File name: | aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed |
Full analysis: | https://app.any.run/tasks/680979ca-afe2-4a9a-b698-5bab235bbc1a |
Verdict: | Malicious activity |
Analysis date: | December 06, 2022, 03:54:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | B9981E80CA464B9F06E410A46188FF57 |
SHA1: | BA1E393FA269AF84CD24D18A359181752614BAFD |
SHA256: | AA5E0845CB5B10EC129F89D4024970E91DB250B220E184B4F3296F49B70CA9ED |
SSDEEP: | 6144:ZTz4g5mrLSfzkIiROcfR11nXRQhBPZR2obO2OdI85RsQXg2TYyuZ7mS0YMa:Z0nSriROcfR/XRo7xbtOdI85Rs0tYyuH |
Extension | Description (match %) |
---|---|
.dll | Win32 Dynamic Link Library (generic) (43.5) |
.exe | Win32 Executable (generic) (29.8) |
.exe | Generic Win/DOS Executable (13.2) |
.exe | DOS Executable Generic (13.2) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2011-Oct-18 19:02:55 |
Detected languages: | |
CompanyName: | Sun Microsystems, Inc. |
FileDescription: | |
FileVersion: | 6.0.60.2 |
Full Version: | 1.6.0_06-b02 |
InternalName: | |
LegalCopyright: | Copyright © 2004 |
OriginalFilename: | |
ProductName: | |
ProductVersion: | 6.0.60.2 |
e_magic: | MZ |
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | 0 |
e_cparhdr: | 4 |
e_minalloc: | 0 |
e_maxalloc: | 65535 |
e_ss: | 0 |
e_sp: | 184 |
e_csum: | 0 |
e_ip: | 0 |
e_cs: | 0 |
e_ovno: | 0 |
e_oemid: | 0 |
e_oeminfo: | 0 |
e_lfanew: | 192 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 26 |
TimeDateStamp: | 2011-Oct-18 19:02:55 |
PointerToSymbolTable: | 0 |
NumberOfSymbols: | 0 |
SizeOfOptionalHeader: | 224 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 9532 | 9728 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.13616 |
.rdata | 16384 | 4817 | 5120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.82838 |
.data | 24576 | 3008 | 2560 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.20483 |
.fhj5 | 28672 | 196 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.48671 |
.fhj50 | 32768 | 222 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.43236 |
.fhj51 | 36864 | 228 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.69088 |
.fhj52 | 40960 | 151423 | 151552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.71305 |
.fhj53 | 192512 | 151423 | 151552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.75318 |
.fhj54 | 344064 | 212 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.54667 |
.fhj55 | 348160 | 214 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.56642 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.34193 | 9640 | Latin 1 / Western European | Process Default Language | RT_ICON |
2 | 5.43858 | 4264 | Latin 1 / Western European | Process Default Language | RT_ICON |
3 | 5.85464 | 1128 | Latin 1 / Western European | Process Default Language | RT_ICON |
2 (#2) | 2.45849 | 48 | Latin 1 / Western European | Process Default Language | RT_GROUP_ICON |
1 (#2) | 3.25415 | 700 | Latin 1 / Western European | Process Default Language | RT_VERSION |
1 (#3) | 5.04894 | 360 | Latin 1 / Western European | Process Default Language | RT_MANIFEST |
ADVAPI32.dll |
GDI32.dll |
KERNEL32.dll |
MFC42u.DLL |
SHELL32.dll |
USER32.dll |
WINMM.dll |
msvcrt.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2056 | "C:\Users\admin\AppData\Local\Temp\aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe" | C:\Users\admin\AppData\Local\Temp\aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe | — | Explorer.EXE |
2964 | C:\PROGRA~2\IXn03qTukr.exe | C:\PROGRA~2\IXn03qTukr.exe | | aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe |

PID 2056: User: admin; Company: Sun Microsystems, Inc.; Integrity Level: MEDIUM; Exit code: 0; Version: 6.0.60.2
PID 2964: User: admin; Company: Sun Microsystems, Inc.; Integrity Level: MEDIUM; Version: 6.0.60.2
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(2964) IXn03qTukr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | |
(2964) IXn03qTukr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
(2964) IXn03qTukr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
(2964) IXn03qTukr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0 |
(2964) IXn03qTukr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | binary (hex dump on the next line) |
Value: 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(2964) IXn03qTukr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
(2964) IXn03qTukr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
(2964) IXn03qTukr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
(2964) IXn03qTukr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
(2964) IXn03qTukr.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | Use FormSuggest | Yes |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2964 | IXn03qTukr.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\Uninstall System Restore.lnk | lnk | E5DE74D1E7485693A782D4ACF7D0547E | 57E0CC394342262C2B4E513B8E31E22D86CBD0CD192D05F1165218EA2DFE3296 |
2964 | IXn03qTukr.exe | C:\PROGRA~2\IXn03qTukr | binary | 89D37084DDC9D1467A189FAE8AB5411A | 76FE9B9C3C1C504126C7CB003A4BDD8E94C42C65CFC0F2EA864D8DB0884242A9 |
2056 | aa5e0845cb5b10ec129f89d4024970e91db250b220e184b4f3296f49b70ca9ed.exe | C:\ProgramData\IXn03qTukr.exe | executable | B9981E80CA464B9F06E410A46188FF57 | AA5E0845CB5B10EC129F89D4024970E91DB250B220E184B4F3296F49B70CA9ED |
2964 | IXn03qTukr.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\System Restore.lnk | lnk | D6196F7A01469DC85588514555D95A29 | 7F89F37F0808386AAB50CFCA83F83597B4459B2EAA9066A66B77DBA092288F50 |
2964 | IXn03qTukr.exe | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Restore.lnk | lnk | 982C00877AA0F9F3AE97056A9465BB23 | 673C0CD545CAEF4623BF59F19448CD40BB7C35141A3806E08E86B494A3A7C711 |
2964 | IXn03qTukr.exe | C:\Users\admin\Desktop\System Restore.lnk | lnk | 51FE1E5F483CB01D1FE20981BB0D051F | 88B74B1F482887E4AE33437FA4E2705C732A085C30382BA6F06C9E6DB313983E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2964 | IXn03qTukr.exe | GET | 403 | 198.71.233.197:80 | http://bitgale.com/404.php?type=stats&affid=540&subid=01&version=8.0&installok | US | html | 199 b | malicious |
2964 | IXn03qTukr.exe | GET | — | 198.71.233.197:80 | http://bitgale.com/a-houston-ppc-agency-how-to-show-tangible-ppc-value-to-clients/ | US | — | — | malicious |
2964 | IXn03qTukr.exe | GET | 301 | 198.71.233.197:80 | http://bitgale.com/britix/a | US | html | 199 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2964 | IXn03qTukr.exe | 198.71.233.197:80 | bitgale.com | AS-26496-GO-DADDY-COM-LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
start-520186.com | | unknown |
open-994233.com | | unknown |
bitgale.com | | malicious |
wiki-722866.com | | unknown |
dearafford.com | | unknown |
catalogs-503872.com | | unknown |
PID | Process | Class | Message |
---|---|---|---|
2964 | IXn03qTukr.exe | A Network Trojan was detected | ET TROJAN Fake AV GET |
2964 | IXn03qTukr.exe | A Network Trojan was detected | ET TROJAN Trojan.Win32.A.FakeAV Reporting |
2964 | IXn03qTukr.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer) |
2964 | IXn03qTukr.exe | A Network Trojan was detected | ET TROJAN Jorik FakeAV GET |
2964 | IXn03qTukr.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer) |
2964 | IXn03qTukr.exe | Potentially Bad Traffic | ET USER_AGENTS User-Agent (Internet Explorer) |