analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Loader.exe

Full analysis: https://app.any.run/tasks/7c0f4999-7c90-4d93-a8b3-2ed7cc490319
Verdict: Malicious activity
Threats:

Predator, the Thief, is an information stealer, meaning that malware steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 15:42:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
predator
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

C92FB7F6F460432F3D53D44D38CB6440

SHA1:

5F0A7364C8438A1C71A4B03DF311B2CD657668E7

SHA256:

A7B74620595D7EE1418679FE6892CCA34487BF8B85C7FF2CB1E6FE7CD01F13CD

SSDEEP:

12288:S5393whFOBbROYKWQ/scxnW+woYNekrYjgGPOHRL36agihXGdbP:S53uhFqO9scxFwQbg0OHR76ajGpP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • bingo.exe (PID: 1800)
      • bingo.exe (PID: 1324)

    • Connects to CnC server

      • bingo.exe (PID: 1800)

    • PREDATOR was detected

      • bingo.exe (PID: 1800)

  • SUSPICIOUS

    • Application launched itself

      • bingo.exe (PID: 1324)

    • Creates files in the user directory

      • bingo.exe (PID: 1800)

    • Executable content was dropped or overwritten

      • Loader.exe (PID: 2564)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

ProductVersion: 1.7.0.3900
ProductName: 7-Zip SFX
PrivateBuild: April 1, 2016
OriginalFileName: 7ZSfxMod_x86.exe
LegalCopyright: Copyright © 2005-2016 Oleg N. Scherbakov
InternalName: 7ZSfxMod
FileVersion: 1.7.0.3900
FileDescription: 7z Setup SFX (x86)
CompanyName: Oleg N. Scherbakov
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: Private build
FileFlagsMask: 0x003f
ProductVersionNumber: 1.7.0.3900
FileVersionNumber: 1.7.0.3900
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1c35f
UninitializedDataSize: -
InitializedDataSize: 25600
CodeSize: 114176
LinkerVersion: 8
PEType: PE32
TimeStamp: 2016:04:03 00:14:34+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 02-Apr-2016 22:14:34
CompanyName: Oleg N. Scherbakov
FileDescription: 7z Setup SFX (x86)
FileVersion: 1.7.0.3900
InternalName: 7ZSfxMod
LegalCopyright: Copyright © 2005-2016 Oleg N. Scherbakov
OriginalFilename: 7ZSfxMod_x86.exe
PrivateBuild: April 1, 2016
ProductName: 7-Zip SFX
ProductVersion: 1.7.0.3900

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0060
Pages in file: 0x0001
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000060

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 02-Apr-2016 22:14:34
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001BD4A
0x0001BE00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.71053
.rdata
0x0001D000
0x000041A8
0x00004200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.74602
.data
0x00022000
0x00004C90
0x00000800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.69661
.rsrc
0x00027000
0x00001928
0x00001A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.38787

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.2117
777
Latin 1 / Western European
UNKNOWN
RT_MANIFEST
2
2.60602
744
Latin 1 / Western European
UNKNOWN
RT_ICON
3
2.63074
488
Latin 1 / Western European
UNKNOWN
RT_ICON
4
2.3817
296
Latin 1 / Western European
UNKNOWN
RT_ICON
54
5.03258
1128
Latin 1 / Western European
UNKNOWN
RT_ICON
101
2.0815
20
Latin 1 / Western European
UNKNOWN
RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start loader.exe bingo.exe no specs #PREDATOR bingo.exe

Process information

PID
CMD
Path
Indicators
Parent process
2564"C:\Users\admin\AppData\Local\Temp\Loader.exe" C:\Users\admin\AppData\Local\Temp\Loader.exe
explorer.exe
User:
admin
Company:
Oleg N. Scherbakov
Integrity Level:
MEDIUM
Description:
7z Setup SFX (x86)
Exit code:
0
Version:
1.7.0.3900
1324"C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bingo.exe" C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bingo.exeLoader.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1800"C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bingo.exe"C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bingo.exe
bingo.exe
User:
admin
Integrity Level:
MEDIUM
Total events
396
Read events
374
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1324bingo.exeC:\Users\admin\AppData\Local\Temp\bi.txt
MD5:
SHA256:
1800bingo.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txttext
MD5:F66A8AF7E3AD49ABC1EBAA45C310495D
SHA256:1B0085FFD975871EEC256D61F6FF352A8DF6F2A8324CA51634A8735340BD9C49
2564Loader.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bi.bmpimage
MD5:B7715EA2713CD888D505D9EED6EC195B
SHA256:2CA5098BA72B53D9EA2E0B454998FC736DF9291C0B958B01F0134F83C56BABB6
2564Loader.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bingo.exeexecutable
MD5:0B6DBFBBD5C6E9540FF215BD0E8BF9C0
SHA256:D9A6AA32ED97B2017957D83869B841F451D441076E7482F9E878FF371E51EE5E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1800
bingo.exe
POST
200
31.31.198.58:80
http://www.thepredstill.site/api/gate.get?p1=2&p2=5&p3=0&p4=2&p5=0&p6=0&p7=0&p8=1&p9=0
RU
text
276 b
malicious
1800
bingo.exe
POST
200
31.31.198.58:80
http://www.thepredstill.site/api/check.get
RU
text
276 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1800
bingo.exe
31.31.198.58:80
www.thepredstill.site
Domain names registrar REG.RU, Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
www.thepredstill.site
  • 31.31.198.58
malicious

Threats

PID
Process
Class
Message
1800
bingo.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Loader.exe