File name: 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87

Full analysis: https://app.any.run/tasks/872bbc71-0fad-4c00-ad14-4b9925cb4135
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 10, 2025, 18:13:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
reflection
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: C759322828B728B406066F7D04170334
SHA1: 99A3B91E0BFBA32C4884C6ACC167DA53EBB580DB
SHA256: 8944DE6CA208C12DC7086AE70FC0375635BEA9AE1B671FB1E54885F8B51B9C87
SSDEEP: 24576:f84s2mRsIb2qIfNEITgIW8UfrGm55em+GDvXwJ3ddGcIXU5A0ENL+b2T:f8emRsIb2qIfiITgIW8UfrGm55emLvXd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6444)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
    • Starts POWERSHELL.EXE for command execution

      • 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 6444)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6444)
  • INFO

    • Checks supported languages

      • 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
    • The sample is compiled with English language support

      • 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
    • Reads the computer name

      • 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
    • The process uses the downloaded file

      • powershell.exe (PID: 6444)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6444)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6444)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6444)
    • Creates files in a temporary directory

      • 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6444)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6444)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
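Read together, the SUSPICIOUS and INFO PowerShell signatures above describe one chain: check that a staged file exists, read it, turn the text into a byte array, and hand that array to a reflective assembly load, all from a hidden window. The script below is an added example, not part of the ANY.RUN report and not the sample's own PowerShell (which the report does not include). It scores constructed PowerShell script-block and command-line records against regexes for the primitives those signature names usually correspond to ([Convert]::ToByte, [System.Text.Encoding]::ASCII.GetString, .Split, .Length, Test-Path, [System.Reflection.Assembly]::Load, -WindowStyle Hidden). The signature-to-primitive mapping, the weights, the thresholds, the PIDs and both sample records are assumptions made for illustration.

```python
import re

# Map from the sandbox's signature names to the PowerShell primitives they usually
# correspond to. The sample's real script is not in the report; the regexes, weights
# and the two records below are assumptions constructed for illustration.
INDICATORS = [
    ("Run PowerShell with an invisible window",
     re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("Converts a specified value to a byte",
     re.compile(r"\[convert\]::tobyte\(", re.I), 1),
    ("Converts byte array into ASCII string",
     re.compile(r"\[(?:system\.)?text\.encoding\]::ascii\.getstring\(", re.I), 1),
    ("Uses string split method", re.compile(r"\.split\(", re.I), 1),
    ("Gets data length", re.compile(r"\.length\b", re.I), 1),
    ("Checks whether the specified file exists", re.compile(r"\btest-path\b", re.I), 1),
    ("Reflection assembly loader",
     re.compile(r"\[(?:system\.)?reflection\.assembly\]::load\(", re.I), 3),
]

# Constructed records: a benign log-rotation script and a loader-style decode chain.
SAMPLE_EVENTS = [
    {
        "pid": 1234,
        "cmdline": r"powershell.exe -NoProfile -File C:\scripts\rotate.ps1",
        "script": r"""if (Test-Path 'C:\logs\app.log') { (Get-Content 'C:\logs\app.log').Length }""",
    },
    {
        "pid": 6444,
        "cmdline": r"powershell.exe -w hidden -ep bypass -File C:\Users\user\AppData\Local\Temp\stage.ps1",
        "script": r"""$p = 'C:\Users\user\AppData\Local\Temp\stage.dat'
if (Test-Path $p) {
  $s = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($p))
  $b = $s.Split(',') | ForEach-Object { [Convert]::ToByte($_) }
  [System.Reflection.Assembly]::Load([byte[]]$b).EntryPoint.Invoke($null, $null)
}""",
    },
]


def score_event(event: dict) -> tuple[list[str], int]:
    """Return the signature names hit and the summed weight for one record."""
    text = event["cmdline"] + "\n" + event["script"]
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return hits, score


def verdict(hits: list[str], score: int) -> str:
    """Gate MALICIOUS on the reflective load itself; Test-Path and .Length alone are
    ordinary admin PowerShell, so raw score only ever reaches SUSPICIOUS."""
    if "Reflection assembly loader" in hits:
        return "malicious"
    if score >= 3:
        return "suspicious"
    return "info"


def triage(events: list[dict]) -> list[dict]:
    """Score every record and attach a verdict, keeping the hit names for the analyst."""
    out = []
    for ev in events:
        hits, score = score_event(ev)
        out.append({"pid": ev["pid"], "verdict": verdict(hits, score), "score": score, "hits": hits})
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["pid"], r["verdict"], r["score"], r["hits"])
```

In practice the records would come from Microsoft-Windows-PowerShell/Operational event 4104 (script block text) joined to the parent's command line from Sysmon event 1; the verdict is gated on the reflective load rather than on raw score because Test-Path and .Length on their own are everyday administrative PowerShell and would otherwise flood the queue with false positives.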
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

ProductName: sykes forlse
LegalTrademarks: outblunder
LegalCopyright: cassoni chirologies uncompliable
InternalName: ryge orkesterets.exe
FileDescription: marg
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 3.5.0.0
FileVersionNumber: 3.5.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x3532
UninitializedDataSize: 2048
InitializedDataSize: 184832
CodeSize: 27136
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2023:07:02 02:09:48+00:00
MachineType: Intel 386 or later, and compatibles
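The EXIF block is exiftool's reading of the PE headers, and the File info line above identifies an NSIS self-extractor from the installer data appended after the last section (the overlay). The Python below is an added example, not part of the ANY.RUN report, that parses those header fields from a PE32 image and checks the overlay for the NSIS first-header marker that file(1) keys on. The input is a constructed stand-in built by build_sample_pe() that copies the header values shown in this report (timestamp, characteristics 0x010F, linker 6.0, entry point 0x3532, GUI subsystem, five sections) onto zero-filled section bodies and a minimal overlay; it is not the sample file, so the section names, section sizes and overlay contents are assumptions.

```python
import calendar
import struct
import time

# IMAGE_FILE_HEADER.Characteristics bits, named the way exiftool prints them.
CHARACTERISTICS = {
    0x0001: "No relocs",
    0x0002: "Executable",
    0x0004: "No line numbers",
    0x0008: "No symbols",
    0x0020: "Large address aware",
    0x0100: "32-bit",
    0x2000: "DLL",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}
NSIS_MARKER = b"NullsoftInst"   # magic in the NSIS first header that file(1) keys on


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, PE32 optional header and section table, then measure
    the overlay (bytes past the last section's raw data) and look for the NSIS marker."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    f = struct.unpack_from("<HBBIIIIIIIIIHHHHHHIIIIHH", data, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    sec_off, end_of_sections, names = opt + opt_size, 0, []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        names.append(name.rstrip(b"\0").decode("ascii", "replace"))
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]
    return {
        "machine": "Intel 386 or later" if machine == 0x14C else hex(machine),
        "sections": names,
        "timestamp_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(timestamp)),
        "characteristics": [n for bit, n in sorted(CHARACTERISTICS.items()) if chars & bit],
        "linker_version": f"{f[1]}.{f[2]}",
        "code_size": f[3],
        "initialized_data_size": f[4],
        "uninitialized_data_size": f[5],
        "entry_point": hex(f[6]),
        "subsystem": SUBSYSTEMS.get(f[22], hex(f[22])),
        "subsystem_version": f"{f[16]}.{f[17]}",
        "overlay_size": len(overlay),
        "nsis_overlay": NSIS_MARKER in overlay[:512],
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in (not the sample file): header values copied from the
    report's EXIF block, zero-filled section bodies, and a minimal NSIS first header
    (flags, 0xDEADBEEF, marker) as the overlay. Section names and sizes are assumptions."""
    ts = calendar.timegm((2023, 7, 2, 2, 9, 48, 0, 0, 0))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 5, ts, 0, 0, 224, 0x010F)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHH",
                      0x10B, 6, 0, 27136, 184832, 2048, 0x3532,   # magic, linker 6.0, sizes, entry point
                      0x1000, 0x8000, 0x400000, 0x1000, 0x200,     # code/data base, image base, alignments
                      4, 0, 6, 0, 4, 0,                            # OS 4.0, image 6.0, subsystem 4.0
                      0, 0x10000, 0x200, 0, 2, 0)                  # size of image/headers, GUI subsystem
    opt += bytes(224 - len(opt))   # remaining Windows fields and the 16 data directories, zeroed
    headers, raw_ptr = b"", 0x200
    for i, name in enumerate([b".text", b".rdata", b".data", b".ndata", b".rsrc"]):
        raw_size = 0 if name == b".ndata" else 0x200   # .ndata is uninitialized: no file bytes
        headers += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), raw_size,
                               raw_ptr if raw_size else 0, 0, 0, 0, 0, 0)
        raw_ptr += raw_size
    image = bytes(dos) + b"PE\0\0" + coff + opt + headers
    image += bytes(raw_ptr - len(image))               # section bodies, zero-filled
    overlay = struct.pack("<II", 0, 0xDEADBEEF) + NSIS_MARKER + b"\0" * 20
    return image + overlay


if __name__ == "__main__":
    for k, v in parse_pe(build_sample_pe()).items():
        print(f"{k}: {v}")
```

The overlay size is the field to watch on an NSIS sample: the PE stub itself is small and unremarkable (here, a 1998-era linker 6 build with 27 KB of code), and everything the installer actually drops lives in the appended archive, which is why the sandbox only sees the payload once the stub has written it to the temporary directory.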
All screenshots are available in the full report
Total processes: 2 483
Monitored processes: 2 359
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start
  8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe
  powershell.exe (no specs)
  conhost.exe (no specs)
  msiexec.exe (no specs), 10 instances