
soft.exe

Full analysis: https://app.any.run/tasks/341fcdca-5511-4bf3-bc3b-fe70253a26db
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: February 22, 2020, 05:11:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7A4CC505757F609561E278F228437FE0
SHA1: F315FEADD70591F5D8156B50928E9BE821620D53
SHA256: 7CF2B32638FCBDA6150D60ABEE591024502A0B27808D704C51752CA24625465E
SSDEEP: 768:tDRaWPyrCeEv9mEiaeCslOCLdedoBwWJ:tDfqZEiaeCsMCLdl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to CnC server
      • soft.exe (PID: 3112)
    • Changes settings of System certificates
      • soft.exe (PID: 3112)
  • SUSPICIOUS
    • Starts CMD.EXE for self-deleting
      • soft.exe (PID: 3112)
    • Application launched itself
      • soft.exe (PID: 1832)
    • Reads Internet Cache Settings
      • soft.exe (PID: 3112)
    • Starts CMD.EXE for commands execution
      • soft.exe (PID: 3112)
    • Creates files in the user directory
      • soft.exe (PID: 3112)
    • Adds / modifies Windows certificates
      • soft.exe (PID: 3112)
  • INFO
    • Reads settings of System Certificates
      • soft.exe (PID: 3112)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (90.6)
.exe | Win32 Executable (generic) (4.9)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:05:23 11:34:04+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 36864
InitializedDataSize: 8192
UninitializedDataSize: -
EntryPoint: 0x1248
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: paatrn
FileDescription: DUMFOUN
ProductName: TALEFILMSR
FileVersion: 1
ProductVersion: 1
InternalName: stumble
OriginalFileName: stumble.exe

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 23-May-2009 09:34:04
Detected languages:
  • English - United States
CompanyName: paatrn
FileDescription: DUMFOUN
ProductName: TALEFILMSR
FileVersion: 1.00
ProductVersion: 1.00
InternalName: stumble
OriginalFilename: stumble.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 23-May-2009 09:34:04
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00008998 | 0x00009000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.61065
.data | 0x0000A000 | 0x00000A50 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x0000B000 | 0x00000908 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.95794

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.21162 | 584 | Unicode (UTF 16LE) | English - United States | RT_VERSION
30001 | 2.57965 | 304 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON
30002 | 1.76987 | 744 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON
30003 | 2.07177 | 296 | Unicode (UTF 16LE) | UNKNOWN | RT_ICON

Imports

MSVBVM60.DLL
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → soft.exe (no specs) → soft.exe → cmd.exe (no specs) → ping.exe (no specs)

Process information

PID: 1832
CMD: "C:\Users\admin\AppData\Local\Temp\soft.exe"
Path: C:\Users\admin\AppData\Local\Temp\soft.exe
Parent process: explorer.exe
User: admin
Company: paatrn
Integrity Level: MEDIUM
Description: DUMFOUN
Exit code: 0
Version: 1.00
Modules (images):
  • c:\users\admin\appdata\local\temp\soft.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvbvm60.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll

PID: 3112
CMD: "C:\Users\admin\AppData\Local\Temp\soft.exe"
Path: C:\Users\admin\AppData\Local\Temp\soft.exe
Parent process: soft.exe
User: admin
Company: paatrn
Integrity Level: MEDIUM
Description: DUMFOUN
Exit code: 0
Version: 1.00
Modules (images):
  • c:\windows\system32\msvbvm60.dll
  • c:\users\admin\appdata\local\temp\soft.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll

PID: 3852
CMD: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\admin\AppData\Local\Temp\soft.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: soft.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  • c:\windows\system32\cmd.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\winbrand.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll

PID: 2012
CMD: ping 127.0.0.1
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\ping.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\nsi.dll
Total events: 3 624
Read events: 68
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 6
Text files: 1
Unknown types: 3

Dropped files

PID | Process | Filename | Type

3112 | soft.exe | C:\Users\admin\AppData\Local\Temp\CabE392.tmp | –
  MD5: – | SHA256: –

3112 | soft.exe | C:\Users\admin\AppData\Local\Temp\TarE393.tmp | –
  MD5: – | SHA256: –

3112 | soft.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | der
  MD5: E550DA03AEE5B546B436CD553D3233B9 | SHA256: 9ABFD4E29B96CCA442502B1DE6071FE0293455DF22B4EFF19FA3E6DF060947E7

3112 | soft.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_375B7F179C25C4C237293A604A6DE85C | der
  MD5: FE390189A4CF6F11012F41B3EFFFEBEC | SHA256: 3FF86D9812DFC9B0799D40AB47FAEB3C6AAA0328A353F2D00A11489E9C3C7234

3112 | soft.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\RJZ1B09B.txt | text
  MD5: A684C0FD75B5773650C88621DA59AE31 | SHA256: D2FE361631662C77EA4A982FA9D7C8C65A47386432D34C9CD0A808D495444B99

3112 | soft.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary
  MD5: 5579AEB3AA2D2C81A739BECF27A45D65 | SHA256: C9E6B0C349048A9DD5813E9C701070D46D5089859AFB4A409E6A99C6436F319E

3112 | soft.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_A8AC87EA2942457E2A4DD25C4A2E1487 | der
  MD5: 496BD5A723294B62A993653AEF8163C8 | SHA256: 1C0B83D2223D3911BD8E155BA6C09E37D5B0E982E62EC015731642BCCAF041AA

3112 | soft.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_A8AC87EA2942457E2A4DD25C4A2E1487 | binary
  MD5: A49C4791B253F236DECB2810E0C2B25C | SHA256: 968CBB00AC77C2E2A7F9375C13EB432E851D4AD2E0592B69746CAF1849F2C783

3112 | soft.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_375B7F179C25C4C237293A604A6DE85C | binary
  MD5: 42557E72887E91BB15BCA49D147839A7 | SHA256: 5D6C7A182F0AF13D8DF9B931CEEB0F92BCEEA4E4CAADCE13BE883DD0E5337226
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3112 | soft.exe | GET | 200 | 47.241.6.78:80 | http://nenengdsa.ug/ | US | html | 3.05 Kb | malicious
3112 | soft.exe | GET | 200 | 47.241.6.78:80 | http://nenengdsa.ug/QnSrw25SkhlxsF5P/conf.php | US | text | 8 b | malicious
3112 | soft.exe | GET | 200 | 172.217.23.99:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
3112 | soft.exe | GET | 200 | 172.217.23.99:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCaKXJiibI7zAgAAAAALC6E | US | der | 472 b | whitelisted
3112 | soft.exe | GET | 200 | 172.217.23.99:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDu3mVgzTXArwIAAAAAWXG3 | US | der | 472 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3112 | soft.exe | 172.217.23.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3112 | soft.exe | 47.241.6.78:80 | nenengdsa.ug | – | US | malicious
3112 | soft.exe | 172.217.23.161:443 | doc-0c-28-docs.googleusercontent.com | Google Inc. | US | whitelisted
3112 | soft.exe | 172.217.16.174:443 | drive.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
drive.google.com | 172.217.16.174 | shared
ocsp.pki.goog | 172.217.23.99 | whitelisted
doc-0c-28-docs.googleusercontent.com | 172.217.23.161 | shared
nenengdsa.ug | 47.241.6.78 | malicious

Threats

Found threats are available for paid subscriptions
1 ETPRO signature is available in the full report
No debug info