File name:

6c5ef4f45285b6ed376fd71357fa443a6b69cb290d172d2b20a11f608cfff44f.bin

Full analysis: https://app.any.run/tasks/e2c30ef3-0856-40f1-9cb0-efbdee275c32
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: June 24, 2024, 02:06:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
apt
backdoor
toneshell
mustangpanda
Indicators:
MIME: application/x-iso9660-image
File info: ISO 9660 CD-ROM filesystem data 'CDROM'
MD5:

B7B8C12163F846C6C503F702963D9CF3

SHA1:

575872F7D06880D3E048FAD556BD42DED983D7EB

SHA256:

6C5EF4F45285B6ED376FD71357FA443A6B69CB290D172D2B20A11F608CFFF44F

SSDEEP:

12288:dWBkVkQreUh3Llt0QWlreYQ336rTqwg2fsBWNE3EC+:dukVkQreUhbDDjYQ3363qAkBrf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • GSW32.EXE (PID: 3556)
      • GSW32.EXE (PID: 2516)
      • GSW32.EXE (PID: 1364)

    • Drops the executable file immediately after the start

      • GSW32.EXE (PID: 3556)

    • Connects to the CnC server

      • GSW32.EXE (PID: 3556)

    • TONESHELL has been detected (SURICATA)

      • GSW32.EXE (PID: 3556)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3416)
      • WinRAR.exe (PID: 2332)

    • Executable content was dropped or overwritten

      • GSW32.EXE (PID: 3556)

    • Contacting a server suspected of hosting an CnC

      • GSW32.EXE (PID: 3556)

  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 2332)
      • WinRAR.exe (PID: 2856)
      • explorer.exe (PID: 3200)
      • GSW32.EXE (PID: 3556)
      • GSW32.EXE (PID: 2516)
      • GSW32.EXE (PID: 1364)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2856)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2856)

    • Checks supported languages

      • GSW32.EXE (PID: 3556)
      • GSW32.EXE (PID: 2516)
      • GSW32.EXE (PID: 1364)

    • Reads the computer name

      • GSW32.EXE (PID: 3556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

ISO

System: LINUX
VolumeName: CDROM
VolumeBlockCount: 495
VolumeBlockSize: 2048
RootDirectoryCreateDate: 1970:01:01 00:00:00+00:00
Software: GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM
VolumeCreateDate: 2023:12:21 07:55:06.00+00:00
VolumeModifyDate: 2023:12:21 07:55:06.00+00:00
VolumeEffectiveDate: 2023:12:21 07:55:06.00+00:00

Composite

VolumeSize: 990 KiB
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
7
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe no specs explorer.exe no specs winrar.exe winrar.exe no specs #TONESHELL gsw32.exe gsw32.exe gsw32.exe

Process information

PID
CMD
Path
Indicators
Parent process
1364"C:\Users\admin\AppData\Local\Temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\GSW32.EXE" C:\Users\admin\AppData\Local\Temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\GSW32.EXE
explorer.exe
User:
admin
Company:
Bits Per Second Ltd
Integrity Level:
MEDIUM
Description:
Graphics Server
Exit code:
3221225477
Version:
5.10.0000
Modules
Images
c:\users\admin\appdata\local\temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\gsw32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\gswdll32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2332"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6c5ef4f45285b6ed376fd71357fa443a6b69cb290d172d2b20a11f608cfff44f.iso"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2516"C:\Users\admin\AppData\Local\Temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\GSW32.EXE" C:\Users\admin\AppData\Local\Temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\GSW32.EXE
explorer.exe
User:
admin
Company:
Bits Per Second Ltd
Integrity Level:
MEDIUM
Description:
Graphics Server
Exit code:
3221225477
Version:
5.10.0000
Modules
Images
c:\users\admin\appdata\local\temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\gsw32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\gswdll32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2856"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\AppData\Local\Temp\6c5ef4f45285b6ed376fd71357fa443a6b69cb290d172d2b20a11f608cfff44f.bin.iso" C:\Users\admin\AppData\Local\Temp\C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3200"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3416"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\6c5ef4f45285b6ed376fd71357fa443a6b69cb290d172d2b20a11f608cfff44f.bin.isoC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3556"C:\Users\admin\AppData\Local\Temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\GSW32.EXE" C:\Users\admin\AppData\Local\Temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\GSW32.EXE
explorer.exe
User:
admin
Company:
Bits Per Second Ltd
Integrity Level:
MEDIUM
Description:
Graphics Server
Version:
5.10.0000
Modules
Images
c:\users\admin\appdata\local\temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\gsw32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\gswdll32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
8 184
Read events
8 122
Write events
62
Delete events
0

