File name: Binancewalletsflashv1.0.zip

Full analysis: https://app.any.run/tasks/dad7c446-bb9c-4b45-9f12-d2d04af3a514
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed in phishing campaigns.

Analysis date: May 29, 2025, 20:24:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: arch-exec, svcstealer, stealer, auto-reg, auto, arch-doc, crypto-regex
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: DAD0E5C7284A389805E7BCE8C6D1DE55
SHA1: 1C36E7BE7754EDC2E7F85E2107D57EBD8E597FD3
SHA256: A56253D0DBEAAF082D64931A5F82A8344632B29502359AFC67AF37442FE3BE1F
SSDEEP: 98304:0Is02tFwZS1ODMOZVAfCiNfFForEapv7Zebj4Mt2KvEhLPiPGi1f5q1NT+gBhvm+:2RmFSSR

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been influenced by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7292)
    • SVCSTEALER has been found (auto)

      • Binance Flash.exe (PID: 7428)
    • SVCSTEALER mutex has been found

      • syxxbsxtccx.exe (PID: 7464)
      • syxxbsxtccx.exe (PID: 7752)
      • winsvc.exe (PID: 7780)
    • Changes the autorun value in the registry

      • syxxbsxtccx.exe (PID: 7464)
    • Actions look like stealing of personal data

      • sysxxcchceck.exe (PID: 7456)
    • Connects to the CnC server

      • sysxxcchceck.exe (PID: 7456)
    • SVCSTEALER has been detected (YARA)

      • sysxxcchceck.exe (PID: 7456)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Binance Flash.exe (PID: 7428)
      • syxxbsxtccx.exe (PID: 7464)
    • Process drops legitimate windows executable

      • Binance Flash.exe (PID: 7428)
      • syxxbsxtccx.exe (PID: 7464)
    • Reads security settings of Internet Explorer

      • syssxavvpcp.exe (PID: 7448)
      • sysxxcchceck.exe (PID: 7456)
    • Potential Corporate Privacy Violation

      • sysxxcchceck.exe (PID: 7456)
    • There is functionality for taking screenshot (YARA)

      • sysxxcchceck.exe (PID: 7456)
    • Connects to the server without a host name

      • syssxavvpcp.exe (PID: 7448)
      • sysxxcchceck.exe (PID: 7456)
    • Found regular expressions for crypto-addresses (YARA)

      • syxxbsxtccx.exe (PID: 7464)
  • INFO

    • Checks supported languages

      • Binance Flash.exe (PID: 7428)
      • syxxbsxtccx.exe (PID: 7464)
      • sysxxcchceck.exe (PID: 7456)
      • syssxavvpcp.exe (PID: 7448)
      • syxxbsxtccx.exe (PID: 7752)
      • winsvc.exe (PID: 7780)
    • Manual execution by a user

      • Binance Flash.exe (PID: 7428)
      • syxxbsxtccx.exe (PID: 7752)
      • winsvc.exe (PID: 7780)
      • notepad.exe (PID: 7848)
      • notepad.exe (PID: 7992)
      • notepad.exe (PID: 7948)
      • notepad.exe (PID: 8032)
      • rundll32.exe (PID: 8104)
    • The sample was compiled with English language support

      • Binance Flash.exe (PID: 7428)
      • syxxbsxtccx.exe (PID: 7464)
    • Creates files or folders in the user directory

      • Binance Flash.exe (PID: 7428)
      • sysxxcchceck.exe (PID: 7456)
    • Launch of the file from Registry key

      • syxxbsxtccx.exe (PID: 7464)
    • Reads the computer name

      • syssxavvpcp.exe (PID: 7448)
      • sysxxcchceck.exe (PID: 7456)
    • Creates files in the program directory

      • sysxxcchceck.exe (PID: 7456)
      • syxxbsxtccx.exe (PID: 7464)
    • Checks proxy server information

      • syssxavvpcp.exe (PID: 7448)
      • sysxxcchceck.exe (PID: 7456)
      • slui.exe (PID: 6192)
    • Creates files in a temporary directory

      • sysxxcchceck.exe (PID: 7456)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7992)
      • notepad.exe (PID: 7848)
      • notepad.exe (PID: 7948)
      • notepad.exe (PID: 8032)
      • rundll32.exe (PID: 8104)
    • Reads Microsoft Office registry keys

      • rundll32.exe (PID: 8104)
    • Reads the software policy settings

      • slui.exe (PID: 6192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
  ZipRequiredVersion: 20
  ZipBitFlag: -
  ZipCompression: Deflated
  ZipModifyDate: 2025:01:29 05:53:14
  ZipCRC: 0x40d5d245
  ZipCompressedSize: 772568
  ZipUncompressedSize: 1529344
  ZipFileName: Binance Flash.exe
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 13
Malicious processes: 5
Suspicious processes: 1

Behavior graph (process chain in the order shown by the sandbox; #SVCSTEALER marks processes tagged by the SvcStealer detection):
  • winrar.exe
  • binance flash.exe (#SVCSTEALER)
  • syssxavvpcp.exe
  • sysxxcchceck.exe (#SVCSTEALER)
  • syxxbsxtccx.exe (#SVCSTEALER)
  • syxxbsxtccx.exe (#SVCSTEALER)
  • winsvc.exe (#SVCSTEALER)
  • notepad.exe
  • notepad.exe
  • notepad.exe
  • notepad.exe
  • rundll32.exe
  • slui.exe

Process information

PID 6192: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll
PID 7292: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Binancewalletsflashv1.0.zip
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.91.0
  Modules (images):
    c:\program files\winrar\winrar.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
PID 7428: "C:\Users\admin\Desktop\Binance Flash.exe"
  Path: C:\Users\admin\Desktop\Binance Flash.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft
  Integrity Level: MEDIUM
  Description: Software
  Exit code: 0
  Version: 1.2.1.1
  Modules (images):
    c:\users\admin\desktop\binance flash.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\shell32.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
PID 7448: "C:\Users\admin\AppData\Roaming\syssxavvpcp.exe"
  Path: C:\Users\admin\AppData\Roaming\syssxavvpcp.exe
  Parent process: Binance Flash.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: System
  Version: 2.0.0.1
  Modules (images):
    c:\users\admin\appdata\roaming\syssxavvpcp.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
PID 7456: "C:\Users\admin\AppData\Roaming\sysxxcchceck.exe"
  Path: C:\Users\admin\AppData\Roaming\sysxxcchceck.exe
  Parent process: Binance Flash.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\appdata\roaming\sysxxcchceck.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll
PID 7464: "C:\Users\admin\AppData\Roaming\syxxbsxtccx.exe"
  Path: C:\Users\admin\AppData\Roaming\syxxbsxtccx.exe
  Parent process: Binance Flash.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: System
  Version: 6.0.0.1
  Modules (images):
    c:\users\admin\appdata\roaming\syxxbsxtccx.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll
PID 7752: C:\Users\admin\AppData\Roaming\syxxbsxtccx.exe
  Path: C:\Users\admin\AppData\Roaming\syxxbsxtccx.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: System
  Exit code: 0
  Version: 6.0.0.1
  Modules (images):
    c:\users\admin\appdata\roaming\syxxbsxtccx.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\advapi32.dll
    c:\windows\syswow64\msvcrt.dll
PID 7780: C:\ProgramData\Winsrv\winsvc.exe
  Path: C:\ProgramData\Winsrv\winsvc.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: System
  Exit code: 0
  Version: 6.0.0.1
  Modules (images):
    c:\programdata\winsrv\winsvc.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll
PID 7848: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Software_Info.txt
  Path: C:\Windows\System32\notepad.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Notepad
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\notepad.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\user32.dll
PID 7948: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\System_info.txt
  Path: C:\Windows\System32\notepad.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Notepad
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\notepad.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\user32.dll
Total events: 17 626
Read events: 17 576
Write events: 50
Delete events: 0

Modification events

  • PID 7456 (sysxxcchceck.exe)
    Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    Operation: write
    Name: CachePrefix
    Value:
  • PID 7456 (sysxxcchceck.exe)
    Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    Operation: write
    Name: CachePrefix
    Value: Cookie:
  • PID 7456 (sysxxcchceck.exe)
    Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    Operation: write
    Name: CachePrefix
    Value: Visited:
  • PID 7464 (syxxbsxtccx.exe)
    Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Operation: write
    Name: SystemHandler
    Value: C:\Users\admin\AppData\Roaming\syxxbsxtccx.exe
  • PID 7464 (syxxbsxtccx.exe)
    Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Operation: write
    Name: SystemHandler
    Value: C:\ProgramData\Winsrv\winsvc.exe
  • PID 7292 (WinRAR.exe)
    Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
    Operation: write
    Name: 3
    Value: C:\Users\admin\Desktop\preferences.zip
  • PID 7292 (WinRAR.exe)
    Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
    Operation: write
    Name: 2
    Value: C:\Users\admin\Desktop\chromium_ext.zip
  • PID 7292 (WinRAR.exe)
    Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
    Operation: write
    Name: 1
    Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
  • PID 7292 (WinRAR.exe)
    Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
    Operation: write
    Name: 0
    Value: C:\Users\admin\Desktop\Binancewalletsflashv1.0.zip
  • PID 7292 (WinRAR.exe)
    Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
    Operation: write
    Name: name
    Value: 120
Executable files: 4
Suspicious files: 1
Text files: 8
Unknown types: 2

Dropped files

  • PID 7456 (sysxxcchceck.exe): C:\ProgramData\6830FA554F652512029130\Browsers\Chrome_History.txt
    Type:
    MD5:
    SHA256:
  • PID 7456 (sysxxcchceck.exe): C:\ProgramData\6830FA554F652512029130\Browsers\Chrome_Downloads.txt
    Type:
    MD5:
    SHA256:
  • PID 7456 (sysxxcchceck.exe): C:\ProgramData\6830FA554F652512029130\Browsers\Edge_Downloads.txt
    Type:
    MD5:
    SHA256:
  • PID 7428 (Binance Flash.exe): C:\Users\admin\AppData\Roaming\sysxxcchceck.exe
    Type: executable
    MD5: 0535262FE0F5413494A58ACA9CE939B2
    SHA256: 0E545C02F20C83526F7F7F424F527E3FAA103017CFE046C1F3B7E4CCD842829B
  • PID 7456 (sysxxcchceck.exe): C:\ProgramData\6830FA554F652512029130\FTP Clients\FileZilla\filezilla.xml
    Type: xml
    MD5: 32F683306CE4FA78157113BB9EACB51D
    SHA256: 16283B36975456118FBAC2A0CB0AB466C2D26E2B396DD938CDF129F2D3224570
  • PID 7464 (syxxbsxtccx.exe): C:\ProgramData\Winsrv\winsvc.exe
    Type: executable
    MD5: 421082A69F2904A743664E58906B6504
    SHA256: 06E56563A4FAB2B78642CE7C5AB19C75C72B5F7E9BFB0E658E95579B75B3D2C2
  • PID 7428 (Binance Flash.exe): C:\Users\admin\AppData\Roaming\syxxbsxtccx.exe
    Type: executable
    MD5: 421082A69F2904A743664E58906B6504
    SHA256: 06E56563A4FAB2B78642CE7C5AB19C75C72B5F7E9BFB0E658E95579B75B3D2C2
  • PID 7456 (sysxxcchceck.exe): C:\ProgramData\6830FA554F652512029130\Screenshot.jpg
    Type: image
    MD5: 4A86DFA9547BF4642A217619460F1BAD
    SHA256: 5F7670E8BF20CCC4CC11BBB3E8BDE115792B0CD68E134B1BCAD5B08069F0ABBE
  • PID 7456 (sysxxcchceck.exe): C:\Users\admin\AppData\Local\Temp\History
    Type: sqlite
    MD5: FDDE63730E15DD2E18C540BA52B6A945
    SHA256: 40740EAABD14FC0E08D3B5EE340C1E1B372E158F61EF58AEED1EE4B3A3F4492E
  • PID 7428 (Binance Flash.exe): C:\Users\admin\AppData\Roaming\syssxavvpcp.exe
    Type: executable
    MD5: 8A7AF78CEE9B6487D1CEF5ABFD008B1B
    SHA256: 67CCDFA102CA31649309BF0639C6DE858383B2889A0FA86C31E3AC6B3457739C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 35
DNS requests: 5
Threats: 19

HTTP requests (columns left empty in the report are shown as -)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.29:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
7448 | syssxavvpcp.exe | GET | - | 176.113.115.149:80 | http://176.113.115.149/bin/bot64.bin | unknown | - | - | unknown
7448 | syssxavvpcp.exe | GET | - | 176.113.115.149:80 | http://176.113.115.149/bin/bot64.bin | unknown | - | - | unknown
7456 | sysxxcchceck.exe | POST | - | 185.81.68.156:80 | http://185.81.68.156/svcstealer/get.php | unknown | - | - | malicious
7456 | sysxxcchceck.exe | POST | - | 185.81.68.156:80 | http://185.81.68.156/svcstealer/get.php | unknown | - | - | malicious
7448 | syssxavvpcp.exe | GET | - | 176.113.115.149:80 | http://176.113.115.149/bin/bot64.bin | unknown | - | - | unknown
7456 | sysxxcchceck.exe | POST | - | 176.113.115.149:80 | http://176.113.115.149/svcstealer/get.php | unknown | - | - | unknown
7448 | syssxavvpcp.exe | GET | - | 176.113.115.149:80 | http://176.113.115.149/bin/bot64.bin | unknown | - | - | unknown
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections (columns left empty in the report are shown as -)

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 23.216.77.29:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7448 | syssxavvpcp.exe | 176.113.115.149:80 | - | Red Bytes LLC | RU | unknown
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7456 | sysxxcchceck.exe | 185.81.68.156:80 | - | Chang Way Technologies Co. Limited | RU | malicious
7456 | sysxxcchceck.exe | 176.113.115.149:80 | - | Red Bytes LLC | RU | unknown
7176 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.78 | whitelisted
crl.microsoft.com | 23.216.77.29, 23.216.77.20, 23.216.77.32, 23.216.77.27, 23.216.77.21, 23.216.77.22, 23.216.77.30, 23.216.77.25, 23.216.77.19 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
7448 | syssxavvpcp.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 33
7456 | sysxxcchceck.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7456 | sysxxcchceck.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 34
7456 | sysxxcchceck.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Sending Screenshot in Archive via POST Request
7456 | sysxxcchceck.exe | A Network Trojan was detected | ET MALWARE SvcStealer Data Exfiltration Attempt
7448 | syssxavvpcp.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
7448 | syssxavvpcp.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
7456 | sysxxcchceck.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7448 | syssxavvpcp.exe | Potentially Bad Traffic | ET HUNTING Generic .bin download from Dotted Quad
7456 | sysxxcchceck.exe | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
No debug info