File name: | 2.bin |
Full analysis: | https://app.any.run/tasks/ac7eea3e-1440-4e63-9bec-6e4ebaa19c19 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | December 06, 2022, 02:18:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C446EE98C9E32B2E74297AD71AB05182 |
SHA1: | 5004A79D3D49B339D8B5248CE59C68E43C616BE7 |
SHA256: | A36EBD8A548DB06BACD9BDC7F5C71619CA17C30C0A349AD62997A49CEA714001 |
SSDEEP: | 12288:nu+NX43o5MK4ypyQkiHK/MNv75JHjeJdcbm8CmTy1Dc7VS:nuCXaYawyQkiq/MNjrydcbm+W147U |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2021-Dec-10 18:23:41 |
Debug artifacts: |
|
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 224 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2021-Dec-10 18:23:41 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 106604 | 107008 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.34312 |
.data | 114688 | 711432 | 600576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99271 |
.rsrc | 827392 | 102488 | 102912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.51886 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.33895 | 1736 | UNKNOWN | UNKNOWN | RT_ICON |
2 | 5.47765 | 1384 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 5.08275 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 5.44877 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 5.72523 | 2216 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 5.98694 | 1736 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 5.89149 | 1384 | UNKNOWN | UNKNOWN | RT_ICON |
8 | 5.11653 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
9 | 4.66394 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
10 | 4.73079 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
GDI32.dll |
KERNEL32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1752 | "C:\Users\admin\Desktop\2.bin.exe" | C:\Users\admin\Desktop\2.bin.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
928 | "C:\Users\admin\Desktop\2.bin.exe" | C:\Users\admin\Desktop\2.bin.exe | 2.bin.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
3740 | icacls "C:\Users\admin\AppData\Local\9855fbd7-a07d-4cee-9a4a-f22e2e0924f3" /deny *S-1-1-0:(OI)(CI)(DE,DC) | C:\Windows\system32\icacls.exe | — | 2.bin.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2772 | "C:\Users\admin\Desktop\2.bin.exe" --Admin IsNotAutoStart IsNotTask | C:\Users\admin\Desktop\2.bin.exe | 2.bin.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
1812 | "C:\Users\admin\Desktop\2.bin.exe" --Admin IsNotAutoStart IsNotTask | C:\Users\admin\Desktop\2.bin.exe | 2.bin.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
3932 | "C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe" | C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe | — | 2.bin.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2084 | "C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe" | C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe | build2.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
2272 | "C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build3.exe" | C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build3.exe | 2.bin.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 4294967295 Modules
| |||||||||||||||
3100 | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Network\mstsca.exe" | C:\Windows\System32\schtasks.exe | — | build3.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1400 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Management Console Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
928 | 2.bin.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3538626A1FCCCA43C7E18F220BDD9B02 | der | |
MD5:7B8060B571D2A875D91B7D1CDA11BB30 | SHA256:21537AFE7D8FFCCA1788F5446A819DA45747EC5E0BC53C767EAE013DD67CC76A | |||
1812 | 2.bin.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\geo[1].json | binary | |
MD5:B4D45C480058D08F9A042E5441513E28 | SHA256:6AA178C9C7B0E58CCAC7442D7D151D280395F22A879482CB7C70471E97F666A3 | |||
928 | 2.bin.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der | |
MD5:C51850A96D359A09A3A3A2249C52A92D | SHA256:D66175EC867BEE8F450F2F3AD05D9D161384241244E6D5CF791A608DD31EF175 | |||
2084 | build2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30 | der | |
MD5:E4FD10C588A13A7F8482D95E13DE3B15 | SHA256:C0D03C7EC2A9782ACFAC7D0C31249475FAEB8AEC71970DDC2CBE1734EC01B80F | |||
928 | 2.bin.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\geo[1].json | binary | |
MD5:B4D45C480058D08F9A042E5441513E28 | SHA256:6AA178C9C7B0E58CCAC7442D7D151D280395F22A879482CB7C70471E97F666A3 | |||
2084 | build2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | der | |
MD5:E564CAB61E382406F4D7E9EBDCA3F2CA | SHA256:9B67206021B63E35A55FE2B95B9263FD514099F4E4BD0E3FEF0F4A33D1C69028 | |||
2084 | build2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | der | |
MD5:54D389C97E4B56C4FD5F7FD2EE75CAD8 | SHA256:805A905D72FAE55AAC2B424472B641568599C61294507C608B0523BCAB10FBBD | |||
1812 | 2.bin.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\build2[1].exe | executable | |
MD5:B9212DED69FAE1FA1FB5D6DB46A9FB76 | SHA256:7A087C1BCD038C61DDB0F634F9B21E6DB9BED59842F19ADEDA48B49ACB20E16F | |||
1812 | 2.bin.exe | C:\Users\admin\AppData\Local\bf122f0a-2a50-4bd1-8cd0-9c7d20bab55e\build2.exe | executable | |
MD5:B9212DED69FAE1FA1FB5D6DB46A9FB76 | SHA256:7A087C1BCD038C61DDB0F634F9B21E6DB9BED59842F19ADEDA48B49ACB20E16F | |||
2084 | build2.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30 | binary | |
MD5:E8B0BD03DFCB4912369F9DBE17975EB0 | SHA256:0C1AD9C94D3B8A49B0D64E85D5DDAAE2605BE9E5EB0C18BDC701291E4E6C2A39 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2084 | build2.exe | GET | 200 | 192.124.249.24:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCxJlJbiuuimg%3D%3D | US | der | 1.74 Kb | whitelisted |
2084 | build2.exe | GET | 200 | 192.124.249.24:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
2084 | build2.exe | GET | 200 | 168.119.167.188:80 | http://168.119.167.188/517 | DE | text | 233 b | malicious |
1812 | 2.bin.exe | GET | 200 | 211.59.14.90:80 | http://uaery.top/dl/build2.exe | KR | executable | 258 Kb | malicious |
2084 | build2.exe | GET | 200 | 168.119.167.188:80 | http://168.119.167.188/567493352647.zip | DE | compressed | 3.47 Mb | malicious |
2084 | build2.exe | GET | 200 | 192.124.249.24:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted |
928 | 2.bin.exe | GET | 200 | 104.18.32.68:80 | http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl | US | der | 978 b | whitelisted |
928 | 2.bin.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 1.42 Kb | whitelisted |
1812 | 2.bin.exe | GET | 200 | 200.46.66.71:80 | http://fresherlights.com/files/1/build3.exe | PA | executable | 9.50 Kb | malicious |
928 | 2.bin.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?068e6a04bf60b030 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
928 | 2.bin.exe | 172.64.155.188:80 | ocsp.comodoca.com | CLOUDFLARENET | US | suspicious |
928 | 2.bin.exe | 162.0.217.254:443 | api.2ip.ua | NAMECHEAP-NET | NL | suspicious |
1812 | 2.bin.exe | 162.0.217.254:443 | api.2ip.ua | NAMECHEAP-NET | NL | suspicious |
3276 | 2.bin.exe | 162.0.217.254:443 | api.2ip.ua | NAMECHEAP-NET | NL | suspicious |
2084 | build2.exe | 192.124.249.24:80 | ocsp.godaddy.com | SUCURI-SEC | US | suspicious |
928 | 2.bin.exe | 104.18.32.68:80 | ocsp.comodoca.com | CLOUDFLARENET | — | suspicious |
1812 | 2.bin.exe | 31.167.245.32:80 | fresherlights.com | Etihad Etisalat, a joint stock company | SA | malicious |
2084 | build2.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | malicious |
2084 | build2.exe | 168.119.167.188:80 | — | Hetzner Online GmbH | DE | malicious |
928 | 2.bin.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
api.2ip.ua |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
crl.usertrust.com |
| whitelisted |
uaery.top |
| malicious |
fresherlights.com |
| malicious |
t.me |
| whitelisted |
ocsp.godaddy.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET POLICY External IP Address Lookup DNS Query (2ip .ua) |
928 | 2.bin.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) |
1812 | 2.bin.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) |
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
1812 | 2.bin.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) |
1812 | 2.bin.exe | A Network Trojan was detected | ET TROJAN Potential Dridex.Maldoc Minimal Executable Request |
1812 | 2.bin.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 |
1812 | 2.bin.exe | A Network Trojan was detected | ET TROJAN Win32/Vodkagats Loader Requesting Payload |
1812 | 2.bin.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
1812 | 2.bin.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
Process | Message |
---|---|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|