File name:

a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc

Full analysis: https://app.any.run/tasks/98abef73-8b5e-409c-bf5d-efd3a3e284da
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 13, 2024, 19:15:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
floxif
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

C62F172C3B59196D73B8A8BA0BE84BFA

SHA1:

09D83E5578EDA48C72CFAD84579B9CDB7F09E77B

SHA256:

A4F9BC6D511E630A8629557F5B79BA9CD8FCD23BDC8786EE5EBE15D1F61A40FC

SSDEEP:

49152:ZHjgcDLEqUfkLY6npOHwWLm9MeSwpIplLcOUKA3lVBZqx8r9Qlf0dAe1Gg5j:5jgcD3UfkLyHwWvCCplQ13lrZqm2lfOJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Executing a file with an untrusted certificate

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Actions looks like stealing of personal data

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • FLOXIF has been detected (SURICATA)

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Connects to the CnC server

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Executable content was dropped or overwritten

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Reads security settings of Internet Explorer

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Checks Windows Trust Settings

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Contacting a server suspected of hosting an CnC

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

  • INFO

    • Creates files in the program directory

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • The sample compiled with english language support

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Checks supported languages

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Reads the computer name

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Creates files or folders in the user directory

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Reads the machine GUID from the registry

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Checks proxy server information

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Process checks computer location settings

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Create files in a temporary directory

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • Reads the software policy settings

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)

    • UPX packer has been detected

      • a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe (PID: 3224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:10 07:59:42+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 637440
InitializedDataSize: 519680
UninitializedDataSize: -
EntryPoint: 0x85c1e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.0.0.7710
ProductVersionNumber: 3.0.0.7710
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: CyberLink
FileDescription: CyberLink Downloader
FileVersion: 3.0.0.7710
InternalName: CLDownloader
LegalCopyright: Copyright (C) CyberLink Corporation. All rights reserved
OriginalFileName: CLDownloader.exe
ProductName: CLDownloader
ProductVersion: 3.0.0.7710
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start svchost.exe #FLOXIF a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3224"C:\Users\admin\Desktop\a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe" C:\Users\admin\Desktop\a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
explorer.exe
User:
admin
Company:
CyberLink
Integrity Level:
MEDIUM
Description:
CyberLink Downloader
Version:
3.0.0.7710
Modules
Images
c:\users\admin\desktop\a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
Total events
3 649
Read events
3 645
Write events
4
Delete events
0

Modification events

(PID) Process:(3224) a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3224) a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3224) a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3224) a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeKey:HKEY_CURRENT_USER\SOFTWARE\CyberLink\CBE
Operation:writeName:UUID
Value:
S-1-5-21-1693682860-607145093-2874071422-1001-74ACAE95-BA92-4139-92FD-E69F4CE3D61D
Executable files
2
Suspicious files
12
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
3224a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeC:\ProgramData\CyberLink\Downloader\Item0.initext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
3224a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeC:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe_v2\cc956974-8cbf-41a5-b25a-e64711173977.jsonbinary
MD5:349C19CD058EA7C4993D1691BD64C757
SHA256:8B712F7C7322EFF850786E8100F5BBAB8CD09E0B7FA24B85810E0333D53DCD50
3224a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeC:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe_v2\UNO.initext
MD5:BE9D6EFBD8632E482C64618F00A701FA
SHA256:D94FD0C7E43DF0A03014A44D79653C0845ADB29E6222CA47718C46AF90847B84
3224a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4EA555947766F67C3BB52DEDFD509C5binary
MD5:AE1D19E9D91BA267832F4A0329AB6F5C
SHA256:6136F04FA73E55D1851DC15689F7833C726F80D3C1DE7B566CFCED838923F489
3224a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\sendlog[1].htmbinary
MD5:7A09946D151CAEBC4D91B5A06B05241C
SHA256:304CF9093677DF800F1D7EDBC164E36C98F3DC7F2C94F56C1FEF09E1F4507151
3224a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeC:\ProgramData\CyberLink\CBE\D8D760AC-ACA2-493e-9623-61E9D47DE89C\a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe_v2\4ba0c5d1-4057-42ca-8333-d3d067066de2.jsonbinary
MD5:54E2CAC673C373CC4E68C4C49D9448E3
SHA256:242786F25AFBBEE93C5B898C99875B0B4E327525250C9793BBD62940A3F84744
3224a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeC:\Users\admin\AppData\Local\Temp\ade40243-d2cc-46c1-bf40-a812145798d0.jsonbinary
MD5:99914B932BD37A50B983C5E7C90AE93B
SHA256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
3224a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeC:\Users\admin\AppData\Local\Temp\4ba0c5d1-4057-42ca-8333-d3d067066de2.jsonbinary
MD5:99914B932BD37A50B983C5E7C90AE93B
SHA256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
3224a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\get-link[1].htmtext
MD5:45882C251C7E03EB42C449A846EA7D6C
SHA256:45B24EB31B46BC71A3DD046E3D8911756597E3513B7374DC6C5DA9D01FE103B5
3224a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\get-link[1].htmtext
MD5:45882C251C7E03EB42C449A846EA7D6C
SHA256:45B24EB31B46BC71A3DD046E3D8911756597E3513B7374DC6C5DA9D01FE103B5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
32
DNS requests
20
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1488
RUXIMICS.exe
GET
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
75.2.35.53:443
https://downloader.cyberlink.com/prog/util/downloader/update-info.jsp?TokenID=27A95FB3-3D5D-4177-B113-DDD330F7027D&PRODUCTNAME=YouCam&PRODUCTVERSION=10.0&VERSIONTYPE=Subscription&SR=YUC220317-02&VID=3.0.0.7710&LANGUAGE=ENU&platform=x64&Locale=USA&UUID=S-1-5-21-1693682860-607145093-2874071422-1001-74ACAE95-BA92-4139-92FD-E69F4CE3D61D&url=
unknown
GET
200
99.83.161.79:443
https://downloader.cyberlink.com/prog/util/downloader/update-status.jsp?TokenID=27A95FB3-3D5D-4177-B113-DDD330F7027D&status=Launch&detail_status=
unknown
GET
44.232.16.209:443
https://dna.cyberlink.com/dna/getconfig.jsp
unknown
3416
svchost.exe
GET
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3224
a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
GET
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAoI02AWNjePCn1k%2FQnkoTs%3D
unknown
whitelisted
GET
200
75.2.35.53:443
https://downloader.cyberlink.com/prog/util/downloader/get-link.jsp?PRODUCTNAME=YouCam&PRODUCTVERSION=10.0&VERSIONTYPE=Subscription&SR=YUC220317-02&VID=3.0.0.7710&LANGUAGE=ENU&platform=x64
unknown
GET
200
75.2.35.53:443
https://downloader.cyberlink.com/prog/util/downloader/get-link.jsp?PRODUCTNAME=YouCam&PRODUCTVERSION=10.0&VERSIONTYPE=Subscription&SR=YUC220317-02&VID=3.0.0.7710&LANGUAGE=ENU&platform=x64
unknown
3224
a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
GET
45.33.18.44:80
http://www.aieov.com/logo.gif
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3416
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1488
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:138
whitelisted
3224
a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
35.85.142.113:443
dna.cyberlink.com
AMAZON-02
US
whitelisted
3224
a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
99.83.161.79:443
downloader.cyberlink.com
AMAZON-02
US
whitelisted
1488
RUXIMICS.exe
184.24.77.30:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1488
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3224
a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
dna.cyberlink.com
  • 35.85.142.113
  • 35.82.193.44
  • 44.232.16.209
whitelisted
downloader.cyberlink.com
  • 99.83.161.79
  • 75.2.35.53
whitelisted
crl.microsoft.com
  • 184.24.77.30
  • 184.24.77.34
  • 184.24.77.11
  • 184.24.77.42
  • 184.24.77.14
  • 184.24.77.23
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
5isohu.com
whitelisted
www.aieov.com
  • 45.33.18.44
  • 45.33.23.183
  • 45.33.30.197
  • 45.56.79.23
  • 173.255.194.134
  • 72.14.185.43
  • 96.126.123.244
  • 45.79.19.196
  • 72.14.178.174
  • 45.33.2.79
  • 198.58.118.167
  • 45.33.20.235
malicious
crl3.digicert.com
  • 192.229.221.95
whitelisted

Threats

Found threats are available for the paid subscriptions
6 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
a4f9bc6d511e630a8629557f5b79ba9cd8fcd23bdc8786ee5ebe15d1f61a40fc