analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

6C46E30CD737800F0ED1DDBCADFFE7C1.exe

Full analysis: https://app.any.run/tasks/e8705c7d-a2bf-4755-9e20-2bd67509b943
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: October 23, 2018, 01:53:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

6C46E30CD737800F0ED1DDBCADFFE7C1

SHA1:

27F1D19EC34C6855F1DB0FDB97AFF00112D280EB

SHA256:

C4316D58A152AE91439FD2412FAC27A5B683464460BB233CFA9502E261A10D53

SSDEEP:

6144:hc5oUUEvgMwaDKZlv1AMGql4pLoJkWH2BDokLqSawTuodtV+XbH3Ct:hcKUfvDAv1AMGGdJkWWBDnLYwTuodoS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • O3KXLAO2956549NC.exe (PID: 3592)

    • Connects to CnC server

      • O3KXLAO2956549NC.exe (PID: 3592)

    • Changes the autorun value in the registry

      • 6C46E30CD737800F0ED1DDBCADFFE7C1.exe (PID: 476)
      • O3KXLAO2956549NC.exe (PID: 3592)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 6C46E30CD737800F0ED1DDBCADFFE7C1.exe (PID: 476)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3824)

    • Application launched itself

      • iexplore.exe (PID: 3824)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2468)
      • iexplore.exe (PID: 1088)
      • iexplore.exe (PID: 3824)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2468)
      • iexplore.exe (PID: 1088)

    • Creates files in the user directory

      • iexplore.exe (PID: 2468)
      • iexplore.exe (PID: 1088)
      • iexplore.exe (PID: 3824)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3336)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3824)
      • iexplore.exe (PID: 2468)
      • iexplore.exe (PID: 1088)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 1088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x65001
UninitializedDataSize: -
InitializedDataSize: 262144
CodeSize: 24064
LinkerVersion: 6
PEType: PE32
TimeStamp: 2018:10:16 07:20:01+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Oct-2018 05:20:01
Detected languages:
  • Chinese - PRC

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 16-Oct-2018 05:20:01
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006000
0x00002E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.95056
.rdata
0x00007000
0x00001000
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.85041
.data
0x00008000
0x00039000
0x00027A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99804
0
0x00041000
0x0000F000
0x0000CE00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99615
1
0x00050000
0x0000E000
0x0000B000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99489
.rsrc
0x0005E000
0x00007000
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.14336
.aspack
0x00065000
0x00008000
0x00007800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.40336
.adata
0x0006D000
0x00001000
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.77792
357
UNKNOWN
Chinese - PRC
RT_MANIFEST
2
6.18261
7960
UNKNOWN
UNKNOWN
RT_ICON
3
6.12786
4264
UNKNOWN
UNKNOWN
RT_ICON
4
6.12434
2440
UNKNOWN
UNKNOWN
RT_ICON
5
6.02112
1128
UNKNOWN
UNKNOWN
RT_ICON
131
2.78815
76
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

advapi32.dll
iphlpapi.dll
kernEL32.dll
msvcrt.dll
user32.dll
ws2_32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start 6c46e30cd737800f0ed1ddbcadffe7c1.exe no specs 6c46e30cd737800f0ed1ddbcadffe7c1.exe o3kxlao2956549nc.exe iexplore.exe iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
684"C:\Users\admin\AppData\Local\Temp\6C46E30CD737800F0ED1DDBCADFFE7C1.exe" C:\Users\admin\AppData\Local\Temp\6C46E30CD737800F0ED1DDBCADFFE7C1.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
476"C:\Users\admin\AppData\Local\Temp\6C46E30CD737800F0ED1DDBCADFFE7C1.exe" C:\Users\admin\AppData\Local\Temp\6C46E30CD737800F0ED1DDBCADFFE7C1.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3592C:\Users\admin\AppData\Local\Temp\O3KXLAO2956549NC.exeC:\Users\admin\AppData\Local\Temp\O3KXLAO2956549NC.exe
6C46E30CD737800F0ED1DDBCADFFE7C1.exe
User:
admin
Integrity Level:
HIGH
3824"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2468"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3824 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1088"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3824 CREDAT:6406C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3336C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
990
Read events
845
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
1
Text files
355
Unknown types
24

