File name:

WinSCP-6.3.4-Setup.exe

Full analysis: https://app.any.run/tasks/dc63445f-d49c-473a-b965-82c9c4b467c8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 10, 2024, 05:48:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
stealc
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F670F85CDE59BCB517F4107963EE2ED0

SHA1:

3E76EFF537D037EC09522321191391298CC06CAC

SHA256:

72D64CC003975D22B6F5D1D1E7CB7F70E4D698E2B74A1F0F511B8BA60417FE1F

SSDEEP:

98304:5k5QmFmln/IFga3OzsaZVpoDWhqKhnBsTANh2fSy4k11zHt/fIlO3hHlE5zZcDKM:13Aqxm4KF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • STEALC has been detected (YARA)

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Stealers network behavior

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • STEALC has been detected (SURICATA)

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Connects to the CnC server

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Actions looks like stealing of personal data

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Steals credentials from Web Browsers

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Windows Defender mutex has been found

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Searches for installed software

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Potential Corporate Privacy Violation

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Contacting a server suspected of hosting an CnC

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Process requests binary or script from the Internet

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Connects to the server without a host name

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • The process drops Mozilla's DLL files

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Executable content was dropped or overwritten

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Process drops legitimate windows executable

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • The process drops C-runtime libraries

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

  • INFO

    • Checks supported languages

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Reads the computer name

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Checks proxy server information

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Creates files or folders in the user directory

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Reads product name

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Reads CPU info

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Reads Environment values

      • WinSCP-6.3.4-Setup.exe (PID: 2180)

    • Creates files in the program directory

      • WinSCP-6.3.4-Setup.exe (PID: 2180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Stealc

(PID) Process(2180) WinSCP-6.3.4-Setup.exe
C289.208.96.117
Strings (353)INSERT_KEY_HERE
23
10
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://89.208.96.117
aides
|
/c09b893e57f1e9ec.php
/6e258710e091c670/
osiris5
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x32
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
Network Info:
- IP: IP?
- Country: ISO?
System Summary:
- HWID:
- OS:
- Architecture:
- UserName:
- Computer Name:
- Local Time:
- UTC:
- Language:
- Keyboards:
- Laptop:
- Running Path:
- CPU:
- Threads:
- Cores:
- RAM:
- Display Resolution:
- GPU:
User Agents:
Installed Apps:
All Users:
Current User:
Process List:
system_info.txt
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
files
\discord\
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
00000001
00000002
00000003
00000004
\Outlook\accounts.txt
Pidgin
\.purple\
accounts.xml
dQw4w9WgXcQ
token:
Software\Valve\Steam
SteamPath
\config\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
sqlite3.dll
browsers
done
soft
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
https
Content-Type: multipart/form-data; boundary=----
POST
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:09:03 00:16:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 89088
InitializedDataSize: 391680
UninitializedDataSize: -
EntryPoint: 0x7530
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.3.4.14955
ProductVersionNumber: 6.3.4.14955
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Martin Prikryl
FileDescription: Setup for WinSCP 6.3.4 (SFTP, FTP, WebDAV and SCP client)
FileVersion: 6.3.4
LegalCopyright: (c) 2000-2024 Martin Prikryl
OriginalFileName: WinSCP-6.3.4-Setup.exe
ProductName: WinSCP
ProductVersion: 6.3.4
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #STEALC winscp-6.3.4-setup.exe

Process information

PID
CMD
Path
Indicators
Parent process
2180"C:\Users\admin\AppData\Local\Temp\WinSCP-6.3.4-Setup.exe" C:\Users\admin\AppData\Local\Temp\WinSCP-6.3.4-Setup.exe
explorer.exe
User:
admin
Company:
Martin Prikryl
Integrity Level:
MEDIUM
Description:
Setup for WinSCP 6.3.4 (SFTP, FTP, WebDAV and SCP client)
Exit code:
0
Version:
6.3.4
Modules
Images
c:\users\admin\appdata\local\temp\winscp-6.3.4-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Stealc
(PID) Process(2180) WinSCP-6.3.4-Setup.exe
C289.208.96.117
Strings (353)INSERT_KEY_HERE
23
10
20
24
GetProcAddress
LoadLibraryA
lstrcatA
OpenEventA
CreateEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
VirtualAlloc
HeapAlloc
GetComputerNameA
lstrcpyA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
advapi32.dll
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
GetUserNameA
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
VMwareVMware
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
http://89.208.96.117
aides
|
/c09b893e57f1e9ec.php
/6e258710e091c670/
osiris5
GetEnvironmentVariableA
GetFileAttributesA
GlobalLock
HeapFree
GetFileSize
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
FreeLibrary
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
GetWindowsDirectoryA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
DeleteFileA
FindNextFileA
LocalFree
FindClose
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
ReadFile
SetFilePointer
WriteFile
CreateFileA
FindFirstFileA
CopyFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
lstrcpynA
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
GlobalAlloc
OpenProcess
TerminateProcess
GetCurrentProcessId
gdiplus.dll
ole32.dll
bcrypt.dll
wininet.dll
shlwapi.dll
shell32.dll
psapi.dll
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMAP
GdiplusStartup
GdiplusShutdown
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
CloseWindow
wsprintfA
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
wsprintfW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegCloseKey
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
ShellExecuteExA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrCmpCA
StrStrA
StrCmpCW
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmGetList
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Init
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
browser:
profile:
url:
login:
password:
Opera
OperaGX
Network
cookies
.txt
SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
TRUE
FALSE
autofill
SELECT name, value FROM autofill
history
SELECT url FROM urls LIMIT 1000
cc
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
name:
month:
year:
card:
Cookies
Login Data
Web Data
History
logins.json
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
plugins
Local Extension Settings
Sync Extension Settings
IndexedDB
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
Local State
profiles.ini
chrome
opera
firefox
wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
x32
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayName
DisplayVersion
Network Info:
- IP: IP?
- Country: ISO?
System Summary:
- HWID:
- OS:
- Architecture:
- UserName:
- Computer Name:
- Local Time:
- UTC:
- Language:
- Keyboards:
- Laptop:
- Running Path:
- CPU:
- Threads:
- Cores:
- RAM:
- Display Resolution:
- GPU:
User Agents:
Installed Apps:
All Users:
Current User:
Process List:
system_info.txt
freebl3.dll
mozglue.dll
msvcp140.dll
nss3.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
runas
open
/c start
%DESKTOP%
%APPDATA%
%LOCALAPPDATA%
%USERPROFILE%
%DOCUMENTS%
%PROGRAMFILES%
%PROGRAMFILES_86%
%RECENT%
*.lnk
files
\discord\
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
key_datas
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Telegram
Tox
*.tox
*.ini
Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
00000001
00000002
00000003
00000004
\Outlook\accounts.txt
Pidgin
\.purple\
accounts.xml
dQw4w9WgXcQ
token:
Software\Valve\Steam
SteamPath
\config\
ssfn*
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
sqlite3.dll
browsers
done
soft
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
https
Content-Type: multipart/form-data; boundary=----
POST
HTTP/1.1
Content-Disposition: form-data; name="
hwid
build
token
file_name
file
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
Total events
342
Read events
339
Write events
3
Delete events
0

