| File name: | Poison Ivy 2.3.2.exe |
| Full analysis: | https://app.any.run/tasks/afaeb3cd-baaa-4f19-8490-4b64b431fc74 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | January 09, 2024, 18:44:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | B4F990CAD1D20EFAB410E98FC7A6C81B |
| SHA1: | 45419EB6D058766BB4D134BD567BC9EA02BA38B2 |
| SHA256: | C71D8085544E6F81E0301D9DD5CDF88369339A6001BAB8E4FDA22DE9EC0FEE31 |
| SSDEEP: | 98304:CPv0HBXFfJbdfq8ki+M0WVbCJ6/GALzkYGK0R1Q3gpoZ6DYqDYLRwSRL8Ilri/O:Zn |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads the Internet Settings
- Poison Ivy 2.3.2.exe (PID: 2040)
INFO
Create files in a temporary directory
- Poison Ivy 2.3.2.exe (PID: 2040)
Reads the computer name
- Poison Ivy 2.3.2.exe (PID: 2040)
Checks proxy server information
- Poison Ivy 2.3.2.exe (PID: 2040)
Checks supported languages
- Poison Ivy 2.3.2.exe (PID: 2040)
Reads the machine GUID from the registry
- Poison Ivy 2.3.2.exe (PID: 2040)
Connects to the CnC server
- Poison Ivy 2.3.2.exe (PID: 2040)
POISONIVY has been detected (SURICATA)
- Poison Ivy 2.3.2.exe (PID: 2040)
Drops the executable file immediately after the start
- Poison Ivy 2.3.2.exe (PID: 2040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 EXE Yoda's Crypter (71.5) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.1) |
| .exe | | | Win16/32 Executable Delphi generic (5.5) |
| .exe | | | Generic Win/DOS Executable (5.3) |
| .exe | | | DOS Executable Generic (5.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:20 00:22:17+02:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 1445888 |
| InitializedDataSize: | 692224 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x211060 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.3.2.0 |
| ProductVersionNumber: | 2.3.2.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| FileDescription: | Poison Ivy Remote Administration |
| FileVersion: | 2.3.2 |
| InternalName: | PI |
| LegalCopyright: | - |
| OriginalFileName: | PoisonIvy2.3.2.exe |
| ProductName: | Poison Ivy |
| ProductVersion: | 2.3.2 |
Total processes
34
Monitored processes
1
Malicious processes
0
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2040 | "C:\Users\admin\AppData\Local\Temp\Poison Ivy 2.3.2.exe" | C:\Users\admin\AppData\Local\Temp\Poison Ivy 2.3.2.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Poison Ivy Remote Administration Exit code: 0 Version: 2.3.2 Modules
| |||||||||||||||
Total events
362
Read events
330
Write events
32
Delete events
0
Modification events
| (PID) Process: | (2040) Poison Ivy 2.3.2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2040) Poison Ivy 2.3.2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2040) Poison Ivy 2.3.2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (2040) Poison Ivy 2.3.2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (2040) Poison Ivy 2.3.2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2040) Poison Ivy 2.3.2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2040) Poison Ivy 2.3.2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2040) Poison Ivy 2.3.2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2040) Poison Ivy 2.3.2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} |
| Operation: | write | Name: | WpadDecisionReason |
Value: 1 | |||
| (PID) Process: | (2040) Poison Ivy 2.3.2.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} |
| Operation: | write | Name: | WpadDecisionTime |
Value: B81CDAF62B43DA01 | |||
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2040 | Poison Ivy 2.3.2.exe | C:\Users\admin\AppData\Local\Temp\Poison Ivy.ini | text | |
MD5:DC1CC4FBD94FDB8E8BE6BE87A85CC123 | SHA256:5463541DFBDA45C001693F203C1D069E7D4F2150FC70D89E3BDADA27BD279E96 | |||
| 2040 | Poison Ivy 2.3.2.exe | C:\Users\admin\AppData\Local\Temp\PILib.dll | executable | |
MD5:A8BB2EF9F6D3BB6DB348C00E750EE705 | SHA256:439464983845661A641ECA7AC0147354D96C51870B4CA8FA042F02E27783122E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2040 | Poison Ivy 2.3.2.exe | GET | 302 | 64.91.248.15:80 | http://www.poisonivy-rat.com/ver | unknown | — | — | unknown |
2040 | Poison Ivy 2.3.2.exe | GET | — | 199.59.243.225:80 | http://ww7.poisonivy-rat.com/ver?usid=26&utid=4581033120 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2040 | Poison Ivy 2.3.2.exe | 64.91.248.15:80 | www.poisonivy-rat.com | LIQUIDWEB | US | unknown |
2040 | Poison Ivy 2.3.2.exe | 199.59.243.225:80 | ww7.poisonivy-rat.com | AMAZON-02 | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.poisonivy-rat.com |
| unknown |
ww7.poisonivy-rat.com |
| unknown |
Threats
2 ETPRO signatures available at the full report