Modification events

(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3416) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\6c5ef4f45285b6ed376fd71357fa443a6b69cb290d172d2b20a11f608cfff44f.bin.iso
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3416) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
4
Suspicious files
4
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3556GSW32.EXEC:\Users\Public\GSWDLL32.dllexecutable
MD5:A9B16E05A1D39241F710F1C686B85036
SHA256:9ECADDDBF2AB65692155DC9C0B8FC5FB10A2AD66009B6667CA477939F5C376B3
3416WinRAR.exeC:\Users\admin\Documents\19th APPSMO National Defence Policy.lnklnk
MD5:3A668342F41E13C73EAB81C3E3ADC8F3
SHA256:3BE11693611810F7068B039DD239EC1ECCE049BD6A8EC601FAE1F1CC340B2F32
2332WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2332.23794\19th APPSMO National Defence Policy.lnklnk
MD5:3A668342F41E13C73EAB81C3E3ADC8F3
SHA256:3BE11693611810F7068B039DD239EC1ECCE049BD6A8EC601FAE1F1CC340B2F32
2856WinRAR.exeC:\Users\admin\AppData\Local\Temp\19th APPSMO National Defence Policy.lnklnk
MD5:3A668342F41E13C73EAB81C3E3ADC8F3
SHA256:3BE11693611810F7068B039DD239EC1ECCE049BD6A8EC601FAE1F1CC340B2F32
2856WinRAR.exeC:\Users\admin\AppData\Local\Temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\GSW32.EXEexecutable
MD5:654CEC588E2D9E45F3C516C209372BEF
SHA256:EEB679AEF5DF250CECA2D7BE8BBBD3B754CCDE5713766EEC80D5F067C23A4609
3416WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa3416.12035\19th APPSMO National Defence Policy.lnklnk
MD5:3A668342F41E13C73EAB81C3E3ADC8F3
SHA256:3BE11693611810F7068B039DD239EC1ECCE049BD6A8EC601FAE1F1CC340B2F32
3556GSW32.EXEC:\users\public\description.initext
MD5:4693DDAB5E299AA7F4F3FA6DBD61DE76
SHA256:FFAD589D4EC859D1785C735F635736DADFB3CCBBE51F0E5090A2CC2C74E70B57
3556GSW32.EXEC:\Users\Public\GSW32.EXEexecutable
MD5:654CEC588E2D9E45F3C516C209372BEF
SHA256:EEB679AEF5DF250CECA2D7BE8BBBD3B754CCDE5713766EEC80D5F067C23A4609
2856WinRAR.exeC:\Users\admin\AppData\Local\Temp\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\GSWDLL32.dllexecutable
MD5:A9B16E05A1D39241F710F1C686B85036
SHA256:9ECADDDBF2AB65692155DC9C0B8FC5FB10A2AD66009B6667CA477939F5C376B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
13
DNS requests
9
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1372
svchost.exe
GET
200
213.155.157.219:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1372
svchost.exe
GET
200
23.40.125.183:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1060
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1372
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
1372
svchost.exe
213.155.157.219:80
crl.microsoft.com
Telia Company AB
SE
unknown
1372
svchost.exe
23.40.125.183:80
www.microsoft.com
Telia Company AB
SE
unknown
1060
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
3556
GSW32.EXE
103.159.132.80:443
Gigabit Hosting Sdn Bhd
MY
unknown
3556
GSW32.EXE
37.120.222.19:443
M247 Ltd
DE
unknown

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 213.155.157.219
  • 213.155.157.176
whitelisted
www.microsoft.com
  • 23.40.125.183
whitelisted
www.domains4bitcoins.com
  • 172.66.40.71
  • 172.66.43.185
unknown

Threats

PID
Process
Class
Message
3556
GSW32.EXE
Generic Protocol Command Decode
SURICATA HTTP URI terminated by non-compliant character
3556
GSW32.EXE
Generic Protocol Command Decode
SURICATA HTTP METHOD terminated by non-compliant character
3556
GSW32.EXE
Malware Command and Control Activity Detected
BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta)
3556
GSW32.EXE
Malware Command and Control Activity Detected
BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
6c5ef4f45285b6ed376fd71357fa443a6b69cb290d172d2b20a11f608cfff44f.bin