| File name: | Build.exe |
| Full analysis: | https://app.any.run/tasks/1f72f2a5-f87d-4632-9c1e-4c515a977ea7 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | March 25, 2025, 01:39:33 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | 0FFAB76692F3B272D65457EF64BE9BB6 |
| SHA1: | 9BC253E6039C2E7191B6486329BF1DF1840392BE |
| SHA256: | 92DF7ED4566008F0D59D658CF64BDA9715F7EDC1BD37BB2CB2427D07F54CA7C3 |
| SSDEEP: | 3072:mpZIuaIvGovq7Nutw3cyTzS8F7YoBzZvC3lEwtCjQJAxywpTxtyFjdpbi5Ezu+KI:WrGovcNuZS4oyCq9bdUwbz |
MALICIOUS
Steals credentials from Web Browsers
- Build.exe (PID: 7424)
Actions looks like stealing of personal data
- Build.exe (PID: 7424)
SUSPICIOUS
Uses NETSH.EXE to obtain data on the network
- cmd.exe (PID: 7768)
- cmd.exe (PID: 7548)
Starts CMD.EXE for commands execution
- Build.exe (PID: 7424)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 7548)
Starts application with an unusual extension
- cmd.exe (PID: 7548)
- cmd.exe (PID: 7768)
Checks for external IP
- svchost.exe (PID: 2196)
- Build.exe (PID: 7424)
Loads DLL from Mozilla Firefox
- Build.exe (PID: 7424)
Multiple wallet extension IDs have been found
- Build.exe (PID: 7424)
INFO
Checks proxy server information
- Build.exe (PID: 7424)
- slui.exe (PID: 8128)
Disables trace logs
- Build.exe (PID: 7424)
Reads the computer name
- Build.exe (PID: 7424)
Reads the machine GUID from the registry
- Build.exe (PID: 7424)
Reads the software policy settings
- Build.exe (PID: 7424)
- slui.exe (PID: 8128)
Checks supported languages
- chcp.com (PID: 7596)
- Build.exe (PID: 7424)
- chcp.com (PID: 7808)
Changes the display of characters in the console
- cmd.exe (PID: 7548)
- cmd.exe (PID: 7768)
Create files in a temporary directory
- Build.exe (PID: 7424)
Reads CPU info
- Build.exe (PID: 7424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2085:10:17 16:47:36+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 253440 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x3fc8e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | ZeroTrace |
| FileVersion: | 1.0.0.0 |
| InternalName: | ZeroTrace.exe |
| LegalCopyright: | Copyright © 2024 |
| LegalTrademarks: | - |
| OriginalFileName: | ZeroTrace.exe |
| ProductName: | ZeroTrace |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
131
Monitored processes
12
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7424 | "C:\Users\admin\Desktop\Build.exe" | C:\Users\admin\Desktop\Build.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: ZeroTrace Version: 1.0.0.0 Modules
| |||||||||||||||
| 7548 | "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All | C:\Windows\SysWOW64\cmd.exe | — | Build.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7556 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7596 | chcp 65001 | C:\Windows\SysWOW64\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7616 | netsh wlan show profile | C:\Windows\SysWOW64\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7624 | findstr All | C:\Windows\SysWOW64\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7768 | "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid | C:\Windows\SysWOW64\cmd.exe | — | Build.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7776 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7808 | chcp 65001 | C:\Windows\SysWOW64\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
10 682
Read events
10 668
Write events
14
Delete events
0
Modification events
| (PID) Process: | (7424) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7424) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7424) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (7424) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (7424) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (7424) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (7424) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (7424) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7424) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7424) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Build_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
Executable files
0
Suspicious files
22
Text files
11
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7424 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpD582.tmp.db | — | |
MD5:— | SHA256:— | |||
| 7424 | Build.exe | C:\Users\admin\AppData\Local\Temp\119.160.141.51\Messenger\Skype\Local Storage\leveldb\MANIFEST-000001 | binary | |
MD5:5AF87DFD673BA2115E2FCF5CFDB727AB | SHA256:F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4 | |||
| 7424 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpD670.tmp.db | binary | |
MD5:F6C33AC5E1032A0873BE7BFC65169287 | SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83 | |||
| 7424 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpD5A2.tmp.db | binary | |
MD5:A45465CDCDC6CB30C8906F3DA4EC114C | SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209 | |||
| 7424 | Build.exe | C:\Users\admin\AppData\Local\Temp\119.160.141.51\System\Process.txt | text | |
MD5:316ADEF76B9BADAA2ABEA8F91EC032CC | SHA256:2CDB6F04D0C018A2C7BB03C2395613687AD08C8BBD3E9522DAB20EC2F55E7B16 | |||
| 7424 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpD631.tmp.db | binary | |
MD5:FDDE63730E15DD2E18C540BA52B6A945 | SHA256:40740EAABD14FC0E08D3B5EE340C1E1B372E158F61EF58AEED1EE4B3A3F4492E | |||
| 7424 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpD77F.tmp.db | binary | |
MD5:19BA68C3ECBCA72C2B90AFADDE745DC6 | SHA256:8B3758EE2D2C0A07EE7003F902F0667ABE5D9667941F8617EDA3CDF94C78E7B8 | |||
| 7424 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpD74E.tmp | binary | |
MD5:46D9FCA6032297F8AEE08D73418312BA | SHA256:865856FA4C33C4AEE52E15FBB370B6611468FE947E76E197F0E50D0AD62CB1B4 | |||
| 7424 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpD74D.tmp | binary | |
MD5:95FFD778940E6DF4846B0B12C8DD5821 | SHA256:21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F | |||
| 7424 | Build.exe | C:\Users\Public\9kie7cg6.default-release\logins.json | binary | |
MD5:DC9ADB7DE19A6753CE90AE94738BFDEF | SHA256:884B04032E2E70A002956218E8EC3491F2B753C4596CEE6E4894DC49AFA0A681 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
21
DNS requests
6
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 172.67.70.233:443 | https://get.geojs.io/v1/ip/geo.json | unknown | binary | 379 b | whitelisted |
— | — | GET | 200 | 34.117.59.81:443 | https://ipinfo.io/ | unknown | binary | 293 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7424 | Build.exe | 34.117.59.81:443 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | whitelisted |
7424 | Build.exe | 172.67.70.233:443 | get.geojs.io | CLOUDFLARENET | US | whitelisted |
1072 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8128 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
ipinfo.io |
| whitelisted |
get.geojs.io |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io) |
7424 | Build.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
7424 | Build.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io) |
— | — | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io |
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Address Lookup Domain (get .geojs .io) in DNS Lookup |
7424 | Build.exe | Device Retrieving External IP Address Detected | ET INFO External IP Address Lookup Domain (get .geojs .io) in TLS SNI |