analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da

Full analysis: https://app.any.run/tasks/376d13aa-920b-4e43-81a1-5b0bf98af161
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 11:34:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

E3B6811591CE0A9D7761A7ED4222D4F4

SHA1:

D0DF3313BEB1CF21A86BE4649350C31E4604B945

SHA256:

B91C2D9D8AE45D1DAD9F2F69F3A2E8A35E3ECAEE8DED8EE2FFA63DB0A4B128DA

SSDEEP:

98304:Lvbq+kjR7AwK0trK73z9iEGZ9vb8mlIy9YC6obwZeXUy71RFM32x3GIwETOcMu3y:Tbq+e7AwK0trK73z9iEGZ9vb8mlIy9Yp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe (PID: 980)

  • SUSPICIOUS

    • Reads Environment values

      • b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe (PID: 980)

    • Changes tracing settings of the file or console

      • b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe (PID: 980)

    • Changes IE settings (feature browser emulation)

      • b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe (PID: 980)

    • Executable content was dropped or overwritten

      • b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe (PID: 980)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: PDFEditor
OriginalFileName: PDFEditor.exe
LegalTrademarks: easyPlotDesk - PDFMagick
LegalCopyright: Copyright © Hakan Usakli 2011-2018
InternalName: PDFEditor.exe
FileVersion: 1.0.0.0
FileDescription: PDFEditor
CompanyName: -
Comments: High Performance Reprographics Software
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x5121fe
UninitializedDataSize: -
InitializedDataSize: 8704
CodeSize: 5309440
LinkerVersion: 11
PEType: PE32
TimeStamp: 2020:08:21 18:18:47+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 21-Aug-2020 16:18:47
Comments: High Performance Reprographics Software
CompanyName: -
FileDescription: PDFEditor
FileVersion: 1.0.0.0
InternalName: PDFEditor.exe
LegalCopyright: Copyright © Hakan Usakli 2011-2018
LegalTrademarks: easyPlotDesk - PDFMagick
OriginalFilename: PDFEditor.exe
ProductName: PDFEditor
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 21-Aug-2020 16:18:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x00510204
0x00510400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.65754
.rsrc
0x00514000
0x00001E88
0x00002000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.94759
.reloc
0x00516000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.0815394

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.94206
2259
UNKNOWN
UNKNOWN
RT_MANIFEST
32512
1.7815
20
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe

Process information

PID
CMD
Path
Indicators
Parent process
980"C:\Users\admin\AppData\Local\Temp\b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe" C:\Users\admin\AppData\Local\Temp\b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
PDFEditor
Version:
1.0.0.0
Total events
59
Read events
41
Write events
0
Delete events
0

Modification events

No data
Executable files
26
Suspicious files
0
Text files
29
Unknown types
0

Dropped files

PID
Process
Filename
Type
980b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exeC:\Users\admin\AppData\Local\Temp\error.logtext
MD5:CE52C9C433ECAF63C8CCA9165FA03304
SHA256:3C11586059C74A1B414D08CA5E7651A0C71A204287EA18C9EDC49D0CCA9806A5
980b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exeC:\Users\admin\AppData\Local\Temp\clcPDLpjl.dll.newexecutable
MD5:606BE9A1FCEAEB018537DE0EA5B8746A
SHA256:7B398FE543845955CFABD18CC87C89B3FCDD96C01E7DE9AB4CB6612F6C333458
980b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exeC:\Users\admin\AppData\Local\Temp\updater.battext
MD5:D41325CC91742649A1D0160B64E7ACB3
SHA256:191829DEC05AF0D03608995F03BAE7657FD34C67B1E2198B16950E44305BB972
980b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exeC:\Users\admin\AppData\Local\Temp\PDFEditor.exe.newexecutable
MD5:B743193062CC2E7FD8399FCF7B793FAE
SHA256:8B13CD9A5C0A2EA0E51D730C85C41943A41BA5D00177F4909887300A72E75691
980b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exeC:\Users\admin\AppData\Local\Temp\DragNDrop_VB.dll.newexecutable
MD5:425ECD7C10EAA18DA32014877CDB5274
SHA256:78F1B1F84E383BDE15DC35118B90E7A2242094F5128F3E2084142B228E6F7A99
980b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exeC:\Users\admin\AppData\Local\Temp\ImageTraverser.dll.newexecutable
MD5:7A3F374DC6172885492B106563D6B746
SHA256:42B1CB15552A0DE439A26EEA7330A7C1E04478525C8DA896E32ECC7BAF0FA06D
980b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exeC:\Users\admin\AppData\Local\Temp\clcCOMMON.dll.newexecutable
MD5:8B73CA8C623074F41748482BA11AA20D
SHA256:B279A99620FCE291FA163D1C15741DF33E8AEB4466A5FC12419A615CE2955621
980b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exeC:\Users\admin\AppData\Local\Temp\FreeImageNET.dll.newexecutable
MD5:7F94F3BB52C3CAD55216854B170D4A9E
SHA256:4CFEA469522E86653D5781B01FF9D86AD964457792E7014E73031493A00BF597
980b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exeC:\Users\admin\AppData\Local\Temp\Framework.Controls.ProgressBar.dll.newexecutable
MD5:5EB8ED56FB0FE610274314D3B616AB87
SHA256:0BABF0748969C7140FFC7F06A800AD08640D6C102E5BB9B84C6F38C2B86FA6B4
980b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exeC:\Users\admin\AppData\Local\Temp\AForge.Math.dll.newexecutable
MD5:C69973F674D9D113411D0FA2D1DBE222
SHA256:A4F24C9A46705C66FF7838C3A4C61759F5BA58EE8A5B061D05340C61D790C0B7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
5
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
GET
200
217.160.0.144:80
http://update.easyplotdesk.com/webupdate/clcPDLpjl.dll
DE
executable
76.5 Kb
malicious
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
GET
200
217.160.0.144:80
http://update.easyplotdesk.com/webupdate/ImageTraverser.dll
DE
executable
24.0 Kb
malicious
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
GET
200
217.160.0.144:80
http://update.easyplotdesk.com/webupdate/clcCOMMON.dll
DE
executable
53.5 Kb
malicious
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
GET
200
217.160.0.144:80
http://update.easyplotdesk.com/webupdate/FreeImageNET.dll
DE
executable
176 Kb
malicious
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
GET
200
217.160.0.144:80
http://update.easyplotdesk.com/webupdate/DragNDrop_VB.dll
DE
executable
32.0 Kb
malicious
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
GET
200
217.160.0.144:80
http://update.easyplotdesk.com/webupdate/FreeImage.dll
DE
executable
5.74 Mb
malicious
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
GET
200
217.160.0.144:80
http://update.easyplotdesk.com/webupdate/AForge.dll
DE
executable
17.5 Kb
malicious
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
GET
200
217.160.0.144:80
http://update.easyplotdesk.com/webupdate/HtmlAgilityPack.dll
DE
executable
131 Kb
malicious
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
GET
200
217.160.0.144:80
http://update.easyplotdesk.com/webupdate/Framework.Controls.ProgressBar.dll
DE
executable
24.0 Kb
malicious
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
GET
200
217.160.0.144:80
http://update.easyplotdesk.com/webupdate/master.txt
DE
text
3.08 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
217.160.0.144:80
update.easyplotdesk.com
1&1 Internet SE
DE
malicious

DNS requests

Domain
IP
Reputation
update.easyplotdesk.com
  • 217.160.0.144
malicious
gps.astleygilbert.com
  • 207.34.241.56
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
Executable code was detected
ET SHELLCODE Common 0a0a0a0a Heap Spray String
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
980
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
b91c2d9d8ae45d1dad9f2f69f3a2e8a35e3ecaee8ded8ee2ffa63db0a4b128da