File name: 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N

Full analysis: https://app.any.run/tasks/f7df4811-3622-4977-9225-0098ef3439b4
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: October 22, 2024, 23:01:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
netreactor
stealer
upx
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 575693116284170DB8C94839277FD920
SHA1: 8FC7A3FD8E9D125702BB5633CC911D88AE7DF53F
SHA256: 7BD3DF09124D199B38C9CF3A2B766E367B1F5D738409A057826433D3C3B08E37
SSDEEP: 24576:uTrcT9LT7LhrkYCwZw9q9MyFqsQQDqQE6j:u/cT9H3hrkYCwZw9qCyFqsQQDdtj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Actions looks like stealing of personal data
      • passwordfox.exe (PID: 6892)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe (PID: 5592)
  • INFO
    • Checks supported languages
      • 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe (PID: 5592)
      • iepv.exe (PID: 6516)
      • passwordfox.exe (PID: 6892)
    • Reads the computer name
      • iepv.exe (PID: 6516)
      • passwordfox.exe (PID: 6892)
      • 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe (PID: 5592)
    • Create files in a temporary directory
      • 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe (PID: 5592)
      • iepv.exe (PID: 6516)
    • Reads the machine GUID from the registry
      • iepv.exe (PID: 6516)
    • NirSoft software is detected
      • iepv.exe (PID: 6516)
      • passwordfox.exe (PID: 6892)
    • .NET Reactor protector has been detected
      • 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe (PID: 5592)
    • UPX packer has been detected
      • 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe (PID: 5592)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (45.1)
.exe | Win32 Executable MS Visual C++ (generic) (19.2)
.exe | Win64 Executable (generic) (17)
.scr | Windows screen saver (8)
.dll | Win32 Dynamic Link Library (generic) (4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:08:28 16:33:35+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 428544
InitializedDataSize: 119296
UninitializedDataSize: -
EntryPoint: 0x6a81e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: Stub
FileVersion: 0.0.0.0
InternalName: Stub.exe
LegalCopyright:
OriginalFileName: Stub.exe
ProductName: Stub
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
All screenshots are available in the full report
Total processes: 125
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start -> 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37n.exe (THREAT) -> iepv.exe (no specs), passwordfox.exe

Process information

PID: 5592
CMD: "C:\Users\admin\Desktop\7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe"
Path: C:\Users\admin\Desktop\7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Stub
Version: 0.0.0.0
Modules (images):
c:\users\admin\desktop\7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37n.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 6516
CMD: C:\Users\admin\AppData\Local\Temp\iepv.exe /stext C:\Users\admin\AppData\Local\Temp\iepv.txt
Path: C:\Users\admin\AppData\Local\Temp\iepv.exe
Parent process: 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: Internet Explorer Passwords Viewer
Exit code: 0
Version: 1.17
Modules (images):
c:\users\admin\appdata\local\temp\iepv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 6892
CMD: C:\Users\admin\AppData\Local\Temp\passwordfox.exe /stext C:\Users\admin\AppData\Local\Temp\firefox.txt
Path: C:\Users\admin\AppData\Local\Temp\passwordfox.exe
Parent process: 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: PasswordFox
Exit code: 0
Version: 1.15
Modules (images):
c:\users\admin\appdata\local\temp\passwordfox.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 196
Read events: 196
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6892 | passwordfox.exe | C:\Users\admin\AppData\Local\Temp\firefox.txt | text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
5592 | 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe | C:\Users\admin\AppData\Local\Temp\passwordfox.exe | executable
MD5: A1D6A37917DCF4471486BC5A0E725CC6
SHA256: 8A06ACD1158060A54D67098F07C1FF7895F799BC5834179B8AAE04D28FB60E17
5592 | 7bd3df09124d199b38c9cf3a2b766e367b1f5d738409a057826433d3c3b08e37N.exe | C:\Users\admin\AppData\Local\Temp\iepv.exe | executable
MD5: 28C110B8D0AD095131C8D06043678086
SHA256: DBC2216D5F31F5218E940E3D802998DEE90EEB69AF69CBEB063C69C6A5A3F1E1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 27
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7032 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7032 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7032 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5488 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 104.126.37.163:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7032 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59 | whitelisted
www.bing.com | 104.126.37.163, 104.126.37.170, 104.126.37.128, 104.126.37.162 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 20.42.65.94 | whitelisted

Threats

No threats detected
No debug info