File name: Napse.exe
Full analysis: https://app.any.run/tasks/d1621575-5573-462d-b3af-0e49f54366d1
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs, each focusing on its own kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: December 22, 2024, 17:11:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: trox, stealer, themida, python
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5: 6FB806600045B4AE326029267CF91AC9
SHA1: 0361FF522619A64B1E9035E9CD0989F09A4AB92E
SHA256: 8317745200AE99653276548E8A6499C2A9A668F328299735B84AE54CE6A52741
SSDEEP: 393216:AudLkWxpVrGvKmRKKI1BMaSapGSZe8CDK:lLRj7+K7MapGSZedD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • TROX has been detected
      • Napse.exe (PID: 3608)
      • Napse.exe (PID: 3208)
  • SUSPICIOUS
    • Reads the BIOS version
      • Napse.exe (PID: 3208)
    • Reads security settings of Internet Explorer
      • Napse.exe (PID: 3208)
    • Loads Python modules
      • Napse.exe (PID: 3608)
    • Process drops Python dynamic module
      • Napse.exe (PID: 3208)
    • Executable content was dropped or overwritten
      • Napse.exe (PID: 3208)
      • Napse.exe (PID: 3608)
    • Process drops legitimate Windows executable
      • Napse.exe (PID: 3208)
    • The process drops C-runtime libraries
      • Napse.exe (PID: 3208)
  • INFO
    • Checks supported languages
      • Napse.exe (PID: 3208)
      • Napse.exe (PID: 3608)
    • Creates files in a temporary directory
      • Napse.exe (PID: 3208)
      • Napse.exe (PID: 3608)
    • Process checks whether UAC notifications are on
      • Napse.exe (PID: 3208)
    • The sample was compiled with English language support
      • Napse.exe (PID: 3208)
    • Themida protector has been detected
      • Napse.exe (PID: 3208)
    • Checks proxy server information
      • Napse.exe (PID: 3608)
    • Drops encrypted VBS script (Microsoft Script Encoder)
      • Napse.exe (PID: 3608)
    • Reads the computer name
      • Napse.exe (PID: 3608)
      • Napse.exe (PID: 3208)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:12:15 18:44:46+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 130048
InitializedDataSize: 28585472
UninitializedDataSize: -
EntryPoint: 0x29cd058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 8.0.3.3
ProductVersionNumber: 8.0.3.3
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Napse
ProductName: Napse
FileDescription: Napse
LegalCopyright: Napse
ProductVersion: 8.0.3.3
FileVersion: 8.0.3.3
OriginalFileName: Napse.exe
InternalName: Napse
No data.
Total processes: 117
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive graph; rendered only in the full report): start → Napse.exe (#TROX) → Napse.exe (#TROX); a third Napse.exe process has no specs.

Process information

PID 3208
  CMD: "C:\Users\admin\Desktop\Napse.exe"
  Path: C:\Users\admin\Desktop\Napse.exe
  Parent process: explorer.exe
  User: admin
  Company: Napse
  Integrity Level: HIGH
  Description: Napse
  Exit code: 1
  Version: 8.0.3.3
  Modules (images):
    c:\users\admin\desktop\napse.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\shell32.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll

PID 3224
  CMD: "C:\Users\admin\Desktop\Napse.exe"
  Path: C:\Users\admin\Desktop\Napse.exe
  Parent process: explorer.exe
  User: admin
  Company: Napse
  Integrity Level: MEDIUM
  Description: Napse
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance exited because it required elevation, which is consistent with the HIGH-integrity instances above and below)
  Version: 8.0.3.3
  Modules (images):
    c:\users\admin\desktop\napse.exe
    c:\windows\system32\ntdll.dll

PID 3608
  CMD: C:\Users\admin\Desktop\Napse.exe
  Path: C:\Users\admin\AppData\Local\Temp\onefile_3208_133793611401825948\Napse.exe
  Parent process: Napse.exe
  User: admin
  Company: Napse
  Integrity Level: HIGH
  Description: Napse
  Exit code: 1
  Version: 8.0.3.3
  Modules (images):
    c:\users\admin\appdata\local\temp\onefile_3208_133793611401825948\napse.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\users\admin\appdata\local\temp\onefile_3208_133793611401825948\python312.dll
    c:\windows\system32\ws2_32.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\version.dll
    c:\windows\system32\bcrypt.dll
Total events: 911
Read events: 911
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 46
Suspicious files: 519
Text files: 932
Unknown types: 86

Dropped files

All entries below were written by PID 3208 (Napse.exe) into C:\Users\admin\AppData\Local\Temp\onefile_3208_133793611401825948\:

