File name:	930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.exe
Full analysis:	https://app.any.run/tasks/fb93b604-f529-4e5d-912f-f5f0254a3c8b
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 16, 2025, 13:14:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	ducdun vilsel stealer upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:	83279AA52253D38DA3AF590E2A17B493
SHA1:	BE1D79EE8572BD99B3A745E99B532860D8A15A34
SHA256:	930E73095D727048299674859DD4C9B5ADCAFE742C98ACF8AC83ED50D0244DF7
SSDEEP:	1536:1Xmr1zQgnmW/1estc6hAGjhuOc7IAf6zG71E8cNdWut:tmrhQdkwstc6hRjhu4AfAG71DzE

.exe	\|	Win32 Executable Microsoft Visual Basic 6 (46.5)
.exe	\|	Win32 Executable MS Visual C++ (generic) (17.6)
.exe	\|	Win64 Executable (generic) (15.6)
.exe	\|	UPX compressed Win32 Executable (15.3)
.exe	\|	Win32 Executable (generic) (2.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2009:01:06 04:02:14+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	6
CodeSize:	16384
InitializedDataSize:	24576
UninitializedDataSize:	65536
EntryPoint:	0x1150
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.57
ProductVersionNumber:	1.0.0.57
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	SBC
ProductName:	Microsoft Windows
FileVersion:	1.00.0057
ProductVersion:	1.00.0057
InternalName:	musicvn
OriginalFileName:	musicvn.exe


(PID) Process:	(6372) 930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoFolderOptions
Value: 1
(PID) Process:	(6372) 930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams
Operation:	delete value	Name:	Settings
Value:

PID	Process	Filename		Type
6372	930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.exe	C:\Users\admin\Desktop\backup.exe		executable
		MD5:F1E749695FDE4268D52DB6AAEAB2653C	SHA256:9A66A5644F3B7A983316BB642DC88C4837BB3D7711839D41E8A4774E536FC9B2
6372	930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.exe	C:\Users\admin\Desktop\temp.zip~RF1393c7.TMP		compressed
		MD5:76CDB2BAD9582D23C1F6F4D868218D6C	SHA256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
6372	930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.exe	C:\Users\admin\Desktop\930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.zip		binary
		MD5:F97262B2FB4DF269C8E17084CA7E9E83	SHA256:2E10A12CD6A43E0D77258BD45A796C04773C0AA1BE72246E2928258EB0920FBD
6372	930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.exe	C:\Users\admin\Desktop\temp.zip		compressed
		MD5:76CDB2BAD9582D23C1F6F4D868218D6C	SHA256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
6372	930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.exe	C:\Users\admin\AppData\Local\Temp\JPa06420		compressed
		MD5:58D8FDD141A64172D5C1A24CC80BAE88	SHA256:E7CDD78DBF4164FB7691767B456E5AB2BA321C3D3CAE1EA6E2633E8261210DF9
6372	930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.exe	C:\Users\admin\Desktop\930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.dat		binary
		MD5:5C30A60A6BBE07D9341F2ACB8E6C241A	SHA256:7EEE8345787059EF98CCAE9BD4B1DA5704281EADD735EBBC080818976A96A4A0

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.158:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	204	92.123.104.43:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.158:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	69.192.161.161:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2624	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5064	SearchApp.exe	92.123.104.28:443	www.bing.com	Akamai International B.V.	DE	whitelisted
3976	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.185.174	whitelisted
crl.microsoft.com	23.48.23.158 23.48.23.150 23.48.23.190 23.48.23.193 23.48.23.166 23.48.23.173 23.48.23.159 23.48.23.169 23.48.23.156	whitelisted
www.microsoft.com	69.192.161.161	whitelisted
www.bing.com	92.123.104.28 92.123.104.53 92.123.104.33 92.123.104.64 92.123.104.61 92.123.104.18 92.123.104.19 92.123.104.65 92.123.104.43	whitelisted
self.events.data.microsoft.com	40.79.173.41	whitelisted

General Info

930e73095d727048299674859dd4c9b5adcafe742c98acf8ac83ed50d0244df7.exe

83279AA52253D38DA3AF590E2A17B493

BE1D79EE8572BD99B3A745E99B532860D8A15A34

930E73095D727048299674859DD4C9B5ADCAFE742C98ACF8AC83ED50D0244DF7

1536:1Xmr1zQgnmW/1estc6hAGjhuOc7IAf6zG71E8cNdWut:tmrhQdkwstc6hRjhu4AfAG71DzE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

DUCDUN mutex has been found

DUCDUN has been detected (YARA)

SUSPICIOUS

Creates file in the systems drive root

Executable content was dropped or overwritten

INFO

Checks supported languages

Create files in a temporary directory

The sample compiled with english language support

UPX packer has been detected

Reads the computer name

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings