Sample: phonerescue-ios-en-setup.exe

Full analysis: https://app.any.run/tasks/6aa2bce9-a59c-4085-a289-ed8b0e7f90b2
Verdict: Malicious activity
Analysis date: July 12, 2020, 15:27:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 3E4B41A1EC54784F7F43A3A465EEF06F
SHA1: 33D5D8FA7043458513782ABDEF30CBF561B358E5
SHA256: BED8C27C1CB153B0D9A532331598E09794B6A0F2E89C14B0C28C559020283D02
SSDEEP: 24576:izZT9XR+fJWMiierrCbhhS6IibT8la3fzU:il9X0J1herrCbhEYrQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • phonerescue-ios-en-setup.exe (PID: 3732)
      • PhoneRescue.exe (PID: 2068)
      • PhoneRescue.exe (PID: 576)
    • Application was dropped or rewritten from another process
      • PhoneRescue.exe (PID: 2068)
      • PhoneRescue.exe (PID: 576)
    • Changes settings of System certificates
      • PhoneRescue.exe (PID: 2068)
      • phonerescue-ios-en-setup.exe (PID: 3732)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • phonerescue-ios-en-setup.exe (PID: 3732)
    • Executable content was dropped or overwritten
      • phonerescue-ios-en-setup.exe (PID: 3732)
    • Creates a software uninstall entry
      • phonerescue-ios-en-setup.exe (PID: 3732)
    • Creates files in the user directory
      • PhoneRescue.exe (PID: 2068)
      • phonerescue-ios-en-setup.exe (PID: 3732)
    • Adds / modifies Windows certificates
      • PhoneRescue.exe (PID: 2068)
      • phonerescue-ios-en-setup.exe (PID: 3732)
    • Searches for installed software
      • PhoneRescue.exe (PID: 2068)
    • Creates files in the program directory
      • phonerescue-ios-en-setup.exe (PID: 3732)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • phonerescue-ios-en-setup.exe (PID: 3732)
    • Manual execution by user
      • PhoneRescue.exe (PID: 576)
    • Reads settings of System Certificates
      • phonerescue-ios-en-setup.exe (PID: 3732)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 14:19:38+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 26624
InitializedDataSize: 475136
UninitializedDataSize: 16896
EntryPoint: 0x3415
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.0
ProductVersionNumber: 4.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Japan (Shift - JIS X-0208)
CompanyName: iMobie Inc.
FileDescription: PhoneRescue
FileVersion: ${PRODUCT_VERSION}
InternalName: ${Name}
LegalCopyright: Copyright (C) iMobie Inc. All rights reserved
LegalTrademarks: iMobie Inc. All rights reserved
OriginalFileName: phonerescue_setup.exe
ProductName: PhoneRescue
ProductVersion: 4.0.0.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 10-Apr-2010 12:19:38
Detected languages:
  • English - United States
CompanyName: iMobie Inc.
FileDescription: PhoneRescue
FileVersion: ${PRODUCT_VERSION}
InternalName: ${Name}
LegalCopyright: Copyright (C) iMobie Inc. All rights reserved
LegalTrademarks: iMobie Inc. All rights reserved
OriginalFilename: phonerescue_setup.exe
ProductName: PhoneRescue
ProductVersion: 4.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 10-Apr-2010 12:19:38
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0000671C | 0x00006800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.50461
.rdata | 0x00008000 | 0x000019D6 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.02684
.data | 0x0000A000 | 0x0007139C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.73601
.ndata | 0x0007C000 | 0x00181000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x001FD000 | 0x0005D7A0 | 0x0005D800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.0434

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.21494 | 966 | UNKNOWN | English - United States | RT_MANIFEST
2 | 5.22283 | 67624 | UNKNOWN | English - United States | RT_ICON
3 | 5.59076 | 16936 | UNKNOWN | English - United States | RT_ICON
4 | 5.75137 | 9640 | UNKNOWN | English - United States | RT_ICON
5 | 6.06855 | 4264 | UNKNOWN | English - United States | RT_ICON
6 | 6.33174 | 1128 | UNKNOWN | English - United States | RT_ICON
7 | 0 | 296 | UNKNOWN | English - United States | RT_ICON
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG
103 | 2.51066 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
Total processes: 41
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Interactive graph, available in the full report. Nodes: phonerescue-ios-en-setup.exe (no specs), phonerescue-ios-en-setup.exe, phonerescue.exe (no specs), phonerescue.exe; edges: "drop and start", "start".]

Process information

PID: 1148
CMD: "C:\Users\admin\AppData\Local\Temp\phonerescue-ios-en-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\phonerescue-ios-en-setup.exe
Parent process: explorer.exe
User: admin
Company: iMobie Inc.
Integrity Level: MEDIUM
Description: PhoneRescue
Exit code: 3221226540
Version: ${PRODUCT_VERSION}

PID: 3732
CMD: "C:\Users\admin\AppData\Local\Temp\phonerescue-ios-en-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\phonerescue-ios-en-setup.exe
Parent process: explorer.exe
User: admin
Company: iMobie Inc.
Integrity Level: HIGH
Description: PhoneRescue
Exit code: 0
Version: ${PRODUCT_VERSION}

PID: 2068
CMD: "C:\Program Files\iMobie\PhoneRescue\PhoneRescue.exe"
Path: C:\Program Files\iMobie\PhoneRescue\PhoneRescue.exe
Parent process: phonerescue-ios-en-setup.exe
User: admin
Company: iMobie Inc.
Integrity Level: HIGH
Description: PhoneRescue
Version: 4.0.0.0

PID: 576
CMD: "C:\Program Files\iMobie\PhoneRescue\PhoneRescue.exe"
Path: C:\Program Files\iMobie\PhoneRescue\PhoneRescue.exe
Parent process: explorer.exe
User: admin
Company: iMobie Inc.
Integrity Level: MEDIUM
Description: PhoneRescue
Exit code: 0
Version: 4.0.0.0
Total events: 2 484
Read events: 887
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 66
Suspicious files: 12
Text files: 770
Unknown types: 14

Dropped files

PID | Process | Filename | Type
3732 | phonerescue-ios-en-setup.exe | C:\Users\admin\AppData\Local\Temp\nssD905.tmp\license.rtf | text
  MD5: 108A4F36CDADA81388C5E7B6653552DD
  SHA256: EDE43F3E23D7CB450B34B47BF9182E42271BEF512F3334B5D3B3E5B1A9ABBF51
3732 | phonerescue-ios-en-setup.exe | C:\Users\admin\AppData\Local\Temp\nssD905.tmp\bg2.bmp | image
  MD5: 19F31A2B56F90A29BBB7B1DB8FAAE9C4
  SHA256: 795D8C3122EBFB1B0CD5E5A167B4341752968B21C5B751A6CECBE1A1685C3019
3732 | phonerescue-ios-en-setup.exe | C:\Users\admin\AppData\Local\Temp\nssD905.tmp\check_customize.bmp | image
  MD5: C44C2829D9EDFDD30D49B35C532FDD9C
  SHA256: 1D98AF415704BC333E6649DE162DA5D887F7FC44B220AC247770AC91BD81682B
3732 | phonerescue-ios-en-setup.exe | C:\Users\admin\AppData\Local\Temp\nssD905.tmp\btn_browse.bmp | image
  MD5: 5E82662FC7CB4FAF023BD6456BFEE212
  SHA256: 4ED0BA0D14C8E96D1BB356C83972ECE60E22DBDF46375714334647014F01711B
3732 | phonerescue-ios-en-setup.exe | C:\Users\admin\AppData\Local\Temp\nssD905.tmp\bg1.bmp | image
  MD5: 7E2F86B620E1453BF3A1A4BA00DFC639
  SHA256: B65E06D62A8817AA5D40F732F466EBCB633EFC8582F8831C854D09D84999F4A2
3732 | phonerescue-ios-en-setup.exe | C:\Users\admin\AppData\Local\Temp\nssD905.tmp\uninstall.exe | executable
  MD5: FC35B2ED1DCE3B3CF347B940BC32D3B3
  SHA256: E319336151A1127BC9B7708F383C1478559EB6D6A89A243DE6E73C5D11BB8428
3732 | phonerescue-ios-en-setup.exe | C:\Users\admin\AppData\Local\Temp\nssD905.tmp\bg.bmp | image
  MD5: E1C379D28D86CFFAE118CD9B69F7776D
  SHA256: B9D4C97B6C1953E362F4F5B18664FCDD414AD82057AA78FC8949B4AF84405BCE
3732 | phonerescue-ios-en-setup.exe | C:\Users\admin\AppData\Local\Temp\nssD905.tmp\checkbox1.bmp | image
  MD5: 15A83073DDDF1D72978123DB3A7AAE90
  SHA256: AA34257121CEC1A37BB23D3BD36F03B8B83F46AE75B04F985BB8F94EB764AC32
3732 | phonerescue-ios-en-setup.exe | C:\Users\admin\AppData\Local\Temp\nssD905.tmp\btn_close.bmp | image
  MD5: 87B3E596866FA4C250F84AD17AE9A106
  SHA256: 24E3E5E393F16D878A7D527F27BD58B144F3227DC5D437D9D199F7FA0C530DCB
3732 | phonerescue-ios-en-setup.exe | C:\Users\admin\AppData\Local\Temp\nssD905.tmp\editboder.bmp | image
  MD5: 9502A71F00EA7140C3B035E1AE06EC5A
  SHA256: DD50EA9287E3B5EBD3EA02A9B6D04086227E7BF59672A760F45B3668369F6A2C
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3732 | phonerescue-ios-en-setup.exe | GET | 200 | 67.225.249.166:80 | http://dl.imobie.com/phonerescue-32.7z | US | compressed | 34.4 Mb | suspicious
3732 | phonerescue-ios-en-setup.exe | GET | 200 | 172.217.18.3:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
3732 | phonerescue-ios-en-setup.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEAar2mu0dHehCAAAAABH74o%3D | US | der | 471 b | whitelisted
3732 | phonerescue-ios-en-setup.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
3732 | phonerescue-ios-en-setup.exe | GET | 200 | 172.217.18.3:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEAar2mu0dHehCAAAAABH74o%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3732 | phonerescue-ios-en-setup.exe | 172.217.18.174:443 | www.google-analytics.com | Google Inc. | US | whitelisted
3732 | phonerescue-ios-en-setup.exe | 172.217.18.3:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3732 | phonerescue-ios-en-setup.exe | 172.217.16.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3732 | phonerescue-ios-en-setup.exe | 67.225.249.166:80 | dl.imobie.com | Liquid Web, L.L.C | US | suspicious

DNS requests

Domain | IP | Reputation
www.google-analytics.com | 172.217.18.174 | whitelisted
dl.imobie.com | 67.225.249.166 | suspicious
ocsp.pki.goog | 172.217.16.131, 172.217.18.3 | whitelisted

Threats

No threats detected
No debug info