File name: 88888.com
Full analysis: https://app.any.run/tasks/bd5906ed-2018-4471-ac16-74649f1ccce2
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for conducting illicit activities on compromised systems. Some of the most common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: July 13, 2020, 02:44:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, rat, pcrat, gh0st
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 34C2FBA9046803A12A01A18962A31900
SHA1: 86ABE298FC49616F10FBD2B0F6E5951314F26623
SHA256: 8503CD98012FC76F0F3F4727DC3F9EF8300FF9A3B2811D360D816D6DBCDCB50F
SSDEEP: 24576:jX52uaVD2lHV4a/G9x1UhjU+EwhrrngwmsemZEqda78ph5jdrPKARqbbkk7S:NMGHV477/bornT9xZddlHjdrsv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • AliyunService.exe (PID: 1780)
    • Application was dropped or rewritten from another process
      • AliyunService.exe (PID: 1780)
      • 7z.exe (PID: 916)
    • GH0ST was detected
      • AliyunService.exe (PID: 1780)
    • Writes to a start menu file
      • 7z.exe (PID: 916)
    • Connects to CnC server
      • AliyunService.exe (PID: 1780)
  • SUSPICIOUS
    • Executes PowerShell scripts
      • 88888.com.exe (PID: 1196)
    • Creates files in the user directory
      • 88888.com.exe (PID: 1196)
      • 7z.exe (PID: 916)
      • powershell.exe (PID: 4044)
    • Creates files in the program directory
      • 88888.com.exe (PID: 1196)
    • Executable content was dropped or overwritten
      • 88888.com.exe (PID: 1196)
  • INFO
    • Manual execution by user
      • AliyunService.exe (PID: 1780)
      • 7z.exe (PID: 916)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (15.3)
.exe | Win64 Executable (generic) (13.5)
.scr | Windows screen saver (6.4)
.dll | Win32 Dynamic Link Library (generic) (3.2)

EXIF

EXE

ProductVersion: 1, 0, 0, 1
ProductName: Test 应用程序
OriginalFileName: Test.EXE
LegalTrademarks: -
LegalCopyright: 版权所有 (C) 2020
InternalName: Test
FileVersion: 1, 0, 0, 1
FileDescription: Test Microsoft 基础类应用程序
CompanyName: -
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.1
FileVersionNumber: 1.0.0.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0xa056
UninitializedDataSize: -
InitializedDataSize: 1617920
CodeSize: 135168
LinkerVersion: 6
PEType: PE32
TimeStamp: 2020:07:12 11:44:58+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 12-Jul-2020 09:44:58
Detected languages:
  • Chinese - PRC
CompanyName: -
FileDescription: Test Microsoft 基础类应用程序
FileVersion: 1, 0, 0, 1
InternalName: Test
LegalCopyright: 版权所有 (C) 2020
LegalTrademarks: -
OriginalFilename: Test.EXE
ProductName: Test 应用程序
ProductVersion: 1, 0, 0, 1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 12-Jul-2020 09:44:58
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00020F37 | 0x00021000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.61358
.rdata | 0x00022000 | 0x000085E4 | 0x00009000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.55634
.data | 0x0002B000 | 0x0017DBE8 | 0x0017A000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.52462
.rsrc | 0x001A9000 | 0x00003068 | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.67445

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.54258 | 716 | UNKNOWN | Chinese - PRC | RT_VERSION
2 | 2.55844 | 296 | UNKNOWN | Chinese - PRC | RT_ICON
3 | 2.82395 | 744 | UNKNOWN | Chinese - PRC | RT_ICON
4 | 2.55844 | 296 | UNKNOWN | Chinese - PRC | RT_ICON
5 | 2.82395 | 744 | UNKNOWN | Chinese - PRC | RT_ICON
6 | 2.55844 | 296 | UNKNOWN | Chinese - PRC | RT_ICON
7 | 1.90549 | 60 | UNKNOWN | Chinese - PRC | RT_STRING
8 | 2.74274 | 180 | UNKNOWN | Chinese - PRC | RT_CURSOR
100 | 3.51881 | 206 | UNKNOWN | Chinese - PRC | RT_DIALOG
102 | 3.51321 | 188 | UNKNOWN | Chinese - PRC | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
OLEPRO32.DLL
SHELL32.dll
USER32.dll
WINSPOOL.DRV
comdlg32.dll
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown: start, 88888.com.exe, powershell.exe (no specs), 7z.exe, aliyunservice.exe (#GH0ST)

Process information

PID: 1196
CMD: "C:\Users\admin\Desktop\88888.com.exe"
Path: C:\Users\admin\Desktop\88888.com.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Test Microsoft 基础类应用程序
Exit code: 0
Version: 1, 0, 0, 1

PID: 4044
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\ProgramData\run.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: 88888.com.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 916
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\7z.exe" x 1.zip
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\7z.exe
Parent process: explorer.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Standalone Console
Exit code: 0
Version: 18.05

PID: 1780
CMD: "C:\ProgramData\AliyunService.exe"
Path: C:\ProgramData\AliyunService.exe
Parent process: explorer.exe
User: admin
Company: 杭州顺网科技股份有限公司
Integrity Level: MEDIUM
Description: APlus Module
Version: 2020,03,11,1
Total events: 456
Read events: 183
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 2
Text files: 3
Unknown types: 3

Dropped files

PID | Process | Filename | Type
4044 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L78BMUVV9AZQBJVB5YBJ.temp | -
  MD5: -
  SHA256: -
1196 | 88888.com.exe | C:\ProgramData\run.ps1 | text
  MD5: E09979739C0BEB9564369BC2F7370909
  SHA256: 2674FB88EB2C761848BECF4E3883FE908C12CF452E137F6A2D9C484DB0FB9A36
1196 | 88888.com.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\7z.exe | executable
  MD5: 42E83BB2537A79B17E13DD936EC2FEF4
  SHA256: 00F85BEB322FE51AB3A3B88ABCBBBE40F019A7EE53498E27A507DA6824ADAF76
1196 | 88888.com.exe | C:\ProgramData\run001.lnk | lnk
  MD5: BB12E97EA8F21D5A758DD7AB76BB4905
  SHA256: E083F3EE4F72BC71B41FF9CBBE1E7628B4EED643F9C3EB2B938FF03C8D6DEE8A
1196 | 88888.com.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\1.zip | compressed
  MD5: CD9E140B4EE432DD250BF39023BFA1DA
  SHA256: 9632D2281698340EE11EFEA53C13A1E3CC17B7E5A4A4FD7234E14EDF13B20417
4044 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b6975a233ce469bf.customDestinations-ms | binary
  MD5: 36BD361C43786B2667A93867DC3172A2
  SHA256: AD954933DF9E4E5C3C640B650DC6A8CA9825E8D88D8199726C8D98F9CFB09B5B
1196 | 88888.com.exe | C:\ProgramData\run002.url | text
  MD5: 5E8813E99578CDA8342F8E33F83C2154
  SHA256: FACD5B7A6BC5E3B79710186251DFBDE8673B25CA32F48372D05A669B0FC1F10B
1196 | 88888.com.exe | C:\ProgramData\log.dll | executable
  MD5: 3D17DD6C0184E697C82304088F41ECCB
  SHA256: 44679ABB0F3D94EA8833859C1D22BA123C6D5C6ADD760423F8C1D77693608FB4
1196 | 88888.com.exe | C:\ProgramData\run.url | text
  MD5: 44FA9C1FAEBE27CE912361F335A7DF68
  SHA256: 603E1D85038648C83DDF4EEA698206C015EAB1895F6AE9F5E41C33CAB1C03AD1
1196 | 88888.com.exe | C:\ProgramData\powershell.lnk | lnk
  MD5: AB8D076B0A689AD993507A24F3957B22
  SHA256: D129C29DD6D89B247C691A01F9F88D8F0C372814EC883F6DF0A174A78CEDEA70
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1780 | AliyunService.exe | 216.83.57.64:1024 | - | NETSEC NOC | US | malicious

DNS requests

No data

Threats

PID | Process | Class | Message
1780 | AliyunService.exe | A Network Trojan was detected | MALWARE [PTsecurity] ServStart
1 ETPRO signatures available at the full report
No debug info