File name: Realterm_3.0.1.44_setup.exe

Full analysis: https://app.any.run/tasks/f46a205c-b42c-4df7-8d4a-232a0d91e016
Verdict: Malicious activity
Analysis date: February 26, 2024, 03:32:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 886E8F77E860744E9AF6DA1EF77314BB
SHA1: C7FB9A748ED8FD6B0D92027DD9C0373715972F04
SHA256: 67275D8330156546DBFF495259053705AB41E6E0F03CE07E4000F34E4BBAA5A2
SSDEEP: 98304:P66BHFqkxqVRl9aAJ3XrVWqxDTQaGGUznPUkwfUF5aZIF8s6VoetJX02NbQw36Ql:SAFqxsuHBBb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
    • Reads security settings of Internet Explorer

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
      • realterm.exe (PID: 120)
    • The process creates files with name similar to system file names

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
    • Start notepad (likely ransomware note)

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
    • Reads the Internet Settings

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
      • realterm.exe (PID: 120)
    • Creates a software uninstall entry

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
    • Checks Windows Trust Settings

      • realterm.exe (PID: 120)
    • Executable content was dropped or overwritten

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
    • Reads settings of System Certificates

      • realterm.exe (PID: 120)
    • Adds/modifies Windows certificates

      • realterm.exe (PID: 120)
  • INFO

    • Checks supported languages

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
      • realterm.exe (PID: 3464)
      • realterm.exe (PID: 120)
    • Reads the computer name

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
      • realterm.exe (PID: 3464)
      • realterm.exe (PID: 120)
    • Creates files in the program directory

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
    • Creates files or folders in the user directory

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
    • Create files in a temporary directory

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
      • realterm.exe (PID: 120)
    • Reads Environment values

      • Realterm_3.0.1.44_setup.exe (PID: 2036)
    • Reads the machine GUID from the registry

      • realterm.exe (PID: 120)
    • Reads the software policy settings

      • realterm.exe (PID: 120)
    • Reads CPU info

      • realterm.exe (PID: 120)
    • Checks proxy server information

      • realterm.exe (PID: 120)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 22:50:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x323c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 45
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process tree (parent/child relations taken from the Process information section below):
  • start → realterm_3.0.1.44_setup.exe
    • realterm.exe (no specs)
    • realterm.exe
    • notepad.exe (no specs)
  • realterm_3.0.1.44_setup.exe (no specs)

Process information

PID: 120
CMD: "C:\Program Files\BEL\Realterm\realterm.exe" install
Path: C:\Program Files\BEL\Realterm\realterm.exe
Parent process: Realterm_3.0.1.44_setup.exe
User: admin
Company: Broadcast Equipment Ltd
Integrity Level: HIGH
Description: Realterm Serial Terminal Program
Exit code: 0
Version: 3.0.1.44
Modules (images):
  • c:\program files\bel\realterm\realterm.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 2036
CMD: "C:\Users\admin\AppData\Local\Temp\Realterm_3.0.1.44_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Realterm_3.0.1.44_setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\realterm_3.0.1.44_setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll

PID: 2124
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\BEL\Realterm\Readme.txt
Path: C:\Windows\System32\notepad.exe
Parent process: Realterm_3.0.1.44_setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\notepad.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 3464
CMD: "C:\Program Files\BEL\Realterm\realterm.exe" /regserver
Path: C:\Program Files\BEL\Realterm\realterm.exe
Parent process: Realterm_3.0.1.44_setup.exe
User: admin
Company: Broadcast Equipment Ltd
Integrity Level: HIGH
Description: Realterm Serial Terminal Program
Exit code: 0
Version: 3.0.1.44
Modules (images):
  • c:\program files\bel\realterm\realterm.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll

PID: 3668
CMD: "C:\Users\admin\AppData\Local\Temp\Realterm_3.0.1.44_setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Realterm_3.0.1.44_setup.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  • c:\users\admin\appdata\local\temp\realterm_3.0.1.44_setup.exe
  • c:\windows\system32\ntdll.dll
Total events: 9 313
Read events: 9 226
Write events: 72
Delete events: 15

Modification events

(PID) Process: (2036) Realterm_3.0.1.44_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2036) Realterm_3.0.1.44_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2036) Realterm_3.0.1.44_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2036) Realterm_3.0.1.44_setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3464) realterm.exe
Key: HKEY_CURRENT_USER\Software\BEL\Realterm
Operation: write
Name: Last Update Check
Value: FEA3D2B98424E640

(PID) Process: (3464) realterm.exe
Key: HKEY_CURRENT_USER\Software\BEL\Realterm
Operation: write
Name: Block Update Checks
Value: 0

