File name:

OpenBullet.exe

Full analysis: https://app.any.run/tasks/8cb2ce54-f7be-48f6-9199-ec8721e88515
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 09, 2024, 06:11:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B6C34E318FDE72E7AE94DF987BB46732

SHA1:

2432E5EC0D68D05A1A078C9064875B9F24802377

SHA256:

9B3BD3F64EB34FBF4BF24FEBFD6A5B36AC43DBFC05601E2F332B12751B70C9F8

SSDEEP:

49152:9TjqilUTP6itA3JPn5URmZsda1Ak2ZK0xi6bcxcjZcmUjet5:x8dun5AWsAgFiac0Z4jm5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • OpenBullet.exe (PID: 6328)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • OpenBullet.exe (PID: 6328)

    • Executable content was dropped or overwritten

      • OpenBullet.exe (PID: 6328)

    • Executes application which crashes

      • OpenBullet.exe (PID: 6372)

    • Reads the date of Windows installation

      • OpenBullet.exe (PID: 6328)

    • Reads security settings of Internet Explorer

      • OpenBullet.exe (PID: 6328)

    • Mutex name with non-standard characters

      • OpenBullet.exe (PID: 6328)

  • INFO

    • Create files in a temporary directory

      • OpenBullet.exe (PID: 6328)

    • Checks supported languages

      • OpenBullet.exe (PID: 6328)
      • OpenBullet.exe (PID: 6372)

    • Process checks computer location settings

      • OpenBullet.exe (PID: 6328)

    • Reads the computer name

      • OpenBullet.exe (PID: 6328)
      • OpenBullet.exe (PID: 6372)

    • Reads the machine GUID from the registry

      • OpenBullet.exe (PID: 6372)

    • Checks proxy server information

      • WerFault.exe (PID: 6600)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6600)

    • Reads the software policy settings

      • WerFault.exe (PID: 6600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (73.1)
.odttf | Obfuscated subsetted Font (14.4)
.exe | Win32 Executable Delphi generic (3.9)
.scr | Windows screen saver (3.6)
.dll | Win32 Dynamic Link Library (generic) (1.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start openbullet.exe openbullet.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
6328"C:\Users\admin\AppData\Local\Temp\OpenBullet.exe" C:\Users\admin\AppData\Local\Temp\OpenBullet.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\openbullet.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6372"C:\Users\admin\AppData\Local\Temp\3582-490\OpenBullet.exe" C:\Users\admin\AppData\Local\Temp\3582-490\OpenBullet.exe
OpenBullet.exe
User:
admin
Integrity Level:
MEDIUM
Description:
OpenBullet
Exit code:
3762504530
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\openbullet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6600C:\WINDOWS\system32\WerFault.exe -u -p 6372 -s 992C:\Windows\System32\WerFault.exe
OpenBullet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
Total events
7 923
Read events
7 915
Write events
8
Delete events
0

Modification events

(PID) Process:(6328) OpenBullet.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6328) OpenBullet.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6328) OpenBullet.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6328) OpenBullet.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
8
Suspicious files
2
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
6600WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_OpenBullet.exe_edcb28384ab516cb159e702c68cc72515775a166_117e6e4f_6950f8e0-4bb0-4eb3-8b03-4b010d27d7d3\Report.wer
MD5:
SHA256:
6600WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\OpenBullet.exe.6372.dmp
MD5:
SHA256:
6600WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER5C17.tmp.WERInternalMetadata.xmlxml
MD5:5DEE2F4F9BF2BBD3D45E20E8B7702052
SHA256:65991DBC22020F36A4FE35F1BC1EE9FB4F8529446B82A1EDFBD50A67DBC40303
6600WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEbinary
MD5:FB64A9EBEDF48D3895381D5B7D80743D
SHA256:EA21D495930AD76F267A33A0F593DBF0C7EA75E457FCAE49A29DAAD8BD920F42
6328OpenBullet.exeC:\Users\admin\AppData\Local\Temp\3582-490\OpenBullet.exeexecutable
MD5:6B506488DC793701DD60B2AFE9154C55
SHA256:6C72B6C23683F2C3D22CFF325647579F44E57C8F4E796CC7F9E346E001515741
6328OpenBullet.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exeexecutable
MD5:0C5EC1AE9A301408AF26032B445FBB08
SHA256:3A8010F1E4E028782093877D969EB127B80AE48B7215A8D3F91E8AB9C165AC7A
6328OpenBullet.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exeexecutable
MD5:178B773B3FB050FCE26E40A9E8C2EE9A
SHA256:1E03573733F25B44004049A535E7E79366FD86FE953F6DFEDAAD05513B46A6C5
6328OpenBullet.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncHelper.exeexecutable
MD5:1C0BE16E6ED8F5B6F0910650A25F4FA7
SHA256:3028F6A6A7A10DC5D63F256FEEB8275F3818BF3371EAF8B20A2D0BF2FCD5F4A9
6328OpenBullet.exeC:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exeexecutable
MD5:85A67D34298E33D2D5A9EC789B6AB594
SHA256:1DEE143B4F88F2375B85C6271A58E2E78FED081BEAE4090678CB2DD7A37FB2D4
6600WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785binary
MD5:82C30E45BF5F93A5DB1D5E47F913053B
SHA256:2C6BBFF9207065E8800C4AF0CB2748818ABB3CFFC0D6D518FE17F76A232F8967
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
45
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7044
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3900
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6996
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3888
svchost.exe
239.255.255.250:1900
whitelisted
5028
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
4232
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6600
WerFault.exe
52.168.117.173:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4
System
192.168.100.255:137
whitelisted
5028
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5336
SearchApp.exe
2.23.209.193:443
www.bing.com
Akamai International B.V.
GB
unknown
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 4.231.128.59
  • 52.140.118.28
whitelisted
google.com
  • 142.250.185.206
whitelisted
watson.events.data.microsoft.com
  • 52.168.117.173
whitelisted
www.bing.com
  • 2.23.209.193
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.186
  • 2.23.209.131
  • 2.23.209.130
  • 2.23.209.189
  • 2.23.209.191
  • 2.23.209.188
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.140
  • 40.126.32.76
  • 20.190.160.20
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.17
whitelisted
th.bing.com
  • 2.23.209.179
  • 2.23.209.186
  • 2.23.209.189
  • 2.23.209.185
  • 2.23.209.183
  • 2.23.209.178
  • 2.23.209.182
  • 2.23.209.188
  • 2.23.209.181
  • 2.23.209.167
  • 2.23.209.173
  • 2.23.209.162
  • 2.23.209.166
  • 2.23.209.171
  • 2.23.209.169
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
OpenBullet.exe