Field | Value
---|---
File name: | psiphon3.exe
Full analysis: | https://app.any.run/tasks/ecbf1831-64f1-41e8-83ad-8a8e219face7
Verdict: | Malicious activity
Analysis date: | August 13, 2019, 15:07:29
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: | 
MIME: | application/x-dosexec
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: | 16B965CB5539F58B273CB327C88524D8
SHA1: | 54CCC518F4C032909211229DED7A7B63F19B28E0
SHA256: | 7D364BB999BD7CF126F5AE35C7CC80DE32A112BAFB8CFA7D4F0533348949B994
SSDEEP: | 98304:T5XQQR6sdk08XmikVoyr3ob7qMK+Mg7kgFbMQptxiBmiKj8uuYZT+hBJ:T5XQQR6ok8ikgb6XqbXxamisuY9CBJ
Extension | Identified file type | Match (%)
---|---|---
.exe | UPX compressed Win32 Executable | 43.5
.exe | Win32 EXE Yoda's Crypter | 42.7
.exe | Win32 Executable (generic) | 7.2
.exe | Generic Win/DOS Executable | 3.2
.exe | DOS Executable Generic | 3.2
Field | Value
---|---
Subsystem: | Windows GUI
SubsystemVersion: | 5.1
ImageVersion: | -
OSVersion: | 5.1
EntryPoint: | 0x11467e0
UninitializedDataSize: | 11902976
InitializedDataSize: | 90112
CodeSize: | 6209536
LinkerVersion: | 14
PEType: | PE32
TimeStamp: | 2019:08:09 02:59:44+02:00
MachineType: | Intel 386 or later, and compatibles
Architecture: | IMAGE_FILE_MACHINE_I386
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: | 09-Aug-2019 00:59:44
Detected languages: | 
DOS header field | Value
---|---
Magic number: | MZ
Bytes on last page of file: | 0x0090
Pages in file: | 0x0003
Relocations: | 0x0000
Size of header: | 0x0004
Min extra paragraphs: | 0x0000
Max extra paragraphs: | 0xFFFF
Initial SS value: | 0x0000
Initial SP value: | 0x00B8
Checksum: | 0x0000
Initial IP value: | 0x0000
Initial CS value: | 0x0000
Overlay number: | 0x0000
OEM identifier: | 0x0000
OEM information: | 0x0000
Address of NE header: | 0x00000120
PE header field | Value
---|---
Signature: | PE
Machine: | IMAGE_FILE_MACHINE_I386
Number of sections: | 3
Time date stamp: | 09-Aug-2019 00:59:44
Pointer to Symbol Table: | 0x00000000
Number of symbols: | 0
Size of Optional Header: | 0x00E0
Characteristics: | 
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00B5A000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x00B5B000 | 0x005EC000 | 0x005EBC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.9305 |
.rsrc | 0x01147000 | 0x00016000 | 0x00015C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.48738 |
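The section table above is what carries the "UPX compressed" verdict: UPX0 has a virtual size of 0xB5A000 but no raw data (it is the region the stub unpacks into at run time), UPX1 holds the compressed image at entropy 7.93 and contains the entry point (0x11467e0 falls inside its 0xB5B000..0x1147000 range), and both sections are marked writable and executable. The Python below is an added example, not ANY.RUN's or Psiphon's code: it parses the section headers of a PE32 with the standard library, measures per-section Shannon entropy, and applies those heuristics. The sample PE it builds is constructed here to mirror this layout (its UPX1 payload is the bytes 0..255 repeated, so the entropy comes out as exactly 8.0); it is not the analysed binary and does not run.

```python
import math
import struct
from dataclasses import dataclass

# IMAGE_SECTION_HEADER characteristic bits (winnt.h)
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in counts if c))


def parse_sections(pe: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # COFF header is 20 bytes
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rsize, rptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, rsize, chars, shannon_entropy(raw)))
    return sections


def packer_indicators(sections) -> list:
    """Heuristics matching the traits in the table above; each hit is a string."""
    findings = []
    if {"UPX0", "UPX1"} <= {s.name for s in sections}:
        findings.append("UPX section names present")
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    for s in sections:
        if s.characteristics & wx == wx:
            findings.append(f"{s.name}: writable and executable")
        if s.raw_size == 0 and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s.name}: executable section with no raw data "
                            f"(0x{s.virtual_size:X} bytes reserved for unpacking)")
        if s.entropy >= 7.0:
            findings.append(f"{s.name}: entropy {s.entropy:.2f}, compressed or encrypted")
    return findings


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE32 whose section table mirrors the report
    (UPX0 with no raw data, a W+X UPX1, .rsrc). Not the analysed file."""
    opt_size = 0xE0
    raw_base = 0x400
    upx1 = bytes(range(256)) * 16          # uniform byte histogram -> entropy 8.0
    rsrc = b"RT_MANIFEST" + bytes(53)

    def hdr(name, vsize, vaddr, rsize, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)       # PE32 magic, rest zeroed
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    secs = (hdr(b"UPX0", 0x00B5A000, 0x00001000, 0, 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | rwx)
            + hdr(b"UPX1", 0x1000, 0x00B5B000, len(upx1), raw_base, IMAGE_SCN_CNT_INITIALIZED_DATA | rwx)
            + hdr(b".rsrc", 0x40, 0x00B5C000, len(rsrc), raw_base + len(upx1),
                  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    image = bytearray(dos + b"PE\0\0" + coff + opt + secs)
    image += bytes(raw_base - len(image))                       # pad headers up to first raw pointer
    return bytes(image + upx1 + rsrc)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s.name:<6} VA=0x{s.virtual_address:08X} raw=0x{s.raw_size:X} entropy={s.entropy:.4f}")
    print(packer_indicators(secs))
```

Entropy near 8 on its own is also what a legitimately signed, compressed installer shows; the combination with a zero-raw-size executable section and UPX section names is what makes this a packer signature rather than a compression one, and the UPX stub is trivially unpacked for static analysis, so the heuristic is a triage step, not a verdict.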
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.91161 | 381 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 4.0192 | 744 | UNKNOWN | English - United States | RT_ICON |
3 | 5.62289 | 1384 | UNKNOWN | English - United States | RT_ICON |
4 | 5.86281 | 2216 | UNKNOWN | English - United States | RT_ICON |
5 | 5.32737 | 3752 | UNKNOWN | English - United States | RT_ICON |
6 | 5.87817 | 1128 | UNKNOWN | English - United States | RT_ICON |
7 | 5.80197 | 66 | UNKNOWN | English - United States | RT_STRING |
8 | 4.79539 | 9640 | UNKNOWN | English - United States | RT_ICON |
9 | 7.96592 | 19543 | UNKNOWN | English - United States | RT_ICON |
10 | 7.94804 | 41745 | UNKNOWN | English - United States | RT_ICON |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
CRYPT32.dll |
GDI32.dll |
KERNEL32.DLL |
OLEAUT32.dll |
RASAPI32.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3724 | "C:\Users\admin\AppData\Local\Temp\psiphon3.exe" | C:\Users\admin\AppData\Local\Temp\psiphon3.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM
2952 | C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe --config "C:\Users\admin\AppData\Roaming\Psiphon3\psiphon.config" --serverList "C:\Users\admin\AppData\Roaming\Psiphon3\server_list.dat" | C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe | — | psiphon3.exe | User: admin; Integrity Level: MEDIUM
3840 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | psiphon3.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2308 | "C:\Program Files\Internet Explorer\iexplore.exe" https://ipfounder.net/?sponsor_id=1BC527D3D09985CF&sponsor=psiphon&client_region=SE&client_platform=windows&secret=580EfjEI29xL3hoyU6dgP4vSEVxdcGI7JDFkxgjds7PHulSEF0wmORpvzbqxyTwYtpowsY4xMFnfWEnTghe6l8jiV9K5QSZoir2i6fDeKJD6EhL6DkoYTEMu2EE9YJvy3LdCUZ7ncdVC6ipgWx06wznvDLbY1ajfcfRGCpfsQJei2q6tb0GSFh1QK3x3qXKwyjmNPc5J | C:\Program Files\Internet Explorer\iexplore.exe | — | psiphon3.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2260 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2308 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3460 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0; Version: 26,0,0,131
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2308 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | —
2308 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2260 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@ipfounder[1].txt | — | — | —
3724 | psiphon3.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\main[1] | html | 29FA264CB54DF50DF777F2F4F6154A1C | 8CAAAAE2AA224FFEC4F598A7AD44236B3F65BC4089C3CC0492C31D5A448D3DA0
3724 | psiphon3.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\flag_unknown_32[1] | image | 0E23864908AA82DCFA6CF76BD308A498 | 2BF319D0025D275DF9DA396E238377460D9B562BB2F11BB0D9DAB23981E79CFD
3724 | psiphon3.exe | C:\Users\admin\AppData\Local\Temp\psiphon-tunnel-core.exe | executable | A33148C5FF0767F91BFBAF81418FC81F | AD17FAA17E65E4F0ED96B557754E005B78B18528D54A166D2275E5B39115AACD
3840 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | E794DD27A837F3D2213C647C0817C1CB | FC2514DF7505402DDDD4BE9A0A7152E68280CB8B2EEB82489886379B0729040E
2260 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C8DHAWGK\psiphon1[1].txt | — | — | —
3724 | psiphon3.exe | C:\Users\admin\AppData\Roaming\Psiphon3\psiphon.config | text | C122C17B48F04D3E6A28A6B218A451E5 | 920C1C27F9D670B7D89DACC8F23F0F9ECBF4833F3291157C743A2E880B1847EC
2260 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | B25AFFD3769B9A008F53F3CD4B5337F0 | D73823CCEBAF7CF731C5A8A272E4EAB026FB48E507F2A20AD603BB980B44F294
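Two rows in the process and file tables above make up the pattern worth detecting: psiphon3.exe (PID 3724) writes psiphon-tunnel-core.exe into the user's Temp directory, then starts it (PID 2952) with --config and --serverList pointing into AppData\Roaming\Psiphon3. The Python below is an added example of correlating those two event kinds; it is not ANY.RUN tooling, the event schema and field names are my own, the events are reconstructed from the rows above, and the explorer.exe image path and its PID (0, since the report does not give it) are assumptions.

```python
import re
from dataclasses import dataclass

TEMP = "C:\\Users\\admin\\AppData\\Local\\Temp\\"
ROAMING = "C:\\Users\\admin\\AppData\\Roaming\\Psiphon3\\"


@dataclass(frozen=True)
class Event:
    kind: str          # "file_write" or "process_start" (schema is an assumption)
    actor_pid: int     # writer of the file, or parent of the new process
    actor: str         # image path of that process
    target: str        # file written, or image path of the new process
    new_pid: int = 0   # set for process_start only
    cmdline: str = ""


# Directory fragments a medium-integrity user can write to without elevation.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


def in_user_writable(path: str) -> bool:
    return any(tag in path.lower() for tag in USER_WRITABLE)


def drop_and_execute(events):
    """Pair every executable written into a user-writable directory with a
    later start of that same image. Parent linkage is deliberately not
    required: the dropper and the launcher need not be the same process."""
    written = {}                            # lowercased path -> pid that wrote it
    hits = []
    for ev in events:                       # assumed to be in chronological order
        key = ev.target.lower()
        if ev.kind == "file_write" and key.endswith(".exe") and in_user_writable(key):
            written[key] = ev.actor_pid
        elif ev.kind == "process_start" and key in written:
            hits.append((written[key], ev.target, ev.new_pid))
    return hits


def user_writable_args(cmdline: str):
    """Paths under user-writable directories referenced on a command line,
    quoted or bare, excluding argv[0] itself."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return [t for t in tokens[1:] if in_user_writable(t)]


# Constructed from the report's rows; explorer.exe path and PID are assumptions.
SAMPLE_EVENTS = [
    Event("process_start", 0, "C:\\Windows\\explorer.exe", TEMP + "psiphon3.exe",
          new_pid=3724, cmdline=f'"{TEMP}psiphon3.exe"'),
    Event("file_write", 3724, TEMP + "psiphon3.exe", TEMP + "psiphon-tunnel-core.exe"),
    Event("file_write", 3724, TEMP + "psiphon3.exe", ROAMING + "psiphon.config"),
    Event("process_start", 3724, TEMP + "psiphon3.exe", TEMP + "psiphon-tunnel-core.exe",
          new_pid=2952,
          cmdline=f'{TEMP}psiphon-tunnel-core.exe --config "{ROAMING}psiphon.config" '
                  f'--serverList "{ROAMING}server_list.dat"'),
    Event("process_start", 3724, TEMP + "psiphon3.exe", "C:\\Windows\\system32\\rundll32.exe",
          new_pid=3840,
          cmdline='"C:\\Windows\\system32\\rundll32.exe" "C:\\Windows\\system32\\WININET.dll",DispatchAPICall 1'),
]


def report(events=SAMPLE_EVENTS):
    """One line per finding, so the result can be asserted on or printed."""
    lines = []
    for writer, path, pid in drop_and_execute(events):
        lines.append(f"pid {writer} dropped {path} and it started as pid {pid}")
    for ev in events:
        if ev.kind == "process_start":
            for p in user_writable_args(ev.cmdline):
                lines.append(f"pid {ev.new_pid} reads {p} from its command line")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Parent-child links on their own are weak evidence here: the rundll32.exe child loading WININET.dll,DispatchAPICall is spawned by WinINet on behalf of any process that uses it, and iexplore.exe is simply the registered browser being handed a URL. The drop-then-execute pair and the configuration paths under Roaming are the parts that survive a rename of the binary.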
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2952 | psiphon-tunnel-core.exe | 178.62.40.168:53 | — | Digital Ocean, Inc. | GB | suspicious |
2952 | psiphon-tunnel-core.exe | 195.206.104.236:53 | — | — | — | suspicious |
2952 | psiphon-tunnel-core.exe | 139.59.25.93:80 | — | Digital Ocean, Inc. | IN | unknown |
2952 | psiphon-tunnel-core.exe | 212.227.200.149:443 | — | 1&1 Internet SE | DE | unknown |
2952 | psiphon-tunnel-core.exe | 185.217.69.100:22 | — | M247 Ltd | US | suspicious |
2952 | psiphon-tunnel-core.exe | 37.46.114.17:53 | — | AltusHost B.V. | BG | suspicious |
— | — | 213.108.110.57:22 | — | Greenhost BV | NL | unknown |
2952 | psiphon-tunnel-core.exe | 2.16.186.115:443 | a852.gd.akamai.net | Akamai International B.V. | — | whitelisted |
2952 | psiphon-tunnel-core.exe | 2.16.186.107:443 | a1300.gd.akamai.net | Akamai International B.V. | — | whitelisted |
2952 | psiphon-tunnel-core.exe | 104.18.151.190:443 | — | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
a408.b.akamai.net | — | whitelisted
a1300.gd.akamai.net | — | whitelisted
— | — | unknown
a852.gd.akamai.net | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2952 | psiphon-tunnel-core.exe | Potential Corporate Privacy Violation | ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set |
2952 | psiphon-tunnel-core.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
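The first alert above names its own cause: traffic on port 53 whose DNS OPCODE field holds a value in the unassigned 8..15 range. The process it is attributed to, psiphon-tunnel-core.exe (PID 2952), is also the one with the port-53 connections in the network table, so the rule is reacting to non-DNS bytes being decoded as a DNS header. The Python below is an added example, not Suricata or Emerging Threats code; it decodes the 12-byte DNS header from RFC 1035 section 4.1.1 and classifies a port-53 payload the way the rule does, including the 2-byte length prefix DNS uses over TCP. The payloads are constructed here, not captured from the analysis; the SSH banner is included to show how arbitrary bytes land in the opcode field.

```python
import struct

# IANA DNS OpCodes; 3 and 7 through 15 were unassigned at the time of this report.
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE", 6: "DSO"}


def dns_opcode(payload: bytes, over_tcp: bool = False):
    """OPCODE (bits 1..4 of the flags word) of a DNS message, or None when the
    payload is too short to hold the 12-byte header. Over TCP each message is
    preceded by a two-byte big-endian length (RFC 1035 section 4.2.2)."""
    if over_tcp:
        if len(payload) < 2:
            return None
        length = struct.unpack_from(">H", payload, 0)[0]
        payload = payload[2:2 + length]
    if len(payload) < 12:
        return None
    _id, flags = struct.unpack_from(">HH", payload, 0)   # ID, then QR|OPCODE|AA|TC|RD|RA|Z|RCODE
    return (flags >> 11) & 0xF


def classify_port53(payload: bytes, over_tcp: bool = False) -> str:
    """Mirror the rule's logic: anything with opcode 8..15 is non-compliant."""
    op = dns_opcode(payload, over_tcp)
    if op is None:
        return "not-dns: shorter than a DNS header"
    if op >= 8:
        return f"non-compliant: opcode {op} (ET DNS rule range 8 through 15)"
    if op in OPCODE_NAMES:
        return f"dns: {OPCODE_NAMES[op]}"
    return f"unassigned: opcode {op}"


# Constructed payloads, not captures from the analysis.
QUERY_EXAMPLE_COM = (struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)      # RD set, one question
                     + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1))  # QTYPE A, QCLASS IN
OPCODE_8 = struct.pack(">HHHHHH", 0, 0x4000, 0, 0, 0, 0)                     # top opcode bit set
SSH_BANNER = b"SSH-2.0-OpenSSH_7.9\r\n"      # "H-" = 0x482D becomes the flags word -> opcode 9


def triage(samples):
    """samples: name -> (payload, over_tcp); returns name -> verdict string."""
    return {name: classify_port53(p, tcp) for name, (p, tcp) in samples.items()}


if __name__ == "__main__":
    verdicts = triage({
        "udp query": (QUERY_EXAMPLE_COM, False),
        "tcp query": (struct.pack(">H", len(QUERY_EXAMPLE_COM)) + QUERY_EXAMPLE_COM, True),
        "opcode 8": (OPCODE_8, False),
        "ssh banner on 53": (SSH_BANNER, False),
        "two bytes": (b"\x00\x01", False),
    })
    for name, verdict in verdicts.items():
        print(f"{name:<18} {verdict}")
```

With uniformly random leading bytes the opcode's top bit is set in half of all packets, so an obfuscated stream carried over port 53 trips this rule within a few packets even though no individual packet is "wrong"; a plaintext SSH banner does so on the first one. The second alert, protocol detected in only one direction, is the same symptom seen by the application-layer parser rather than by a signature.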
Process | Message
---|---
psiphon3.exe | Client Version: 145
psiphon3.exe | ":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/bifurcation/mint/syntax":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/cheekybits/genny/generic":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/golang/protobuf/proto":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/grafov/m3u8":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/hashicorp/golang-lru":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/hashicorp/golang-lru/simplelru":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/juju/ratelimit":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/aes12":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go-certificates":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go/h2quic":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go/internal/ackhandler":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go/internal/congestion":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go/internal/crypto":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go/internal/flowcontrol":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go/internal/handshake":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go/internal/protocol":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go/internal/utils":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go/internal/wire":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/lucas-clemente/quic-go/qerr":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/refraction-networking/utls":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/refraction-networking/utls/cpu":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/sergeyfrolov/bsbuffer":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/sergeyfrolov/gotapdance/protobuf":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/sergeyfrolov/gotapdance/tapdance":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/sirupsen/logrus":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/github.com/zach-klippenstein/goregen":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/crypto/chacha20poly1305":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/crypto/cryptobyte":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/crypto/cryptobyte/asn1":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/crypto/curve25519":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/crypto/hkdf":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/crypto/internal/chacha20":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/crypto/internal/subtle":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/crypto/poly1305":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/crypto/ssh/terminal":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/net/http/httpguts":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/net/http2":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/net/http2/hpack":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/net/idna":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/net/proxy":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/sys/cpu":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/sys/windows":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/text/secure/bidirule":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/text/transform":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/text/unicode/bidi":"3119fa5","github.com/Psiphon-Labs/psiphon-tunnel-core/vendor/golang.org/x/text/unicode/norm":"3119fa5"},"goVersion":"go1.11.5"}},"noticeType":"BuildInfo","showUser":false,"timestamp":"2019-08-13T15:08:01.439Z"},"msg":"CoreNotice","timestamp!!timestamp":"2019-08-13T15:08:01.517Z"}