File name:

Sirus.exe

Full analysis: https://app.any.run/tasks/6f93684b-2cdc-4bb6-8445-08a57a59c302
Verdict: Malicious activity
Analysis date: June 26, 2024, 04:00:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

86313E675D039D89D70464D0AD5217AC

SHA1:

B52EB8FF52AEDA58A624CE67F7BF4CD5AF0B8DBF

SHA256:

91D8FDFE516A4776A16BE916BC3943D0833114F73FAABFD9A34BF0412CA20D06

SSDEEP:

6144:Y1+zZfX08GzfAEZPXpE1ttDBttttdsVM:jZfX08GbAEZ/pE1ttDBttttd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Sirus.exe (PID: 3384)

    • Steals credentials from Web Browsers

      • Sirus.exe (PID: 3384)

    • Actions looks like stealing of personal data

      • Sirus.exe (PID: 3384)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • Sirus.exe (PID: 3384)

    • Reads the Internet Settings

      • Sirus.exe (PID: 3384)

    • Connects to unusual port

      • Sirus.exe (PID: 3384)

    • Searches for installed software

      • Sirus.exe (PID: 3384)

    • Checks for external IP

      • Sirus.exe (PID: 3384)

    • Potential Corporate Privacy Violation

      • Sirus.exe (PID: 3384)

    • Reads browser cookies

      • Sirus.exe (PID: 3384)

  • INFO

    • Reads the computer name

      • Sirus.exe (PID: 3384)

    • Checks supported languages

      • Sirus.exe (PID: 3384)

    • Reads the machine GUID from the registry

      • Sirus.exe (PID: 3384)

    • Reads Environment values

      • Sirus.exe (PID: 3384)

    • Reads the software policy settings

      • Sirus.exe (PID: 3384)

    • Create files in a temporary directory

      • Sirus.exe (PID: 3384)

    • Disables trace logs

      • Sirus.exe (PID: 3384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:25 21:18:28+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 276992
InitializedDataSize: 3584
UninitializedDataSize: -
EntryPoint: 0x4583e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 31.42.34.0
ProductVersionNumber: 31.42.34.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Latitats App
CompanyName: Sphalerite
FileDescription: Sphalerite
FileVersion: 31.42.34
InternalName: Bibation.exe
LegalCopyright: Sphalerite Corp. 2008
OriginalFileName: Bibation.exe
ProductName: -
ProductVersion: 31.42.34
AssemblyVersion: 79.6.51.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start sirus.exe

Process information

PID
CMD
Path
Indicators
Parent process
3384"C:\Users\admin\AppData\Local\Temp\Sirus.exe" C:\Users\admin\AppData\Local\Temp\Sirus.exe
explorer.exe
User:
admin
Company:
Sphalerite
Integrity Level:
MEDIUM
Description:
Sphalerite
Exit code:
0
Version:
31.42.34
Modules
Images
c:\users\admin\appdata\local\temp\sirus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
8 749
Read events
8 723
Write events
26
Delete events
0

Modification events

(PID) Process:(3384) Sirus.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3384) Sirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sirus_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3384) Sirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sirus_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3384) Sirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sirus_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3384) Sirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sirus_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3384) Sirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sirus_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3384) Sirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sirus_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3384) Sirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sirus_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3384) Sirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sirus_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3384) Sirus.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Sirus_RASMANCS
Operation:writeName:FileTracingMask
Value:
Executable files
0
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3384Sirus.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
3384Sirus.exeC:\Users\admin\AppData\Local\Temp\Cab130.tmpcompressed
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
3384Sirus.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:A4ACF879B9B1D44D84A453E4175A59C8
SHA256:B4F2EDF901D89DC4FD238AE6A6D792F35C8C84B379599FD60B4F3A0493F0503E
3384Sirus.exeC:\Users\admin\AppData\Local\Temp\Tar131.tmpcat
MD5:4EA6026CF93EC6338144661BF1202CD1
SHA256:8EFBC21559EF8B1BCF526800D8070BAAD42474CE7198E26FA771DBB41A76B1D8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
12
DNS requests
7
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3384
Sirus.exe
GET
200
23.32.238.178:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?35de9676173ddd2f
unknown
unknown
1372
svchost.exe
GET
304
23.32.238.178:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
1060
svchost.exe
GET
304
23.32.238.201:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1372
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
3384
Sirus.exe
91.92.240.220:81
Natskovi & Sie Ltd.
BG
unknown
3384
Sirus.exe
23.32.238.178:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3384
Sirus.exe
104.26.12.31:443
api.ip.sb
CLOUDFLARENET
US
unknown
1372
svchost.exe
23.32.238.178:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 23.32.238.178
  • 23.32.238.201
whitelisted
api.ip.sb
  • 104.26.12.31
  • 104.26.13.31
  • 172.67.75.172
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID
Process
Class
Message
3384
Sirus.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 13
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sirus.exe