Malware analysis NightVerse Setup.exe Malicious activity

Add for printing

File name:	NightVerse Setup.exe
Full analysis:	https://app.any.run/tasks/c69b5b79-4885-41e4-9ec8-29d513157825
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild, this is one of the most advanced thanks to the modular design and a complex delivery method. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 05, 2024, 05:58:46
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion netreactor api-base64 stealer stealc loader rhadamanthys shellcode rat asyncrat remote danabot danabot-unpacked crypto-regex
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	66A83A3A5E3D36A47A847B8FC5D01C53
SHA1:	A94B75EF8D674F31628ED6266471AECB8B925753
SHA256:	693A9860B2D4887E92BE1C28FE63953E0569317936DFCC50255E494E45B6E933
SSDEEP:	393216:GxduNwV/RgqGxl8mM0SECa+NjiDwtNv/H23TlBKDxwBbruL+3w:sjV6qGx64SECahDwtt2DqyBbrvw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - NightVerse.exe (PID: 4920)
  - explorer.exe (PID: 6160)
- Drops the executable file immediately after the start
  - NightVerse.exe (PID: 4920)
  - NightVerse Setup.exe (PID: 6648)
  - msiexec.exe (PID: 7056)
  - dpaw.exe (PID: 4788)
  - scr_previw.exe (PID: 5196)
- Stealers network behavior
  - explorer.exe (PID: 2388)
  - OOBE-Maintenance.exe (PID: 2768)
  - explorer.exe (PID: 6160)
- Steals credentials from Web Browsers
  - explorer.exe (PID: 2388)
- STEALC has been detected (SURICATA)
  - explorer.exe (PID: 2388)
- Connects to the CnC server
  - explorer.exe (PID: 2388)
- RHADAMANTHYS has been detected (SURICATA)
  - OpenWith.exe (PID: 6292)
  - OOBE-Maintenance.exe (PID: 2768)
- RHADAMANTHYS has been detected (YARA)
  - OOBE-Maintenance.exe (PID: 2768)
  - rekeywiz.exe (PID: 6988)
- Actions looks like stealing of personal data
  - OOBE-Maintenance.exe (PID: 2768)
  - explorer.exe (PID: 6160)
  - explorer.exe (PID: 2388)
- ASYNCRAT has been detected (SURICATA)
  - AppLaunch.exe (PID: 6368)
- DANABOT has been detected (YARA)
  - rekeywiz.exe (PID: 6988)
  - explorer.exe (PID: 6160)
- ASYNCRAT has been detected (YARA)
  - AppLaunch.exe (PID: 6368)
- DANABOT has been detected (SURICATA)
  - explorer.exe (PID: 6160)
- Change Internet Settings
  - explorer.exe (PID: 6160)
SUSPICIOUS
- Process drops legitimate windows executable
  - NightVerse Setup.exe (PID: 6648)
  - explorer.exe (PID: 2388)
  - dpaw.exe (PID: 4788)
  - msiexec.exe (PID: 7056)
  - scr_previw.exe (PID: 5196)
- Executable content was dropped or overwritten
  - NightVerse Setup.exe (PID: 6648)
  - NightVerse.exe (PID: 4920)
  - explorer.exe (PID: 2388)
  - dpaw.exe (PID: 4788)
  - scr_previw.exe (PID: 5196)
- The process creates files with name similar to system file names
  - NightVerse Setup.exe (PID: 6648)
- Creates a software uninstall entry
  - NightVerse Setup.exe (PID: 6648)
- Malware-specific behavior (creating "System.dll" in Temp)
  - NightVerse Setup.exe (PID: 6648)
- The process drops C-runtime libraries
  - NightVerse Setup.exe (PID: 6648)
  - explorer.exe (PID: 2388)
- Script adds exclusion path to Windows Defender
  - NightVerse.exe (PID: 4920)
  - explorer.exe (PID: 6160)
- Starts POWERSHELL.EXE for commands execution
  - NightVerse.exe (PID: 4920)
  - explorer.exe (PID: 6160)
- Starts CMD.EXE for commands execution
  - snss1.exe (PID: 7008)
  - snss2.exe (PID: 5408)
  - dpaw.exe (PID: 7152)
  - scr_previw.exe (PID: 6700)
- Checks for external IP
  - svchost.exe (PID: 2256)
- Windows Defender mutex has been found
  - explorer.exe (PID: 2388)
- Searches for installed software
  - explorer.exe (PID: 2388)
  - OOBE-Maintenance.exe (PID: 2768)
- Connects to the server without a host name
  - explorer.exe (PID: 2388)
- The process checks if it is being run in the virtual environment
  - OpenWith.exe (PID: 6292)
- Contacting a server suspected of hosting an CnC
  - explorer.exe (PID: 2388)
  - OpenWith.exe (PID: 6292)
  - OOBE-Maintenance.exe (PID: 2768)
  - AppLaunch.exe (PID: 6368)
  - explorer.exe (PID: 6160)
- Potential Corporate Privacy Violation
  - explorer.exe (PID: 2388)
- Process requests binary or script from the Internet
  - explorer.exe (PID: 2388)
- The process drops Mozilla's DLL files
  - explorer.exe (PID: 2388)
- Loads DLL from Mozilla Firefox
  - OOBE-Maintenance.exe (PID: 2768)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 7056)
- Starts itself from another location
  - dpaw.exe (PID: 4788)
  - scr_previw.exe (PID: 5196)
- There is functionality for communication over UDP network (YARA)
  - rekeywiz.exe (PID: 6988)
  - explorer.exe (PID: 6160)
- Connects to unusual port
  - AppLaunch.exe (PID: 6368)
- Creates or modifies Windows services
  - explorer.exe (PID: 6160)
- Executes as Windows Service
  - explorer.exe (PID: 6448)
- Found regular expressions for crypto-addresses (YARA)
  - explorer.exe (PID: 6168)
- Adds/modifies Windows certificates
  - explorer.exe (PID: 6160)
INFO
- Checks supported languages
  - NightVerse Setup.exe (PID: 6648)
  - NightVerse.exe (PID: 4920)
  - snss1.exe (PID: 7008)
  - snss2.exe (PID: 5408)
  - msiexec.exe (PID: 7056)
  - dpaw.exe (PID: 4788)
  - dpaw.exe (PID: 7152)
  - wmpnscfg.exe (PID: 6816)
  - scr_previw.exe (PID: 5196)
  - scr_previw.exe (PID: 6700)
  - AppLaunch.exe (PID: 6368)
- Creates files in the program directory
  - NightVerse Setup.exe (PID: 6648)
  - NightVerse.exe (PID: 4920)
  - explorer.exe (PID: 2388)
  - dpaw.exe (PID: 4788)
  - scr_previw.exe (PID: 5196)
- Reads the computer name
  - NightVerse Setup.exe (PID: 6648)
  - NightVerse.exe (PID: 4920)
  - snss1.exe (PID: 7008)
  - snss2.exe (PID: 5408)
  - msiexec.exe (PID: 7056)
  - dpaw.exe (PID: 4788)
  - dpaw.exe (PID: 7152)
  - scr_previw.exe (PID: 5196)
  - scr_previw.exe (PID: 6700)
  - AppLaunch.exe (PID: 6368)
- Creates files or folders in the user directory
  - NightVerse Setup.exe (PID: 6648)
  - explorer.exe (PID: 2388)
  - OOBE-Maintenance.exe (PID: 2768)
  - msiexec.exe (PID: 7056)
- Create files in a temporary directory
  - NightVerse Setup.exe (PID: 6648)
  - snss1.exe (PID: 7008)
  - NightVerse.exe (PID: 4920)
  - snss2.exe (PID: 5408)
  - dpaw.exe (PID: 7152)
  - scr_previw.exe (PID: 6700)
- Reads the machine GUID from the registry
  - NightVerse.exe (PID: 4920)
  - wmpnscfg.exe (PID: 6816)
  - AppLaunch.exe (PID: 6368)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6168)
  - powershell.exe (PID: 1044)
  - powershell.exe (PID: 3272)
  - powershell.exe (PID: 2132)
  - powershell.exe (PID: 6200)
- Checks proxy server information
  - NightVerse.exe (PID: 4920)
  - explorer.exe (PID: 2388)
  - explorer.exe (PID: 6160)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 2132)
  - powershell.exe (PID: 3272)
  - powershell.exe (PID: 1044)
  - powershell.exe (PID: 6168)
  - powershell.exe (PID: 6200)
- Reads the software policy settings
  - NightVerse.exe (PID: 4920)
  - AppLaunch.exe (PID: 6368)
- Reads mouse settings
  - snss1.exe (PID: 7008)
- Potential remote process memory interaction (Base64 Encoded 'VirtualAllocEx')
  - NightVerse.exe (PID: 4920)
- Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')
  - NightVerse.exe (PID: 4920)
- .NET Reactor protector has been detected
  - NightVerse.exe (PID: 4920)
- Potential library load (Base64 Encoded 'LoadLibrary')
  - NightVerse.exe (PID: 4920)
- Potential dynamic function import (Base64 Encoded 'GetProcAddress')
  - NightVerse.exe (PID: 4920)
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 2388)
  - OOBE-Maintenance.exe (PID: 2768)
  - explorer.exe (PID: 6160)
- Potential remote process memory reading (Base64 Encoded 'ReadProcessMemory')
  - NightVerse.exe (PID: 4920)
- Potential access to remote process (Base64 Encoded 'OpenProcess')
  - NightVerse.exe (PID: 4920)
- Drops the executable file immediately after the start
  - explorer.exe (PID: 2388)
- Reads Microsoft Office registry keys
  - OOBE-Maintenance.exe (PID: 2768)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 7056)
- Creates a software uninstall entry
  - msiexec.exe (PID: 7056)
- Reads Environment values
  - AppLaunch.exe (PID: 6368)
- Reads Windows Product ID
  - explorer.exe (PID: 6160)
- Reads the time zone
  - explorer.exe (PID: 6448)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

AsyncRat

(PID) Process(6368) AppLaunch.exe

C2 (1)85.192.63.68

Ports (1)8245

Version0.5.8

BotnetDefault

Options

AutoRunfalse

MutexLFs3tAXovKDK

InstallFolder%AppData%

BSoDfalse

AntiVMtrue

Certificates

Cert1MIIE4DCCAsigAwIBAgIQALLvjtCZHzFARtdMuD4D9TANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTZXJ2ZXIwIBcNMjQwNzEyMDgxODM0WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKxbGertDiPtLHGFUcSq7TdyuJxLgKnGUeCtUxiI7P90/qmVfUd6ms0P/aCWQGKZCKv+/dT2ENEMSj8wkD94AETP3KvhXqPSvZA6...

Server_SignaturemGHK9NzT6383ckP8iN8yBNB/fHCvRnFWdDYRpGfrAbiTtnlcUv34wU1KqF+JG5E8mWvhbjx/o9AktS+61WRoMDIer4ohBTpu9r9gHiQDQjCgMJIx/AC9Dm0B1Vf8ouDhFJdpzOqHuUlTFvrn36SeF2LMM3sF+f7sQzUeoIL1tTgRVuV1dRpY0eWblCGTj8szvu6dy5QUuoUSKRcgvJ27Gd4MI3VnJ596Hb6TNVy6sAa1/N5D7OGO2UwrDKMiRj57KUFyzQyxnrOy8vtwPYuTQvd0bvsIa7EuHB4wrT9bZxdJ...

Keys

AESedc7eeae28553d5aa15ef66746434def65f5caa5aae9471f897919e29ab07bb9

Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

DanaBot

(PID) Process(6160) explorer.exe

C2 (3)81.19.137.7:443

23.94.225.177:443

89.169.52.59:443

Attributes

(19)0123456789ABCDEF0123456789abcdef

77777777777777777777777777777777

424a0d380332858ee55bdebc4af3789f

74e70a2b3ba1cf29d84b9b4bcf3e2e37

00001111222233334444555566667777

20142015201620172018201920202021

20222023202420252026202720282029

20302031203220332034203520362037

20132012201120102009200820072006

20052004200320022001200019991998

19971996199519941993199219911990

19891988198719861985198419831982

19811980197919781977197619751974

19731972197119701969196819671966

19651964196319621961196019591958

19571956195519541953195219511950

F70C77D46DEF9D46A6C7B43F0228AA7C

319BE5C4E9A566DE15DBA0957CFD9B65

F34493F167DD6A5B065D516FF3EB198E

Certificates

(29)-----BEGIN CERTIFICATE----- MIICvDCCAiUCEEoZ0jiMglkcpV1zXxVd3KMwDQYJKoZIhvcNAQEEBQAwgZ4xHzAd BgNVBAoTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxFzAVBgNVBAsTDlZlcmlTaWdu LCBJbmMuMSwwKgYDVQQLEyNWZXJpU2lnbiBUaW1lIFN0YW1waW5nIFNlcnZpY2Ug Um9vdDE0MDIGA1UECxMrTk8gTElBQklMSVRZIEFDQ0VQVEVELCAoYyk5NyBWZXJp U2lnbiw...

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:07:02 02:09:43+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26624
InitializedDataSize:	139776
UninitializedDataSize:	2048
EntryPoint:	0x3645
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.2.0.0
ProductVersionNumber:	1.2.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	NightVerse Team
FileDescription:	NightVerse
FileVersion:	1.2.0.0
LegalCopyright:	Copyright 2024 © NightVerse
ProductName:	NightVerse

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

183

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1044

"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\admin'; Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

NightVerse.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1184

C:\WINDOWS\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

—

snss2.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1488

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

OOBE-Maintenance.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2132

"powershell" /command Add-MpPreference -ExclusionPath 'C:\Users\admin'; Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

NightVerse.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2272

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2388

C:\WINDOWS\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\xsg
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

2532

C:\WINDOWS\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

—

snss1.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2628

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2768

"C:\WINDOWS\system32\OOBE-Maintenance.exe"

C:\Windows\System32\OOBE-Maintenance.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

OOBE-Maintenance

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\oobe-maintenance.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shcore.dll

Add for printing

Total events

58 492

Read events

57 911

Write events

562

Delete events

Modification events


(PID) Process:	(6648) NightVerse Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NightVerse
Operation:	write	Name:	DisplayName
Value: NightVerse
(PID) Process:	(6648) NightVerse Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NightVerse
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files (x86)\NightVerse\NightVerse.exe
(PID) Process:	(6648) NightVerse Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NightVerse
Operation:	write	Name:	DisplayVersion
Value: 1.2.0.0
(PID) Process:	(6648) NightVerse Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NightVerse
Operation:	write	Name:	Publisher
Value: NightVerse Team
(PID) Process:	(6648) NightVerse Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NightVerse
Operation:	write	Name:	URLInfoAbout
Value:
(PID) Process:	(6648) NightVerse Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NightVerse
Operation:	write	Name:	Installer Language
Value: 1033
(PID) Process:	(4920) NightVerse.exe	Key:	HKEY_CURRENT_USER\MicrosoftUpdatesService
Operation:	write	Name:	Count
Value: 1
(PID) Process:	(2388) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2388) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2388) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

487

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6648	NightVerse Setup.exe	C:\Program Files (x86)\NightVerse\DirectWriteForwarder.dll		executable
		MD5:69044C681EA1EEDCA54D13ED97E1452A	SHA256:778936B5BAF157C3A040955BC637936952E7B68C5AFF83536D4B613ED9691CDE
6648	NightVerse Setup.exe	C:\Users\admin\AppData\Local\Temp\nsj7973.tmp\InstallOptions.dll		executable
		MD5:D095B082B7C5BA4665D40D9C5042AF6D	SHA256:B2091205E225FC07DAF1101218C64CE62A4690CACAC9C3D0644D12E93E4C213C
6648	NightVerse Setup.exe	C:\Users\admin\AppData\Local\Temp\nsj7973.tmp\LangDLL.dll		executable
		MD5:50016010FB0D8DB2BC4CD258CEB43BE5	SHA256:32230128C18574C1E860DFE4B17FE0334F685740E27BC182E0D525A8948C9C2E
6648	NightVerse Setup.exe	C:\Users\admin\AppData\Local\Temp\nsj7973.tmp\modern-wizard.bmp		image
		MD5:E51AA821EBC60C88B030E4067378B4BE	SHA256:14C6A373AC1D2BC8B990656EF1C8F3B7A73E3058680E0E0143A6E1B57B182433
6648	NightVerse Setup.exe	C:\Users\admin\AppData\Local\Temp\nsj7973.tmp\ioSpecial.ini		ini
		MD5:E2D5070BC28DB1AC745613689FF86067	SHA256:D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
6648	NightVerse Setup.exe	C:\Program Files (x86)\NightVerse\Microsoft.DiaSymReader.Native.amd64.dll		executable
		MD5:804B9539F7BE4ECE92993DC95C8486F5	SHA256:76D0DA51C2ED6CE4DE34F0F703AF564CBEFD54766572A36B5A45494A88479E0B
6648	NightVerse Setup.exe	C:\Program Files (x86)\NightVerse\Microsoft.Win32.Registry.AccessControl.dll		executable
		MD5:8ED7B1AA897A85BD5619220F28BE88EF	SHA256:9EE0D84655655E39EDE6D23AED940C98A3A8EB6270D878B252EA1720F750CEAD
6648	NightVerse Setup.exe	C:\Program Files (x86)\NightVerse\Microsoft.Win32.SystemEvents.dll		executable
		MD5:089EDCAAE873C9371B2DC9A4399F62B9	SHA256:C81A58BD27C74F91E26245C530C4CADC5425A1A1586886C6A5631EEF9D81FDE2
6648	NightVerse Setup.exe	C:\Program Files (x86)\NightVerse\NightVerse.dll		executable
		MD5:594B0719E5F91EE2BEE77DEF26704E21	SHA256:BFB2C6822CDC11061CC848E4D2659DE216F6E836C2FB3D01EE79191FDD6810D5
6648	NightVerse Setup.exe	C:\Program Files (x86)\NightVerse\PenImc_cor3.dll		executable
		MD5:362E037C4BE1CB28FAC25612E9BE029D	SHA256:F95B51B5BEE746EA3430A277F0473F42E4E22FC12B8DBFC719346CEE579B80FF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2388	explorer.exe	GET	200	195.211.124.201:80	http://195.211.124.201/a011f7f7085e3930/mozglue.dll	unknown	—	—	unknown
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
2636	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2636	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6796	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6748	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2388	explorer.exe	GET	200	195.211.124.201:80	http://195.211.124.201/	unknown	—	—	suspicious
2388	explorer.exe	POST	200	195.211.124.201:80	http://195.211.124.201/be7c600e19a47f1c.php	unknown	—	—	unknown
2388	explorer.exe	POST	200	195.211.124.201:80	http://195.211.124.201/be7c600e19a47f1c.php	unknown	—	—	unknown
2388	explorer.exe	POST	200	195.211.124.201:80	http://195.211.124.201/be7c600e19a47f1c.php	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1664	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5336	SearchApp.exe	2.23.209.179:443	www.bing.com	Akamai International B.V.	GB	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2636	svchost.exe	40.126.31.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.110	whitelisted
settings-win.data.microsoft.com	51.104.136.2 20.106.86.13	whitelisted
www.bing.com	2.23.209.179 2.23.209.178 2.23.209.182 2.23.209.189 2.23.209.187 2.23.209.186 2.23.209.181 2.23.209.183 2.23.209.176 104.126.37.169 104.126.37.178 104.126.37.152 104.126.37.161 104.126.37.171 104.126.37.163 104.126.37.170 104.126.37.155 104.126.37.153	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.73 20.190.159.75 20.190.159.2 20.190.159.64 40.126.31.67 20.190.159.68 20.190.159.4 20.190.159.23	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
th.bing.com	2.23.209.133 2.23.209.130 2.23.209.135 2.23.209.131 2.23.209.189 2.23.209.191 2.23.209.192 2.23.209.136 2.23.209.140	whitelisted
fd.api.iris.microsoft.com	20.199.58.43 20.223.35.26	whitelisted
arc.msn.com	20.199.58.43	whitelisted
slscr.update.microsoft.com	13.85.23.86	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Potentially Bad Traffic	ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2388	explorer.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Stealc HTTP POST Request
2388	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc Requesting browsers Config from C2
2388	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc Requesting plugins Config from C2
2388	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
2388	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/Stealc Submitting System Information to C2
2388	explorer.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request
2388	explorer.exe	A suspicious filename was detected	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
2388	explorer.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2388	explorer.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

