File name:

decrypted_payload.bin

Full analysis: https://app.any.run/tasks/823e2fd5-176d-4172-ba32-6a37d047e4d9
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 04, 2024, 14:19:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
fakejami
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

7DE2A57083CB00AAC0BB0820537E2529

SHA1:

B299BB2A9493AFD3C885B3D8960CA0FE219E28BF

SHA256:

C10F8BA3A0C038E26479B8ED055AB5DF496DD9B82CEF11BF0E0E99230FD1E300

SSDEEP:

98304:bPjLUAurK7ktcpBR5U2wXWfMYBTEThE5iY8q1HIkMM+9zoHHBNuXsvmvmWU7qcwO:U2oIAM70ROVBIZ8QI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • decrypted_payload.bin.exe (PID: 3520)

    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 3708)

    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 3708)

  • SUSPICIOUS

    • Reads browser cookies

      • RegAsm.exe (PID: 3708)

    • Connects to unusual port

      • RegAsm.exe (PID: 3708)

  • INFO

    • Checks supported languages

      • decrypted_payload.bin.exe (PID: 3520)
      • RegAsm.exe (PID: 3708)

    • Reads the machine GUID from the registry

      • decrypted_payload.bin.exe (PID: 3520)

    • Reads the computer name

      • decrypted_payload.bin.exe (PID: 3520)
      • RegAsm.exe (PID: 3708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2082:11:17 14:12:39+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 7109120
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x7006
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 4.3.2.5
ProductVersionNumber: 4.3.2.5
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: penalty
CompanyName: glory
FileDescription: tape
FileVersion: 4.3.2.5
InternalName: LoadToBadXml.exe
LegalCopyright: good diesel © 2024
LegalTrademarks: goddess
OriginalFileName: LoadToBadXml.exe
ProductName: good
ProductVersion: 4.3.2.5
AssemblyVersion: 21.3.4.22
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start decrypted_payload.bin.exe no specs regasm.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3332"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3520"C:\Users\admin\AppData\Local\Temp\decrypted_payload.bin.exe" C:\Users\admin\AppData\Local\Temp\decrypted_payload.bin.exeexplorer.exe
User:
admin
Company:
glory
Integrity Level:
MEDIUM
Description:
tape
Version:
4.3.2.5
Modules
Images
c:\users\admin\appdata\local\temp\decrypted_payload.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3708C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
decrypted_payload.bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events
606
Read events
606
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
13
DNS requests
5
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
1372
svchost.exe
GET
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
1372
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2564
svchost.exe
239.255.255.250:3702
unknown
1372
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
1060
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
unknown
3708
RegAsm.exe
185.172.128.95:6666
OOO Nadym Svyaz Service
RU
unknown
3708
RegAsm.exe
185.172.128.95:6655
OOO Nadym Svyaz Service
RU
unknown
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1372
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
unknown
1372
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
unknown
ctldl.windowsupdate.com
  • 93.184.221.240
unknown
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
unknown
www.microsoft.com
  • 23.52.120.96
unknown

Threats

PID
Process
Class
Message
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 32
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
decrypted_payload.bin