General Info

File name

panhunt.exe

Full analysis
https://app.any.run/tasks/08ae47f6-9420-47e2-b90c-5d33741ff55c
Verdict
Malicious activity
Analysis date
5/15/2019, 10:32:52
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5

16bbd59a99553e10cfee6494de25df30

SHA1

04f1171091b3faa340c4ea15ca3dc3ac8d3659d4

SHA256

a3495519ff7160e4ee89868e7c69dc276c83490fc435798e0cfd2a6c3e370d83

SSDEEP

98304:4cM96QF33YiVuCsaLgXYRY2zluD4bl5RPtYQeIXyehmbuJJ:NE6G3YeupaPRY2zluDsp1PXFmbuJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Actions looks like stealing of personal data
  • panhunt.exe (PID: 3952)
Loads dropped or rewritten executable
  • panhunt.exe (PID: 3952)
Application launched itself
  • panhunt.exe (PID: 1012)
Executable content was dropped or overwritten
  • panhunt.exe (PID: 1012)
Loads Python modules
  • panhunt.exe (PID: 3952)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (42.1%)
.exe
|   Win64 Executable (generic) (37.3%)
.dll
|   Win32 Dynamic Link Library (generic) (8.8%)
.exe
|   Win32 Executable (generic) (6%)
.exe
|   Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
0000:00:00 00:00:00
PEType:
PE32
LinkerVersion:
2.25
CodeSize:
40960
InitializedDataSize:
127488
UninitializedDataSize:
51200
EntryPoint:
0x14f0
OSVersion:
4
ImageVersion:
1
SubsystemVersion:
4
Subsystem:
Windows command line
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date:
01-Jan-1970 00:00:00
Detected languages
English - United States
TLS Callbacks:
2 callback(s) detected.
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
8
Time date stamp:
01-Jan-1970 00:00:00
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x00009FF4 0x0000A000 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_2048BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_8BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_CODE,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.21798
.data 0x0000B000 0x00000034 0x00000200 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0.541159
.rdata 0x0000C000 0x00004EA8 0x00005000 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_2048BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_8BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 6.97064
.bss 0x00011000 0x0000C6A4 0x00000000 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_2048BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_8BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.idata 0x0001E000 0x00000C2C 0x00000E00 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.84633
.CRT 0x0001F000 0x00000034 0x00000200 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0.267208
.tls 0x00020000 0x00000020 0x00000200 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0.175526
.rsrc 0x00021000 0x0000EC4C 0x0000EE00 IMAGE_SCN_ALIGN_1024BYTES,IMAGE_SCN_ALIGN_16BYTES,IMAGE_SCN_ALIGN_1BYTES,IMAGE_SCN_ALIGN_256BYTES,IMAGE_SCN_ALIGN_2BYTES,IMAGE_SCN_ALIGN_32BYTES,IMAGE_SCN_ALIGN_4096BYTES,IMAGE_SCN_ALIGN_4BYTES,IMAGE_SCN_ALIGN_512BYTES,IMAGE_SCN_ALIGN_64BYTES,IMAGE_SCN_ALIGN_8192BYTES,IMAGE_SCN_ALIGN_MASK,IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 7.30073
Resources
1

2

3

4

5

6

7

101

Imports
    KERNEL32.dll

    msvcr100.dll

    WS2_32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
34
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

+
start panhunt.exe panhunt.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
1012
CMD
"C:\Users\admin\AppData\Local\Temp\panhunt.exe"
Path
C:\Users\admin\AppData\Local\Temp\panhunt.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\panhunt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\apphelp.dll

PID
3952
CMD
"C:\Users\admin\AppData\Local\Temp\panhunt.exe"
Path
C:\Users\admin\AppData\Local\Temp\panhunt.exe
Indicators
Parent process
panhunt.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\panhunt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\users\admin\appdata\local\temp\_mei10122\python27.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\users\admin\appdata\local\temp\_mei10122\msvcr90.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\_mei10~1\_ctypes.pyd
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\users\admin\appdata\local\temp\_mei10~1\_hashlib.pyd
c:\users\admin\appdata\local\temp\_mei10~1\unicodedata.pyd
c:\users\admin\appdata\local\temp\_mei10~1\_socket.pyd
c:\users\admin\appdata\local\temp\_mei10~1\_ssl.pyd
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll

Registry activity

Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No registry activity.

