| File name: | file.exe |
| Full analysis: | https://app.any.run/tasks/5997b6e2-6baf-49e6-bf72-62dc9ae604c2 |
| Verdict: | Malicious activity |
| Threats: | PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. |
| Analysis date: | September 12, 2024, 19:22:41 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | D27F0F74B4381FB585068B4AFDB81AFC |
| SHA1: | 59D8EFEA4A87A203F6941EFEF0700EDD95E2E38C |
| SHA256: | AA66C3988F3631925873757AE73AC5630508A43E2EEBE6C0502A4D3194DE8E41 |
| SSDEEP: | 98304:gJZ3CjZMIn0mJVT0rDVOu/0XSV+45Dn2K/X2VGaAHhsZ7VcxCpKKw7mzltfM9wKC:gWrumkS |
MALICIOUS
BERBEW mutex has been found
- RegAsm.exe (PID: 3276)
PRIVATELOADER has been detected (SURICATA)
- RegAsm.exe (PID: 3276)
Connects to the CnC server
- RegAsm.exe (PID: 3276)
SUSPICIOUS
Checks for external IP
- svchost.exe (PID: 2256)
- RegAsm.exe (PID: 3276)
INFO
Checks supported languages
- file.exe (PID: 7132)
- RegAsm.exe (PID: 3276)
Reads the machine GUID from the registry
- file.exe (PID: 7132)
- RegAsm.exe (PID: 3276)
Reads the computer name
- RegAsm.exe (PID: 3276)
- file.exe (PID: 7132)
Reads the software policy settings
- RegAsm.exe (PID: 3276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2062:07:19 11:37:51+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 80 |
| CodeSize: | 4441600 |
| InitializedDataSize: | 102400 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x43e4b2 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 7.3.8.2 |
| ProductVersionNumber: | 7.3.8.2 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | mLh3cFVcgv |
| CompanyName: | KdSNAFwUIem |
| FileDescription: | thesoft |
| FileVersion: | 7.3.8.2 |
| InternalName: | thesoft.exe |
| LegalCopyright: | aAAfIoSwCavpG |
| LegalTrademarks: | - |
| OriginalFileName: | thesoft.exe |
| ProductName: | gfgfgfg |
| ProductVersion: | 7.3.8.2 |
| AssemblyVersion: | 4.4.3.7 |
Total processes
123
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3276 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | file.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 7132 | "C:\Users\admin\Desktop\file.exe" | C:\Users\admin\Desktop\file.exe | — | explorer.exe | |||||||||||
User: admin Company: KdSNAFwUIem Integrity Level: MEDIUM Description: thesoft Exit code: 0 Version: 7.3.8.2 Modules
| |||||||||||||||
Total events
3 450
Read events
3 450
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
7
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6052 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6192 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3276 | RegAsm.exe | GET | 200 | 45.91.200.135:80 | http://45.91.200.135/api/crazyfish.php | unknown | — | — | malicious |
— | — | GET | 200 | 173.231.16.77:443 | https://api64.ipify.org/?format=json | unknown | binary | 48 b | — |
— | — | GET | 200 | 34.117.59.81:443 | https://ipinfo.io/widget/demo/2a00:23c4:6a93:bd01:9211:95ff:feef:2a34 | unknown | binary | 1010 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6052 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6192 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6052 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6192 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3276 | RegAsm.exe | 45.91.200.135:80 | — | Zomro B.V. | NL | malicious |
3276 | RegAsm.exe | 173.231.16.77:443 | api64.ipify.org | WEBNX | US | unknown |
3276 | RegAsm.exe | 34.117.59.81:443 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
api64.ipify.org |
| unknown |
ipinfo.io |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2256 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
3276 | RegAsm.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI |
3276 | RegAsm.exe | A Network Trojan was detected | ET MALWARE PrivateLoader CnC Activity (GET) |
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io) |
3276 | RegAsm.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
3276 | RegAsm.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io) |