(PID) Process: (3464) realterm.exe
Key: HKEY_CURRENT_USER\Software\BEL\Realterm
Operation: write
Name: Run Count
Value: 0

(PID) Process: (3464) realterm.exe
Key: HKEY_CURRENT_USER\Software\BEL\Realterm
Operation: write
Name: Run Days
Value: 0000000000000000

(PID) Process: (3464) realterm.exe
Key: HKEY_CURRENT_USER\Software\BEL\Realterm
Operation: write
Name: Latest Version
Value:

(PID) Process: (3464) realterm.exe
Key: HKEY_CURRENT_USER\Software\BEL\Realterm
Operation: write
Name: IT Version
Value:

Executable files: 14
Suspicious files: 19
Text files: 57
Unknown types: 1

Dropped files

PID: 2036
Process: Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Roaming\Realterm\realterm_defaultXX.ini
Type: text
MD5: 8343C7B7E804AFE3E50A636C3D8B4FB9
SHA256: 76306A945C4DA625284B8831108AD5D6FE181E4E260BD5E6AFCBFBC05758B05C

PID: 2036
Process: Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscF908.tmp\modern-wizard.bmp
Type: image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2

PID: 2036
Process: Realterm_3.0.1.44_setup.exe
Filename: C:\Program Files\BEL\Realterm\realterm.exe
Type: executable
MD5: CB760B5C22BB24E0AD080C4D78E21E3D
SHA256: 6B01E516DA366150A495B4B529F5795DB002461160E794CB87520722FC2B774C

PID: 2036
Process: Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Roaming\Realterm\realterm_macro1.ini
Type: text
MD5: A8545311BD9282FAE3FC6BDD1FAF0BF0
SHA256: B79AAC5E6F93A97190B804587414E966DA81B35DCD77743CC9DE74718F86F8D1

PID: 2036
Process: Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nscF908.tmp\nsDialogs.dll
Type: executable
MD5: C10E04DD4AD4277D5ADC951BB331C777
SHA256: E31AD6C6E82E603378CB6B80E67D0E0DCD9CF384E1199AC5A65CB4935680021A

PID: 2036
Process: Realterm_3.0.1.44_setup.exe
Filename: C:\Program Files\BEL\Realterm\Readme.txt
Type: text
MD5: EB69399CDC9B9F1367996E2DCE5E78C6
SHA256: 6A8E6F01D2A0D60FD2284FCFC95C14B4434295D53E979A51CCC772700BF91673

PID: 2036
Process: Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Roaming\Realterm\realterm_macro2.ini
Type: text
MD5: 767CAFDBAF2C833A986B06F44ED105E5
SHA256: 3D98D45172AA307DF002D799330DED0B706D76BCBC2882D218034D2E82A37A16

PID: 2036
Process: Realterm_3.0.1.44_setup.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Realterm\Realterm I2C.lnk
Type: binary
MD5: A7F1243229134B65F6F4EC058557C8B4
SHA256: B654BC9C39B504517BC6F7769F9C781CB3F54B35F1040E380F57D1FC6F1DA171

PID: 2036
Process: Realterm_3.0.1.44_setup.exe
Filename: C:\Program Files\BEL\Realterm\change_log.txt
Type: text
MD5: F0246E80D45BEFF0A9D55C910515A0F6
SHA256: 3EFDBEF559E204AFE02BCAC38C876EBF2C2E9E7AF1D7AE681F1CF16ADEEB225A

PID: 2036
Process: Realterm_3.0.1.44_setup.exe
Filename: C:\Program Files\BEL\Realterm\ThisVersionNumber.txt
Type: text
MD5: 80E4F08215523D2351EE5E7618CBA119
SHA256: A90CA00B4DB53BEDCA063D7DB17B246F97526C0AB76F350E00398F54A9D78609
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 2
Threats: 0

HTTP requests

PID: 120
Process: realterm.exe
Method: GET
HTTP Code: 200
IP: 87.248.205.0:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f25cf4c87ca694ad
CN: unknown
Type: compressed
Size: 65.2 Kb
Reputation: unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
120 | realterm.exe | 87.248.205.0:80 | ctldl.windowsupdate.com | LLNW | US | unknown
120 | realterm.exe | 96.126.99.234:443 | appanalytics.embarcadero.com | Linode, LLC | US | unknown

DNS requests

Domain | IP | Reputation
ctldl.windowsupdate.com | 87.248.205.0 | whitelisted
appanalytics.embarcadero.com | 96.126.99.234 | unknown

Threats

No threats detected
No debug info