Malware analysis Youtube Bot.exe Malicious activity | ANY.RUN

Add for printing

File name:	Youtube Bot.exe
Full analysis:	https://app.any.run/tasks/f4ba68fc-f1bf-4de8-a77d-b78fa242c2db
Verdict:	Malicious activity
Analysis date:	September 01, 2024, 11:44:33
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	1E7178EF935673DE04BEB1EAD6F0B0B7
SHA1:	23401BA36DCB4EBA9985BBEA10A31F577369FA67
SHA256:	78C4EC6FE019CF13F910FCFE2EFBA1495C54D195B10B86DF9556B65718419C70
SSDEEP:	98304:DpVIVrkUBasBpVb3UeDT4WO9kLvPMCaqfV81hJUNN5aUud2epJc2PPLktcj5Y4bz:KT+dhj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Process drops legitimate windows executable
  - Youtube Bot.exe (PID: 5732)
- The process drops C-runtime libraries
  - Youtube Bot.exe (PID: 5732)
- Drops the executable file immediately after the start
  - Youtube Bot.exe (PID: 5732)
- Creates a software uninstall entry
  - Youtube Bot.exe (PID: 5732)
- Executable content was dropped or overwritten
  - Youtube Bot.exe (PID: 5732)
- Reads security settings of Internet Explorer
  - YoutubeCommenterAndRater.exe (PID: 3328)
- There is functionality for communication over UDP network (YARA)
  - YoutubeCommenterAndRater.exe (PID: 3328)
- There is functionality for taking screenshot (YARA)
  - YoutubeCommenterAndRater.exe (PID: 3328)
INFO
- Checks supported languages
  - Youtube Bot.exe (PID: 5732)
  - YoutubeCommenterAndRater.exe (PID: 3328)
- Create files in a temporary directory
  - Youtube Bot.exe (PID: 5732)
- Creates files in the program directory
  - Youtube Bot.exe (PID: 5732)
  - YoutubeCommenterAndRater.exe (PID: 3328)
- Reads the computer name
  - Youtube Bot.exe (PID: 5732)
  - YoutubeCommenterAndRater.exe (PID: 3328)
- Creates files or folders in the user directory
  - Youtube Bot.exe (PID: 5732)
- Checks proxy server information
  - YoutubeCommenterAndRater.exe (PID: 3328)
- Reads the software policy settings
  - slui.exe (PID: 2112)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	NSIS - Nullsoft Scriptable Install System (91.9)
.exe	\|	Win32 Executable MS Visual C++ (generic) (3.3)
.exe	\|	Win64 Executable (generic) (3)
.dll	\|	Win32 Dynamic Link Library (generic) (0.7)
.exe	\|	Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2008:08:16 20:26:20+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	23552
InitializedDataSize:	164864
UninitializedDataSize:	1024
EntryPoint:	0x30e3
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

134

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2112

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

3328

"C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\YoutubeCommenterAndRater.exe"

C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\YoutubeCommenterAndRater.exe

Youtube Bot.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\program files (x86)\captcha-hacker youtube rater and commenter\youtubecommenterandrater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

4980

"C:\Users\admin\AppData\Local\Temp\Youtube Bot.exe"

C:\Users\admin\AppData\Local\Temp\Youtube Bot.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\youtube bot.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

5112

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

5732

"C:\Users\admin\AppData\Local\Temp\Youtube Bot.exe"

C:\Users\admin\AppData\Local\Temp\Youtube Bot.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\youtube bot.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6484

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

4 676

Read events

4 666

Write events

Delete events

Modification events


(PID) Process:	(5732) Youtube Bot.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Captcha-Hacker Youtube Rater and Commenter
Operation:	write	Name:	DisplayName
Value: Captcha-Hacker Youtube Rater and Commenter
(PID) Process:	(5732) Youtube Bot.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Captcha-Hacker Youtube Rater and Commenter
Operation:	write	Name:	UninstallString
Value: "C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\uninstall.exe"
(PID) Process:	(3328) YoutubeCommenterAndRater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\captchahacker\chytcndr\Updates
Operation:	write	Name:	UseProxy
Value: 0
(PID) Process:	(3328) YoutubeCommenterAndRater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\captchahacker\chytcndr\Updates
Operation:	write	Name:	ProxyType
Value: 0
(PID) Process:	(3328) YoutubeCommenterAndRater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\captchahacker\chytcndr\Updates
Operation:	write	Name:	ProxyAddr
Value:
(PID) Process:	(3328) YoutubeCommenterAndRater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\captchahacker\chytcndr\Updates
Operation:	write	Name:	ProxyPort
Value: 0
(PID) Process:	(3328) YoutubeCommenterAndRater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\captchahacker\chytcndr\Updates
Operation:	write	Name:	ProxyUser
Value:
(PID) Process:	(3328) YoutubeCommenterAndRater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\captchahacker\chytcndr\Updates
Operation:	write	Name:	ProxyPass
Value:
(PID) Process:	(3328) YoutubeCommenterAndRater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\captchahacker\chytcndr\Updates
Operation:	write	Name:	UpdateType
Value: 0
(PID) Process:	(3328) YoutubeCommenterAndRater.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\captchahacker\chytcndr\Updates
Operation:	write	Name:	UpdateDays
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5732	Youtube Bot.exe	C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\aliases.conf		text
		MD5:DB0423CFE1D6FEB73B7F4817C0F9B211	SHA256:4A3E18693809DCDE89724CF9164392010D5DB935D701B8137FCFCABC2EDFBCD8
5732	Youtube Bot.exe	C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\gds32.dll		executable
		MD5:0BF2344409390DC1F152CEE44A67C4C2	SHA256:2B6BFF39AB95CE04AF4187D4090C335C6EC9E018C56DAC8F57BFF4CE2B25368B
5732	Youtube Bot.exe	C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\locations_html.txt		text
		MD5:8E5DFD81417A65485E70C99DE029369D	SHA256:0E2BCF9C91BF5948E953B38E43B0962C3E394757EC6A5A21FEB118BC0C3FBA70
5732	Youtube Bot.exe	C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\msvcr80.dll		executable
		MD5:16D7DDF3B659F7CF1CB9F4DCFF4219F0	SHA256:120CD25F5D6002FFD9069CF9550BC16C682BCD3323053B95146E7CD3BA2215AC
5732	Youtube Bot.exe	C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\useragents.txt		text
		MD5:8A6A2C5EF6B2B1AC68E11E8885FA5156	SHA256:AD3410A09EF51099D18956CE95E7A223CE37F97D5CEDF8BE464EB295EBB3B197
5732	Youtube Bot.exe	C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\icudt30.dll		executable
		MD5:C9B5E4AD62B47867CB345B4761D5F0D4	SHA256:69696D5ED77BAA76A6E2319391E3C1A53B9088039E7E131976217899CB9D1632
5732	Youtube Bot.exe	C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\msvcp80.dll		executable
		MD5:2BC650257FB0867ABD54FD460EC2BAFC	SHA256:9FC2E85BA84CF0459AAB0DC2EFAC734AD7B5B4C99BA19871FE8F6E35D0191838
5732	Youtube Bot.exe	C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\Microsoft.VC80.CRT.manifest		xml
		MD5:9EDF5EB3D091D4823C96A00B6B45DF45	SHA256:9964E296C171B8A395150DC93FDCEC7589244A88B6EEE3D974D6187B5148681B
5732	Youtube Bot.exe	C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\updater.exe		executable
		MD5:D8CB1A4B1C319D1D8BC2FEE5BFF21A09	SHA256:CB680AC5D3C1678BB4EEC185C93D48032EF6FBA4071EA20E906640DE34D80C61
5732	Youtube Bot.exe	C:\Program Files (x86)\Captcha-Hacker Youtube Rater and Commenter\yt_categories.txt		text
		MD5:FF8C3D48D061B1415AD67937AF839FA3	SHA256:5FB39A598B1EF733174EDF2D9DBAC04DD18BD2FCE46186D4D604E65359BBBF82

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1764	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2400	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2400	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
3328	YoutubeCommenterAndRater.exe	GET	200	13.248.169.48:80	http://www.foocs.com/chytcndr/update.xml	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6192	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6252	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3260	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1764	svchost.exe	20.190.159.23:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1764	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2400	SIHClient.exe	40.127.169.103:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2400	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158 51.124.78.146	whitelisted
google.com	142.250.186.142	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
login.live.com	20.190.159.23 20.190.159.0 20.190.159.2 20.190.159.4 20.190.159.75 40.126.31.67 20.190.159.64 40.126.31.73	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	40.127.169.103	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	20.166.126.56	whitelisted
www.foocs.com	13.248.169.48 76.223.54.146	unknown
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Youtube Bot.exe

1E7178EF935673DE04BEB1EAD6F0B0B7

23401BA36DCB4EBA9985BBEA10A31F577369FA67

78C4EC6FE019CF13F910FCFE2EFBA1495C54D195B10B86DF9556B65718419C70

98304:DpVIVrkUBasBpVb3UeDT4WO9kLvPMCaqfV81hJUNN5aUud2epJc2PPLktcj5Y4bz:KT+dhj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

The process drops C-runtime libraries

Drops the executable file immediately after the start

Creates a software uninstall entry

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

There is functionality for communication over UDP network (YARA)

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

Create files in a temporary directory

Creates files in the program directory

Reads the computer name

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings