URL: http://www.plumbytes.com/download/cuid/?tid=rwid_p00000

Full analysis: https://app.any.run/tasks/0b25f3e4-b397-4c78-8db0-b6166abdad3a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 24, 2019, 13:30:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, loader
Indicators:
MD5: FB272237645C97D5C553376D8DCBDAA4
SHA1: 48F28A6C7F1F990EDDF86FBCAFC7F270B088BC16
SHA256: 67F1CC45583ECFB089FF1E8DC279FFCEB7030860BC11212D1AA02F178DCFC96B
SSDEEP: 3:N1KJS4pdWKL2X0d/V:Cc4pdNk0FV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • antimalwaresetup.exe (PID: 1260)
      • antimalwaresetup.exe (PID: 1780)
      • paiBE5.tmp (PID: 1084)
      • AmwService.exe (PID: 3552)
      • Plumbytes.exe (PID: 3824)
      • AmwService.exe (PID: 1660)
    • Changes settings of System certificates

      • paiBE5.tmp (PID: 1084)
      • AmwService.exe (PID: 3552)
    • Downloads executable files from the Internet

      • antimalwaresetup.exe (PID: 1780)
    • Downloads executable files from IP

      • antimalwaresetup.exe (PID: 1780)
    • Loads dropped or rewritten executable

      • paiBE5.tmp (PID: 1084)
      • AmwService.exe (PID: 3552)
      • Plumbytes.exe (PID: 3824)
      • AmwService.exe (PID: 1660)
    • Changes the autorun value in the registry

      • paiBE5.tmp (PID: 1084)
    • Actions looks like stealing of personal data

      • AmwService.exe (PID: 3552)
  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 1964)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 1964)
      • antimalwaresetup.exe (PID: 1780)
      • paiBE5.tmp (PID: 1084)
    • Reads Internet Cache Settings

      • rundll32.exe (PID: 1000)
    • Starts application with an unusual extension

      • antimalwaresetup.exe (PID: 1780)
    • Uses RUNDLL32.EXE to load library

      • antimalwaresetup.exe (PID: 1780)
    • Adds / modifies Windows certificates

      • paiBE5.tmp (PID: 1084)
      • AmwService.exe (PID: 3552)
    • Executed as Windows Service

      • AmwService.exe (PID: 3552)
    • Creates files in the program directory

      • paiBE5.tmp (PID: 1084)
      • AmwService.exe (PID: 3552)
    • Creates files in the user directory

      • paiBE5.tmp (PID: 1084)
    • Creates a software uninstall entry

      • paiBE5.tmp (PID: 1084)
    • Reads Environment values

      • Plumbytes.exe (PID: 3824)
    • Creates files in the Windows directory

      • AmwService.exe (PID: 3552)
    • Reads the cookies of Google Chrome

      • AmwService.exe (PID: 1660)
      • AmwService.exe (PID: 3552)
    • Removes files from Windows directory

      • AmwService.exe (PID: 3552)
    • Application launched itself

      • AmwService.exe (PID: 3552)
    • Reads the cookies of Mozilla Firefox

      • AmwService.exe (PID: 3552)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2888)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3512)
      • chrome.exe (PID: 1964)
    • Application launched itself

      • iexplore.exe (PID: 2888)
      • chrome.exe (PID: 1964)
    • Creates files in the user directory

      • iexplore.exe (PID: 3512)
    • Manual execution by user

      • chrome.exe (PID: 1964)
    • Reads settings of System Certificates

      • chrome.exe (PID: 1964)
      • AmwService.exe (PID: 3552)
      • Plumbytes.exe (PID: 3824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 71
Monitored processes: 34
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Interactive process graph available in the full report (nodes: iexplore.exe, chrome.exe and its child processes, antimalwaresetup.exe, rundll32.exe, paibe5.tmp, amwservice.exe, plumbytes.exe).

Process information

PID: 2888
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3512
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2888 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 1964
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 73.0.3683.75

PID: 1336
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6cbc0f18,0x6cbc0f28,0x6cbc0f34
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 73.0.3683.75

PID: 1928
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1796 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 73.0.3683.75

PID: 3900
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=956,8677701971805442249,1223370136913831966,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=10627961841751624350 --mojo-platform-channel-handle=972 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Version: 73.0.3683.75

PID: 2860
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=956,8677701971805442249,1223370136913831966,131072 --enable-features=PasswordImport --service-pipe-token=12363143163395274445 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12363143163395274445 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75

PID: 928
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=956,8677701971805442249,1223370136913831966,131072 --enable-features=PasswordImport --service-pipe-token=7901468687251067827 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7901468687251067827 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2180 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75

PID: 3280
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=956,8677701971805442249,1223370136913831966,131072 --enable-features=PasswordImport --service-pipe-token=14107423651330491991 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14107423651330491991 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75

PID: 2748
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=956,8677701971805442249,1223370136913831966,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15269340765029668939 --mojo-platform-channel-handle=3720 --ignored=" --type=renderer " /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75
Total events: 1 933
Read events: 1 676
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 67
Suspicious files: 62
Text files: 232
Unknown types: 12

Dropped files

PID 2888, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
PID 2888, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
PID 1964, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
PID 1964, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
PID 1964, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
PID 1964, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
PID 1964, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
PID 1964, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\a010e1a0-54b5-415f-b0bc-07bbc7dae5ca.tmp
PID 1964, chrome.exe: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp
PID 3512, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat (type: dat)
  MD5: D0942DD5026F6F188D45DA9ED7BA594B
  SHA256: B5297AF26486F57C00F997B914DABA0BC1D17B40E44453E96967E873A11A23EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 40
DNS requests: 26
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1780 | antimalwaresetup.exe | GET | - | 45.55.29.117:80 | http://45.55.29.117/download/nsis/pb_nsissetup.exe | US | - | - | suspicious
1780 | antimalwaresetup.exe | GET | - | 45.55.29.117:80 | http://45.55.29.117/download/nsis/pb_nsissetup.exe | US | - | - | suspicious
3512 | iexplore.exe | GET | 301 | 45.55.29.117:80 | http://www.plumbytes.com/download/cuid/?tid=rwid_p00000 | US | html | 260 b | suspicious
1964 | chrome.exe | GET | 200 | 173.194.137.71:80 | http://r2---sn-aigzrn76.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=194.187.251.125&mm=28&mn=sn-aigzrn76&ms=nvh&mt=1558704640&mv=m&pl=24&shardbypass=yes | US | crx | 842 Kb | whitelisted
1964 | chrome.exe | GET | 301 | 45.55.29.117:80 | http://plumbytes.com/download/cuid/?tid=rwid_p00000 | US | html | 260 b | suspicious
1964 | chrome.exe | GET | 302 | 172.217.16.174:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 506 b | whitelisted
1780 | antimalwaresetup.exe | GET | 206 | 45.55.29.117:80 | http://45.55.29.117/download/nsis/pb_nsissetup.exe | US | executable | 20.8 Mb | suspicious
1084 | paiBE5.tmp | GET | 301 | 45.55.29.117:80 | http://plumbytes.com/logs.php?cuid=ver_ | US | html | 248 b | suspicious
2888 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3824 | Plumbytes.exe | GET | 301 | 45.55.29.117:80 | http://www.plumbytes.com/settings/amw.xml | US | html | 246 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1964 | chrome.exe | 172.217.21.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
1964 | chrome.exe | 172.217.16.141:443 | accounts.google.com | Google Inc. | US | suspicious
2888 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2888 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
1964 | chrome.exe | 172.217.23.142:443 | clients1.google.com | Google Inc. | US | whitelisted
3512 | iexplore.exe | 45.55.29.117:80 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious
3512 | iexplore.exe | 45.55.29.117:443 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious
1964 | chrome.exe | 172.217.21.195:443 | ssl.gstatic.com | Google Inc. | US | whitelisted
1964 | chrome.exe | 172.217.23.131:443 | www.gstatic.com | Google Inc. | US | whitelisted
1964 | chrome.exe | 172.217.21.225:443 | clients2.googleusercontent.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
www.plumbytes.com | 45.55.29.117 | suspicious
plumbytes.com | 45.55.29.117 | suspicious
clientservices.googleapis.com | 172.217.21.227 | whitelisted
www.google.com.ua | 172.217.21.227 | whitelisted
accounts.google.com | 172.217.16.141 | shared
clients1.google.com | 172.217.23.142 | whitelisted
ssl.gstatic.com | 172.217.21.195 | whitelisted
www.gstatic.com | 172.217.23.131 | whitelisted
apis.google.com | 172.217.22.110 | whitelisted

Threats

PID | Process | Class | Message
1780 | antimalwaresetup.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
1780 | antimalwaresetup.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
1780 | antimalwaresetup.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host
1780 | antimalwaresetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1780 | antimalwaresetup.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1084 | paiBE5.tmp | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
1084 | paiBE5.tmp | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
1780 | antimalwaresetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1780 | antimalwaresetup.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1780 | antimalwaresetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1 ETPRO signatures available at the full report
No debug info