File name: tuxboot-0.8.3.exe

Full analysis: https://app.any.run/tasks/5575bd59-99e8-479a-99cf-0333b68094c7
Verdict: Malicious activity
Analysis date: December 11, 2024, 16:13:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: opendir
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 3 sections
MD5: 622E64D40114647AD507E3822D0AA09B
SHA1: A7D09203F9A58BF052284CF8913562350B979889
SHA256: 7C7149929F5DD28AB32BA96A7C966A3727A9ACCE9AC70731187CFD05D0C3C7FA
SSDEEP: 98304:NmFFIJkGJFC62LEddMdrMd0JD3OrLLzKz3rYv4NfwbtHUNFqu8UvGFH/tPj/F5fs:tV76vApY9Wx9O+9z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Detects Cygwin installation

      • tuxboot-0.8.3.exe (PID: 6440)
  • SUSPICIOUS

    • Searches for installed software

      • tuxboot-0.8.3.exe (PID: 6440)
    • Executable content was dropped or overwritten

      • tuxboot-0.8.3.exe (PID: 6440)
    • Drops 7-zip archiver for unpacking

      • tuxboot-0.8.3.exe (PID: 6440)
  • INFO

    • Create files in a temporary directory

      • tuxboot-0.8.3.exe (PID: 6440)
    • Checks supported languages

      • tuxboot-0.8.3.exe (PID: 6440)
    • Reads the computer name

      • tuxboot-0.8.3.exe (PID: 6440)
    • Reads the machine GUID from the registry

      • tuxboot-0.8.3.exe (PID: 6440)
    • The sample compiled with english language support

      • tuxboot-0.8.3.exe (PID: 6440)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (43.5)
.exe | Win32 EXE Yoda's Crypter (42.7)
.exe | Win32 Executable (generic) (7.2)
.exe | Generic Win/DOS Executable (3.2)
.exe | DOS Executable Generic (3.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:06:24 15:23:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.25
CodeSize: 7778304
InitializedDataSize: 8192
UninitializedDataSize: 13217792
EntryPoint: 0x1406ca0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.1.1
ProductVersionNumber: 1.1.1.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Thomas Tsai
FileVersion:
FileDescription: tuxboot - http://tuxboot.sourceforge.net
InternalName: Tuxboot
LegalCopyright: Copyright - Geza Kovacs+Thomas Tsai - License - GNU GPL v2+
LegalTrademarks:
OriginalFileName: tuxboot.exe
ProductName: Tuxboot
ProductVersion:
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1


Process information

PID | CMD | Path | Indicators | Parent process
6244 | "C:\Users\admin\Desktop\tuxboot-0.8.3.exe" | C:\Users\admin\Desktop\tuxboot-0.8.3.exe | | explorer.exe
User: admin
Company: Thomas Tsai
Integrity Level: MEDIUM
Description: tuxboot - http://tuxboot.sourceforge.net
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
Modules (Images):
c:\users\admin\desktop\tuxboot-0.8.3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6440 | "C:\Users\admin\Desktop\tuxboot-0.8.3.exe" | C:\Users\admin\Desktop\tuxboot-0.8.3.exe | | explorer.exe
User: admin
Company: Thomas Tsai
Integrity Level: HIGH
Description: tuxboot - http://tuxboot.sourceforge.net
Version:
Modules (Images):
c:\users\admin\desktop\tuxboot-0.8.3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 2 203
Read events: 2 201
Write events: 2
Delete events: 0

Modification events

(PID) Process: (6440) tuxboot-0.8.3.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Operation: write
Name: C:/Users/admin/Desktop/tuxboot-0.8.3.exe
Value: VISTARTM

