analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

92

Full analysis: https://app.any.run/tasks/5ad2fcc4-2410-4c6f-877d-4abe4a3c1e27
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: June 27, 2022, 08:53:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

50CB759F3245B25305CCECBEE3EDD769

SHA1:

2164644CB512A943067ECD2060C37D67C55CCD7B

SHA256:

92985CC1975B6F0C6947D6CEB1C069330B64A67E193370D93880B45B29BBD50F

SSDEEP:

98304:ZABkA+ah6nT8IvIKuXSF9ZEt9HJNCzl0TkIAxoO2NfMZL4Qhf/:ZAB40KILHLHTkR0fMZL4m/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 1764)

    • Drops executable file immediately after starts

      • cmd.exe (PID: 3340)

    • Stealing of credential data

      • 92.exe (PID: 3120)

    • Actions looks like stealing of personal data

      • 92.exe (PID: 3120)

  • SUSPICIOUS

    • Checks supported languages

      • cmd.exe (PID: 3340)
      • 92.exe (PID: 3120)
      • cmd.exe (PID: 3196)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 2380)
      • cmd.exe (PID: 2744)
      • WMIC.exe (PID: 2764)
      • WMIC.exe (PID: 3700)
      • wmic.exe (PID: 3148)
      • cmd.exe (PID: 3580)
      • WMIC.exe (PID: 3172)
      • cmd.exe (PID: 3528)
      • WMIC.exe (PID: 1576)
      • wmic.exe (PID: 3820)

    • Reads the computer name

      • 92.exe (PID: 3120)
      • WMIC.exe (PID: 3700)
      • WMIC.exe (PID: 2764)
      • wmic.exe (PID: 3148)
      • WMIC.exe (PID: 3172)
      • wmic.exe (PID: 3820)
      • WMIC.exe (PID: 1576)

    • Starts CMD.EXE for commands execution

      • 92.exe (PID: 3120)

    • Drops a file with a compile date too recent

      • cmd.exe (PID: 3340)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3340)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3196)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 3008)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 2380)
      • cmd.exe (PID: 3528)

    • Uses WMIC.EXE to obtain a system information

      • cmd.exe (PID: 2380)
      • cmd.exe (PID: 2744)
      • 92.exe (PID: 3120)
      • cmd.exe (PID: 3580)
      • cmd.exe (PID: 3528)

  • INFO

    • Checks supported languages

      • taskmgr.exe (PID: 1672)
      • reg.exe (PID: 1764)
      • attrib.exe (PID: 1856)
      • nltest.exe (PID: 772)

    • Manual execution by user

      • taskmgr.exe (PID: 1672)

    • Reads the computer name

      • taskmgr.exe (PID: 1672)
      • nltest.exe (PID: 772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.1)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x14a0
UninitializedDataSize: 102400
InitializedDataSize: 8332288
CodeSize: 3936256
LinkerVersion: 2.34
PEType: PE32
TimeStamp: 2022:06:22 19:15:43+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 22-Jun-2022 17:15:43
TLS Callbacks: 2 callback(s) detected.

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 22-Jun-2022 17:15:43
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x003C0E58
0x003C1000
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.04492
.data
0x003C2000
0x000DED8C
0x000DEE00
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.56018
.rdata
0x004A1000
0x00350EDC
0x00351000
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.86653
.bss
0x007F2000
0x00018F28
0x00000000
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x0080B000
0x00001010
0x00001200
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.49775
.CRT
0x0080D000
0x00000034
0x00000200
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.260086
.tls
0x0080E000
0x00000008
0x00000200
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0

Imports

KERNEL32.DLL
msvcrt.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
18
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start 92.exe taskmgr.exe no specs cmd.exe cmd.exe no specs reg.exe cmd.exe no specs attrib.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs nltest.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs wmic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3120"C:\Users\admin\AppData\Local\Temp\92.exe" C:\Users\admin\AppData\Local\Temp\92.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
1672"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3340cmd /C move /Y C:\Users\admin\AppData\Local\Temp\92.exe C:\Users\admin\AppData\Roaming\Microsoft\NkqlbSfOau.exeC:\Windows\system32\cmd.exe
92.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3196cmd /C "REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V NkqlbSfOau.exe /t REG_SZ /F /D C:\Windows\NkqlbSfOau.exe"C:\Windows\system32\cmd.exe92.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1764REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V NkqlbSfOau.exe /t REG_SZ /F /D C:\Windows\NkqlbSfOau.exeC:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3008cmd /C attrib +S +H C:\Users\admin\AppData\Roaming\Microsoft\NkqlbSfOau.exeC:\Windows\system32\cmd.exe92.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1856attrib +S +H C:\Users\admin\AppData\Roaming\Microsoft\NkqlbSfOau.exeC:\Windows\system32\attrib.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2380cmd /C "wmic path win32_VideoController get name"C:\Windows\system32\cmd.exe92.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3700wmic path win32_VideoController get nameC:\Windows\System32\Wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2744cmd /C "wmic cpu get name"C:\Windows\system32\cmd.exe92.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
853
Read events
850
Write events
3
Delete events
0

Modification events

(PID) Process:(1672) taskmgr.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Operation:writeName:UsrColumnSettings
Value:
1C0C0000340400000000000050000000010000001D0C0000350400000000000023000000010000001E0C000036040000000000003C000000010000001F0C000039040000000000004E00000001000000200C000037040000000000004E00000001000000
(PID) Process:(1672) taskmgr.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Operation:writeName:Preferences
Value:
30030000E803000001000000010000004503000086000000DD0400006C0200000100000001000000000000000000000001000000000000000100000000000000000000000200000004000000090000001D000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009C00000040000000210000004600000052000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0000000002000000010000000300000004000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0500000000000000FFFFFFFF00000000020000000300000004000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000630060003C005A00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000010000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0400000000000000FFFFFFFF00000000FFFFFFFF4F00000028000000500000003400000050000000000000000100000002000000030000000400000000000000FFFFFFFF43000000000000000000000001000000
(PID) Process:(1764) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:NkqlbSfOau.exe
Value:
C:\Windows\NkqlbSfOau.exe
Executable files
1
Suspicious files
2
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
312092.exeC:\Users\admin\AppData\Local\Temp\[MIX]Logs.tarcompressed
MD5:6175A8837129A1F302C2F17610454BAA
SHA256:4ED09F68BA963C2F245D680FB1198CD568C4BC3711C0F5607702F747548F3910
312092.exeC:\Users\admin\AppData\Local\Temp\75c3ed907c097b760fa9aad8b7226bed.datbinary
MD5:4EF75DE619F22A3CEB8ED6B8BF3E473D
SHA256:D561FFE189BF74E12F961C11BA50510F33A0F6B0193CEA221C77273746E7F202
312092.exeC:\Users\admin\AppData\Local\Temp\[MIX]Logs\Password\Google.txttext
MD5:D878C2DCF8D84AFCC04D3CF124686F7C
SHA256:6E16585BFAE53418F4E9B8022D1CC0E9E943051CE9EF48EC2008E9E3C723A659
312092.exeC:\Users\admin\AppData\Local\Temp\[MIX]Logs\ScreenShot.pngimage
MD5:44E4342B1019056D9ECB1A7FDF98EB18
SHA256:2D681DDC26C9A8515A2AB198C5398767326508E6CF4D9E1A8E50AA061E09E5C8
312092.exeC:\Users\admin\AppData\Local\Temp\[MIX]Logs\info.txttext
MD5:D2F10083F38CC8D27C50371F592EAF26
SHA256:32714DC65AC17F47610C424CE892ABA3FE03F4D88EE7FD4E9E718CD77561F4C5
3340cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\NkqlbSfOau.exeexecutable
MD5:50CB759F3245B25305CCECBEE3EDD769
SHA256:92985CC1975B6F0C6947D6CEB1C069330B64A67E193370D93880B45B29BBD50F
312092.exeC:\Users\admin\AppData\Local\Temp\cyhrOkj8ZFqq.dbtext
MD5:736F7579F0521DAF5695CD8A3B3CDA6A
SHA256:10A24B1012BEF30456C31ABB66DF14CE66BAAA78C450A87E3E647A9E44E31E8E
312092.exeC:\Users\admin\AppData\Local\Temp\cyhrOkj8ZF.dbsqlite
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087
SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3120
92.exe
193.233.48.50:8082
OOO FREEnet Group
RU
unknown
3120
92.exe
193.233.48.50:777
OOO FREEnet Group
RU
unknown
3120
92.exe
104.26.0.100:443
get.geojs.io
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
get.geojs.io
  • 104.26.0.100
suspicious

Threats

PID
Process
Class
Message
3120
92.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
92