analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ExLoader.exe

Full analysis: https://app.any.run/tasks/e5d8a5c5-f2cd-45da-9984-ab3a8e99fe48
Verdict: Malicious activity
Analysis date: November 16, 2019, 16:58:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

BAD6C58357030E51773E5F82CB0016E9

SHA1:

9AC18D7F31D765DCA2E7C91A48F8DE6C8DEF8873

SHA256:

C70B9C8787B60DAA2615BB21D8596594EB6225323FA06B9E3E2CB18A3DBADEC5

SSDEEP:

98304:OjTmsKgEUDzvEU6CNwhFjTBrHJWGs2NyqeoNE/7SRYYGZ8OC0sLPchA9RpE65QY:2EGTEUdNwhdTVHJack+G8v0qEq9sJY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 1932)
      • javaw.exe (PID: 3028)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 3776)
      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 2280)
    • Creates files in the user directory

      • javaw.exe (PID: 1932)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 2520)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 2880)
    • Executes JAVA applets

      • ExLoader.exe (PID: 2004)
      • ExLoader.exe (PID: 2368)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 3776)
    • Creates files in the program directory

      • javaw.exe (PID: 3028)
  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:10:19 17:25:35+02:00
PEType: PE32
LinkerVersion: 2.22
CodeSize: 25088
InitializedDataSize: 115712
UninitializedDataSize: 36864
EntryPoint: 0x1290
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Oct-2019 15:25:35
Detected languages:
  • Process Default Language

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 19-Oct-2019 15:25:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006080
0x00006200
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.98243
.data
0x00008000
0x00000040
0x00000200
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.163808
.rdata
0x00009000
0x00000510
0x00000600
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.01355
.bss
0x0000A000
0x00008E30
0x00000000
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x00013000
0x00000AA8
0x00000C00
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.65264
.rsrc
0x00014000
0x0001AEF4
0x0001B000
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.96386

Resources

Title
Entropy
Size
Codepage
Language
Type
1
2.77685
90
UNKNOWN
Process Default Language
RT_GROUP_ICON
2
2.25163
6
UNKNOWN
Process Default Language
RT_RCDATA
3
2.19423
16936
UNKNOWN
Process Default Language
RT_ICON
4
2.35356
9640
UNKNOWN
Process Default Language
RT_ICON
5
2.51532
4264
UNKNOWN
Process Default Language
RT_ICON
6
2.95345
1128
UNKNOWN
Process Default Language
RT_ICON
8
1
2
UNKNOWN
Process Default Language
RT_RCDATA
12
4.0958
22
UNKNOWN
Process Default Language
RT_RCDATA
15
4.21782
41
UNKNOWN
Process Default Language
RT_RCDATA
16
2.58496
6
UNKNOWN
Process Default Language
RT_RCDATA

Imports

ADVAPI32.DLL
KERNEL32.dll
SHELL32.DLL
USER32.dll
msvcrt.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
19
Malicious processes
2
Suspicious processes
4

Behavior graph

Click at the process to see the details
start exloader.exe no specs javaw.exe no specs cmd.exe no specs chcp.com no specs reg.exe no specs cmd.exe no specs chcp.com no specs reg.exe no specs cmd.exe no specs chcp.com no specs mshta.exe no specs exloader.exe javaw.exe cmd.exe no specs chcp.com no specs reg.exe no specs cmd.exe no specs chcp.com no specs reg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2004"C:\Users\admin\AppData\Local\Temp\ExLoader.exe" C:\Users\admin\AppData\Local\Temp\ExLoader.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1932"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\admin\AppData\Local\Temp\ExLoader.exe" org.develnext.jphp.ext.javafx.FXLauncherC:\Program Files\Java\jre1.8.0_92\bin\javaw.exeExLoader.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
1816C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp 65001>nul & reg query "HKU\S-1-5-19""C:\Windows\System32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2120C:\Windows\System32\chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3836reg query "HKU\S-1-5-19"C:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2520C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp 65001>nul & reg query "HKU\S-1-5-19""C:\Windows\System32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2196C:\Windows\System32\chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
884reg query "HKU\S-1-5-19"C:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3776C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp 65001>nul & C:\Windows\System32\mshta.exe vbscript:Execute("CreateObject(""Shell.Application"").ShellExecute(""C:/Users/admin/AppData/Local/Temp/ExLoader.exe"", """", """", ""runas"", 1)(window.close)")"C:\Windows\System32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1012C:\Windows\System32\chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
471
Read events
465
Write events
6
Delete events
0

Modification events

(PID) Process:(1932) javaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
javaw.exe
(PID) Process:(788) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(788) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3028) javaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
javaw.exe
Executable files
0
Suspicious files
0
Text files
4
Unknown types
4

Dropped files

PID
Process
Filename
Type
3028javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:ACB4CCD343A19C9A1913A33958D923BA
SHA256:37DB6CF3993C2C09CC6333123619CE1E2E7F4AEAC366BB9990A1B12A81012979
1932javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:BE0F77B482AA1FC92FAB8802D0760DF7
SHA256:4D15D54B64A79F54EC666521208194F3706707AF9B6291247EAFED5F997FE187
3028javaw.exeC:\ProgramData\ExLoader\config.jsontext
MD5:88D53F7C670647997DFD34BA13B945BF
SHA256:FB5002326970A67D0885C9B9B3C002A6026B0980066637022C0561F96CFEB04C
1932javaw.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:C8366AE350E7019AEFC9D1E6E6A498C6
SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
788mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\error[1]html
MD5:16AA7C3BEBF9C1B84C9EE07666E3207F
SHA256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
3028javaw.exeC:\Users\admin\AppData\Local\Temp\+JXF1355351942427062134.tmpttf
MD5:C88CECBFFAD6D8E731FD95DE49561EBD
SHA256:BAB583D38D105DAC9141B287FB2B7763B6D8B0BAE97E745FAACCEDB40A579C29
3028javaw.exeC:\Users\admin\AppData\Local\Temp\+JXF7063876538453843275.tmpttf
MD5:A98626E1AEF6CEBA5DFC1EE7112E235A
SHA256:92B3D3C6E135EB1DC95F88E6CA75BD6113D9EB3261A95CA39F733E3897E53675
3028javaw.exeC:\Users\admin\AppData\Local\Temp\+JXF6412109723356646518.tmpttf
MD5:9BC77C3BCA968C7490DE95D1532D0E87
SHA256:257AF9A05DE6371E1F7B345D02A93AF5C2E0AB9B9224418A45189B8CC86049CD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
127
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
87.236.16.204:443
exloader.net
Beget Ltd
RU
malicious
3028
javaw.exe
87.236.16.204:443
exloader.net
Beget Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
exloader.net
  • 87.236.16.204
unknown

Threats

No threats detected
No debug info