13 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

NightVerse Setup.exe

66A83A3A5E3D36A47A847B8FC5D01C53

A94B75EF8D674F31628ED6266471AECB8B925753

693A9860B2D4887E92BE1C28FE63953E0569317936DFCC50255E494E45B6E933

393216:GxduNwV/RgqGxl8mM0SECa+NjiDwtNv/H23TlBKDxwBbruL+3w:sjV6qGx64SECahDwtt2DqyBbrvw

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Drops the executable file immediately after the start

Stealers network behavior

Steals credentials from Web Browsers

STEALC has been detected (SURICATA)

Connects to the CnC server

RHADAMANTHYS has been detected (SURICATA)

RHADAMANTHYS has been detected (YARA)

Actions looks like stealing of personal data

ASYNCRAT has been detected (SURICATA)

DANABOT has been detected (YARA)

ASYNCRAT has been detected (YARA)

DANABOT has been detected (SURICATA)

Change Internet Settings

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Creates a software uninstall entry

Malware-specific behavior (creating "System.dll" in Temp)

The process drops C-runtime libraries

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Starts CMD.EXE for commands execution

Checks for external IP

Windows Defender mutex has been found

Searches for installed software

Connects to the server without a host name

The process checks if it is being run in the virtual environment

Contacting a server suspected of hosting an CnC

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

The process drops Mozilla's DLL files

Loads DLL from Mozilla Firefox

Reads the Windows owner or organization settings

Starts itself from another location

There is functionality for communication over UDP network (YARA)

Connects to unusual port

Creates or modifies Windows services

Executes as Windows Service

Found regular expressions for crypto-addresses (YARA)

Adds/modifies Windows certificates

INFO

Checks supported languages

Creates files in the program directory

Reads the computer name

Creates files or folders in the user directory

Create files in a temporary directory

Reads the machine GUID from the registry

Checks if a key exists in the options dictionary (POWERSHELL)

Checks proxy server information

Script raised an exception (POWERSHELL)

Reads the software policy settings

Reads mouse settings

Potential remote process memory interaction (Base64 Encoded 'VirtualAllocEx')

Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')

.NET Reactor protector has been detected

Potential library load (Base64 Encoded 'LoadLibrary')

Potential dynamic function import (Base64 Encoded 'GetProcAddress')

Reads security settings of Internet Explorer

Potential remote process memory reading (Base64 Encoded 'ReadProcessMemory')

Potential access to remote process (Base64 Encoded 'OpenProcess')

Drops the executable file immediately after the start

Reads Microsoft Office registry keys

Executable content was dropped or overwritten

Creates a software uninstall entry

Reads Environment values

Reads Windows Product ID