File name: Poison Ivy 2.3.2.exe

Full analysis: https://app.any.run/tasks/9906bbf9-2135-4d13-aaee-937a45144b06
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: November 30, 2024, 09:20:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: antivm, mimikatz, tools, rat, poisonivy
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5: B4F990CAD1D20EFAB410E98FC7A6C81B
SHA1: 45419EB6D058766BB4D134BD567BC9EA02BA38B2
SHA256: C71D8085544E6F81E0301D9DD5CDF88369339A6001BAB8E4FDA22DE9EC0FEE31
SSDEEP: 98304:CPv0HBXFfJbdfq8ki+M0WVbCJ6/GALzkYGK0R1Q3gpoZ6DYqDYLRwSRL8Ilri/O:Zn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • MIMIKATZ has been detected (YARA)
      • Poison Ivy 2.3.2.exe (PID: 1404)
    • Connects to the CnC server
      • Poison Ivy 2.3.2.exe (PID: 1404)
    • POISONIVY has been detected (SURICATA)
      • Poison Ivy 2.3.2.exe (PID: 1404)
  • SUSPICIOUS
    • There is functionality for taking screenshots (YARA)
      • Poison Ivy 2.3.2.exe (PID: 1404)
    • Executable content was dropped or overwritten
      • Poison Ivy 2.3.2.exe (PID: 1404)
    • Reads security settings of Internet Explorer
      • Poison Ivy 2.3.2.exe (PID: 1404)
    • Contacting a server suspected of hosting a CnC
      • Poison Ivy 2.3.2.exe (PID: 1404)
    • There is functionality for VM detection: antiVM strings (YARA)
      • Poison Ivy 2.3.2.exe (PID: 1404)
    • Reads the Internet Settings
      • Poison Ivy 2.3.2.exe (PID: 1404)
  • INFO
    • Checks supported languages
      • Poison Ivy 2.3.2.exe (PID: 1404)
      • wmpnscfg.exe (PID: 580)
    • Reads the computer name
      • wmpnscfg.exe (PID: 580)
      • Poison Ivy 2.3.2.exe (PID: 1404)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 580)
      • qqqq.exe (PID: 3024)
      • qqqq.exe (PID: 3500)
    • Checks proxy server information
      • Poison Ivy 2.3.2.exe (PID: 1404)
    • Reads the machine GUID from the registry
      • Poison Ivy 2.3.2.exe (PID: 1404)
No Malware configuration.

TRiD

.exe | Win32 EXE Yoda's Crypter (71.5)
.exe | Win32 Executable (generic) (12.1)
.exe | Win16/32 Executable Delphi generic (5.5)
.exe | Generic Win/DOS Executable (5.3)
.exe | DOS Executable Generic (5.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 1445888
InitializedDataSize: 692224
UninitializedDataSize: -
EntryPoint: 0x211060
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.3.2.0
ProductVersionNumber: 2.3.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Poison Ivy Remote Administration
FileVersion: 2.3.2
InternalName: PI
LegalCopyright: -
OriginalFileName: PoisonIvy2.3.2.exe
ProductName: Poison Ivy
ProductVersion: 2.3.2
No data.
All screenshots are available in the full report
Total processes: 51
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start; Poison Ivy 2.3.2.exe (#MIMIKATZ); wmpnscfg.exe (no specs); qqqq.exe; qqqq.exe

Process information

PID 580
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\windows media player\wmpnscfg.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

PID 1404
CMD: "C:\Users\admin\Desktop\Poison Ivy 2.3.2.exe"
Path: C:\Users\admin\Desktop\Poison Ivy 2.3.2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Poison Ivy Remote Administration
Version: 2.3.2
Modules (images):
  c:\users\admin\desktop\poison ivy 2.3.2.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\imm32.dll

PID 3024
CMD: "C:\Users\admin\Desktop\qqqq.exe"
Path: C:\Users\admin\Desktop\qqqq.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225477
Modules (images):
  c:\users\admin\desktop\qqqq.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll

PID 3500
CMD: "C:\Users\admin\Desktop\qqqq.exe"
Path: C:\Users\admin\Desktop\qqqq.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images):
  c:\users\admin\desktop\qqqq.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
Total events: 2 021
Read events: 1 953
Write events: 56
Delete events: 12

Modification events

(PID 1404) Poison Ivy 2.3.2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID 1404) Poison Ivy 2.3.2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer

(PID 1404) Poison Ivy 2.3.2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride

(PID 1404) Poison Ivy 2.3.2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL

(PID 1404) Poison Ivy 2.3.2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect

(PID 1404) Poison Ivy 2.3.2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 460000005F010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 1404) Poison Ivy 2.3.2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID 1404) Poison Ivy 2.3.2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID 1404) Poison Ivy 2.3.2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionReason
Value: 1

(PID 1404) Poison Ivy 2.3.2.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47}
Operation: write
Name: WpadDecisionTime
Value: 2215FA310943DB01
Executable files: 2
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1404 | Poison Ivy 2.3.2.exe | C:\Users\admin\Desktop\Poison Ivy.ini | text
  MD5: DC1CC4FBD94FDB8E8BE6BE87A85CC123
  SHA256: 5463541DFBDA45C001693F203C1D069E7D4F2150FC70D89E3BDADA27BD279E96
1404 | Poison Ivy 2.3.2.exe | C:\Users\admin\Desktop\qqqq.exe | executable
  MD5: C0293FABEF593C463D1D82564EA1DDB5
  SHA256: E3C77B34D2DB1AADDB90EF983BD9ACF091A589933907FAC137F6CE6B66C23ABD
1404 | Poison Ivy 2.3.2.exe | C:\Users\admin\Desktop\PILib.dll | executable
  MD5: A8BB2EF9F6D3BB6DB348C00E750EE705
  SHA256: 439464983845661A641ECA7AC0147354D96C51870B4CA8FA042F02E27783122E
1404 | Poison Ivy 2.3.2.exe | C:\Users\admin\Desktop\Profiles\qfqfqfqf.pip | text
  MD5: B71987670950156600B939A1CE0A7C93
  SHA256: 5F7953B8C7F80E08AAE63F3729B199FA7A2CE714EC687952862D445DAF18BAE4
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 2
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1404 | Poison Ivy 2.3.2.exe | GET | - | 172.232.25.148:80 | http://www.poisonivy-rat.com/ver | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1108 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
1404 | Poison Ivy 2.3.2.exe | 172.232.25.148:80 | www.poisonivy-rat.com | Akamai International B.V. | US | malicious

DNS requests

Domain | IP | Reputation
google.com | 172.217.16.142 | whitelisted
www.poisonivy-rat.com | 172.232.25.148, 172.232.4.213, 172.232.31.180 | malicious

Threats

1 ETPRO signature available at the full report
No debug info