| File name: | stopabit.exe |
| Full analysis: | https://app.any.run/tasks/7d777114-5038-4528-a165-e91baf96fc9b |
| Verdict: | Malicious activity |
| Analysis date: | June 15, 2024, 18:43:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | F48B8DCA81A54EE64C43A1DB389636D1 |
| SHA1: | CAFE60B0A29AFDFF230A367F34D29BB574213970 |
| SHA256: | 9397BF27C48BE348EF2DB687475BA5AA44DFC3A85E8AFF2F891123C44A34FE55 |
| SSDEEP: | 98304:l+cD4dnE+zc4rAG/xKN2sPGE9IPDVAAWXHUFcTdNuKKkQFuUoYepyk2dqBXOrasG:5BiMbzRJyJs |
MALICIOUS
Drops the executable file immediately after the start
- stopabit.exe (PID: 3992)
- stopabit.tmp (PID: 4008)
- unins000.exe (PID: 1936)
Changes the autorun value in the registry
- Stopabit.exe (PID: 4076)
SUSPICIOUS
Reads the Windows owner or organization settings
- stopabit.tmp (PID: 4008)
- _unins.tmp (PID: 2524)
Reads settings of System Certificates
- stopabit.tmp (PID: 4008)
- Stopabit.exe (PID: 4076)
- _unins.tmp (PID: 2524)
Executable content was dropped or overwritten
- stopabit.tmp (PID: 4008)
Process drops legitimate windows executable
- stopabit.tmp (PID: 4008)
Reads security settings of Internet Explorer
- Stopabit.exe (PID: 4076)
Checks Windows Trust Settings
- Stopabit.exe (PID: 4076)
Reads the Internet Settings
- Stopabit.exe (PID: 4076)
Reads Microsoft Outlook installation path
- Stopabit.exe (PID: 4076)
Reads Internet Explorer settings
- Stopabit.exe (PID: 4076)
Starts CMD.EXE for commands execution
- _unins.tmp (PID: 2524)
Get information on the list of running processes
- _unins.tmp (PID: 2524)
- cmd.exe (PID: 2340)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 2556)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 2340)
Starts application with an unusual extension
- unins000.exe (PID: 1936)
Starts itself from another location
- unins000.exe (PID: 1936)
Reads the date of Windows installation
- _unins.tmp (PID: 2524)
INFO
Checks supported languages
- stopabit.exe (PID: 3992)
- stopabit.tmp (PID: 4008)
- Stopabit.exe (PID: 4076)
- _unins.tmp (PID: 2524)
- unins000.exe (PID: 1936)
Reads the computer name
- stopabit.tmp (PID: 4008)
- Stopabit.exe (PID: 4076)
- _unins.tmp (PID: 2524)
- unins000.exe (PID: 1936)
Create files in a temporary directory
- stopabit.exe (PID: 3992)
- stopabit.tmp (PID: 4008)
- unins000.exe (PID: 1936)
Reads the machine GUID from the registry
- stopabit.tmp (PID: 4008)
- Stopabit.exe (PID: 4076)
- _unins.tmp (PID: 2524)
Reads the software policy settings
- stopabit.tmp (PID: 4008)
- Stopabit.exe (PID: 4076)
- _unins.tmp (PID: 2524)
Creates files or folders in the user directory
- stopabit.tmp (PID: 4008)
- Stopabit.exe (PID: 4076)
Creates a software uninstall entry
- stopabit.tmp (PID: 4008)
Disables trace logs
- Stopabit.exe (PID: 4076)
Reads Environment values
- Stopabit.exe (PID: 4076)
Reads the time zone
- Stopabit.exe (PID: 4076)
Reads product name
- Stopabit.exe (PID: 4076)
Checks proxy server information
- Stopabit.exe (PID: 4076)
Manual execution by a user
- unins000.exe (PID: 1936)
- control.exe (PID: 2060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (65.1) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (24.6) |
| .dll | | | Win32 Dynamic Link Library (generic) (3.9) |
| .exe | | | Win32 Executable (generic) (2.6) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:04:14 16:10:23+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741888 |
| InitializedDataSize: | 74240 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6.1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.9.0 |
| ProductVersionNumber: | 1.0.9.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Globalhop |
| FileDescription: | Stopabit installer |
| FileVersion: | 1.0.9.0 |
| LegalCopyright: | © Globalhop |
| OriginalFileName: | Stopabit.exe |
| ProductName: | Stopabit |
| ProductVersion: | 1.0.9.0 |
Total processes
48
Monitored processes
11
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1936 | "C:\Users\admin\AppData\Local\Programs\Stopabit\unins000.exe" | C:\Users\admin\AppData\Local\Programs\Stopabit\unins000.exe | — | explorer.exe | |||||||||||
User: admin Company: Globalhop Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 2060 | "C:\Windows\System32\control.exe" | C:\Windows\System32\control.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Control Panel Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2340 | "C:\Windows\system32\cmd.exe" /C tasklist | findstr Stopabit.exe | C:\Windows\System32\cmd.exe | — | _unins.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2468 | tasklist | C:\Windows\System32\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2524 | "C:\Users\admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp" /SECONDPHASE="C:\Users\admin\AppData\Local\Programs\Stopabit\unins000.exe" /FIRSTPHASEWND=$10212 | C:\Users\admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp | unins000.exe | ||||||||||||
User: admin Company: Globalhop Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 2556 | "C:\Windows\system32\cmd.exe" /C taskkill /T /IM Stopabit.exe | C:\Windows\System32\cmd.exe | — | _unins.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2620 | taskkill /T /IM Stopabit.exe | C:\Windows\System32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2648 | findstr Stopabit.exe | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3992 | "C:\Users\admin\Desktop\stopabit.exe" | C:\Users\admin\Desktop\stopabit.exe | — | explorer.exe | |||||||||||
User: admin Company: Globalhop Integrity Level: MEDIUM Description: Stopabit installer Exit code: 0 Version: 1.0.9.0 Modules
| |||||||||||||||
| 4008 | "C:\Users\admin\AppData\Local\Temp\is-5MCK6.tmp\stopabit.tmp" /SL5="$20138,3291176,817152,C:\Users\admin\Desktop\stopabit.exe" | C:\Users\admin\AppData\Local\Temp\is-5MCK6.tmp\stopabit.tmp | stopabit.exe | ||||||||||||
User: admin Company: Globalhop Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
Total events
17 869
Read events
17 610
Write events
248
Delete events
11
Modification events
| (PID) Process: | (4008) stopabit.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: A80F0000B6E4B1E153BFDA01 | |||
| (PID) Process: | (4008) stopabit.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: F0615175FBD98034042CDA1A1FCDA4781CECEA44363F0314D5DE87BEC5E7F16B | |||
| (PID) Process: | (4008) stopabit.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (4008) stopabit.tmp | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (4008) stopabit.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Users\admin\AppData\Local\Programs\Stopabit\Stopabit.exe | |||
| (PID) Process: | (4008) stopabit.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFilesHash |
Value: 962CA330C3B08E7E7ACC9E612B441D7F6226FDF5F66565053235D06A6669944F | |||
| (PID) Process: | (4008) stopabit.tmp | Key: | HKEY_CURRENT_USER\Software\SlowJobber |
| Operation: | write | Name: | version |
Value: 1.0.9.0 | |||
| (PID) Process: | (4008) stopabit.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FD04524F-249D-425E-81DF-1A30526751D1}_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 6.2.1 | |||
| (PID) Process: | (4008) stopabit.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FD04524F-249D-425E-81DF-1A30526751D1}_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Users\admin\AppData\Local\Programs\Stopabit | |||
