File name:

file

Full analysis: https://app.any.run/tasks/2281ec03-5b0b-4880-bf78-c054ad8b0c76
Verdict: Malicious activity
Analysis date: December 06, 2022, 06:17:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
trojan
loader
gcleaner
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InnoSetup self-extracting archive
MD5:

BDAD45DAC7BBD0CB0263A300BFC4BB63

SHA1:

2FB870F779BD536DB151C78A52BF94921AEDC35C

SHA256:

6C4AD26709B000C5B9554E392BBEC88DECD5657CF3D9472C66CD7B9CFAD81730

SSDEEP:

98304:CUMlJD2gWDSzySQEYdWS2NLaZi1a1SrzBRsSiVzDX:pMlJDNWSwf2laZi81uzBRWVX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • is-1VSRV.tmp (PID: 1292)
    • Application was dropped or rewritten from another process

      • qllVNk8LceaMDS.exe (PID: 2032)
    • G-cleaner network activity is detected

      • PrintFolders.exe (PID: 3112)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • is-1VSRV.tmp (PID: 1292)
    • Executable content was dropped or overwritten

      • is-1VSRV.tmp (PID: 1292)
    • Drops a file with too old compile date

      • is-1VSRV.tmp (PID: 1292)
    • Creates a directory in Program Files

      • is-1VSRV.tmp (PID: 1292)
    • Reads Microsoft Outlook installation path

      • PrintFolders.exe (PID: 3112)
    • Reads the Internet Settings

      • PrintFolders.exe (PID: 3112)
    • Connects to the server without a host name

      • PrintFolders.exe (PID: 3112)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2580)
    • Starts CMD.EXE for commands execution

      • PrintFolders.exe (PID: 3112)
    • Uses TASKKILL.EXE to terminate process

      • cmd.exe (PID: 2580)
  • INFO

    • Checks supported languages

      • is-1VSRV.tmp (PID: 1292)
      • file.exe (PID: 3512)
      • PrintFolders.exe (PID: 3112)
      • qllVNk8LceaMDS.exe (PID: 2032)
    • Creates a file in a temporary directory

      • file.exe (PID: 3512)
      • is-1VSRV.tmp (PID: 1292)
    • Reads the computer name

      • is-1VSRV.tmp (PID: 1292)
      • PrintFolders.exe (PID: 3112)
    • Drops a file that was compiled in debug mode

      • is-1VSRV.tmp (PID: 1292)
    • Loads dropped or rewritten executable

      • is-1VSRV.tmp (PID: 1292)
    • Creates files in the program directory

      • is-1VSRV.tmp (PID: 1292)
    • Creates a software uninstall entry

      • is-1VSRV.tmp (PID: 1292)
    • Application was dropped or rewritten from another process

      • is-1VSRV.tmp (PID: 1292)
    • Checks proxy server information

      • PrintFolders.exe (PID: 3112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (82.8)
.exe | Win32 Executable Delphi generic (10.7)
.exe | Win32 Executable (generic) (3.4)
.exe | Generic Win/DOS Executable (1.5)
.exe | DOS Executable Generic (1.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States
Comments: This installation was built with Inno Setup: http://www.innosetup.com
CompanyName:
FileDescription: PrintFolders Setup
FileVersion:
InternalName:
OriginalFilename:
ProductName:
ProductVersion:

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: 0
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 26
e_oemid: 0
e_oeminfo: 0
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
4096
36352
36352
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.60044
DATA
40960
584
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.72043
BSS
45056
3684
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
49152
2248
2560
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.2508
.tls
53248
8
0
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata
57344
24
512
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.199108
.reloc
61440
2156
0
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc
65536
54688
54784
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
5.75782

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.26485
5672
Latin 1 / Western European
English - United States
RT_ICON
2
5.20743
3752
Latin 1 / Western European
English - United States
RT_ICON
3
5.46677
2216
Latin 1 / Western European
English - United States
RT_ICON
4
5.74812
1736
Latin 1 / Western European
English - United States
RT_ICON
5
5.56273
1384
Latin 1 / Western European
English - United States
RT_ICON
6
4.79202
16936
Latin 1 / Western European
English - United States
RT_ICON
7
5.82124
9640
Latin 1 / Western European
English - United States
RT_ICON
8
5.89108
4264
Latin 1 / Western European
English - United States
RT_ICON
9
6.13941
2440
Latin 1 / Western European
English - United States
RT_ICON
10
6.51874
1128
Latin 1 / Western European
English - United States
RT_ICON

