analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0ac34ed854421b48e769858c5c3b5e6a.exe

Full analysis: https://app.any.run/tasks/3331313f-030c-4f49-8ed2-ffb316eddab0
Verdict: Malicious activity
Threats:

CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It has been first observed in the wild in 2019.

Malware Trends Tracker     >>>
Analysis date: April 01, 2023, 06:47:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
cryptbot
opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

0AC34ED854421B48E769858C5C3B5E6A

SHA1:

C3604B794543A1F719F2A31148AC0F5848A2BEF8

SHA256:

863FD040CD49DDF902538A66CD9CBEF63B35F36DA1066CBBA4A51483DDE7113A

SSDEEP:

98304:fX93k2IKK9+pcq9MzpgCEPyJbfZmOpeLfUUWdBbj0yGNk8mURwpVxzJFOzTl2:0joarvfXQo/dBbjACUCjOd2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • CRYPTBOT detected by memory dumps

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Application was dropped or rewritten from another process

      • putlog.exe (PID: 3052)
      • DpEditor.exe (PID: 2300)

    • Actions looks like stealing of personal data

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

  • SUSPICIOUS

    • Reads the Internet Settings

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1884)
      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Application launched itself

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1884)

    • Searches for installed software

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Executable content was dropped or overwritten

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)
      • putlog.exe (PID: 3052)

    • Reads the BIOS version

      • putlog.exe (PID: 3052)
      • DpEditor.exe (PID: 2300)

    • Starts CMD.EXE for commands execution

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Starts itself from another location

      • putlog.exe (PID: 3052)

  • INFO

    • The process checks LSA protection

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1884)
      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Reads the computer name

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1884)
      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Checks supported languages

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1884)
      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)
      • putlog.exe (PID: 3052)
      • DpEditor.exe (PID: 2300)

    • Reads Windows Product ID

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1884)
      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Reads Environment values

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Reads CPU info

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Create files in a temporary directory

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Checks proxy server information

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Creates files or folders in the user directory

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)
      • putlog.exe (PID: 3052)

    • Reads the machine GUID from the registry

      • 0ac34ed854421b48e769858c5c3b5e6a.exe (PID: 1368)

    • Process checks are UAC notifies on

      • putlog.exe (PID: 3052)
      • DpEditor.exe (PID: 2300)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

CryptBot

(PID) Process(1368) 0ac34ed854421b48e769858c5c3b5e6a.exe
Options
KeyNkB7vazOVtAR2LZ
Prefixmrd-
PasswordFile_AllPasswords.txt
InfoFile_Information.txt
MessageAfterEndtrue
DesktopFolder_Desktop
NTFStrue
UACtrue
EdgeDBFolder_Edge
FilesFolder_Files
UserAgent
ChromeDBFolder_Chrome
CookiesFile_AllCookies.txt
ExternalDownloadhttp://womwuq08.top/putlog.dat
Antifalse
FirefoxDBFolder_Firefox
WalletFolder_Wallet
ScreenFile$CREEN.PNG
DeleteAfterEndtrue
HistoryFile_AllHistory.txt
ChromeExttrue
Desktoptrue
EdgeExttrue
Edgefalse
FirefoxDBtrue
CookiesEdgefalse
Chromefalse
CookiesFirefoxfalse
CookiesOperafalse
ChromeDBtrue
Screenshottrue
Filesfalse
HistoryFirefoxfalse
HistoryEdgefalse
HistoryChromefalse
CookiesChromefalse
EdgeDBtrue
HistoryOperafalse
Operafalse
Infotrue
Wallettrue
Firefoxfalse
C2http://ivyvfd62.top/gate.php;
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