Napse.exe
  Type: (not listed)
  MD5: (not listed)
  SHA256: (not listed)
chr2.gif
  Type: (not listed)
  MD5: (not listed)
  SHA256: (not listed)
_ctypes.pyd
  Type: executable
  MD5: 302DDF5F83B5887AB9C4B8CC4E40B7A6
  SHA256: 8250B4C102ABD1DBA49FC5B52030CAA93CA34E00B86CEE6547CC0A7F22326807
_hashlib.pyd
  Type: executable
  MD5: 0ABFEE1DB6C16E8DDAFF12CD3E86475B
  SHA256: B4CEC162B985D34AB768F66E8FA41ED28DC2F273FDE6670EEACE1D695789B137
_lzma.pyd
  Type: executable
  MD5: E3E7E99B3C2EA56065740B69F1A0BC12
  SHA256: B095FA2EAC97496B515031FBEA5737988B18DEEE86A11F2784F5A551732DDC0C
_cffi_backend.pyd
  Type: executable
  MD5: FCB71CE882F99EC085D5875E1228BDC1
  SHA256: 86F136553BA301C70E7BADA8416B77EB4A07F76CCB02F7D73C2999A38FA5FA5B
_elementtree.pyd
  Type: executable
  MD5: 57130733D8CBD090BE211B8A193BED34
  SHA256: C07F2827542A392FDE5FA9FE4D079C41D108C2B36C53C4035D1209F67C73E8D2
_bz2.pyd
  Type: executable
  MD5: FE499B0A9F7F361FA705E7C81E1011FA
  SHA256: 160B5218C2035CCCBAAB9DC4CA26D099F433DCB86DBBD96425C933DC796090DF
_decimal.pyd
  Type: executable
  MD5: 82321FB8245333842E1C31F874329170
  SHA256: B7F9603F98EF232A2C5BCE7001D842C01D76ED35171AFBD898E6D17FACF38B56
_queue.pyd
  Type: executable
  MD5: 941A3757931719DD40898D88D04690CB
  SHA256: BBE7736CAED8C17C97E2B156F686521A788C25F2004AAE34AB0C282C24D57DA7

Note (editor's inference, not stated by the report): the onefile_<pid>_<timestamp> extraction directory together with the bundled python312.dll and the .pyd extension modules is the layout produced by a Nuitka --onefile build, which fits the "python" tag and the "Loads Python modules" signature above; the inner Napse.exe (PID 3608) is the unpacked payload, so detection and hashing should cover that dropped binary and not only the Themida-protected outer file.
HTTP(S) requests: 3
TCP/UDP connections: 19
DNS requests: 7
Threats: 0

HTTP requests

Columns: PID, process, method, HTTP code, IP, URL, CN, type, size, reputation (CN, type and size were not extracted for these rows except as noted).

PID 2548, svchost.exe: GET 200, 23.48.23.156:80, http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl, CN unknown, reputation whitelisted
PID 4712, MoUsoCoreWorker.exe: GET 200, 23.48.23.156:80, http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl, CN unknown, reputation whitelisted
PID 4712, MoUsoCoreWorker.exe: GET 200, 184.30.21.171:80, http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl, CN unknown, reputation whitelisted

Connections

Columns: PID, process, IP, domain, ASN, CN, reputation.

PID (not listed): 51.124.78.146:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, NL, whitelisted
PID 4, System: 192.168.100.255:137, whitelisted
PID 4, System: 192.168.100.255:138, whitelisted
PID 4712, MoUsoCoreWorker.exe: 23.48.23.156:80, crl.microsoft.com, Akamai International B.V., DE, whitelisted
PID 2548, svchost.exe: 23.48.23.156:80, crl.microsoft.com, Akamai International B.V., DE, whitelisted
PID 4712, MoUsoCoreWorker.exe: 184.30.21.171:80, www.microsoft.com, AKAMAI-AS, DE, unknown
PID (not listed): 20.73.194.208:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, NL, whitelisted
PID 2548, svchost.exe: 20.73.194.208:443, settings-win.data.microsoft.com, MICROSOFT-CORP-MSN-AS-BLOCK, NL, whitelisted
PID 3608, Napse.exe: 188.114.96.3:443, www.napse.ac, CLOUDFLARENET, NL, unknown

DNS requests

Columns: domain, resolved IPs, reputation.

settings-win.data.microsoft.com: 51.124.78.146, 20.73.194.208 (whitelisted)
google.com: 172.217.16.206 (whitelisted)
crl.microsoft.com: 23.48.23.156, 23.48.23.143 (whitelisted)
www.microsoft.com: 184.30.21.171 (whitelisted)
www.napse.ac: 188.114.96.3, 188.114.97.3 (unknown)
self.events.data.microsoft.com: 51.104.15.253 (whitelisted)

Threats

No threats detected
No debug info