Field | Value |
---|---|
download | bbfbex5.exe |
Full analysis | https://app.any.run/tasks/6a6b3d3e-6cb1-4a4f-9030-7f43d7692a7f |
Verdict | Malicious activity |
Analysis date | August 13, 2019, 14:25:56 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | ED7722AA48E43E5635E76B8E172B7412 |
SHA1 | 8362B9B2BCE0BBB24492AB8CDDD767436438C05B |
SHA256 | 950B9E0DF279EF8207E036A23148295B0FE72365A07A9C88B31C5C9552060E13 |
SSDEEP | 393216:l78lTxGKwU4uSVTd2Qxpd6o0PJb7GWrWhFW0SHDhrtt70VQYR6xqoKbRrPH7/2MB:lYrwjuMTdlxpd2BT6h7+Dh5J0KVTKtjP |
Extension | Detected type |
---|---|
.exe | Win64 Executable (generic) (76.4) |
.exe | Win32 Executable (generic) (12.4) |
.exe | Generic Win/DOS Executable (5.5) |
.exe | DOS Executable Generic (5.5) |
Field | Value |
---|---|
ProductVersion | 5.36.0.4417 |
ProductName | FlashBack Express 5 |
LegalCopyright | - |
FileVersion | 5.36.0.4417 |
FileDescription | - |
CompanyWebsite | http://www.bbflashback.com/ |
CompanyName | Blueberry Software (UK) Ltd. |
CharacterSet | ASCII |
LanguageCode | Neutral |
FileSubtype | - |
ObjectFileType | Executable application |
FileOS | Win32 |
FileFlags | (none) |
FileFlagsMask | 0x0000 |
ProductVersionNumber | 5.36.0.4417 |
FileVersionNumber | 5.36.0.4417 |
Subsystem | Windows GUI |
SubsystemVersion | 5 |
ImageVersion | 6 |
OSVersion | 5 |
EntryPoint | 0x39e3 |
UninitializedDataSize | 16896 |
InitializedDataSize | 445952 |
CodeSize | 28672 |
LinkerVersion | 10 |
PEType | PE32 |
TimeStamp | 2012:02:24 20:19:59+01:00 |
MachineType | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 24-Feb-2012 19:19:59 |
Detected languages | |
CompanyName | Blueberry Software (UK) Ltd. |
CompanyWebsite | http://www.bbflashback.com/ |
FileDescription | - |
FileVersion | 5.36.0.4417 |
LegalCopyright | - |
ProductName | FlashBack Express 5 |
ProductVersion | 5.36.0.4417 |
Field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x000000D0 |
Field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 6 |
Time date stamp | 24-Feb-2012 19:19:59 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00006F10 | 0x00007000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.49788 |
.rdata | 0x00008000 | 0x00002A92 | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.39389 |
.data | 0x0000B000 | 0x00067EBC | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.47278 |
.ndata | 0x00073000 | 0x001CD000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00240000 | 0x00008DC0 | 0x00008E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.50454 |
.reloc | 0x00249000 | 0x00000F8A | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 7.85423 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.21712 | 968 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 4.70165 | 9640 | UNKNOWN | English - United States | RT_ICON |
3 | 3.26807 | 4264 | UNKNOWN | English - United States | RT_ICON |
4 | 4.47002 | 1384 | UNKNOWN | English - United States | RT_ICON |
5 | 4.48066 | 1128 | UNKNOWN | English - United States | RT_ICON |
6 | 4.87093 | 872 | UNKNOWN | English - United States | RT_ICON |
103 | 2.66969 | 90 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
107 | 2.52183 | 160 | UNKNOWN | English - United States | RT_DIALOG |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3356 | "C:\Users\admin\AppData\Local\Temp\bbfbex5.exe" | C:\Users\admin\AppData\Local\Temp\bbfbex5.exe | — | explorer.exe | User: admin; Company: Blueberry Software (UK) Ltd.; Integrity Level: MEDIUM; Exit code: 3221226540; Version: 5.36.0.4417 |
4004 | "C:\Users\admin\AppData\Local\Temp\bbfbex5.exe" | C:\Users\admin\AppData\Local\Temp\bbfbex5.exe | | explorer.exe | User: admin; Company: Blueberry Software (UK) Ltd.; Integrity Level: HIGH; Exit code: 0; Version: 5.36.0.4417 |
3444 | "C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\ns65B6.tmp" C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\DefConfig.exe -add "File Copy" "C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\FileCopyPublisher.dll" "FBExpress5" | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\ns65B6.tmp | — | bbfbex5.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
724 | "C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\DefConfig.exe" -add "File Copy" "C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\FileCopyPublisher.dll" "FBExpress5" | C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\DefConfig.exe | — | ns65B6.tmp | User: admin; Integrity Level: HIGH; Exit code: 0 |
1928 | "C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\ns67F9.tmp" C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\DefConfig.exe -add "FTP" "C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\FtpPublisher.dll" "FBExpress5" | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\ns67F9.tmp | — | bbfbex5.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
2884 | "C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\DefConfig.exe" -add "FTP" "C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\FtpPublisher.dll" "FBExpress5" | C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\DefConfig.exe | — | ns67F9.tmp | User: admin; Integrity Level: HIGH; Exit code: 0 |
2716 | "C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\ns6A3C.tmp" C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\DefConfig.exe -add "YouTube" "C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\YouTubePublisher.dll" "FBExpress5" | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\ns6A3C.tmp | — | bbfbex5.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
2664 | "C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\DefConfig.exe" -add "YouTube" "C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\YouTubePublisher.dll" "FBExpress5" | C:\Program Files\Blueberry Software\FlashBack Express 5\UploadProfiles\DefConfig.exe | — | ns6A3C.tmp | User: admin; Integrity Level: HIGH; Exit code: 0 |
2204 | "C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\nsA4A7.tmp" C:\Program Files\Blueberry Software\FlashBack Express 5\RunNonElevated.exe FlashBack Recorder.exe | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\nsA4A7.tmp | — | bbfbex5.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
2092 | "C:\Program Files\Blueberry Software\FlashBack Express 5\RunNonElevated.exe" FlashBack Recorder.exe | C:\Program Files\Blueberry Software\FlashBack Express 5\RunNonElevated.exe | — | nsA4A7.tmp | User: admin; Integrity Level: HIGH; Exit code: 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
4004 | bbfbex5.exe | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\RemPendingFileOp.dll | executable | A06945198BDFAF5925DDE537AFCEAAE6 | B7057BB7065B54F674455D1059116CB7ED1F49AC93CB1EE72602CDC2CD82C514 |
4004 | bbfbex5.exe | C:\Program Files\Blueberry Software\FlashBack Express 5\borlndmm.dll | executable | DA71A64295EC6C8CC2EB46E8883CA650 | AB75F5FE353FF19488EECA57A73A4AEE29B6EEE3FB0FF2E364149C5B0B30C169 |
4004 | bbfbex5.exe | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\Processes.dll | executable | 3E2DB704D739F69D564FDFCB376B4761 | 456235015EDD824ADA4469138D97BCC0B3A774A2DDEE06C2E922F65AA00F3A53 |
4004 | bbfbex5.exe | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\modern-wizard.bmp | image | CBE40FD2B1EC96DAEDC65DA172D90022 | 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2 |
4004 | bbfbex5.exe | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\AdvSplash.dll | executable | 4C2048FAB3E88D65B1186DE260751D1B | B08D6797848EE8EEF5393391A7318E10720D55D03C910A2127C03B074C4966AF |
4004 | bbfbex5.exe | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\InstallOptions.dll | executable | 89351A0A6A89519C86C5531E20DAB9EA | F530069EF87A1C163C4FD63A3D5B053420CE3D7A98739C70211B4A99F90D6277 |
4004 | bbfbex5.exe | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\System.dll | executable | BF712F32249029466FA86756F5546950 | 7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF |
4004 | bbfbex5.exe | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\links.ini | text | F3FBBFF673BBB0D1EE62FA77BCFBD88E | 664B69A2C207B89130BA3F934A85E06CB943983DAC2E5622BC5282DE603F1FD8 |
4004 | bbfbex5.exe | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\nsDialogs.dll | executable | 4CCC4A742D4423F2F0ED744FD9C81F63 | 416133DD86C0DFF6B0FCAF1F46DFE97FDC85B37F90EFFB2D369164A8F7E13AE6 |
4004 | bbfbex5.exe | C:\Users\admin\AppData\Local\Temp\nscF8D2.tmp\UserInfo.dll | executable | C7CE0E47C83525983FD2C4C9566B4AAD | 6293408A5FA6D0F55F0A4D01528EB5B807EE9447A75A28B5986267475EBCD3AE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3184 | FlashBack Recorder.exe | POST | 200 | 176.34.137.58:80 | http://updates.bbconsult.co.uk/Updates.asmx | IE | xml | 428 b | suspicious |
3184 | FlashBack Recorder.exe | POST | 200 | 176.34.137.58:80 | http://updates.bbconsult.co.uk/Updates.asmx | IE | xml | 514 b | suspicious |
3184 | FlashBack Recorder.exe | POST | 200 | 104.27.151.13:80 | http://regsys.ws.bbsoftware.co.uk/regsys.svc | US | text | 1.64 Kb | malicious |
3184 | FlashBack Recorder.exe | POST | 200 | 176.34.137.58:80 | http://stats.ws.bbsoftware.co.uk/stats.asmx | IE | xml | 399 b | suspicious |
3184 | FlashBack Recorder.exe | POST | 200 | 176.34.137.58:80 | http://updates.bbconsult.co.uk/Updates.asmx | IE | xml | 506 b | suspicious |
3184 | FlashBack Recorder.exe | POST | 200 | 176.34.137.58:80 | http://updates.bbconsult.co.uk/Updates.asmx | IE | xml | 428 b | suspicious |
1040 | FTSUploadAgent.exe | GET | 200 | 91.199.212.52:80 | http://crt.comodoca.com/COMODORSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3184 | FlashBack Recorder.exe | 176.34.137.58:80 | stats.ws.bbsoftware.co.uk | Amazon.com, Inc. | IE | unknown |
— | — | 130.159.196.117:123 | ntp.cis.strath.ac.uk | Jisc Services Limited | GB | unknown |
3184 | FlashBack Recorder.exe | 104.27.151.13:80 | regsys.ws.bbsoftware.co.uk | Cloudflare Inc | US | shared |
1040 | FTSUploadAgent.exe | 91.199.212.52:80 | crt.comodoca.com | Comodo CA Ltd | GB | suspicious |
Domain | IP | Reputation |
---|---|---|
ntp.cis.strath.ac.uk | | unknown |
regsys.ws.bbsoftware.co.uk | | malicious |
stats.ws.bbsoftware.co.uk | | suspicious |
updates.bbconsult.co.uk | | suspicious |
crt.comodoca.com | | whitelisted |