OLESelfRegister: -
SfLangID: SBCS:409
SfLangName: English (U.S.)
SfCharSet: UNICODE
ProductVersion: Version 1.2.0 (Build 10062) 64-bit
ProductName: Legacy Audio File Format
OriginalFileName: SfLgaPlg.DLL
LegalCopyright: Copyright (c) 2022 MAGIX Software GmbH. All Rights Reserved.
InternalName: SfLgaPlg.DLL
FileVersion: Version 1.2.0 (Build 10062) 64-bit
FileDescription: Microsoft Wave
CompanyName: MAGIX Software GmbH
CharacterSet: Windows, Latin1
LanguageCode: Unknown (04E4)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x30003f
ProductVersionNumber: 1.2.0.10062
FileVersionNumber: 1.2.0.10062
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x7f6163
UninitializedDataSize: -
InitializedDataSize: 516608
CodeSize: 577024
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, 32-bit
TimeStamp: 2023:03:27 16:45:07+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-Mar-2023 16:45:07
Detected languages:
  • English - United States
CompanyName: MAGIX Software GmbH
FileDescription: Microsoft Wave
FileVersion: Version 1.2.0 (Build 10062) 64-bit
InternalName: SfLgaPlg.DLL
LegalCopyright: Copyright (c) 2022 MAGIX Software GmbH. All Rights Reserved.
OriginalFilename: SfLgaPlg.DLL
ProductName: Legacy Audio File Format
ProductVersion: Version 1.2.0 (Build 10062) 64-bit
SfCharSet: UNICODE
SfLangName: English (U.S.)
SfLangID: SBCS:409
OLESelfRegister: -

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 9
Time date stamp: 27-Mar-2023 16:45:07
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0008CCE8
0x00000000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
0
.rdata
0x0008E000
0x0001CF5E
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0
.data
0x000AB000
0x00008C00
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.tls
0x000B4000
0x00000009
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.gfids
0x000B5000
0x00000204
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0
.&I^
0x000B6000
0x00384157
0x00000000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
0
.C(q
0x0043B000
0x000006C8
0x00000800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.334631
./2i
0x0043C000
0x00675520
0x00675600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.96892
.rsrc
0x00AB2000
0x0004C814
0x0004CA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.62555

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.55706
1136
UNKNOWN
English - United States
RT_VERSION
2
5.0483
364
UNKNOWN
English - United States
RT_MANIFEST
3
4.80992
3240
UNKNOWN
UNKNOWN
RT_ICON
4
4.75066
7336
UNKNOWN
UNKNOWN
RT_ICON
5
4.70322
12840
UNKNOWN
UNKNOWN
RT_ICON
6
4.65323
28840
UNKNOWN
UNKNOWN
RT_ICON
7
4.57873
51240
UNKNOWN
UNKNOWN
RT_ICON
8
4.56921
204840
UNKNOWN
UNKNOWN
RT_ICON
TRDYGHJDJDFGHJD
2.97389
118
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

ADVAPI32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
WININET.dll
WS2_32.dll
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start 0ac34ed854421b48e769858c5c3b5e6a.exe no specs #CRYPTBOT 0ac34ed854421b48e769858c5c3b5e6a.exe cmd.exe no specs putlog.exe dpeditor.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1884"C:\Users\admin\AppData\Local\Temp\0ac34ed854421b48e769858c5c3b5e6a.exe" C:\Users\admin\AppData\Local\Temp\0ac34ed854421b48e769858c5c3b5e6a.exeexplorer.exe
User:
admin
Company:
MAGIX Software GmbH
Integrity Level:
MEDIUM
Description:
Microsoft Wave
Exit code:
0
Version:
Version 1.2.0 (Build 10062) 64-bit
Modules
Images
c:\users\admin\appdata\local\temp\0ac34ed854421b48e769858c5c3b5e6a.exe
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\gdi32.dll
1368"C:\Users\admin\AppData\Local\Temp\0ac34ed854421b48e769858c5c3b5e6a.exe" C:\Users\admin\AppData\Local\Temp\0ac34ed854421b48e769858c5c3b5e6a.exe
0ac34ed854421b48e769858c5c3b5e6a.exe
User:
admin
Company:
MAGIX Software GmbH
Integrity Level:
HIGH
Description:
Microsoft Wave
Version:
Version 1.2.0 (Build 10062) 64-bit
Modules
Images
c:\users\admin\appdata\local\temp\0ac34ed854421b48e769858c5c3b5e6a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
CryptBot
(PID) Process(1368) 0ac34ed854421b48e769858c5c3b5e6a.exe
Options
KeyNkB7vazOVtAR2LZ
Prefixmrd-
PasswordFile_AllPasswords.txt
InfoFile_Information.txt
MessageAfterEndtrue
DesktopFolder_Desktop
NTFStrue
UACtrue
EdgeDBFolder_Edge
FilesFolder_Files
UserAgent
ChromeDBFolder_Chrome
CookiesFile_AllCookies.txt
ExternalDownloadhttp://womwuq08.top/putlog.dat
Antifalse
FirefoxDBFolder_Firefox
WalletFolder_Wallet
ScreenFile$CREEN.PNG
DeleteAfterEndtrue
HistoryFile_AllHistory.txt
ChromeExttrue
Desktoptrue
EdgeExttrue
Edgefalse
FirefoxDBtrue
CookiesEdgefalse
Chromefalse
CookiesFirefoxfalse
CookiesOperafalse
ChromeDBtrue
Screenshottrue
Filesfalse
HistoryFirefoxfalse
HistoryEdgefalse
HistoryChromefalse
CookiesChromefalse
EdgeDBtrue
HistoryOperafalse
Operafalse
Infotrue
Wallettrue
Firefoxfalse
C2http://ivyvfd62.top/gate.php;
2852"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Roaming\0D445946394EFC3C\putlog.exeC:\Windows\SysWOW64\cmd.exe0ac34ed854421b48e769858c5c3b5e6a.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
3052C:\Users\admin\AppData\Roaming\0D445946394EFC3C\putlog.exeC:\Users\admin\AppData\Roaming\0D445946394EFC3C\putlog.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\0d445946394efc3c\putlog.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2300"C:\Users\admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeputlog.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\roaming\nch software\drawpad\dpeditor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
3 150
Read events
3 110
Write events
40
Delete events
0

Modification events

(PID) Process:(1884) 0ac34ed854421b48e769858c5c3b5e6a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1884) 0ac34ed854421b48e769858c5c3b5e6a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1884) 0ac34ed854421b48e769858c5c3b5e6a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1884) 0ac34ed854421b48e769858c5c3b5e6a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1368) 0ac34ed854421b48e769858c5c3b5e6a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1368) 0ac34ed854421b48e769858c5c3b5e6a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1368) 0ac34ed854421b48e769858c5c3b5e6a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1368) 0ac34ed854421b48e769858c5c3b5e6a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000008B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1368) 0ac34ed854421b48e769858c5c3b5e6a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1368) 0ac34ed854421b48e769858c5c3b5e6a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
4
Suspicious files
0
Text files
44
Unknown types
6

Dropped files

PID
Process
Filename
Type
13680ac34ed854421b48e769858c5c3b5e6a.exeC:\Users\admin\AppData\Local\Temp\C163.tmptext
MD5:2975D9FA9480B36C59F897319EB3B19F
SHA256:EA498F399C04CCD0A2734010D72F895040D93FDB5D55040EEAB8BF7CE6FC19EB
13680ac34ed854421b48e769858c5c3b5e6a.exeC:\Users\admin\AppData\Local\Temp\C195.tmpsqlite
MD5:B6AC860E0B054140F65635EE09CCBC18
SHA256:1A6F576BFEBB88FE0E466014032BBD070268D11EB431E9106EE9CA5795A2EF44
13680ac34ed854421b48e769858c5c3b5e6a.exeC:\Users\admin\AppData\Local\Temp\C174.tmpsqlite
MD5:C72DB02959D2F97D090B0051EE963AD7
SHA256:6D8285E102CD46A9379778B223651ECEE043321E436DD15C2354EC59F5EB22A5
13680ac34ed854421b48e769858c5c3b5e6a.exeC:\Users\admin\AppData\Local\Temp\C2C3.tmptext
MD5:2975D9FA9480B36C59F897319EB3B19F
SHA256:EA498F399C04CCD0A2734010D72F895040D93FDB5D55040EEAB8BF7CE6FC19EB
13680ac34ed854421b48e769858c5c3b5e6a.exeC:\Users\admin\AppData\Local\Temp\C2B2.tmptext
MD5:2975D9FA9480B36C59F897319EB3B19F
SHA256:EA498F399C04CCD0A2734010D72F895040D93FDB5D55040EEAB8BF7CE6FC19EB
13680ac34ed854421b48e769858c5c3b5e6a.exeC:\Users\admin\AppData\Local\Temp\C3F4.tmptext
MD5:2975D9FA9480B36C59F897319EB3B19F
SHA256:EA498F399C04CCD0A2734010D72F895040D93FDB5D55040EEAB8BF7CE6FC19EB
13680ac34ed854421b48e769858c5c3b5e6a.exeC:\Users\admin\AppData\Local\Temp\C2E3.tmptext
MD5:2975D9FA9480B36C59F897319EB3B19F
SHA256:EA498F399C04CCD0A2734010D72F895040D93FDB5D55040EEAB8BF7CE6FC19EB
13680ac34ed854421b48e769858c5c3b5e6a.exeC:\Users\admin\AppData\Local\Temp\C123.tmptext
MD5:2975D9FA9480B36C59F897319EB3B19F
SHA256:EA498F399C04CCD0A2734010D72F895040D93FDB5D55040EEAB8BF7CE6FC19EB
13680ac34ed854421b48e769858c5c3b5e6a.exeC:\Users\admin\AppData\Local\Temp\C281.tmptext
MD5:2975D9FA9480B36C59F897319EB3B19F
SHA256:EA498F399C04CCD0A2734010D72F895040D93FDB5D55040EEAB8BF7CE6FC19EB
13680ac34ed854421b48e769858c5c3b5e6a.exeC:\Users\admin\AppData\Local\Temp\C3A4.tmptext
MD5:2975D9FA9480B36C59F897319EB3B19F
SHA256:EA498F399C04CCD0A2734010D72F895040D93FDB5D55040EEAB8BF7CE6FC19EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1368
0ac34ed854421b48e769858c5c3b5e6a.exe
GET
200
185.246.220.246:80
http://womwuq08.top/putlog.dat
BG
binary
2.84 Mb
suspicious
1368
0ac34ed854421b48e769858c5c3b5e6a.exe
POST
200
185.246.221.151:80
http://ivyvfd62.top/gate.php
BG
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1368
0ac34ed854421b48e769858c5c3b5e6a.exe
185.246.220.246:80
womwuq08.top
Delis LLC
BG
suspicious
1368
0ac34ed854421b48e769858c5c3b5e6a.exe
185.246.221.151:80
ivyvfd62.top
Enes Koken
BG
malicious

DNS requests

Domain
IP
Reputation
ivyvfd62.top
  • 185.246.221.151
malicious
dns.msftncsi.com
  • 131.107.255.255
shared
womwuq08.top
  • 185.246.220.246
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
1368
0ac34ed854421b48e769858c5c3b5e6a.exe
A Network Trojan was detected
ET MALWARE Trojan Generic - POST To gate.php with no referer
1368
0ac34ed854421b48e769858c5c3b5e6a.exe
A Network Trojan was detected
ET MALWARE Trojan Generic - POST To gate.php with no accept headers
1368
0ac34ed854421b48e769858c5c3b5e6a.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
1368
0ac34ed854421b48e769858c5c3b5e6a.exe
A Network Trojan was detected
ET MALWARE Win32/Cryptbot V2 Data Exfiltration Attempt
1368
0ac34ed854421b48e769858c5c3b5e6a.exe
Potentially Bad Traffic
ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
0ac34ed854421b48e769858c5c3b5e6a.exe