File name: a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9

Full analysis: https://app.any.run/tasks/779f763a-507a-4bb1-9d39-b8b513966756
Verdict: Malicious activity
Analysis date: December 06, 2022, 00:21:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
hiloti
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 4FCEC68C8CBC78DFA9D54FC8488D6FA6
SHA1: 87FCA627A9A1C5470037F8E1EE2A9EAC1133055B
SHA256: A1BDD00B183DB8618183E8E0FF087ED777E7944C17FD1517C9BC5620AFCD46B9
SSDEEP: 6144:Ga7eSobo7K4zUeT1+yLRaEuc6HvzJXocR6RjrxERF/FvS:Ga74b34onBrVR6R3WxvS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe (PID: 1328)
    • HILOTI was detected
      • a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe (PID: 1328)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe (PID: 1328)
    • Drops a file with too old compile date
      • a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe (PID: 1328)
    • Reads the Internet Settings
      • lBbHl01819.exe (PID: 3136)
      • a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe (PID: 1328)
    • Connects to the server without a host name
      • a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe (PID: 1328)
  • INFO
    • Checks supported languages
      • a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe (PID: 1328)
      • lBbHl01819.exe (PID: 3136)
    • Reads the computer name
      • a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe (PID: 1328)
      • lBbHl01819.exe (PID: 3136)
    • Creates files in the program directory
      • a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe (PID: 1328)
      • lBbHl01819.exe (PID: 3136)
    • Checks proxy server information
      • a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe (PID: 1328)
      • lBbHl01819.exe (PID: 3136)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2007-Dec-19 01:44:03
Detected languages:
  • Russian - Russia

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2007-Dec-19 01:44:03
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 18272 | 18432 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.27426
.data | 24576 | 1482752 | 9728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.38525
.tls | 1507328 | 4096 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.147365
.rsrc | 1511424 | 37164 | 37376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.27942
.rdata | 1552384 | 270280 | 270336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.85212

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.90326 | 9640 | UNKNOWN | Russian - Russia | RT_ICON
2 | 4.94815 | 1128 | UNKNOWN | Russian - Russia | RT_ICON
1 (#2) | 2.40927 | 34 | UNKNOWN | Russian - Russia | RT_GROUP_ICON
1 (#3) | 3.58734 | 892 | UNKNOWN | Russian - Russia | RT_VERSION

Imports

ADVAPI32.dll
KERNEL32.dll
MSASN1.dll
NTDLL.dll
Secur32.dll
USER32.dll
cryptdll.dll
msvcrt.dll
No data.
Total processes: 35
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> #HILOTI a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe -> lbbhl01819.exe

Process information

PID: 1328
CMD: "C:\Users\admin\AppData\Local\Temp\a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe"
Path: C:\Users\admin\AppData\Local\Temp\a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  c:\users\admin\appdata\local\temp\a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\msasn1.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\sechost.dll

PID: 3136
CMD: "C:\ProgramData\lBbHl01819\lBbHl01819.exe" "C:\Users\admin\AppData\Local\Temp\a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe"
Path: C:\ProgramData\lBbHl01819\lBbHl01819.exe
Parent process: a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  c:\programdata\lbbhl01819\lbbhl01819.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msasn1.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
Total events: 646
Read events: 598
Write events: 47
Delete events: 1

Modification events

(PID) Process: (1328) a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (1328) a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1328) a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1328) a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1328) a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1328) a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (1328) a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1328) a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1328) a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1328) a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionReason
Value: 1
Executable files: 1
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3136 | lBbHl01819.exe | C:\ProgramData\lBbHl01819\lBbHl01819 | binary
  MD5: 03A7E7E7C049B795470416860B5EB148
  SHA256: E9B759F927097A19F3044061F0FFC77F37B38F7BB4E256451493BF66006C3268
1328 | a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe | C:\Users\admin\AppData\Local\Temp\a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9 | binary
  MD5: A92559EC3B747D9395A3394E1D9B9517
  SHA256: 7E793642CD3E3DE96E5D95DF1B1CA8123E59529B24369676DA66C04A82A5AB51
1328 | a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe | C:\ProgramData\lBbHl01819\lBbHl01819.exe | executable
  MD5: 4FCEC68C8CBC78DFA9D54FC8488D6FA6
  SHA256: A1BDD00B183DB8618183E8E0FF087ED777E7944C17FD1517C9BC5620AFCD46B9
HTTP(S) requests: 3
TCP/UDP connections: 5
DNS requests: 0
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1328 | a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe | GET | | 91.193.194.40:80 | http://91.193.194.40/lurl.php?affid=01819 | unknown | | | malicious
3136 | lBbHl01819.exe | GET | | 91.193.194.40:80 | http://91.193.194.40/install.php?affid=01819 | unknown | | | malicious
1328 | a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe | GET | | 91.193.194.40:80 | http://91.193.194.40/lurl.php?affid=01819 | unknown | | | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1328 | a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe | 91.193.194.40:80 | | LIMANET Ltd. | UA | malicious
3136 | lBbHl01819.exe | 91.193.194.40:80 | | LIMANET Ltd. | UA | malicious

DNS requests

No data

Threats

PID | Process | Class | Message
1328 | a1bdd00b183db8618183e8e0ff087ed777e7944c17fd1517c9bc5620afcd46b9.exe | A Network Trojan was detected | ET TROJAN Hiloti loader requesting payload URL
No debug info