(PID) Process: (6440) tuxboot-0.8.3.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Operation: write
Name: C:/Users/admin/Desktop/tuxboot-0.8.3.exe
Value: 1
Executable files: 6
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6440 | tuxboot-0.8.3.exe | C:\Users\admin\AppData\Local\Temp\sevnz.exe | executable
MD5: A51D90F2F9394F5EA0A3ACAE3BD2B219
SHA256: AC9674FEB8F2FAD20C1E046DE67F899419276AE79A60E8CC021A4BF472AE044F
6440 | tuxboot-0.8.3.exe | C:\Users\admin\AppData\Local\Temp\cygwin1.dll | executable
MD5: AF9801D354C3AED2A14034D7DA2A949C
SHA256: 77B93AB10CEBE802EF48FFBB2CF30405959315D74A5A9CEE2E20A020F59430DB
6440 | tuxboot-0.8.3.exe | C:\Users\admin\AppData\Local\Temp\md5sum.exe | executable
MD5: C66EE52BB9EFFBB6B5F085643602D95B
SHA256: 77B0879EF0C2321404777C1FD281713624BFBC88353EC099A35FE9B7F45D8A94
6440 | tuxboot-0.8.3.exe | C:\Users\admin\AppData\Local\Temp\cygintl-8.dll | executable
MD5: 2C9168FFF113931ED0CCCDEA85137DE7
SHA256: 67818B5FA50BE343E7D1B07D441F7B0FABA0AC3914505B1970825118CEE4E86F
6440 | tuxboot-0.8.3.exe | C:\Users\admin\AppData\Local\Temp\cygiconv-2.dll | executable
MD5: 98602C8C1FEB722867AC2DFE9E083DF7
SHA256: DA3AA90F86BD664CC02DB8F8D707A9E7303EC552455ACD5AF9AEBDA199ADEC26
6440 | tuxboot-0.8.3.exe | C:\Users\admin\AppData\Local\Temp\7z.dll | executable
MD5: 04AD4B80880B32C94BE8D0886482C774
SHA256: A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
6440 | tuxboot-0.8.3.exe | C:\Users\admin\AppData\Local\Temp\un20073.html | html
MD5: 6A366F82A8377F8F3FCFED05D021784B
SHA256: 25CDAA82E73B35D3406117A2B296AA5C00A27512163D325ECBC8B1D8F6DBA4FA
6440 | tuxboot-0.8.3.exe | C:\Users\admin\AppData\Local\Temp\un20056.html | html
MD5: 6A366F82A8377F8F3FCFED05D021784B
SHA256: 25CDAA82E73B35D3406117A2B296AA5C00A27512163D325ECBC8B1D8F6DBA4FA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 36
DNS requests: 18
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
| | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
| | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
| | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | | | whitelisted
6440 | tuxboot-0.8.3.exe | GET | 200 | 140.110.240.80:80 | http://140.110.240.80:80/clonezilla-live/stable/ | unknown | | | unknown
6440 | tuxboot-0.8.3.exe | GET | 200 | 140.110.240.80:80 | http://140.110.240.80:80/clonezilla-live/stable/ | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
| | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
| | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.23.209.175:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
| | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1076 | svchost.exe | 23.218.210.69:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 88.221.169.152, 23.218.209.163 | whitelisted
google.com | 172.217.16.206 | whitelisted
www.bing.com | 2.23.209.175, 2.23.209.182, 2.23.209.183, 2.23.209.156, 2.23.209.177, 2.23.209.185, 2.23.209.162, 2.23.209.179, 2.23.209.154 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
go.microsoft.com | 23.218.210.69 | whitelisted
login.live.com | 40.126.32.136, 40.126.32.76, 40.126.32.140, 40.126.32.72, 20.190.160.20, 40.126.32.74, 40.126.32.133, 20.190.160.22 | whitelisted
free.nchc.org.tw | 140.110.240.80 | unknown
slscr.update.microsoft.com | 20.12.23.50 | whitelisted

Threats

PID | Process | Class | Message
6440 | tuxboot-0.8.3.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.tw domain
6440 | tuxboot-0.8.3.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.tw domain
2 ETPRO signatures available at the full report
No debug info