File name: | ExLoader.exe |
Full analysis: | https://app.any.run/tasks/e5d8a5c5-f2cd-45da-9984-ab3a8e99fe48 |
Verdict: | Malicious activity |
Analysis date: | November 16, 2019, 16:58:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
MD5: | BAD6C58357030E51773E5F82CB0016E9 |
SHA1: | 9AC18D7F31D765DCA2E7C91A48F8DE6C8DEF8873 |
SHA256: | C70B9C8787B60DAA2615BB21D8596594EB6225323FA06B9E3E2CB18A3DBADEC5 |
SSDEEP: | 98304:OjTmsKgEUDzvEU6CNwhFjTBrHJWGs2NyqeoNE/7SRYYGZ8OC0sLPchA9RpE65QY:2EGTEUdNwhdTVHJack+G8v0qEq9sJY |
.exe | | | Win32 Executable MS Visual C++ (generic) (41) |
---|---|---|
.exe | | | Win64 Executable (generic) (36.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.6) |
.exe | | | Win32 Executable (generic) (5.9) |
.exe | | | Win16/32 Executable Delphi generic (2.7) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:10:19 17:25:35+02:00 |
PEType: | PE32 |
LinkerVersion: | 2.22 |
CodeSize: | 25088 |
InitializedDataSize: | 115712 |
UninitializedDataSize: | 36864 |
EntryPoint: | 0x1290 |
OSVersion: | 4 |
ImageVersion: | 1 |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 19-Oct-2019 15:25:35 |
Detected languages: | |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 19-Oct-2019 15:25:35 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00006080 | 0x00006200 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.98243 |
.data | 0x00008000 | 0x00000040 | 0x00000200 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.163808 |
.rdata | 0x00009000 | 0x00000510 | 0x00000600 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.01355 |
.bss | 0x0000A000 | 0x00008E30 | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00013000 | 0x00000AA8 | 0x00000C00 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.65264 |
.rsrc | 0x00014000 | 0x0001AEF4 | 0x0001B000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.96386 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.77685 | 90 | UNKNOWN | Process Default Language | RT_GROUP_ICON |
2 | 2.25163 | 6 | UNKNOWN | Process Default Language | RT_RCDATA |
3 | 2.19423 | 16936 | UNKNOWN | Process Default Language | RT_ICON |
4 | 2.35356 | 9640 | UNKNOWN | Process Default Language | RT_ICON |
5 | 2.51532 | 4264 | UNKNOWN | Process Default Language | RT_ICON |
6 | 2.95345 | 1128 | UNKNOWN | Process Default Language | RT_ICON |
8 | 1 | 2 | UNKNOWN | Process Default Language | RT_RCDATA |
12 | 4.0958 | 22 | UNKNOWN | Process Default Language | RT_RCDATA |
15 | 4.21782 | 41 | UNKNOWN | Process Default Language | RT_RCDATA |
16 | 2.58496 | 6 | UNKNOWN | Process Default Language | RT_RCDATA |
ADVAPI32.DLL |
KERNEL32.dll |
SHELL32.DLL |
USER32.dll |
msvcrt.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2004 | "C:\Users\admin\AppData\Local\Temp\ExLoader.exe" | C:\Users\admin\AppData\Local\Temp\ExLoader.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
1932 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\admin\AppData\Local\Temp\ExLoader.exe" org.develnext.jphp.ext.javafx.FXLauncher | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | ExLoader.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
1816 | C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp 65001>nul & reg query "HKU\S-1-5-19"" | C:\Windows\System32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2120 | C:\Windows\System32\chcp 65001 | C:\Windows\System32\chcp.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3836 | reg query "HKU\S-1-5-19" | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2520 | C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp 65001>nul & reg query "HKU\S-1-5-19"" | C:\Windows\System32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2196 | C:\Windows\System32\chcp 65001 | C:\Windows\System32\chcp.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
884 | reg query "HKU\S-1-5-19" | C:\Windows\system32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3776 | C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp 65001>nul & C:\Windows\System32\mshta.exe vbscript:Execute("CreateObject(""Shell.Application"").ShellExecute(""C:/Users/admin/AppData/Local/Temp/ExLoader.exe"", """", """", ""runas"", 1)(window.close)")" | C:\Windows\System32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1012 | C:\Windows\System32\chcp 65001 | C:\Windows\System32\chcp.com | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (1932) javaw.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
Operation: | write | Name: | Name |
Value: javaw.exe | |||
(PID) Process: | (788) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (788) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3028) javaw.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
Operation: | write | Name: | Name |
Value: javaw.exe |
PID | Process | Filename | Type | |
---|---|---|---|---|
3028 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:ACB4CCD343A19C9A1913A33958D923BA | SHA256:37DB6CF3993C2C09CC6333123619CE1E2E7F4AEAC366BB9990A1B12A81012979 | |||
1932 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:BE0F77B482AA1FC92FAB8802D0760DF7 | SHA256:4D15D54B64A79F54EC666521208194F3706707AF9B6291247EAFED5F997FE187 | |||
3028 | javaw.exe | C:\ProgramData\ExLoader\config.json | text | |
MD5:88D53F7C670647997DFD34BA13B945BF | SHA256:FB5002326970A67D0885C9B9B3C002A6026B0980066637022C0561F96CFEB04C | |||
1932 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:C8366AE350E7019AEFC9D1E6E6A498C6 | SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238 | |||
788 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\error[1] | html | |
MD5:16AA7C3BEBF9C1B84C9EE07666E3207F | SHA256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754 | |||
3028 | javaw.exe | C:\Users\admin\AppData\Local\Temp\+JXF1355351942427062134.tmp | ttf | |
MD5:C88CECBFFAD6D8E731FD95DE49561EBD | SHA256:BAB583D38D105DAC9141B287FB2B7763B6D8B0BAE97E745FAACCEDB40A579C29 | |||
3028 | javaw.exe | C:\Users\admin\AppData\Local\Temp\+JXF7063876538453843275.tmp | ttf | |
MD5:A98626E1AEF6CEBA5DFC1EE7112E235A | SHA256:92B3D3C6E135EB1DC95F88E6CA75BD6113D9EB3261A95CA39F733E3897E53675 | |||
3028 | javaw.exe | C:\Users\admin\AppData\Local\Temp\+JXF6412109723356646518.tmp | ttf | |
MD5:9BC77C3BCA968C7490DE95D1532D0E87 | SHA256:257AF9A05DE6371E1F7B345D02A93AF5C2E0AB9B9224418A45189B8CC86049CD |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 87.236.16.204:443 | exloader.net | Beget Ltd | RU | malicious |
3028 | javaw.exe | 87.236.16.204:443 | exloader.net | Beget Ltd | RU | malicious |
Domain | IP | Reputation |
---|---|---|
exloader.net | | unknown |