File name:	main.exe
Full analysis:	https://app.any.run/tasks/eb3f3025-700a-4169-b8b5-32cbe3cbeb6b
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 21, 2024, 20:41:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer evasion python arch-doc
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:	C0E4C8F676E781C9DD3D57FFA4F99111
SHA1:	94A6F60949F38DA538B5227722698DD880961BB2
SHA256:	9C08A9ACA45B1A4E36E0DC907EEBEAD439BFF5B2048B1F2248AFA4F88520812D
SSDEEP:	196608:+AM9P/acOGFCKLkDGckQBObTEo5KMjYEEIjqD624ZRM5Vbg75FJRXY:+AQ3hOGXZqCRKMjYERqDP4ZqV8HbX

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2024:12:21 20:26:43+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.41
CodeSize:	176640
InitializedDataSize:	152576
UninitializedDataSize:	-
EntryPoint:	0xc380
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line


(PID) Process:	(5400) rundll32.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithProgids
Operation:	write	Name:	pngfile
Value:
(PID) Process:	(5400) rundll32.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe%5Cmicrosoft.system.package.metadata%5CS-1-5-21-1693682860-607145093-2874071422-1001-MergedResources-0.pri\1d8b7afeb5c569c\55e3c056
Operation:	write	Name:	@{microsoft.screensketch_10.1907.2471.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.screensketch/files/assets/screensketchsquare44x44logo.png}
Value: C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-black.png

PID	Process	Filename		Type
6848	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI68482\Crypto\Cipher\_ARC4.pyd		executable
		MD5:BCD8CAAF9342AB891BB1D8DD45EF0098	SHA256:78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
6848	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI68482\Crypto\Cipher\_raw_aes.pyd		executable
		MD5:0AB25F99CDAACA6B11F2ECBE8223CAD5	SHA256:6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
6848	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI68482\Crypto\Cipher\_chacha20.pyd		executable
		MD5:DC14677EA8A8C933CC41F9CCF2BEDDC1	SHA256:68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
6848	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI68482\Crypto\Cipher\_raw_aesni.pyd		executable
		MD5:B6EA675C3A35CD6400A7ECF2FB9530D1	SHA256:76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
6848	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI68482\Crypto\Cipher\_pkcs1_decode.pyd		executable
		MD5:C09BB8A30F0F733C81C5C5A3DAD8D76D	SHA256:8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
6848	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI68482\Crypto\Cipher\_raw_arc2.pyd		executable
		MD5:F14E1AA2590D621BE8C10321B2C43132	SHA256:FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
6848	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI68482\Crypto\Cipher\_raw_cbc.pyd		executable
		MD5:40390F2113DC2A9D6CFAE7127F6BA329	SHA256:6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
6848	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI68482\Crypto\Cipher\_raw_cfb.pyd		executable
		MD5:899895C0ED6830C4C9A3328CC7DF95B6	SHA256:18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
6848	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI68482\Crypto\Cipher\_raw_cast.pyd		executable
		MD5:2E15AA6F97ED618A3236CFA920988142	SHA256:516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
6848	main.exe	C:\Users\admin\AppData\Local\Temp\_MEI68482\Crypto\Cipher\_raw_ctr.pyd		executable
		MD5:C4C525B081F8A0927091178F5F2EE103	SHA256:4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4328	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4328	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6932	main.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/	unknown	—	—	shared
6932	main.exe	GET	200	208.95.112.1:80	http://ip-api.com/json/94.250.19.232?fields=192511	unknown	—	—	shared
—	—	GET	200	45.112.123.126:443	https://api.gofile.io/servers	unknown	binary	401 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.23.209.149:443	www.bing.com	Akamai International B.V.	GB	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4328	svchost.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4328	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 40.127.240.158	whitelisted
www.bing.com	2.23.209.149 2.23.209.161 2.23.209.150 2.23.209.179 2.23.209.158 2.23.209.177 2.23.209.176 2.23.209.140 2.23.209.148	whitelisted
google.com	142.250.185.110	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.120	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
api.gofile.io	45.112.123.126	whitelisted
ip-api.com	208.95.112.1	shared
self.events.data.microsoft.com	13.89.178.26	whitelisted

PID	Process	Class	Message
2192	svchost.exe	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
6932	main.exe	Misc activity	ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6932	main.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
6932	main.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
6932	main.exe	Misc activity	ET INFO File Sharing Related Domain in TLS SNI (gofile .io)

General Info

main.exe

C0E4C8F676E781C9DD3D57FFA4F99111

94A6F60949F38DA538B5227722698DD880961BB2

9C08A9ACA45B1A4E36E0DC907EEBEAD439BFF5B2048B1F2248AFA4F88520812D

196608:+AM9P/acOGFCKLkDGckQBObTEo5KMjYEEIjqD624ZRM5Vbg75FJRXY:+AQ3hOGXZqCRKMjYERqDP4ZqV8HbX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Process drops python dynamic module

The process drops C-runtime libraries

Process drops legitimate windows executable

Executable content was dropped or overwritten

Application launched itself

Starts CMD.EXE for commands execution

Loads Python modules

Uses WMIC.EXE to obtain Windows Installer data

Data upload via CURL

Execution of CURL command

Uses WMIC.EXE to obtain service application data

Accesses product unique identifier via WMI (SCRIPT)

Checks for external IP

Potential Corporate Privacy Violation

Get information on the list of running processes

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

The sample compiled with english language support

Checks operating system version

Checks proxy server information

Creates files or folders in the user directory

Execution of CURL command

Reads security settings of Internet Explorer

Manual execution by a user

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests