File name: | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe |
Full analysis: | https://app.any.run/tasks/964ef1c6-edf0-407f-863f-91db2a92fe60 |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 10:20:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 69625BFFC746A143FAB6DF74E6386E67 |
SHA1: | BE10778B0DE5EA98C130A371B136FD84252463B9 |
SHA256: | 797AF44F179DB68BC9B17577E2CDB5C409F17EF3403A02931B933E9EA6B881DF |
SSDEEP: | 12288:pl+o3SimMgvNehOkhjNha47pqioB1GVZyk1GeWfAhfMtkyVTp20S5WZNdBc:p0tigvNeRhaFFBgVZyAmfAk7OaNdK |
.exe | | | Win32 Executable (generic) (52.9) |
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
ProductVersion: | 3.2.0.8 |
ProductName: | 软件下载器 |
OriginalFileName: | FastDownloader.exe |
LegalCopyright: | Copyright (C) 2018 |
InternalName: | FastDownloader.exe |
FileVersion: | 3.2.0.8 |
FileDescription: | |
CompanyName: | - |
CharacterSet: | Unicode |
LanguageCode: | Chinese (Simplified) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 3.2.0.8 |
FileVersionNumber: | 3.2.0.8 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1f27e0 |
UninitializedDataSize: | 1245184 |
InitializedDataSize: | 28672 |
CodeSize: | 794624 |
LinkerVersion: | 14.16 |
PEType: | PE32 |
TimeStamp: | 2020:09:23 10:49:24+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 23-Sep-2020 08:49:24 |
Detected languages: | |
CompanyName: | - |
FileDescription: | - |
FileVersion: | 3.2.0.8 |
InternalName: | FastDownloader.exe |
LegalCopyright: | Copyright (C) 2018 |
OriginalFilename: | FastDownloader.exe |
ProductName: | 软件下载器 |
ProductVersion: | 3.2.0.8 |
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000130 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 23-Sep-2020 08:49:24 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00130000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00131000 | 0x000C2000 | 0x000C1C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.92221 |
.rsrc | 0x001F3000 | 0x00007000 | 0x00006C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.02901 |
.data | 0x001FA000 | 0x00000003 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.051876 |
.textbss\x03 | 0x001FB000 | 0x00000003 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.051876 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.06216 | 651 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.24731 | 296 | UNKNOWN | Chinese - PRC | RT_ICON |
3 | 3.27183 | 3752 | UNKNOWN | Chinese - PRC | RT_ICON |
4 | 3.91452 | 2216 | UNKNOWN | Chinese - PRC | RT_ICON |
5 | 3.47417 | 1384 | UNKNOWN | Chinese - PRC | RT_ICON |
6 | 3.02843 | 9640 | UNKNOWN | Chinese - PRC | RT_ICON |
7 | 2.82055 | 4264 | UNKNOWN | Chinese - PRC | RT_ICON |
8 | 2.44525 | 1128 | UNKNOWN | Chinese - PRC | RT_ICON |
9 | 7.85065 | 16936 | UNKNOWN | Chinese - PRC | RT_ICON |
10 | 7.49067 | 1128 | UNKNOWN | Chinese - PRC | RT_ICON |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
IMM32.dll |
IPHLPAPI.DLL |
KERNEL32.DLL |
MSIMG32.dll |
OLEACC.dll |
OLEAUT32.dll |
SHELL32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2900 | "C:\Users\admin\AppData\Local\Temp\797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe" | C:\Users\admin\AppData\Local\Temp\797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | — | explorer.exe |
User: admin Company: - Integrity Level: MEDIUM Description: Exit code: 3221226540 Version: 3.2.0.8 | ||||
4088 | "C:\Users\admin\AppData\Local\Temp\797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe" | C:\Users\admin\AppData\Local\Temp\797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | — | explorer.exe |
User: admin Company: - Integrity Level: HIGH Description: Version: 3.2.0.8 | ||||
2952 | "C:\Windows\explorer.exe" /select,"C:\Download\\360safe_oemjmxt.exe" | C:\Windows\explorer.exe | — | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2232 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | C:\Download\360safe_oemjmxt.exe | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | GET | 200 | 116.207.118.44:80 | http://img.aldtop.com/storage/upload/l5G1LSzDTLRJTyEkIxIWfzIzuWEyPWYSFg7Km9IO.png | CN | image | 3.26 Kb | suspicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | GET | 200 | 116.207.118.44:80 | http://img.aldtop.com/storage/upload/kKrrLCMtNhJoI2XqH3Zb1QIzKxIfZVB1vi3WjNCY.png | CN | image | 3.37 Kb | suspicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | GET | 200 | 116.207.118.44:80 | http://img.aldtop.com/storage/upload/uKhixdbpTvJaU9uO8Llw5bqqGQnqbJ1ic80OCRum.png | CN | image | 11.7 Kb | suspicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | GET | 200 | 58.49.193.225:80 | http://static.downerapi.com/upload/xml/360.xml?webid=28&channelid=&softid=5&token=5ea18bb987d01d0beaf4c9a9f23a1024 | CN | xml | 1.54 Kb | unknown |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | GET | 200 | 116.207.118.44:80 | http://img.aldtop.com/storage/upload/AUjswRZD5Qbw7cc8qnyy2WU215yx2qStSCxAh9T6.png | CN | image | 5.40 Kb | suspicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | GET | 200 | 60.205.177.239:80 | http://downloader.aldtop.com/client/ad/28?winver=6.1&sdsoft=0&webid=28&channelid=&softid=5&ver=4.5.4.38&usesnum=1&mac=86b1dd8a4431c07a7a10d921f83ac4f6&filename=797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe&errcode=0&userev=0&encry=1&rnd=40939 | CN | text | 39.3 Kb | malicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | GET | 200 | 116.207.118.44:80 | http://img.aldtop.com/storage/upload/fdsyGQzNvnvbvXBfyZFkTGuZqanVEgLGW9azxxDF.png | CN | image | 2.45 Kb | suspicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | GET | 200 | 116.207.118.44:80 | http://img.aldtop.com/storage/upload/hXxVxYrv4nOXUeTspFukV4lo1xWDwGHKYHsZKb8L.png | CN | image | 1.98 Kb | suspicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | GET | 200 | 60.205.177.239:80 | http://downloader.aldtop.com/client/error?step=0&theme=-1&softid=&webid=&channelid=&error=1&errorcode=1&user=86b1dd8a4431c07a7a10d921f83ac4f6&session=&city=0 | CN | text | 3 b | malicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | GET | 200 | 116.207.118.44:80 | http://img.aldtop.com/storage/upload/yo5jWQwgDDlXlD9TM6X9J3g4p8r32gFupyWGVM7W.png | CN | image | 5.15 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | 120.52.95.242:80 | resource.aldtop.com | China Unicom IP network | CN | malicious |
— | — | 218.12.76.150:80 | resource.aldtop.com | CHINA UNICOM China169 Backbone | CN | malicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | 218.12.76.150:80 | resource.aldtop.com | CHINA UNICOM China169 Backbone | CN | malicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | 58.49.193.225:80 | static.downerapi.com | No.31,Jin-rong Street | CN | unknown |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | 104.192.108.21:443 | dl.360safe.com | Beijing Qihu Technology Company Limited | US | malicious |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | 116.207.118.44:80 | img.aldtop.com | No.31,Jin-rong Street | CN | unknown |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | 60.205.177.239:80 | downloader.aldtop.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
Domain | IP | Reputation |
---|---|---|
downloader.aldtop.com | | unknown |
static.downerapi.com | | unknown |
resource.aldtop.com | | suspicious |
img.aldtop.com | | suspicious |
dl.360safe.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | Potentially Bad Traffic | ET MALWARE Downer.B Variant Checkin |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/RiskWare.Downer.A |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/RiskWare.Downer.A |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/RiskWare.Downer.A |
4088 | 797af44f179db68bc9b17577e2cdb5c409f17ef3403a02931b933e9ea6b881df.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/RiskWare.Downer.A |