File name: 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe

Full analysis: https://app.any.run/tasks/c028f064-6203-45b2-b534-290e77759b48
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: September 30, 2020, 11:53:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
stealer
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3F6E8330D2FEE900C0F62733DD93D9D0
SHA1: 3BA73E5B26AA98A99C5ED5FC98807E708C259FF9
SHA256: 632315695BF3D61C6249DDF215DF529AA5459840E1AD75A388C6AF06F7ACC99C
SSDEEP: 49152:elBy2uIIBYAU8XF97A8tDTsCKP5RixHcZgCP/8aroBsUsro9H7J7Q:CB5u+Az/88tDTcRYxHcZgy/m2CN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes settings of System certificates
      • 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe (PID: 2724)
    • Stealing of credential data
      • 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe (PID: 2724)
    • Actions looks like stealing of personal data
      • 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe (PID: 2724)
  • SUSPICIOUS
    • Changes tracing settings of the file or console
      • 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe (PID: 2724)
    • Searches for installed software
      • 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe (PID: 2724)
    • Creates files in the user directory
      • 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe (PID: 2724)
    • Checks for external IP
      • 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe (PID: 2724)
    • Reads the cookies of Google Chrome
      • 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe (PID: 2724)
  • INFO
    No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

AssemblyVersion: 2.0.0.0
ProductVersion: 2.0.0.0
ProductName: Intel plugin
OriginalFileName: Echelon.exe
LegalTrademarks: adfgag
LegalCopyright: Intel © 2020 Control plugin
InternalName: Echelon.exe
FileVersion: 2.0.0.0
FileDescription: Intel plugin
CompanyName: Intel plugin
Comments: Intel plugin
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.0.0.0
FileVersionNumber: 2.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x3ba000
UninitializedDataSize: -
InitializedDataSize: 2560
CodeSize: 1185792
LinkerVersion: 8
PEType: PE32
TimeStamp: 2020:09:28 13:36:07+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 28-Sep-2020 11:36:07
Comments: Intel plugin
CompanyName: Intel plugin
FileDescription: Intel plugin
FileVersion: 2.0.0.0
InternalName: Echelon.exe
LegalCopyright: Intel © 2020 Control plugin
LegalTrademarks: adfgag
OriginalFilename: Echelon.exe
ProductName: Intel plugin
ProductVersion: 2.0.0.0
Assembly Version: 2.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x867A
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 28-Sep-2020 11:36:07
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
|  | 0x00002000 | 0x00122000 | 0x00122000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.7762 |
| .rsrc | 0x00124000 | 0x00000602 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.41069 |
| .idata | 0x00126000 | 0x00002000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.29928 |
| bcbkgyop | 0x00128000 | 0x00292000 | 0x00290C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.48615 |
| qeypxhra | 0x003BA000 | 0x00002000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.40759 |

Resources

| Title | Entropy | Size | Codepage | Language | Type |
| 1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |

Imports

comctl32.dll
kernel32.dll
No data.
Total processes: 37
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe

Process information

| PID | CMD | Path | Indicators | Parent process |
| 2724 | "C:\Users\admin\Desktop\632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe" | C:\Users\admin\Desktop\632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe |  | explorer.exe |

User: admin
Company: Intel plugin
Integrity Level: MEDIUM
Description: Intel plugin
Exit code: 0
Version: 2.0.0.0
Total events: 64
Read events: 41
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 16
Unknown types: 6

Dropped files

| PID | Process | Filename | Type |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | C:\Users\admin\AppData\Roaming\BZPXFFJVBVHBLVwuL178BFBFF000506E37CD9E0E669\DotNetZip-gnaxx1oc.tmp |  |
MD5:
SHA256:
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-09-30T11_54_00.0553750+00_001818 | sqlite |
MD5: 6624BB001B05AE955BB5DF0503F672FB
SHA256: E503BD51B1695FF5500ABEB20AE973A507343CB1982F5107B37D30E20BD3258E
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | C:\Users\admin\AppData\Roaming\BZPXFFJVBVHBLVwuL178BFBFF000506E37CD9E0E669\69178BFBFF000506E37CD9E0E6BZPXFFJVBVHBLVwuL\Programms.txt | text |
MD5: 5D03AA591E2C41D82ADBD8727D45BB50
SHA256: 2FAC2515DA02F12417607FD8A31B6A01B39618C36D5778936FC48669F9062B62
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | C:\Users\admin\AppData\Roaming\BZPXFFJVBVHBLVwuL178BFBFF000506E37CD9E0E669\69178BFBFF000506E37CD9E0E6BZPXFFJVBVHBLVwuL\Browsers\Cookies\Cookies_Mozilla.txt | text |
MD5: 7312EBCD2E68824524D342F08061C2C1
SHA256: A392CB62991E0C972B23DC38C7FC1A39C5B28D0177793CAA5FAA7F0343D4328D
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | C:\Users\admin\AppData\Roaming\BZPXFFJVBVHBLVwuL178BFBFF000506E37CD9E0E669\69178BFBFF000506E37CD9E0E6BZPXFFJVBVHBLVwuL\Browsers\Passwords\Passwords_Mozilla.txt | text |
MD5: 59B58BB51996A7E817F1A089ABB93BD5
SHA256: 067DB87BC566A66E9C08F269A7F3E4A38B7F7CC60FAF63B320757FCE63423E56
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | C:\Users\admin\AppData\Roaming\BZPXFFJVBVHBLVwuL178BFBFF000506E37CD9E0E669\69178BFBFF000506E37CD9E0E6BZPXFFJVBVHBLVwuL\Browsers\Passwords\ChromiumV2.txt | text |
MD5: 022AA0FBB881C36D5326B30F1A01624D
SHA256: 07B1A1C3551B7DFB565FCCBF35E5B5F0FB0BBC8583620555884C5AF1CD0BACFA
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | C:\Users\admin\AppData\Roaming\BZPXFFJVBVHBLVwuL178BFBFF000506E37CD9E0E669\69178BFBFF000506E37CD9E0E6BZPXFFJVBVHBLVwuL\Processes.txt | text |
MD5: F2DEADA3AAD754C27079146EA37D610B
SHA256: B9988ECF9BE651912BFBD3A8762669E5E18E97C3A694CB8421755E5DF1ECBD22
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | C:\Users\admin\AppData\Local\178BFBFF000506E37CD9E0E6 | text |
MD5: 4C6C227B17BFFF26A1B6536359CB914E
SHA256: C2DBA47E4FFD34B441C6CA70ED00E9C78EDD0F914B6B8D933D3E3208F5C9A2D5
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | C:\Users\admin\AppData\Roaming\BZPXFFJVBVHBLVwuL178BFBFF000506E37CD9E0E669\admin_USER-PC[DE].zip | compressed |
MD5: 416C4262BC22B684466B3F1CA307BF6E
SHA256: 916F4A820FBC9161A9F7C804B1C67410D576D8024B32B10A18621E1E72529507
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | C:\Users\admin\AppData\Roaming\BZPXFFJVBVHBLVwuL178BFBFF000506E37CD9E0E669\69178BFBFF000506E37CD9E0E6BZPXFFJVBVHBLVwuL\System_Information.txt | text |
MD5: C5CFE713BA59C2E8F600355E88D93B78
SHA256: 1286F301971E32B4D9AFF3B58C7B6BEB0F3C3BA81849072572BC060A243A5986
HTTP(S) requests: 4
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 448 b | shared |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 448 b | shared |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | POST | 200 | 185.206.26.41:80 | http://gfs208n131.userstorage.mega.co.nz/ul/8mU2kZeDFXKbbgKZuvHEfnLayZUPNiNThcJh0Q29x6hov5rkfiDr1wU9ujmIlxfKoMp5VQ5nzVX1Z58GKekAaA/0 | DE | text | 36 b | suspicious |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 448 b | shared |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | 208.95.112.1:80 | ip-api.com | IBURST |  | malicious |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | 185.206.26.41:80 | gfs208n131.userstorage.mega.co.nz |  | DE | suspicious |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | 184.73.247.141:443 | api.ipify.org | Amazon.com, Inc. | US | suspicious |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | 66.203.125.11:443 | g.api.mega.co.nz | RealNetworks, Inc. | US | unknown |

DNS requests

| Domain | IP | Reputation |
| api.ipify.org | 184.73.247.141, 54.235.169.38, 54.227.255.202, 54.235.83.248, 174.129.214.20, 54.235.98.120, 54.225.66.103, 50.19.252.36 | shared |
| ip-api.com | 208.95.112.1 | shared |
| g.api.mega.co.nz | 66.203.125.11, 66.203.125.12, 66.203.125.15, 66.203.125.14, 66.203.125.13 | shared |
| gfs208n131.userstorage.mega.co.nz | 185.206.26.41 | suspicious |

Threats

| PID | Process | Class | Message |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | Potential Corporate Privacy Violation | ET POLICY HTTP POST to MEGA Userstorage |
| 2724 | 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | A Network Trojan was detected | STEALER [PTsecurity] Agensla.gen |
| Process | Message |
| 632315695bf3d61c6249ddf215df529aa5459840e1ad75a388c6af06f7acc99c.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------ |