Dropped files

PID
Process
Filename
Type
3824iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico
MD5:
SHA256:
3824iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2468iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\sp_main_v181017[1].pngimage
MD5:CF04753CD12DC5B715103E5DCEA2BB7F
SHA256:5A3852FE4983A0CE3E26B6D92F34C51816E678546428CA124AB6C5AC4EA0F5B9
4766C46E30CD737800F0ED1DDBCADFFE7C1.exeC:\Users\admin\AppData\Local\Temp\O3KXLAO2956549NC.exeexecutable
MD5:D47C61E0FD483888FCA3E00FC619C436
SHA256:1AC48B0BCB7D89A5E28294D16A972C591B4F93B738A6F6F97A5EEC8EA6B9D651
2468iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\sp_nav_v180627[1].pngimage
MD5:649A2B775A10EFB84E88CD19E6B04C3B
SHA256:B15BA8D63AE9868398026B20D7EC38906603136F9FC09891764D847856CE00C0
2468iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@naver[1].txttext
MD5:390EDEA68D98ACF1393133251EFB66F9
SHA256:CF6503E735295C8D85E846FF46AC3190A74EE5844D588D5ED65A6ECD36965B16
2468iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\webfont_v170623[1].csstext
MD5:70093F43E4B1B902A3F5FBC31F63026A
SHA256:611E82A4AD98D69C9F5B16B7CE019E1300ECC2EC180D3F73B62603032244A080
2468iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\nlog_v180615[1].jstext
MD5:3247F387A81F27AC9AB52384746BC02A
SHA256:66DB4644059526C93E675FB8BCEFA42A67C376D00480E28BBFE0AF56C9DC69D6
2468iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\api_atcmp_170914[1].csstext
MD5:D6DAE7FF4473D9954B68B08F0D7F2294
SHA256:030615E336A1F7A8FC193E2B2C841D1F6DDD9F1B160928E7512FE5A7E45DAFAC
2468iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\BBEBA99F3F922B4CD7AFE[1].txttext
MD5:2703D08B1C1331CECC823F15294DF527
SHA256:575D8ED89BF152F1EE17304C50CB82BCE15A708B0161503984CCED87041BA17C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
174
TCP/UDP connections
101
DNS requests
66
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3592
O3KXLAO2956549NC.exe
GET
200
45.197.141.195:80
http://www.naver.com.ver/
ZA
html
176 Kb
malicious
3592
O3KXLAO2956549NC.exe
GET
200
45.197.141.195:80
http://45.197.141.195/ca.php?m=4E5449744E5451744D4441744E454574515551744D54453D&h=437
ZA
text
7 b
malicious
3592
O3KXLAO2956549NC.exe
GET
200
45.197.141.195:80
http://www.naver.com.ver/js/layer.js
ZA
text
22.9 Kb
malicious
3592
O3KXLAO2956549NC.exe
GET
200
59.37.116.44:80
http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=1603836364
CN
text
125 b
malicious
3592
O3KXLAO2956549NC.exe
GET
200
45.197.141.195:80
http://www.naver.com.ver/js/skin/layer.css
ZA
text
12.8 Kb
malicious
3592
O3KXLAO2956549NC.exe
GET
200
45.197.141.195:80
http://www.naver.com.ver/js/jquery-1.9.1.min.js
ZA
text
90.4 Kb
malicious
3592
O3KXLAO2956549NC.exe
GET
200
45.197.141.195:80
http://www.naver.com.ver/favicon.ico
ZA
image
5.30 Kb
malicious
1088
iexplore.exe
GET
301
104.31.74.222:80
http://abuseipdb.com/
US
shared
3592
O3KXLAO2956549NC.exe
GET
200
45.197.141.195:80
http://www.naver.com.ver/img/pop.jpg
ZA
image
54.2 Kb
malicious
3592
O3KXLAO2956549NC.exe
GET
200
45.197.141.195:80
http://naver.com.ver/img/pop.jpg
ZA
image
54.2 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3824
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2468
iexplore.exe
203.104.163.21:80
lcs.naver.com
NBP
KR
unknown
3592
O3KXLAO2956549NC.exe
45.197.141.195:80
MacroLAN
ZA
malicious
2468
iexplore.exe
2.18.233.157:443
www.naver.com
Akamai International B.V.
whitelisted
2468
iexplore.exe
210.89.168.147:443
nv.veta.naver.com
NBP
KR
unknown
3592
O3KXLAO2956549NC.exe
59.37.116.44:80
China Telecom (Group)
CN
malicious
3592
O3KXLAO2956549NC.exe
8.8.8.8:53
Google Inc.
US
whitelisted
2468
iexplore.exe
2.18.233.171:443
pm.pstatic.net
Akamai International B.V.
whitelisted
1088
iexplore.exe
2.18.233.157:443
www.naver.com
Akamai International B.V.
whitelisted
2468
iexplore.exe
210.89.172.16:443
nv.veta.naver.com
NBP
KR
unknown

DNS requests

Domain
IP
Reputation
gms.ahnlab.com
  • 34.246.64.247
unknown
r.pengyou.com
  • 0.0.0.1
unknown
6to4.ipv6.microsoft.com
  • 192.88.99.1
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.naver.com
  • 2.18.233.157
whitelisted
pm.pstatic.net
  • 2.18.233.171
whitelisted
ssl.pstatic.net
  • 2.18.233.157
whitelisted
s.pstatic.net
  • 2.18.233.171
whitelisted
lcs.naver.com
  • 203.104.163.21
whitelisted
nv.veta.naver.com
  • 210.89.168.147
  • 210.89.172.16
whitelisted

Threats

PID
Process
Class
Message
3592
O3KXLAO2956549NC.exe
A Network Trojan was detected
ET TROJAN Blackmoon/Banbra Configuration Request M2
3592
O3KXLAO2956549NC.exe
Misc activity
POLICY [PTsecurity] QZone username request (possible Banbra Configuration)
3592
O3KXLAO2956549NC.exe
A Network Trojan was detected
MALWARE [PTsecurity] Blackmoon/Banbra Configuration Response
3592
O3KXLAO2956549NC.exe
A Network Trojan was detected
MALWARE [PTsecurity] Banker/Banbra Client Check-in
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
6C46E30CD737800F0ED1DDBCADFFE7C1.exe