File name: D_Encode.exe

Full analysis: https://app.any.run/tasks/1ee4bf25-c105-4aea-a955-5311817d7c81
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: July 18, 2019, 02:05:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: DF2C26D399D530A0C90ED03073FE7CAF
SHA1: 4C8A15CC96376B65163499B0D00D0F788CA617F5
SHA256: C8B3BF6106C408DACDB369845901CC2CEB316EC99BC8544568F442F1649B6961
SSDEEP: 196608:0RqScnFUkLqQll8WgNs2It/4vx14egOcqxu1aS:rnFUKqzWgZGW7vczMS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • D_Encode.exe (PID: 3292)
    • Stealing of credential data

      • D_Encode.exe (PID: 3292)
  • SUSPICIOUS

    • Loads Python modules

      • D_Encode.exe (PID: 3292)
    • Application launched itself

      • D_Encode.exe (PID: 3432)
    • Executable content was dropped or overwritten

      • D_Encode.exe (PID: 3432)
      • D_Encode.exe (PID: 3292)
    • Reads the cookies of Google Chrome

      • D_Encode.exe (PID: 3292)
    • Creates files in the user directory

      • D_Encode.exe (PID: 3292)
    • Starts CMD.EXE for commands execution

      • D_Encode.exe (PID: 3292)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • D_Encode.exe (PID: 3432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (50.1)
.exe | Win64 Executable (generic) (32.2)
.dll | Win32 Dynamic Link Library (generic) (7.6)
.exe | Win32 Executable (generic) (5.2)
.exe | Generic Win/DOS Executable (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:04 16:42:13+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 128000
InitializedDataSize: 120320
UninitializedDataSize: -
EntryPoint: 0x779a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 04-Sep-2018 14:42:13
TLS Callbacks: 1 callback(s) detected.

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 04-Sep-2018 14:42:13
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0001F224 | 0x0001F400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.65269
.rdata | 0x00021000 | 0x0000B0EC | 0x0000B200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.10091
.data | 0x0002D000 | 0x0000E680 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.94098
.gfids | 0x0003C000 | 0x000000B8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.89006
.rsrc | 0x0003D000 | 0x0000FE28 | 0x00010000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.50467
.reloc | 0x0004D000 | 0x000017B8 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.65088
no | 0x00050000 | 0x00043000 | 0x00043000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.99796

Resources

Title | Entropy | Size | Codepage | Language | Type
0 | 1.51664 | 20 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON
1 | 7.94928 | 8792 | Latin 1 / Western European | UNKNOWN | RT_ICON
2 | 6.05629 | 2216 | Latin 1 / Western European | UNKNOWN | RT_ICON
3 | 5.5741 | 1384 | Latin 1 / Western European | UNKNOWN | RT_ICON
4 | 7.95079 | 37019 | Latin 1 / Western European | UNKNOWN | RT_ICON
5 | 5.29119 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON
6 | 5.43869 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON
7 | 5.89356 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON
101 | 2.71858 | 104 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON

Imports

SHFolder.dll
advapi32.dll
kernel32.dll
ntdll.dll
ole32.dll
oleaut32.dll
shlwapi.dll
user32.dll
No data.
All screenshots are available in the full report

Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Process information

PID | CMD | Path | Indicators | Parent process
3432 | "C:\Users\admin\AppData\Local\Temp\D_Encode.exe" | C:\Users\admin\AppData\Local\Temp\D_Encode.exe | | explorer.exe
  User: admin
  Integrity Level: MEDIUM
3292 | "C:\Users\admin\AppData\Local\Temp\D_Encode.exe" | C:\Users\admin\AppData\Local\Temp\D_Encode.exe | | D_Encode.exe
  User: admin
  Integrity Level: MEDIUM
3756 | C:\Windows\system32\cmd.exe /c cls | C:\Windows\system32\cmd.exe | | D_Encode.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Total events: 284
Read events: 284
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 27
Suspicious files: 2
Text files: 12
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3432 | D_Encode.exe | C:\Users\admin\AppData\Local\Temp\_MEI34322\_cffi_backend.cp36-win32.pyd | executable
  MD5: 37870C71B315B371553FC91EE1D84643
  SHA256: 4CBC9DEF520E2FAF4699B546FD383254F301357C9ABC1340C53C84DF619A6B3F
3432 | D_Encode.exe | C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography\hazmat\bindings\_constant_time.cp36-win32.pyd | executable
  MD5: 0128EE6C24D1FFF6C343185EE51C5568
  SHA256: BD5D0970675A7BCD45F32CB22524AEC66DD25086D5F0633671D15873316076B9
3432 | D_Encode.exe | C:\Users\admin\AppData\Local\Temp\_MEI34322\_multiprocessing.pyd | executable
  MD5: 7BC556656109DBC68E247482A4A9DB2C
  SHA256: 62F024653EEF024149750483CD50FA9365A3818723163B7BACC4E78282C70800
3432 | D_Encode.exe | C:\Users\admin\AppData\Local\Temp\_MEI34322\d_encode.exe.manifest | xml
  MD5: 3D76AB58B2C179511A3E78CAD73485AB
  SHA256: A6E98850284ADEACB08441154C9385E6C4EF0C7704AA263A5C82D1F26C1C1AA9
3432 | D_Encode.exe | C:\Users\admin\AppData\Local\Temp\_MEI34322\cryptography\hazmat\bindings\_openssl.cp36-win32.pyd | executable
  MD5: 09A6A2D3999BB5BD08197EA86E6388B4
  SHA256: 9B77B0B0895249BB7DBEBC360D64C3C4B616F3553DCE187BD26322239EEEB6FD
3432 | D_Encode.exe | C:\Users\admin\AppData\Local\Temp\_MEI34322\multidict\_multidict.cp36-win32.pyd | executable
  MD5: 06341B093952E067237789429C168D42
  SHA256: BE8D9E208D7D85B2B8B69CBBC6D928AED28A4F386085C52AC0E6ADF9F6B86461
3432 | D_Encode.exe | C:\Users\admin\AppData\Local\Temp\_MEI34322\_ctypes.pyd | executable
  MD5: D0B0AACAC633EE2EDA0075EB85D43C06
  SHA256: A9C70C16CBD27D15B4D76F68F8D7663C27F7B4D89AB1641ABE6C4A2ED2227032
3432 | D_Encode.exe | C:\Users\admin\AppData\Local\Temp\_MEI34322\_bz2.pyd | executable
  MD5: F97C69209C208C1DD472C5E0ED760456
  SHA256: 9A0B806E6A764D6109DA7762F57A92381DB329D1B3EC5ADBFBD3CF61EF81E3C0
3432 | D_Encode.exe | C:\Users\admin\AppData\Local\Temp\_MEI34322\pyexpat.pyd | executable
  MD5: 23ED0A03A2B8AE756C459CAAE2859D02
  SHA256: 5E94B9C35C4EF0188BDD57FC08AFD0F982849F8E100AE8FF9B90844E6F9F0EDC
3432 | D_Encode.exe | C:\Users\admin\AppData\Local\Temp\_MEI34322\VCRUNTIME140.dll | executable
  MD5: A2523EA6950E248CBDF18C9EA1A844F6
  SHA256: 6823B98C3E922490A2F97F54862D32193900077E49F0360522B19E06E6DA24B4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests
Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3292 | D_Encode.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared
3292 | D_Encode.exe | 162.159.135.233:443 | discordapp.com | Cloudflare Inc | | shared
3292 | D_Encode.exe | 54.235.124.112:443 | api.ipify.org | Amazon.com, Inc. | US | suspicious
3292 | D_Encode.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger LLP | GB | malicious

DNS requests

Domain | IP | Reputation
pastebin.com | 104.20.209.21, 104.20.208.21 | shared
api.ipify.org | 54.235.124.112, 50.19.247.198, 54.243.198.12, 23.21.121.219, 54.204.36.156, 107.22.215.20, 54.243.147.226, 50.16.229.140 | shared
discordapp.com | 162.159.135.233, 162.159.129.233, 162.159.134.233, 162.159.133.233, 162.159.130.233 | whitelisted
api.telegram.org | 149.154.167.220 | shared

Threats

PID | Process | Class | Message
3292 | D_Encode.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check
3292 | D_Encode.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check
1 ETPRO signatures available at the full report
No debug info