File name:

file

Full analysis: https://app.any.run/tasks/79b7b119-a6f3-4bad-8e1d-394b3f1b32e8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 30, 2023, 04:25:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
opendir
socks5systemz
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

B49845866D2E9EDDA2F7D77A1DA07718

SHA1:

4F299C65AC4AC4AA7C8B15D96D6CB10B107FB143

SHA256:

B7CEDAA26031EAA3BD108ABB42E4A90738CA4606E7B305166B12A360F98CC251

SSDEEP:

12288:YJ0xUuI9BRg/FKgu/QRPgrPxs1qUrlLprC8OKetw5peVM4BNqJQ15WvUtEvlVCG4:Y0xUugeKgu/Q9As1PI8OHa3eCaNqy50Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • file.exe (PID: 2388)

    • Create files in the Startup directory

      • CasPol.exe (PID: 2880)

    • Drops the executable file immediately after the start

      • CasPol.exe (PID: 2880)
      • cNUT5VBzLU9fyBRkFUqSjP2q.exe (PID: 1408)
      • vLsaxhfNYAUE5yz6TmKg4viC.exe (PID: 3060)
      • NXYVXlz3xvzMfnvSFCun2w3O.exe (PID: 904)
      • NXYVXlz3xvzMfnvSFCun2w3O.tmp (PID: 2764)
      • NXYVXlz3xvzMfnvSFCun2w3O.exe (PID: 2492)
      • VolumeUTIL.exe (PID: 2268)

    • Uses Task Scheduler to run other applications

      • NXYVXlz3xvzMfnvSFCun2w3O.tmp (PID: 2764)

    • SOCKS5SYSTEMZ has been detected (YARA)

      • VolumeUTIL.exe (PID: 1476)

  • SUSPICIOUS

    • Reads the Internet Settings

      • file.exe (PID: 2388)
      • CasPol.exe (PID: 2880)
      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)

    • Starts POWERSHELL.EXE for commands execution

      • file.exe (PID: 2388)

    • Script adds exclusion path to Windows Defender

      • file.exe (PID: 2388)

    • Reads settings of System Certificates

      • CasPol.exe (PID: 2880)
      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)

    • Process requests binary or script from the Internet

      • CasPol.exe (PID: 2880)

    • Checks Windows Trust Settings

      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)

    • Reads security settings of Internet Explorer

      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)

    • Reads the Windows owner or organization settings

      • NXYVXlz3xvzMfnvSFCun2w3O.tmp (PID: 2764)

    • Process drops legitimate windows executable

      • NXYVXlz3xvzMfnvSFCun2w3O.tmp (PID: 2764)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)

    • Connects to the server without a host name

      • CasPol.exe (PID: 2880)

    • Connects to unusual port

      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)

  • INFO

    • Checks supported languages

      • file.exe (PID: 2388)
      • CasPol.exe (PID: 2880)
      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)
      • Broom.exe (PID: 1156)
      • NXYVXlz3xvzMfnvSFCun2w3O.tmp (PID: 2528)
      • vLsaxhfNYAUE5yz6TmKg4viC.exe (PID: 3060)
      • NXYVXlz3xvzMfnvSFCun2w3O.exe (PID: 904)
      • NXYVXlz3xvzMfnvSFCun2w3O.exe (PID: 2492)
      • NXYVXlz3xvzMfnvSFCun2w3O.tmp (PID: 2764)
      • ZuwV5vK3C9DmvWk9V4sV4NiQ.exe (PID: 1776)
      • VolumeUTIL.exe (PID: 2268)
      • cNUT5VBzLU9fyBRkFUqSjP2q.exe (PID: 1408)
      • VolumeUTIL.exe (PID: 1476)

    • Reads the computer name

      • file.exe (PID: 2388)
      • CasPol.exe (PID: 2880)
      • cNUT5VBzLU9fyBRkFUqSjP2q.exe (PID: 1408)
      • Broom.exe (PID: 1156)
      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)
      • NXYVXlz3xvzMfnvSFCun2w3O.tmp (PID: 2528)
      • NXYVXlz3xvzMfnvSFCun2w3O.tmp (PID: 2764)
      • VolumeUTIL.exe (PID: 2268)
      • ZuwV5vK3C9DmvWk9V4sV4NiQ.exe (PID: 1776)

    • Reads the machine GUID from the registry

      • file.exe (PID: 2388)
      • CasPol.exe (PID: 2880)
      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)
      • ZuwV5vK3C9DmvWk9V4sV4NiQ.exe (PID: 1776)

    • Creates files or folders in the user directory

      • CasPol.exe (PID: 2880)
      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)

    • Reads Environment values

      • CasPol.exe (PID: 2880)
      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)

    • Create files in a temporary directory

      • vLsaxhfNYAUE5yz6TmKg4viC.exe (PID: 3060)
      • cNUT5VBzLU9fyBRkFUqSjP2q.exe (PID: 1408)
      • NXYVXlz3xvzMfnvSFCun2w3O.exe (PID: 904)
      • NXYVXlz3xvzMfnvSFCun2w3O.exe (PID: 2492)
      • NXYVXlz3xvzMfnvSFCun2w3O.tmp (PID: 2764)
      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)
      • VolumeUTIL.exe (PID: 2268)

    • Checks proxy server information

      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)

    • Creates files in the program directory

      • NXYVXlz3xvzMfnvSFCun2w3O.tmp (PID: 2764)
      • VolumeUTIL.exe (PID: 2268)
      • VolumeUTIL.exe (PID: 1476)

    • Reads product name

      • qEgDjUUTBqwPWqqlVJuylBr0.exe (PID: 2620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2104:06:07 15:09:39+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 535011
InitializedDataSize: 1458
UninitializedDataSize: -
EntryPoint: 0x849dd
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: pk1304new
FileVersion: 1.0.0.0
InternalName: pk1304new.exe
LegalCopyright: Copyright © 2021
LegalTrademarks: -
OriginalFileName: pk1304new.exe
ProductName: pk1304new
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
18
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start file.exe no specs powershell.exe no specs caspol.exe qegdjuutbqwpwqqlvjuylbr0.exe cnut5vbzlu9fybrkfuqsjp2q.exe no specs cnut5vbzlu9fybrkfuqsjp2q.exe broom.exe no specs vlsaxhfnyaue5yz6tmkg4vic.exe no specs nxyvxlz3xvzmfnvsfcun2w3o.exe no specs nxyvxlz3xvzmfnvsfcun2w3o.tmp no specs nxyvxlz3xvzmfnvsfcun2w3o.exe nxyvxlz3xvzmfnvsfcun2w3o.tmp no specs zuwv5vk3c9dmvwk9v4sv4niq.exe no specs schtasks.exe no specs volumeutil.exe no specs net.exe no specs #SOCKS5SYSTEMZ volumeutil.exe no specs net1.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
392C:\Windows\system32\net1 helpmsg 29C:\Windows\SysWOW64\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
688"C:\Windows\system32\net.exe" helpmsg 29C:\Windows\SysWOW64\net.exeNXYVXlz3xvzMfnvSFCun2w3O.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
904"C:\Users\admin\Pictures\NXYVXlz3xvzMfnvSFCun2w3O.exe" C:\Users\admin\Pictures\NXYVXlz3xvzMfnvSFCun2w3O.exeCasPol.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
VolumeUTIL Setup
Exit code:
0
Version:
1156C:\Users\admin\AppData\Local\Temp\Broom.exeC:\Users\admin\AppData\Local\Temp\Broom.execNUT5VBzLU9fyBRkFUqSjP2q.exe
User:
admin
Integrity Level:
HIGH
Description:
Broom
Exit code:
0
Version:
1.0.0.0
1200"C:\Users\admin\Pictures\cNUT5VBzLU9fyBRkFUqSjP2q.exe" C:\Users\admin\Pictures\cNUT5VBzLU9fyBRkFUqSjP2q.exeCasPol.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Cleaner installer
Exit code:
3221226540
Version:
1.0.0.0
1408"C:\Users\admin\Pictures\cNUT5VBzLU9fyBRkFUqSjP2q.exe" C:\Users\admin\Pictures\cNUT5VBzLU9fyBRkFUqSjP2q.exe
CasPol.exe
User:
admin
Integrity Level:
HIGH
Description:
Cleaner installer
Exit code:
0
Version:
1.0.0.0
1476"C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe" -sC:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe
NXYVXlz3xvzMfnvSFCun2w3O.tmp
User:
admin
Company:
VolumeSYNCH
Integrity Level:
HIGH
Description:
Volume² - advanced Windows volume control
Exit code:
0
Version:
1.1.7.446
1776"C:\Users\admin\Pictures\ZuwV5vK3C9DmvWk9V4sV4NiQ.exe" C:\Users\admin\Pictures\ZuwV5vK3C9DmvWk9V4sV4NiQ.exeCasPol.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2100"C:\Windows\system32\schtasks.exe" /QueryC:\Windows\SysWOW64\schtasks.exeNXYVXlz3xvzMfnvSFCun2w3O.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2268"C:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exe" -iC:\Program Files (x86)\Common Files\VolumeUTIL\VolumeUTIL.exeNXYVXlz3xvzMfnvSFCun2w3O.tmp
User:
admin
Company:
VolumeSYNCH
Integrity Level:
HIGH
Description:
Volume² - advanced Windows volume control
Exit code:
0
Version:
1.1.7.446
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
38
Suspicious files
17
Text files
19
Unknown types
0

Dropped files

PID
Process
Filename
Type
2880CasPol.exeC:\Users\admin\AppData\Local\1CrdJXY59EwyazRRqt6aLhBB.exeexecutable
MD5:02B052275B009EFEA9452577CF7F79E0
SHA256:34DF098B3524B3389B6F9333D0BD74C414F9BD9B00A5B11BACCAE171ADBE066C
2880CasPol.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gyv6jaQpXp9ajWLGvakOofsp.battext
MD5:1F62C17835D12E0FE5D82C9331AB3770
SHA256:CFAFC20DB15BB072284648774252453026B2D18F412ACA2EFEEE2BF41759751F
1408cNUT5VBzLU9fyBRkFUqSjP2q.exeC:\Users\admin\AppData\Local\Temp\Broom.exeexecutable
MD5:00E93456AA5BCF9F60F84B0C0760A212
SHA256:FF3025F9CF19323C5972D14F00F01296D6D7A71547ECA7E4016BFD0E1F27B504
2880CasPol.exeC:\Users\admin\AppData\Local\hIYdq3nY8D0fKqifjJbVLTtY.exeexecutable
MD5:7CB9B0E029B0BD0D0D15204016DA8276
SHA256:8F816E27332D8D0D72BA4FB6A41B7B49B03CA0A9A6445575972FC36AEC956E64
2880CasPol.exeC:\Users\admin\AppData\Local\DJu8H45WpIBK2pCtR4P3CZZ9.exehtml
MD5:5B423612B36CDE7F2745455C5DD82577
SHA256:E0840D2EA74A00DCC545D770B91D9D889E5A82C7BEDF1B989E0A89DB04685B09
2404powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:43918519A128CF5B4E2106F4FEA28388
SHA256:699DCBD619A665C7C059C8954C906139B0E018975E97BB5B73EE3AD64A2A73A0
2404powershell.exeC:\Users\admin\AppData\Local\Temp\zwvp5zsj.lff.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2880CasPol.exeC:\Users\admin\Pictures\qEgDjUUTBqwPWqqlVJuylBr0.exeexecutable
MD5:02B052275B009EFEA9452577CF7F79E0
SHA256:34DF098B3524B3389B6F9333D0BD74C414F9BD9B00A5B11BACCAE171ADBE066C
2880CasPol.exeC:\Users\admin\AppData\Local\sIHmzLUAGFzi3i3j2Vqy427w.exeexecutable
MD5:EDB1C0127FF571A5FDF1FC391377D7B5
SHA256:4DF024B55828B1614430476702B416D108D9A12B36AD1C9B2C88E1F9EEFC16C0
2880CasPol.exeC:\Users\admin\Pictures\vLsaxhfNYAUE5yz6TmKg4viC.exeexecutable
MD5:7CB9B0E029B0BD0D0D15204016DA8276
SHA256:8F816E27332D8D0D72BA4FB6A41B7B49B03CA0A9A6445575972FC36AEC956E64
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
24
DNS requests
11
Threats
26

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2880
CasPol.exe
GET
91.92.241.91:80
http://91.92.241.91/files/My2.exe
unknown
unknown
2880
CasPol.exe
GET
91.92.241.91:80
http://91.92.241.91/files/InstallSetup24.exe
unknown
unknown
2880
CasPol.exe
GET
301
185.26.182.111:80
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
unknown
html
162 b
unknown
2880
CasPol.exe
GET
188.114.96.3:80
http://stim.graspalace.com/order/tuc4.exe
unknown
unknown
2620
qEgDjUUTBqwPWqqlVJuylBr0.exe
GET
200
23.53.40.35:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?50342ea270e371d5
unknown
compressed
65.2 Kb
unknown
2880
CasPol.exe
GET
301
188.114.96.3:80
http://gobo30cl.top/build.exe
unknown
unknown
2880
CasPol.exe
GET
404
91.92.241.91:80
http://91.92.241.91/files/wsclient-installer-1.25.win.03.exe
unknown
html
298 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1956
svchost.exe
239.255.255.250:1900
whitelisted
324
svchost.exe
224.0.0.252:5355
unknown
2880
CasPol.exe
104.20.68.143:443
pastebin.com
CLOUDFLARENET
unknown
2880
CasPol.exe
91.92.241.91:80
Natskovi & Sie Ltd.
BG
unknown
2880
CasPol.exe
188.114.96.3:80
gobo30cl.top
CLOUDFLARENET
NL
unknown
2880
CasPol.exe
172.67.216.81:443
flyawayaero.net
CLOUDFLARENET
US
unknown
2880
CasPol.exe
104.21.12.138:443
iplogger.com
CLOUDFLARENET
unknown
2880
CasPol.exe
188.114.96.3:443
gobo30cl.top
CLOUDFLARENET
NL
unknown

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.20.68.143
  • 172.67.34.170
  • 104.20.67.143
shared
gobo30cl.top
  • 188.114.96.3
  • 188.114.97.3
malicious
stim.graspalace.com
  • 188.114.96.3
  • 188.114.97.3
malicious
flyawayaero.net
  • 172.67.216.81
  • 104.21.93.225
unknown
net.geo.opera.com
  • 185.26.182.111
  • 185.26.182.112
whitelisted
redirector.pm
  • 194.49.94.85
malicious
iplogger.com
  • 104.21.12.138
  • 172.67.194.188
shared
yip.su
  • 188.114.96.3
  • 188.114.97.3
whitelisted
potatogoose.com
  • 104.21.35.235
  • 172.67.180.173
unknown
t.me
  • 149.154.167.99
whitelisted

Threats

PID
Process
Class
Message
324
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
324
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
324
svchost.exe
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
2880
CasPol.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
2880
CasPol.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .exe file with no User-Agent
2880
CasPol.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
2880
CasPol.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2880
CasPol.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2880
CasPol.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2880
CasPol.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .exe file with no User-Agent
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
file