analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

BASE CAMP.exe

Full analysis: https://app.any.run/tasks/f1562b23-4f5d-43b9-8445-a22b22806517
Verdict: Malicious activity
Analysis date: November 17, 2019, 02:14:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B5912666E7FD752463368B9DA6B511B8

SHA1:

DC1CDA4FF2EC6801B32925309D0294B0EE31EC72

SHA256:

ADA5CDBB66CEF8FDFDD51396910EC110B15895619747D71BFE298676B9A9664F

SSDEEP:

24576:RDI2fWt3kkeXVix+8VQhcKAaBgEV0gI6zEaYtXac3MHjaAaYcs9v+:R6K+Kj8naMKc3t6Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • owbase.exe (PID: 2488)

  • SUSPICIOUS

    • Creates files in the user directory

      • BASE CAMP.exe (PID: 2660)

    • Executable content was dropped or overwritten

      • BASE CAMP.exe (PID: 2660)

  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (52.5)
.scr | Windows screen saver (22)
.dll | Win32 Dynamic Link Library (generic) (11)
.exe | Win32 Executable (generic) (7.5)
.exe | Generic Win/DOS Executable (3.3)

EXIF

EXE

ProductVersion: 1.1.30.01
ProductName: -
OriginalFileName: -
LegalCopyright: -
InternalName: -
FileVersion: 1.1.30.01
FileDescription: -
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 1.1.30.1
FileVersionNumber: 1.1.30.1
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0xcd04d
UninitializedDataSize: -
InitializedDataSize: 392192
CodeSize: 928256
LinkerVersion: 10
PEType: PE32
TimeStamp: 2019:11:01 11:25:23+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Nov-2019 10:25:23
Detected languages:
  • English - United States
FileDescription: -
FileVersion: 1.1.30.01
InternalName: -
LegalCopyright: -
OriginalFilename: -
ProductName: -
ProductVersion: 1.1.30.01

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 01-Nov-2019 10:25:23
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000E2936
0x000E2A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.6102
.rdata
0x000E4000
0x00030B56
0x00030C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.4033
.data
0x00115000
0x0000B998
0x00003C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.18819
.rsrc
0x00121000
0x0002B39C
0x0002B400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.74074

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.33598
1159
Latin 1 / Western European
English - United States
RT_MANIFEST
2
0.816182
67624
Latin 1 / Western European
English - United States
RT_ICON
3
1.07095
38056
Latin 1 / Western European
English - United States
RT_ICON
4
5.84157
1128
Latin 1 / Western European
English - United States
RT_ICON
5
5.3349
1128
Latin 1 / Western European
English - United States
RT_ICON
6
5.46964
1128
Latin 1 / Western European
English - United States
RT_ICON
7
4.56056
296
Latin 1 / Western European
English - United States
RT_ICON
8
1.1749
21640
Latin 1 / Western European
English - United States
RT_ICON
9
1.0277
16936
Latin 1 / Western European
English - United States
RT_ICON
10
1.32117
9640
Latin 1 / Western European
English - United States
RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
VERSION.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start base camp.exe owbase.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2660"C:\Users\admin\AppData\Local\Temp\BASE CAMP.exe" C:\Users\admin\AppData\Local\Temp\BASE CAMP.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.1.30.01
2488C:\Users\admin\AppData\Local\Temp\owbase.exeC:\Users\admin\AppData\Local\Temp\owbase.exeBASE CAMP.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Haf_TKGB
Exit code:
0
Version:
1.0.0.0
2532"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
440
Read events
407
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2660BASE CAMP.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@discordapp[1].txttext
MD5:160719A7BD127F1092FD0AB8C801C363
SHA256:DD2A437056ADB4A87B75F98AF4D07E0EC3A81D565C2C4950BDBBD1806C68D9A6
2660BASE CAMP.exeC:\Users\admin\AppData\Local\Temp\caap.exeexecutable
MD5:41A98267FA53ACD9C045A786EA916133
SHA256:8EBC6F2AF8FBFE6BA7B46A8964D7DBF834B93FBD780D837715CC34B59C5D2DAD
2660BASE CAMP.exeC:\Users\admin\AppData\Local\Temp\owbase.exeexecutable
MD5:B0EE0CE763162E77DD07B23A62EC4A72
SHA256:77B36956ACB525BAFE271A4B4664B0B8D31CE2774FDB675D853A4DBCE93DC4FD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2660
BASE CAMP.exe
162.159.130.233:443
cdn.discordapp.com
Cloudflare Inc
shared

DNS requests

Domain
IP
Reputation
cdn.discordapp.com
  • 162.159.130.233
  • 162.159.129.233
  • 162.159.134.233
  • 162.159.135.233
  • 162.159.133.233
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
BASE CAMP.exe