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start file.exe no specs file.exe is-1vsrv.tmp #GCLEANER printfolders.exe qllvnk8lceamds.exe no specs cmd.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2808"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exeExplorer.EXE
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
PrintFolders Setup
Exit code:
3221226540
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
3512"C:\Users\admin\AppData\Local\Temp\file.exe" C:\Users\admin\AppData\Local\Temp\file.exe
Explorer.EXE
User:
admin
Company:
Integrity Level:
HIGH
Description:
PrintFolders Setup
Exit code:
0
Version:
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
1292"C:\Users\admin\AppData\Local\Temp\is-EJFCO.tmp\is-1VSRV.tmp" /SL4 $30138 "C:\Users\admin\AppData\Local\Temp\file.exe" 3450895 96256 C:\Users\admin\AppData\Local\Temp\is-EJFCO.tmp\is-1VSRV.tmp
file.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.42.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ejfco.tmp\is-1vsrv.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
3112"C:\Program Files\PrintFolders\PrintFolders.exe" C:\Program Files\PrintFolders\PrintFolders.exe
is-1VSRV.tmp
User:
admin
Company:
Atr Software
Integrity Level:
HIGH
Description:
Data Recovery
Exit code:
0
Version:
1.2.3.101
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\printfolders\printfolders.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2032 C:\Users\admin\AppData\Roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\qllVNk8LceaMDS.exePrintFolders.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\{e29ac6c0-7037-11de-816d-806e6f6e6963}\qllvnk8lceamds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
2580"C:\Windows\System32\cmd.exe" /c taskkill /im "PrintFolders.exe" /f & erase "C:\Program Files\PrintFolders\PrintFolders.exe" & exitC:\Windows\System32\cmd.exePrintFolders.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\apphelp.dll
3232taskkill /im "PrintFolders.exe" /f C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
Total events
1 360
Read events
1 326
Write events
34
Delete events
0

Modification events

(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_CURRENT_USER\Software\Auapoint Software\PrintFolders
Operation:writeName:Language
Value:
eng
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:Inno Setup: Setup Version
Value:
5.1.2-beta
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\PrintFolders
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\PrintFolders\
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:Inno Setup: Icon Group
Value:
PrintFolders
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:Inno Setup: User
Value:
admin
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:DisplayName
Value:
PrintFolders 3.101
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PrintFolders\PrintFolders.exe
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:UninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe"
(PID) Process:(1292) is-1VSRV.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2483CD7A-78F2-476F-86FF-B2EA93461085}}_is1
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\PrintFolders\unins000.exe" /SILENT
Executable files
8
Suspicious files
4
Text files
5
Unknown types
3

Dropped files

PID
Process
Filename
Type
1292is-1VSRV.tmpC:\Program Files\PrintFolders\is-2JBRE.tmp
MD5:
SHA256:
1292is-1VSRV.tmpC:\Program Files\PrintFolders\PrintFolders.exe
MD5:
SHA256:
1292is-1VSRV.tmpC:\Program Files\PrintFolders\History.txttext
MD5:C8B211D81EB7D4F9EBB071A117444D51
SHA256:AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
1292is-1VSRV.tmpC:\Program Files\PrintFolders\is-SEU3F.tmptext
MD5:C8B211D81EB7D4F9EBB071A117444D51
SHA256:AFD6FEA6A792B722E45A6587F70334F30051798017F4A278508C7ED3FEEA80CC
1292is-1VSRV.tmpC:\Program Files\PrintFolders\is-FS5T4.tmpexecutable
MD5:4C797D442BE1F6264A8EF767DF41B85A
SHA256:415E5D17EB635B23DAC030BA6AD0363507C2C4CBA9F87A206E7B9C2A5C7716D4
1292is-1VSRV.tmpC:\Program Files\PrintFolders\Guide.chmchm
MD5:204A5BF160646F9A55ED70AB6E1A07A6
SHA256:CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
1292is-1VSRV.tmpC:\Program Files\PrintFolders\is-V4ROA.tmpchm
MD5:204A5BF160646F9A55ED70AB6E1A07A6
SHA256:CACDD2C8BFA4BAE33A16A10ED609F4841AC5C4C2FE481ED0FD8CB04BC8016BBD
1292is-1VSRV.tmpC:\Users\admin\AppData\Local\Temp\is-S1VG4.tmp\_isetup\_shfoldr.dllexecutable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
1292is-1VSRV.tmpC:\Users\admin\AppData\Local\Temp\is-S1VG4.tmp\_iscrypt.dllexecutable
MD5:A69559718AB506675E907FE49DEB71E9
SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
1292is-1VSRV.tmpC:\Program Files\PrintFolders\is-G5RBH.tmptext
MD5:A5E8094B0CBADE929AEE07F5DA5E9429
SHA256:F3AC2009C96EB3A42AFAEC7FA67D3A14E5E9E30819B543D572C9BEA790CFCAD1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
3
DNS requests
0
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3112
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/ping.php
US
text
17 b
suspicious
3112
PrintFolders.exe
GET
200
45.139.105.171:80
http://45.139.105.171/itsnotmalware/count.php?sub=NOSUB&stream=mixtwo&substream=mixinte
BG
binary
1 b
unknown
3112
PrintFolders.exe
GET
200
107.182.129.235:80
http://107.182.129.235/storage/extension.php
US
binary
92.0 Kb
suspicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
suspicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
suspicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
suspicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
suspicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
suspicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
suspicious
3112
PrintFolders.exe
GET
200
171.22.30.106:80
http://171.22.30.106/library.php
GB
binary
1 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3112
PrintFolders.exe
45.139.105.171:80
Xdeer Limited
BG
unknown
3112
PrintFolders.exe
107.182.129.235:80
Delis LLC
US
suspicious
3112
PrintFolders.exe
171.22.30.106:80
Delis LLC
US
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
3112
PrintFolders.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 9
No debug info