analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2019-04-15_22-28-55.exe

Full analysis: https://app.any.run/tasks/4e14c926-79dc-403a-8b42-1aa253143c50
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 15, 2019, 13:37:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

27D3C127168F23ECDBCFF9D5BBCCB59E

SHA1:

60C474295DFBD40025ED2975B36D34C4A19E545D

SHA256:

9296B210B782FAECCA8394B2BD7BF720FFA5C122B83C4ED462BA25D3E1B8CE9A

SSDEEP:

12288:PPIpWTdeg3q/87OZnoFEO4smiQFB+9VrbP+Tmak0V9XyyY:PPwWlGZstQj+zbP+T5yyY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • transactionservices.exe (PID: 3872)
      • transactionservices.exe (PID: 2676)

    • Changes the autorun value in the registry

      • 2019-04-15_22-28-55.exe (PID: 3956)

    • Downloads executable files from the Internet

      • 2019-04-15_22-28-55.exe (PID: 3956)

    • Downloads executable files from IP

      • 2019-04-15_22-28-55.exe (PID: 3956)

    • Loads dropped or rewritten executable

      • transactionservices.exe (PID: 2676)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2019-04-15_22-28-55.exe (PID: 3956)
      • transactionservices.exe (PID: 3872)

    • Application launched itself

      • transactionservices.exe (PID: 3872)

    • Loads Python modules

      • transactionservices.exe (PID: 2676)

    • Starts CMD.EXE for commands execution

      • transactionservices.exe (PID: 2676)

  • INFO

    • Dropped object may contain TOR URL's

      • transactionservices.exe (PID: 3872)

    • Dropped object may contain Bitcoin addresses

      • transactionservices.exe (PID: 3872)
      • transactionservices.exe (PID: 2676)
      • 2019-04-15_22-28-55.exe (PID: 3956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x4dd6b
UninitializedDataSize: -
InitializedDataSize: 99840
CodeSize: 326144
LinkerVersion: 14
PEType: PE32
TimeStamp: 2019:04:08 00:52:16+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 07-Apr-2019 22:52:16
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 07-Apr-2019 22:52:16
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0004F923
0x0004FA00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.38553
.rdata
0x00051000
0x00012D98
0x00012E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.34878
.data
0x00064000
0x00000F78
0x00000800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.8491
.tls
0x00065000
0x00000009
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.gfids
0x00066000
0x0000012C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.85875
.rsrc
0x00067000
0x000001E0
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.71768
.reloc
0x00068000
0x000040D8
0x00004200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.66022

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.91161
381
UNKNOWN
English - United States
RT_MANIFEST

Imports

ADVAPI32.dll
CRYPT32.dll
KERNEL32.dll
Normaliz.dll
SHELL32.dll
VCRUNTIME140.dll
WLDAP32.dll
WS2_32.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-environment-l1-1-0.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2019-04-15_22-28-55.exe transactionservices.exe transactionservices.exe cmd.exe no specs fsutil.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3956"C:\Users\admin\AppData\Local\Temp\2019-04-15_22-28-55.exe" C:\Users\admin\AppData\Local\Temp\2019-04-15_22-28-55.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3872"C:\Users\admin\Documents\TransactionServices Inc\transactionservices.exe"C:\Users\admin\Documents\TransactionServices Inc\transactionservices.exe
2019-04-15_22-28-55.exe
User:
admin
Integrity Level:
MEDIUM
2676"C:\Users\admin\Documents\TransactionServices Inc\transactionservices.exe"C:\Users\admin\Documents\TransactionServices Inc\transactionservices.exe
transactionservices.exe
User:
admin
Integrity Level:
MEDIUM
4040C:\Windows\system32\cmd.exe /c fsutil sparse setflag "C:\Users\admin\Documents\TransactionServices Inc\electrum_data\blockchain_headers" 1C:\Windows\system32\cmd.exetransactionservices.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2668fsutil sparse setflag "C:\Users\admin\Documents\TransactionServices Inc\electrum_data\blockchain_headers" 1C:\Windows\system32\fsutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
fsutil.exe
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
426
Read events
423
Write events
3
Delete events
0

Modification events

(PID) Process:(3956) 2019-04-15_22-28-55.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:transactionservices
Value:
C:\Users\admin\Documents\TransactionServices Inc\transactionserviceshelper.exe
(PID) Process:(3956) 2019-04-15_22-28-55.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:transactionservicesmain
Value:
C:\Users\admin\Documents\TransactionServices Inc\transactionservices.exe.lnk
(PID) Process:(2676) transactionservices.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
transactionservices.exe
Executable files
201
Suspicious files
412
Text files
948
Unknown types
86

Dropped files

PID
Process
Filename
Type
39562019-04-15_22-28-55.exeC:\Users\admin\Documents\TransactionServices Inc\transactionservices.exe
MD5:
SHA256:
39562019-04-15_22-28-55.exeC:\Users\admin\Documents\TransactionServices Inc\transactionservices.exe.lnklnk
MD5:38DEB7D5469AA076FB2D2270887C8845
SHA256:DB147423B6C04AAB8240E8B32FED7FC700682D15B3F373538DD982E1238FC20B
3872transactionservices.exeC:\Users\admin\AppData\Local\Temp\_MEI38722\Cryptodome\Cipher\_raw_aes.cp36-win32.pydexecutable
MD5:9DE1C671DFDB6F403D92129B91F90EC9
SHA256:CD664094FCC22D3BC218416004C3E0BC0335A9CC975B81857F93CC932EDC71E1
39562019-04-15_22-28-55.exeC:\Users\admin\Documents\TransactionServices Inc\electrum_data\recent_serverstext
MD5:43065D4F2568C3619BEB08484830D19F
SHA256:E230FC7C2438AF941E036A9D5B9F220EA136EECB918B1F6E1BE8F38D78B859D1
3872transactionservices.exeC:\Users\admin\AppData\Local\Temp\_MEI38722\Cryptodome\Cipher\_raw_blowfish.cp36-win32.pydexecutable
MD5:83A9ADCC450D5938F576750018470932
SHA256:03EC70658A3814E994C0DAC3EAC3FF57B8C7B630AB14549CC80E24184B9233C3
3872transactionservices.exeC:\Users\admin\AppData\Local\Temp\_MEI38722\Cryptodome\Cipher\_raw_aesni.cp36-win32.pydexecutable
MD5:637CA4D38EFA36DAC9D91A5DD99F70D2
SHA256:AD50AEDE3A7F838AB9BBFD99D68044A23DAE015EA12F35D8241D092FCAC84304
3872transactionservices.exeC:\Users\admin\AppData\Local\Temp\_MEI38722\Cryptodome\Cipher\_ARC4.cp36-win32.pydexecutable
MD5:9B5AC175E22E825C0C82D60CEA5D130E
SHA256:B8741FE88D423B089651450B95A110B0400D8E93C7B9620DAAF7C3A9547063A8
39562019-04-15_22-28-55.exeC:\Users\admin\Documents\TransactionServices Inc\electrum_data\wallets\1text
MD5:A9D8DD0221823289CE873B9E53EACD46
SHA256:59C179345F955A39DF7FB4DB8EB9A784406723D67331AC6424614643A60C9D68
39562019-04-15_22-28-55.exeC:\Users\admin\Documents\TransactionServices Inc\transactionservices.sigtext
MD5:B73A4D1C6CFFBA186121CDF517FD855F
SHA256:AF53A178343B091FFA5C39605088C48D9BE0FF1242E11526A1AC40F5FE32EE5E
3872transactionservices.exeC:\Users\admin\AppData\Local\Temp\_MEI38722\Cryptodome\Cipher\_chacha20.cp36-win32.pydexecutable
MD5:F8C41FD4D445F14D88D94AA81BDA9538
SHA256:D02FAE4CD24C7BB8794BB6644DA0EFF92D742FA220469ADD85CC3464ED72B907
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
212
DNS requests
130
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3956
2019-04-15_22-28-55.exe
GET
200
188.214.135.174:80
http://188.214.135.174/pingtransaction.php?ver=4391
LT
unknown
3956
2019-04-15_22-28-55.exe
GET
200
217.147.169.179:80
http://217.147.169.179/transactionservices.sig
UA
text
2.21 Kb
suspicious
3956
2019-04-15_22-28-55.exe
GET
200
178.159.37.113:80
http://178.159.37.113/transactionservices.sig
RU
text
2.21 Kb
suspicious
3956
2019-04-15_22-28-55.exe
GET
200
178.159.37.113:80
http://178.159.37.113/serviceaddresses.php
RU
text
8.56 Kb
suspicious
3956
2019-04-15_22-28-55.exe
GET
200
194.63.143.226:80
http://194.63.143.226/transactionservices.ver
RU
text
20 b
suspicious
3956
2019-04-15_22-28-55.exe
GET
200
194.63.143.226:80
http://194.63.143.226/transactionservices.recent
RU
text
5.58 Kb
suspicious
3956
2019-04-15_22-28-55.exe
GET
200
217.147.169.179:80
http://217.147.169.179/transactionservices.exe
UA
executable
44.2 Mb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3956
2019-04-15_22-28-55.exe
194.63.143.226:80
MediaServicePlus LLC
RU
suspicious
176.31.252.219:50002
rbx.curalle.ovh
OVH SAS
FR
unknown
3956
2019-04-15_22-28-55.exe
188.214.135.174:80
UAB Cherry Servers
LT
unknown
69.64.46.27:50002
dragon085.startdedicated.de
server4you Inc.
US
suspicious
2676
transactionservices.exe
37.187.20.59:50002
ks3354561.kimsufi.com
OVH SAS
FR
suspicious
3956
2019-04-15_22-28-55.exe
178.159.37.113:80
Slobozhenyuk B.Y. PE
RU
suspicious
3956
2019-04-15_22-28-55.exe
217.147.169.179:80
UA
suspicious
2676
transactionservices.exe
37.187.141.73:50002
OVH SAS
FR
unknown
2676
transactionservices.exe
13.80.67.162:50002
Microsoft Corporation
NL
suspicious
78.143.214.223:50002
Gigaclear PLC
GB
unknown

DNS requests

Domain
IP
Reputation
electrum.qtornado.com
  • 88.99.162.199
suspicious
yuio.top
  • 127.0.0.1
suspicious
electrumx.bot.nu
  • 173.91.90.62
unknown
orannis.com
  • 50.35.67.146
unknown
electrum-server.ninja
  • 220.233.178.199
suspicious
ks3354561.kimsufi.com
  • 37.187.20.59
suspicious
enodeduckdns.org
unknown
electrum.leblancnet.us
  • 205.197.210.30
unknown
bitcoins.sk
  • 46.229.238.187
unknown
electrum.dragonzone.net
  • 149.56.79.70
unknown

Threats

PID
Process
Class
Message
3956
2019-04-15_22-28-55.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3956
2019-04-15_22-28-55.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3956
2019-04-15_22-28-55.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3956
2019-04-15_22-28-55.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
2676
transactionservices.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2676
transactionservices.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ga Domain
2676
transactionservices.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 665
2676
transactionservices.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 617
2676
transactionservices.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 194
2676
transactionservices.exe
Not Suspicious Traffic
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
Process
Message
transactionservices.exe
QWindowsEGLStaticContext::create: When using ANGLE, check if d3dcompiler_4x.dll isÐ
transactionservices.exe
QWindowsEGLStaticContext::create: When using ANGLE, check if d3dcompiler_4x.dll is available
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2019-04-15_22-28-55.exe