Field | Value
---|---
File name: | browser.jpg.bin
Full analysis: | https://app.any.run/tasks/85c92e67-ffce-4da2-adbc-8da4999f29ed
Verdict: | Malicious activity
Analysis date: | February 18, 2019, 23:19:49
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: |
Indicators: |
MIME: | application/x-dosexec
File info: | PE32 executable (GUI) Intel 80386, for MS Windows
MD5: | 0ECA096DAC2626BE2D000D753EC20765
SHA1: | 85CE18597998659DD185A471B68242E6F6FB3BF0
SHA256: | 9F202ADD16464EB66990D56CAE7CF2E9763DE3AEAB6148803F0DA22C60DC58A4
SSDEEP: | 24576:SlxKKE/JRpD5gmxXV5YgcirByuVzJLITdjgI2uZeQieckF4eKhxV8E:SjKKE/Jb7XV5YEyCtwjRBZeePF4bhxn
Extension | File type (match score)
---|---
.exe | Win64 Executable (generic) (49.4)
.scr | Windows screen saver (23.4)
.dll | Win32 Dynamic Link Library (generic) (11.7)
.exe | Win32 Executable (generic) (8)
.exe | Generic Win/DOS Executable (3.5)
Field | Value
---|---
MachineType: | Intel 386 or later, and compatibles
TimeStamp: | 2019:02:19 00:10:02+01:00
PEType: | PE32
LinkerVersion: | 2.5
CodeSize: | 2474496
InitializedDataSize: | 20992
UninitializedDataSize: | -
EntryPoint: | 0x25c4a0
OSVersion: | 4
ImageVersion: | -
SubsystemVersion: | 4
Subsystem: | Windows GUI
Field | Value
---|---
Architecture: | IMAGE_FILE_MACHINE_I386
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: | 18-Feb-2019 23:10:02
Field | Value
---|---
Magic number: | MZ
Bytes on last page of file: | 0x0090
Pages in file: | 0x0003
Relocations: | 0x0000
Size of header: | 0x0004
Min extra paragraphs: | 0x0000
Max extra paragraphs: | 0xFFFF
Initial SS value: | 0x0000
Initial SP value: | 0x00B8
Checksum: | 0x0000
Initial IP value: | 0x0000
Initial CS value: | 0x0000
Overlay number: | 0x0000
OEM identifier: | 0x0000
OEM information: | 0x0000
Address of NE header: | 0x00000080
Field | Value
---|---
Signature: | PE
Machine: | IMAGE_FILE_MACHINE_I386
Number of sections: | 3
Time date stamp: | 18-Feb-2019 23:10:02
Pointer to Symbol Table: | 0x00000000
Number of symbols: | 0
Size of Optional Header: | 0x00E0
Characteristics: |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0025C18B | 0x0025C200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.26037 |
.rdata | 0x0025E000 | 0x000003E8 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.71757 |
.data | 0x0025F000 | 0x0019BD54 | 0x00004E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.43234 |
Imported DLL |
---|
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
SHLWAPI.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process | User | Integrity Level
---|---|---|---|---|---|---
3136 | "C:\Users\admin\AppData\Local\Temp\browser.jpg.bin.exe" | C:\Users\admin\AppData\Local\Temp\browser.jpg.bin.exe | | explorer.exe | admin | MEDIUM
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
3136 | browser.jpg.bin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Windows\Configuration | write | i | D9AF0D9887E39A1955C0
3136 | browser.jpg.bin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Windows Session Manager | "C:\ProgramData\services\csrss.exe"
3136 | browser.jpg.bin.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | write | Windows Session Manager | "C:\ProgramData\services\csrss.exe"
3136 | browser.jpg.bin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Resources\Help | write | id | 707A5B6776B0796AD9A2
3136 | browser.jpg.bin.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Resources\Help | write | fs | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3136 | browser.jpg.bin.exe | C:\Users\admin\AppData\Local\Temp\9P2i8FeHvz\state.tmp | — | — | —
3136 | browser.jpg.bin.exe | C:\Users\admin\AppData\Local\Temp\9P2i8FeHvz\unverified-microdesc-consensus.tmp | — | — | —
3136 | browser.jpg.bin.exe | C:\Users\admin\AppData\Local\Temp\9P2I8F~1\unverified-microdesc-consensus | — | — | —
3136 | browser.jpg.bin.exe | C:\Users\admin\AppData\Local\Temp\9P2i8FeHvz\cached-certs.tmp | — | — | —
3136 | browser.jpg.bin.exe | C:\Users\admin\AppData\Local\Temp\9P2i8FeHvz\cached-microdesc-consensus.tmp | — | — | —
3136 | browser.jpg.bin.exe | C:\Users\admin\AppData\Local\Temp\9P2I8F~1\cached-certs | text | 72137B062AC7EF58733859225827C095 | 7A673D4E68C573D90E7B4B50653C2F0EA857CA19ED89DC70D0BC76D93D20DE8A
3136 | browser.jpg.bin.exe | C:\Users\admin\AppData\Local\Temp\9P2I8F~1\cached-microdesc-consensus | text | C106BA4D622E53759FE116E23B775383 | C03E3ADC2511C4A9376D10CC51CF6FBB8E26A4432A5772DE9BCBE1BD3E69A8C5
3136 | browser.jpg.bin.exe | C:\ProgramData\services\csrss.exe | executable | 0ECA096DAC2626BE2D000D753EC20765 | 9F202ADD16464EB66990D56CAE7CF2E9763DE3AEAB6148803F0DA22C60DC58A4
3136 | browser.jpg.bin.exe | C:\Users\admin\AppData\Local\Temp\9P2i8FeHvz\cached-microdescs.new | text | 6C180EE0C46B3AE7FE4B9E66CDE4B8A5 | BC2AFFA21385B42048DC032C9E8A1A2CF6699272727C47BEAD34C638A04A8026
3136 | browser.jpg.bin.exe | C:\Users\admin\AppData\Local\Temp\9P2I8F~1\state | text | FD5870DDFD397499FAFC1DED82C66837 | 2B3E1EFF7C61D0BB83DD443353B60ACB5519BB05240A74C95D255A3783F84A58
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3136 | browser.jpg.bin.exe | GET | 503 | 104.31.93.104:80 | http://www.anti-abuse.org/multi-rbl-check-results/?host=85.203.44.80 | US | html | 7.40 Kb | suspicious |
3136 | browser.jpg.bin.exe | GET | 200 | 185.134.245.113:80 | http://xtron.se/ | NO | html | 1.60 Kb | malicious |
3136 | browser.jpg.bin.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared |
3136 | browser.jpg.bin.exe | GET | 503 | 104.31.93.104:80 | http://www.anti-abuse.org/multi-rbl-check-results/?host=85.203.44.80 | US | html | 8.71 Kb | suspicious |
3136 | browser.jpg.bin.exe | GET | 503 | 104.31.93.104:80 | http://www.anti-abuse.org/multi-rbl-check-results/?host=85.203.44.80 | US | html | 6.18 Kb | suspicious |
3136 | browser.jpg.bin.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared |
3136 | browser.jpg.bin.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared |
3136 | browser.jpg.bin.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared |
3136 | browser.jpg.bin.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared |
3136 | browser.jpg.bin.exe | GET | 403 | 104.16.154.36:80 | http://whatismyipaddress.com/ | US | text | 107 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3136 | browser.jpg.bin.exe | 76.73.17.194:9090 | — | Cogent Communications | US | malicious |
3136 | browser.jpg.bin.exe | 171.25.193.9:80 | — | Foreningen for digitala fri- och rattigheter | SE | malicious |
3136 | browser.jpg.bin.exe | 104.18.35.131:80 | whatsmyip.net | Cloudflare Inc | US | shared |
3136 | browser.jpg.bin.exe | 178.18.122.109:4433 | — | Ai Networks Limited | GB | suspicious |
3136 | browser.jpg.bin.exe | 94.100.180.160:465 | smtp.mail.ru | Limited liability company Mail.Ru | RU | malicious |
3136 | browser.jpg.bin.exe | 163.172.53.84:443 | — | Online S.a.s. | FR | suspicious |
3136 | browser.jpg.bin.exe | 104.16.154.36:80 | whatismyipaddress.com | Cloudflare Inc | US | shared |
3136 | browser.jpg.bin.exe | 104.31.93.104:80 | www.anti-abuse.org | Cloudflare Inc | US | shared |
3136 | browser.jpg.bin.exe | 173.73.88.202:9001 | — | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
3136 | browser.jpg.bin.exe | 94.100.180.160:25 | smtp.mail.ru | Limited liability company Mail.Ru | RU | malicious |
Domain | IP | Reputation
---|---|---
whatismyipaddress.com | | shared
whatsmyip.net | | shared
2.0.0.127.zen.spamhaus.org | | unknown
www.anti-abuse.org | | suspicious
smtp.mail.ru | | shared
buildawebpage.com | | malicious
stockholmfoto.se | | malicious
northregion.com | | unknown
xn--lgenhetuthyresibenalmadena-ghc.se | | malicious
domainwebhost.se | | unknown
PID | Process | Class | Message |
---|---|---|---|
3136 | browser.jpg.bin.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178 |
3136 | browser.jpg.bin.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |
3136 | browser.jpg.bin.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection |
3136 | browser.jpg.bin.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 172 |
3136 | browser.jpg.bin.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 203 |
3136 | browser.jpg.bin.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |
3136 | browser.jpg.bin.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 188 |
3136 | browser.jpg.bin.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection |
3136 | browser.jpg.bin.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |
3136 | browser.jpg.bin.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection |