File name:

MobaXterm_installer_23.6.msi

Full analysis: https://app.any.run/tasks/6a250d19-7ce4-4890-a96c-e5a8ea01780b
Verdict: Malicious activity
Analysis date: February 16, 2024, 00:28:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MobaXterm, Author: Mobatek, Keywords: Installer, Comments: This installer database contains the logic and data required to install MobaXterm., Template: Intel;1033, Revision Number: {C92C58DE-0ECF-4AE1-BEE3-4D16A1843DC3}, Create Time/Date: Wed Dec 20 22:15:34 2023, Last Saved Time/Date: Wed Dec 20 22:15:34 2023, Number of Pages: 100, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.0.5419.0), Security: 2
MD5:

DFBACD99F77AEA1AD45E443EBD871156

SHA1:

07C0E957E79CC0F73C4CC506DECC79FE9D6D3A08

SHA256:

A845C55F8C95D94996FB8584FA869CAE44A5D53A90B6347B333C259AB55FF8E1

SSDEEP:

98304:uMGEcc091JanZSfUb1QrsHJ0YV1k/WsOl0JldOCO+pARbTa1VTbpS9Ds1BlUXcs4:YSHC+yKubHqN/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3700)
      • MobaXterm.exe (PID: 2972)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3700)

    • Executes as Windows Service

      • VSSVC.exe (PID: 2036)

    • Executable content was dropped or overwritten

      • MobaXterm.exe (PID: 2972)

    • The process creates files with name similar to system file names

      • MobaXterm.exe (PID: 2972)

  • INFO

    • Reads the software policy settings

      • msiexec.exe (PID: 3700)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3700)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3700)

    • Create files in a temporary directory

      • msiexec.exe (PID: 3700)

    • Checks supported languages

      • MobaXterm.exe (PID: 2972)

    • Manual execution by a user

      • MobaXterm.exe (PID: 2972)

    • Reads the computer name

      • MobaXterm.exe (PID: 2972)

    • Reads product name

      • MobaXterm.exe (PID: 2972)

    • Creates files or folders in the user directory

      • MobaXterm.exe (PID: 2972)

    • Reads Environment values

      • MobaXterm.exe (PID: 2972)

    • Reads mouse settings

      • MobaXterm.exe (PID: 2972)

    • Reads the machine GUID from the registry

      • MobaXterm.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: MobaXterm
Author: Mobatek
Keywords: Installer
Comments: This installer database contains the logic and data required to install MobaXterm.
Template: Intel;1033
RevisionNumber: {C92C58DE-0ECF-4AE1-BEE3-4D16A1843DC3}
CreateDate: 2023:12:20 22:15:34
ModifyDate: 2023:12:20 22:15:34
Pages: 100
Words: 2
Software: Windows Installer XML (3.0.5419.0)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe vssvc.exe no specs mobaxterm.exe

Process information

PID
CMD
Path
Indicators
Parent process
2036C:\Windows\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2972"C:\Program Files\Mobatek\MobaXterm\MobaXterm.exe" C:\Program Files\Mobatek\MobaXterm\MobaXterm.exe
explorer.exe
User:
admin
Company:
Mobatek
Integrity Level:
MEDIUM
Description:
MobaXterm
Exit code:
0
Version:
23.6.0.5186
Modules
Images
c:\program files\mobatek\mobaxterm\mobaxterm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3700"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\MobaXterm_installer_23.6.msi"C:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
5 153
Read events
5 019
Write events
134
Delete events
0

Modification events

(PID) Process:(3700) msiexec.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2036) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000A00E602C6F60DA01F40700005C0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2036) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000A00E602C6F60DA01F40700001C0B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2036) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000A00E602C6F60DA01F407000018090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2036) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000A00E602C6F60DA01F4070000240B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2036) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4000000000000000FA70622C6F60DA01F40700001C0B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2036) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4000000000000000FA70622C6F60DA01F4070000240B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2036) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4000000000000000FA70622C6F60DA01F40700005C0F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2036) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Leave)
Value:
400000000000000054D3642C6F60DA01F407000018090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2036) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Operation:writeName:PROVIDER_BEGINPREPARE (Enter)
Value:
400000000000000016ECA12D6F60DA01F40700001809000001040000010000000000000000000000ABB4511EEDFA7A4F9C0D814A55181EDE0000000000000000
Executable files
64
Suspicious files
228
Text files
472
Unknown types
65

Dropped files

PID
Process
Filename
Type
2972MobaXterm.exeC:\Users\admin\AppData\Roaming\MobaXterm\slash\bin\MobAgent.exeexecutable
MD5:6AEA7D513C68625C303F8765977F9F43
SHA256:5BD1A648DCE053324C8624970A457825AFEDDDDD50A1E7D58F625827CDB79BF6
2972MobaXterm.exeC:\Users\admin\AppData\Roaming\MobaXterm\slash\bin\wsltermdbinary
MD5:B55D329D483143E56D12AC9BCD0F491D
SHA256:2DE2374D8A32DC4BDC3B4834C85A0310C4867B4207978B73DFFB0EDB99637D68
2972MobaXterm.exeC:\Users\admin\AppData\Roaming\MobaXterm\slash\bin\stgames.exeexecutable
MD5:BE1901210FD2620D852B5EAE7921FF9B
SHA256:2D3C0163F3803B7F2E9D2F681B788E75F74BF34D4F2B56A99F71A8F166494736
3700msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI1AB7.tmpexecutable
MD5:5EA7455A71A9B481D0D9402C4E4E19D7
SHA256:428C16FAD8A8190A6090FA940C2EF2D5C13168F721D958750A874FF8C13C5A85
2972MobaXterm.exeC:\Users\admin\AppData\Roaming\MobaXterm\slash\bin\MobaSCP.exeexecutable
MD5:19C4B90E36B3F0EFB1589E63D6A10190
SHA256:8B97501E15159ACEB1A3AD804AFB6921CFB6ED1BDD0EC44B2C989AF83C096F4F
2972MobaXterm.exeC:\Users\admin\AppData\Roaming\MobaXterm\slash\bin\MobaKeyGen.exeexecutable
MD5:1D7B16502599C8B5969E07113776F3EB
SHA256:49E007B88E21A5DB9438D648CC74F452685B44AE339ECFE20B23B5139BB372FF
2972MobaXterm.exeC:\Users\admin\AppData\Roaming\MobaXterm\slash\usr\share\img\base.gifimage
MD5:1F71B021E061A4948D69ADC4FF10CCAD
SHA256:FDC851CA6AD53AD1A2E64332962FCE7D9989BCE38B2EA538B35CBCD38C39B328
2972MobaXterm.exeC:\Users\admin\AppData\Roaming\MobaXterm\slash\bin\_TCPCapture.shtext
MD5:75B9899222605530903E5D145C5B75BD
SHA256:48F47C046CE9426706820549042270F3AC5BD835DDD1B18031F2469CEE95BC13
2972MobaXterm.exeC:\Users\admin\AppData\Roaming\MobaXterm\slash\bin\MobaRTE.exeexecutable
MD5:091CAB4B6658353E08072D8C683E815E
SHA256:010F15D8B3494DA85D60CD187D24960B06634D3B078C299B99CD831B47A4F771
2972MobaXterm.exeC:\Users\admin\AppData\Roaming\MobaXterm\slash\usr\share\dtree.csstext
MD5:1E861C5A4D2D49CCFBFC1A5AAA87E0DD
SHA256:1B89005E727CE5B6128E8F0E415CD8511D3CB871BFE8D2B16EE2A986E1B9C1C5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MobaXterm_installer_23.6.msi