| (PID) Process: | (4008) stopabit.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FD04524F-249D-425E-81DF-1A30526751D1}_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\Programs\Stopabit\ | |||
Executable files
20
Suspicious files
3
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4008 | stopabit.tmp | C:\Users\admin\AppData\Local\Programs\Stopabit\is-AMRDI.tmp | executable | |
MD5:C52DA72F8D82116756F30B6FBD2B18C1 | SHA256:25BC7911BFAB63D64FD722937260FE3240608277CF90FE5859DE041DB63674E4 | |||
| 4008 | stopabit.tmp | C:\Users\admin\AppData\Local\Programs\Stopabit\unins000.exe | executable | |
MD5:115968165DEAF7D78BFE2FD013955198 | SHA256:E6B67DF4F83ADE3042E6BA7C6CC5DD64E5C4A06818013BE0B82A178A17F74823 | |||
| 4008 | stopabit.tmp | C:\Users\admin\AppData\Local\Programs\Stopabit\Modules\classic.dll | executable | |
MD5:EE6B93C13EC66A61FE85120E3932727E | SHA256:34F6FB8B54AD939F6833B9A915A56222925B2BCF1141C943558E2450DC4CAA71 | |||
| 4008 | stopabit.tmp | C:\Users\admin\AppData\Local\Programs\Stopabit\Modules\is-F409M.tmp | executable | |
MD5:EE6B93C13EC66A61FE85120E3932727E | SHA256:34F6FB8B54AD939F6833B9A915A56222925B2BCF1141C943558E2450DC4CAA71 | |||
| 4008 | stopabit.tmp | C:\Users\admin\AppData\Local\Programs\Stopabit\Stopabit.exe | executable | |
MD5:C52DA72F8D82116756F30B6FBD2B18C1 | SHA256:25BC7911BFAB63D64FD722937260FE3240608277CF90FE5859DE041DB63674E4 | |||
| 4008 | stopabit.tmp | C:\Users\admin\AppData\Local\Programs\Stopabit\is-9IPMM.tmp | xml | |
MD5:3E8F51C2B6FD8149C32819EADEC0CA72 | SHA256:0E7ACBB755E5161D596D65BC357EC09EE0F82017D15F65504E4EEC47DAC927BD | |||
| 3992 | stopabit.exe | C:\Users\admin\AppData\Local\Temp\is-5MCK6.tmp\stopabit.tmp | executable | |
MD5:115968165DEAF7D78BFE2FD013955198 | SHA256:E6B67DF4F83ADE3042E6BA7C6CC5DD64E5C4A06818013BE0B82A178A17F74823 | |||
| 4008 | stopabit.tmp | C:\Users\admin\AppData\Local\Programs\Stopabit\is-ESJOI.tmp | executable | |
MD5:115968165DEAF7D78BFE2FD013955198 | SHA256:E6B67DF4F83ADE3042E6BA7C6CC5DD64E5C4A06818013BE0B82A178A17F74823 | |||
| 4008 | stopabit.tmp | C:\Users\admin\AppData\Local\Programs\Stopabit\is-8EBA2.tmp | executable | |
MD5:83222120C8095B8623FE827FB70FAF6B | SHA256:EFF79DE319CA8941A2E62FB573230D82B79B80958E5A26AB1A4E87193EB13503 | |||
| 4008 | stopabit.tmp | C:\Users\admin\AppData\Local\Programs\Stopabit\is-74T06.tmp | executable | |
MD5:E1129D3DFD0E6A932B2776658135B90C | SHA256:346B9AB2515995475699021C381B1AC93114F437BC49010EE6E9B5424CCBCC67 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
8
Threats
1
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4008 | stopabit.tmp | 104.21.82.170:443 | stats.stopabit.com | CLOUDFLARENET | — | unknown |
4008 | stopabit.tmp | 172.67.159.214:443 | stats.stopabit.com | CLOUDFLARENET | US | unknown |
4076 | Stopabit.exe | 104.21.82.170:443 | stats.stopabit.com | CLOUDFLARENET | — | unknown |
4076 | Stopabit.exe | 46.4.79.62:5001 | quickyapongia.org | — | — | unknown |
4076 | Stopabit.exe | 136.243.130.37:5001 | trippinglyfast.com | — | — | unknown |
4076 | Stopabit.exe | 104.16.123.96:443 | www.cloudflare.com | CLOUDFLARENET | — | unknown |
4076 | Stopabit.exe | 104.16.60.8:443 | speed.cloudflare.com | CLOUDFLARENET | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
stats.stopabit.com |
| unknown |
track.stopabit.com |
| unknown |
trippinglyfast.com |
| unknown |
quickyapongia.org |
| unknown |
www.cloudflare.com |
| whitelisted |
speed.cloudflare.com |
| unknown |
api6.ipify.org |
| unknown |
www.vrbo.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1088 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |