analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

00000.exe

Full analysis: https://app.any.run/tasks/28e12715-6765-4d79-b14e-579ee7edc9b5
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: January 23, 2019, 10:49:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
revcode
trojan
backdoor
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

059FFB48AEF0DE69CDF182895C6CE69B

SHA1:

FD303ABAA5DE824A5E23BFDE73E17D904D3670BB

SHA256:

BE535A8C325E4EEC17BBC63D813F715D2C8AF9FD23901135046FBC5C187AABB2

SSDEEP:

12288:EuhMDFL7alk0poG5hnDg375ROEehKyDzVbuYzJ:nMBL7alk0OGv01ROEeNDJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 00000.exe (PID: 3248)
    • REVCODE was detected

      • 00000.exe (PID: 3248)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • 00000.exe (PID: 3248)
    • Application launched itself

      • 00000.exe (PID: 3048)
    • Creates files in the user directory

      • 00000.exe (PID: 3248)
      • notepad++.exe (PID: 3380)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:01:18 06:29:34+01:00
PEType: PE32
LinkerVersion: 14.14
CodeSize: 2560
InitializedDataSize: 391168
UninitializedDataSize: -
EntryPoint: 0x16e0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.64.0.0
ProductVersionNumber: 0.64.0.0
FileFlagsMask: 0x000b
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
CompanyName: Simon Tatham
ProductName: PuTTY suite
FileDescription: SSH, Telnet and Rlogin client
InternalName: PuTTY
OriginalFileName: PuTTY
FileVersion: Release 0.64
ProductVersion: Release 0.64
LegalCopyright: Copyright © 1997-2015 Simon Tatham.

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Jan-2019 05:29:34
Detected languages:
  • English - United Kingdom
  • English - United States
CompanyName: Simon Tatham
ProductName: PuTTY suite
FileDescription: SSH, Telnet and Rlogin client
InternalName: PuTTY
OriginalFilename: PuTTY
FileVersion: Release 0.64
ProductVersion: Release 0.64
LegalCopyright: Copyright © 1997-2015 Simon Tatham.

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 18-Jan-2019 05:29:34
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00000818
0x00000A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.38083
.rdata
0x00002000
0x0000070C
0x00000800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.72255
.data
0x00003000
0x00001010
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00005000
0x0005EFD8
0x0005F000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.81277

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.84233
1236
Latin 1 / Western European
English - United States
RT_MANIFEST
2
7.46215
768
Latin 1 / Western European
UNKNOWN
RT_HTML
3
7.71043
768
Latin 1 / Western European
UNKNOWN
RT_HTML
4
7.74948
768
Latin 1 / Western European
UNKNOWN
RT_HTML
5
7.70086
768
Latin 1 / Western European
UNKNOWN
RT_HTML
6
7.72168
768
Latin 1 / Western European
UNKNOWN
RT_HTML
7
7.76409
768
Latin 1 / Western European
UNKNOWN
RT_HTML
8
7.71434
768
Latin 1 / Western European
UNKNOWN
RT_HTML
9
7.67499
768
Latin 1 / Western European
UNKNOWN
RT_HTML
10
7.72845
768
Latin 1 / Western European
UNKNOWN
RT_HTML

Imports

ADVAPI32.dll
KERNEL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 00000.exe no specs #REVCODE 00000.exe notepad++.exe gup.exe

Process information

PID
CMD
Path
Indicators
Parent process
3048"C:\Users\admin\Desktop\00000.exe" C:\Users\admin\Desktop\00000.exeexplorer.exe
User:
admin
Company:
Simon Tatham
Integrity Level:
MEDIUM
Description:
SSH, Telnet and Rlogin client
Exit code:
0
Version:
Release 0.64
3248"C:\Users\admin\Desktop\00000.exe"C:\Users\admin\Desktop\00000.exe
00000.exe
User:
admin
Company:
Simon Tatham
Integrity Level:
MEDIUM
Description:
SSH, Telnet and Rlogin client
Version:
Release 0.64
3380"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\d7bb0949.bin"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
636"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
Total events
697
Read events
105
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
9
Unknown types
1

Dropped files

PID
Process
Filename
Type
324800000.exeC:\Users\admin\Desktop\d7bb0949.binhtml
MD5:D3A94F2F4D95CFE97E11FEBF1348B88E
SHA256:7E52E68D6B5FF6403F7B353A86683E3EAAB8A7F1294113035B143B7E328B1977
3380notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\backup\d7bb0949.bin@2019-01-23_105434binary
MD5:C16654677A55247ECC401CD7B1E575E1
SHA256:6D0D883AE34882249CA350D0A0A007FF2EBE293538852FF0401558439C80143C
3380notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\session.xmltext
MD5:160406F1E05132BAC87AC883A1C8B009
SHA256:00CC6E32EBF2CCCD7CF4F23FFCE896566057831DE096238E8DAFD163B135142F
3380notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\config.xmlxml
MD5:90E16DBB702543A48ABDD5A47D68D3C0
SHA256:9A25D16AB95633A84A2C4FE02BB4D4D79E83F8EDACA7A38297CC971AA4F638D0
3380notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xmltext
MD5:AD21A64014891793DD9B21D835278F36
SHA256:C24699C9D00ABDD510140FE1B2ACE97BFC70D8B21BF3462DED85AFC4F73FE52F
3380notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\langs.xmlxml
MD5:E792264BEC29005B9044A435FBA185AB
SHA256:5298FD2F119C43D04F6CF831F379EC25B4156192278E40E458EC356F9B49D624
324800000.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.datdat
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
3380notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\stylers.xmlxml
MD5:44982E1D48434C0AB3E8277E322DD1E4
SHA256:3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C
3380notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.initext
MD5:F70F579156C93B097E656CABA577A5C9
SHA256:B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
49
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.106.80:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
unknown
der
471 b
whitelisted
GET
200
2.16.106.80:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D
unknown
der
727 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3248
00000.exe
185.86.149.172:53
sdns.se
Makonix SIA
SE
unknown
3248
00000.exe
82.199.134.156:443
obatools.wm01.to
AS33891 Netzbetrieb GmbH
CH
malicious
3248
00000.exe
114.114.114.114:53
Cogent Communications
CN
malicious
3248
00000.exe
1.2.4.8:53
China Internet Network Infomation Center
CN
malicious
636
gup.exe
37.59.28.236:443
notepad-plus-plus.org
OVH SAS
FR
whitelisted
2.16.106.80:80
ocsp.usertrust.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
obatools.wm01.to
  • 82.199.134.156
malicious
sdns.se
  • 185.86.149.172
malicious
71f19cec8fce0b5d6698a18e623fbd83.com
  • 82.199.134.156
malicious
notepad-plus-plus.org
  • 37.59.28.236
whitelisted
ocsp.usertrust.com
  • 2.16.106.80
  • 2.16.106.50
whitelisted

Threats

PID
Process
Class
Message
3248
00000.exe
A Network Trojan was detected
MALWARE [PTsecurity] RevCode RAT Cert
3248
00000.exe
A Network Trojan was detected
MALWARE [PTsecurity] RevCode RAT Cert
3248
00000.exe
A Network Trojan was detected
MALWARE [PTsecurity] RevCode RAT Cert
3248
00000.exe
A Network Trojan was detected
MALWARE [PTsecurity] RevCode RAT Cert
3248
00000.exe
A Network Trojan was detected
MALWARE [PTsecurity] RevCode RAT Cert
3248
00000.exe
A Network Trojan was detected
MALWARE [PTsecurity] RevCode RAT Cert
3248
00000.exe
A Network Trojan was detected
MALWARE [PTsecurity] RevCode RAT Cert
3248
00000.exe
A Network Trojan was detected
MALWARE [PTsecurity] RevCode RAT Cert
3248
00000.exe
A Network Trojan was detected
MALWARE [PTsecurity] RevCode RAT Cert
3248
00000.exe
A Network Trojan was detected
MALWARE [PTsecurity] RevCode RAT Cert
44 ETPRO signatures available at the full report
Process
Message
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093