Modification events

(PID) Process:(2180) WinSCP-6.3.4-Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2180) WinSCP-6.3.4-Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2180) WinSCP-6.3.4-Setup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
12
Suspicious files
9
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
2180WinSCP-6.3.4-Setup.exeC:\ProgramData\AAAKEBGDAFHIIDHIIECFBKFIJKbinary
MD5:06AD9E737639FDC745B3B65312857109
SHA256:C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
2180WinSCP-6.3.4-Setup.exeC:\ProgramData\HIDHIEGIbinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
2180WinSCP-6.3.4-Setup.exeC:\ProgramData\JKJDHDBKEBGHJJJJKEHDHJJEGH
MD5:
SHA256:
2180WinSCP-6.3.4-Setup.exeC:\ProgramData\KKJJEBFCsqlite
MD5:95FFD778940E6DF4846B0B12C8DD5821
SHA256:21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F
2180WinSCP-6.3.4-Setup.exeC:\ProgramData\KKJEBAAECBGDHIECAKJKbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
2180WinSCP-6.3.4-Setup.exeC:\ProgramData\JKJKJJDBKEGIECAAECFHCFBGIJsqlite
MD5:46D41A1929939B3AD11C639CC2347541
SHA256:AD30E08D89E9460B5DF8D9CD1E9DA068FB201E06303CCD449E197C739C9EFF5B
2180WinSCP-6.3.4-Setup.exeC:\ProgramData\KJKKKJJJKJKFHJJJJECBsqlite
MD5:29A644B1F0D96166A05602FE27B3F4AD
SHA256:BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
2180WinSCP-6.3.4-Setup.exeC:\ProgramData\nss3.dllexecutable
MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
SHA256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
2180WinSCP-6.3.4-Setup.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\freebl3[1].dllexecutable
MD5:550686C0EE48C386DFCB40199BD076AC
SHA256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
2180WinSCP-6.3.4-Setup.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\mozglue[1].dllexecutable
MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
33
DNS requests
14
Threats
23

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2180
WinSCP-6.3.4-Setup.exe
POST
200
89.208.96.117:80
http://89.208.96.117/c09b893e57f1e9ec.php
unknown
unknown
2180
WinSCP-6.3.4-Setup.exe
GET
200
89.208.96.117:80
http://89.208.96.117/6e258710e091c670/freebl3.dll
unknown
unknown
2180
WinSCP-6.3.4-Setup.exe
POST
200
89.208.96.117:80
http://89.208.96.117/c09b893e57f1e9ec.php
unknown
unknown
2180
WinSCP-6.3.4-Setup.exe
GET
200
89.208.96.117:80
http://89.208.96.117/6e258710e091c670/mozglue.dll
unknown
unknown
2180
WinSCP-6.3.4-Setup.exe
GET
200
89.208.96.117:80
http://89.208.96.117/6e258710e091c670/msvcp140.dll
unknown
unknown
2180
WinSCP-6.3.4-Setup.exe
POST
200
89.208.96.117:80
http://89.208.96.117/c09b893e57f1e9ec.php
unknown
unknown
2180
WinSCP-6.3.4-Setup.exe
GET
200
89.208.96.117:80
http://89.208.96.117/
unknown
malicious
6652
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2180
WinSCP-6.3.4-Setup.exe
POST
200
89.208.96.117:80
http://89.208.96.117/c09b893e57f1e9ec.php
unknown
unknown
2180
WinSCP-6.3.4-Setup.exe
POST
200
89.208.96.117:80
http://89.208.96.117/c09b893e57f1e9ec.php
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6652
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6380
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6652
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6652
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2180
WinSCP-6.3.4-Setup.exe
89.208.96.117:80
Line Group Ltd.
RU
unknown
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
52.140.118.28:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IN
whitelisted
2032
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 52.140.118.28
whitelisted
google.com
  • 142.250.186.142
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.23
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.4
  • 40.126.31.67
  • 20.190.159.75
  • 40.126.31.71
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.166.126.56
whitelisted

Threats

PID
Process
Class
Message
2180
WinSCP-6.3.4-Setup.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Stealc HTTP POST Request
2180
WinSCP-6.3.4-Setup.exe
A suspicious filename was detected
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
2180
WinSCP-6.3.4-Setup.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
2180
WinSCP-6.3.4-Setup.exe
Malware Command and Control Activity Detected
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
2180
WinSCP-6.3.4-Setup.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc Submitting System Information to C2
2180
WinSCP-6.3.4-Setup.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc Requesting browsers Config from C2
2180
WinSCP-6.3.4-Setup.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc Requesting plugins Config from C2
2180
WinSCP-6.3.4-Setup.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2180
WinSCP-6.3.4-Setup.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2180
WinSCP-6.3.4-Setup.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
WinSCP-6.3.4-Setup.exe