001CFD2 | 0x0001D000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.79087

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.79597 | 346 | UNKNOWN | English - United States | RT_MANIFEST
2 | 6.47798 | 67624 | UNKNOWN | UNKNOWN | RT_ICON
3 | 6.53404 | 16936 | UNKNOWN | UNKNOWN | RT_ICON
4 | 6.5984 | 9640 | UNKNOWN | UNKNOWN | RT_ICON
5 | 6.60291 | 4264 | UNKNOWN | UNKNOWN | RT_ICON
6 | 6.45226 | 1128 | UNKNOWN | UNKNOWN | RT_ICON
_PREVIMG - 2020-03-30T231159.775 | 2.79908 | 90 | UNKNOWN | UNKNOWN | RT_GROUP_ICON

Imports

ADVAPI32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WS2_32.dll
WTSAPI32.dll
No data.
Total processes: 34
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #PARASITE visualstudio.exe

Process information

PID: 1780
CMD: "C:\Users\admin\AppData\Local\Temp\visualstudio.exe"
Path: C:\Users\admin\AppData\Local\Temp\visualstudio.exe
Parent process: explorer.exe
User: admin
Company: Fanduel
Integrity Level: MEDIUM
Description: Perfect Wirelessinternet Mscs
Exit code: 0
Total events: 85
Read events: 76
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1780 | visualstudio.exe | C:\Users\admin\Documents\rr | - | - | -
1780 | visualstudio.exe | C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\screen.jpeg | image | 42904749A544988F84912299FE038EAD | F0FAF1C62F4F37DE22CFB6957CC618E5E29492D7919494F45F26FE7D6F9A4BFE
1780 | visualstudio.exe | C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\history.log | text | 0905CC497A5C5EBC48CF9E17FECE4737 | 1DD343E6CA07EF319C665D01A4EE7368B7C032DB6D40D27192316275BB7ED320
1780 | visualstudio.exe | C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\Browsers\Google\Autofill.log | text | 63D4BEA5BF2E239193F40EFAF2A17657 | AF8965DC3ECC954D181239538809A25AC1305B3389E1D0199EBFE769252A0AFA
1780 | visualstudio.exe | C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\about.log | text | B9D30909A44AFDCDDD4D90BBD0A1C121 | 8360AAB0F7B1090863962D839C087CDAB44331F1F426CA2D14A9ECC9B0F1D010
1780 | visualstudio.exe | C:\Users\admin\Documents\t.zip | compressed | 0C153E9B7FF10960F9B4FC9943D8D821 | 54D5BB642233AF71214FB916D938EE3FBB0758743E778839FB038BBA60F11942
1780 | visualstudio.exe | C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\Grabber.zip | compressed | 76CDB2BAD9582D23C1F6F4D868218D6C | 8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
1780 | visualstudio.exe | C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\Browsers\Google\Passwords.log | text | A640963598135A0C15F430BA75B4F5F4 | 4AC31C4EB05CCB66DA83B6C9720DEA16547596BDE30112DF92FDC3A4B2F80C39
1780 | visualstudio.exe | C:\Users\admin\Documents\{e29ac6c0-7037-11de-816d-806e6f6e6963}\Browsers\passwords.log | text | A640963598135A0C15F430BA75B4F5F4 | 4AC31C4EB05CCB66DA83B6C9720DEA16547596BDE30112DF92FDC3A4B2F80C39
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1780 | visualstudio.exe | POST | 200 | 47.252.10.195:80 | http://vputin.pk/gate.php | US | - | - | malicious
1780 | visualstudio.exe | POST | 200 | 47.252.10.195:80 | http://vputin.pk/gate.php | US | - | - | malicious
1780 | visualstudio.exe | POST | 200 | 47.252.10.195:80 | http://vputin.pk/gate.php | US | text | 63 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1780 | visualstudio.exe | 47.252.10.195:80 | vputin.pk | Alibaba (China) Technology Co., Ltd. | US | malicious

DNS requests

Domain | IP | Reputation
vputin.pk | 47.252.10.195 | malicious

Threats

PID | Process | Class | Message
1780 | visualstudio.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer
1780 | visualstudio.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers
1780 | visualstudio.exe | A Network Trojan was detected | STEALER [PTsecurity] Parasite
1780 | visualstudio.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (Client)
1780 | visualstudio.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer
1780 | visualstudio.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers
1780 | visualstudio.exe | A Network Trojan was detected | STEALER [PTsecurity] Parasite
1780 | visualstudio.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (Client)
1780 | visualstudio.exe | A Network Trojan was detected | ET TROJAN Nexus Stealer CnC Data Exfil
1780 | visualstudio.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer
No debug info