Files activity

Executable files
14
Suspicious files
0
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\_ctypes.pyd
executable
MD5: d4e63d37bd2e2e4c8d411f213d1a0e03
SHA256: 00bb1ba68511d690024a76fad1770a13cf74e4552aaabf80384a07aba680d8d4
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\select.pyd
executable
MD5: 36e15944667b148005f41efd28144d46
SHA256: d4b43ff835ce0b42019d1d2722c44678d223837483d2d62455232b6c211274d0
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\msvcp90.dll
executable
MD5: 9928e1b8853c8d8a35fbfeb9e45957a8
SHA256: ea0325b1b61db1759d3692bcf80eef9b69e8e599a49e79ddac551f53138b6e23
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\msvcm90.dll
executable
MD5: 96c7b7470abe61bbc6f6e39fa06427db
SHA256: b6691a3fef03c385641d2ffd56bebdbc19950750571c31c01383fa78c637dc57
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\pyexpat.pyd
executable
MD5: 8af50a8478a1512a0876b8f14ae0b0b3
SHA256: 9ac61bea4cf0e80bbfb22a71f97080d292539f93696d52b97def069a0f4cafed
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\bz2.pyd
executable
MD5: 4d3eb772ad838ed7589bc5a331be2e33
SHA256: b0f5148a00da5ecf6a90144cdd05d9908202bc083b13f543042170d1b3d181f9
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\win32pipe.pyd
executable
MD5: 0d4a1785aa8f949cfa2a19278cbe3c81
SHA256: 2efc1764b23e02b2e91016ea331e68207cb5c2579166ca305a196fe343719d4d
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\pywintypes27.dll
executable
MD5: fbedcace76621787f22e14875f1bbb27
SHA256: ed50a725cec9c4ac26e90df2bb7a68b48ab17d5af2b3ebaad2e9d392d9b4e1c1
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\_socket.pyd
executable
MD5: 36df5c04156580d8114e902fe7701d9f
SHA256: a7f11ef22074d69409eddf7bde7e8d533c31a6f8c1711f768173371004a64299
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\unicodedata.pyd
executable
MD5: 5826bdb72dda19092b31b4585aed9863
SHA256: a77c21a3e108deed313858a1f8ebd554b41c3597486e2f707064e9bb5dc33c0b
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\msvcr90.dll
executable
MD5: 5bc75d03abf8ebaf9c5ea4e354dfb840
SHA256: 92281334cf905c35e7c93dd526b5c199ea9823cd52922f55f14e3008f98cd4e1
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\python27.dll
executable
MD5: bbb57215056964c743d4a82bcc83bbcd
SHA256: c7897b7d419e79ecb189df25180eccfc3a263541b9b3212d2bad8eadb67850a7
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\_hashlib.pyd
executable
MD5: 156409497d403c0b52a6336652493f61
SHA256: 2ce1b5393e6ff69e12d2b3c1ce226f67095ea872342ae3d118778d9c4f021bf4
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\_ssl.pyd
executable
MD5: 101b2bd45f0e1a1e5c16e795608abc0b
SHA256: 9b7ed8f848d4b2d24dabb69b241d03961c4ce417ed566fb7527dc44ecb8096fa
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\panhunt.exe.manifest
xml
MD5: 5cd6f470bd2504cb126b147a495575e0
SHA256: 90024ce598349cdc55482a5808ef95f20979620ae2a0676365be1479ee9f4e36
3952
panhunt.exe
C:\Users\admin\AppData\Local\Temp\panhunt_2019-05-15-093309.txt
text
MD5: 423c130dceaf7815b8280249c4fb59b8
SHA256: a82e1bf65bfaf925401162d356f7bcf8aa6534fba5d17b9ef45292cc6663fffd
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\Include\pyconfig.h
text
MD5: bc185de8b2437963368a85fdd9852951
SHA256: 8b130d901e0f83b55699d565f103f2f8f1b3a51712ebb4b9646ea517cc1f04d6
1012
panhunt.exe
C:\Users\admin\AppData\Local\Temp\_MEI10122\Microsoft.VC90.CRT.manifest
xml
MD5: 241a0ec0580005e5fee986afc78f6864
SHA256: 3993e65e8bcd38caa3dd1cb8cc6507b4d98558a3fead96671fd00bfb3985cee7

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.