General Info

File name

stealler.exe

Full analysis
https://app.any.run/tasks/34e76178-2ea0-4b37-a608-6372dc7cc10f
Verdict
Malicious activity
Analysis date
7/11/2019, 22:03:03
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

evasion

stealer

baldr

trojan

loader

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

0eefdd89ce81cb5eae8d83130373cf24

SHA1

d9c345ff8d1fad969ad9a6883968215475caec67

SHA256

cadcef1b2c609c08c28750f58fd245ad054d1c7367c3f8a5779b634431e572bf

SSDEEP

3072:kNpX2uAFp2Ob4Bg8iJxN7QFlMJifPefGr3uXk3EGduhprjO7e:4mZXIi88VQSIPeeLuXAsKS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • MSCBoard.exe (PID: 2484)
  • w56izo28q7.exe (PID: 2792)
  • MSCBoard.exe (PID: 3996)
  • dllhost.exe (PID: 3088)
Loads dropped or rewritten executable
  • stealler.exe (PID: 3096)
Changes the autorun value in the registry
  • stealler.exe (PID: 3096)
  • w56izo28q7.exe (PID: 2792)
  • MSCBoard.exe (PID: 3996)
  • MSCBoard.exe (PID: 2484)
  • dllhost.exe (PID: 3088)
Connects to CnC server
  • stealler.exe (PID: 3096)
Downloads executable files from the Internet
  • stealler.exe (PID: 3096)
Stealing of credential data
  • stealler.exe (PID: 3096)
BALDR was detected
  • stealler.exe (PID: 3096)
Actions looks like stealing of personal data
  • stealler.exe (PID: 3096)
Starts itself from another location
  • w56izo28q7.exe (PID: 2792)
  • MSCBoard.exe (PID: 2484)
Reads Environment values
  • stealler.exe (PID: 3096)
Checks for external IP
  • stealler.exe (PID: 3096)
Reads the cookies of Google Chrome
  • stealler.exe (PID: 3096)
Executable content was dropped or overwritten
  • MSCBoard.exe (PID: 2484)
  • stealler.exe (PID: 3096)
  • w56izo28q7.exe (PID: 2792)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Generic CIL Executable (.NET, Mono, etc.) (56.7%)
.exe
|   Win64 Executable (generic) (21.3%)
.scr
|   Windows screen saver (10.1%)
.dll
|   Win32 Dynamic Link Library (generic) (5%)
.exe
|   Win32 Executable (generic) (3.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:07:08 15:37:45+02:00
PEType:
PE32
LinkerVersion:
8
CodeSize:
79360
InitializedDataSize:
1536
UninitializedDataSize:
null
EntryPoint:
0x154de
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
1.0.0.0
ProductVersionNumber:
1.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
Comments:
null
CompanyName:
null
FileDescription:
null
FileVersion:
1.0.0.0
InternalName:
ARM.exe
LegalCopyright:
Copyright © 2019
LegalTrademarks:
null
OriginalFileName:
ARM.exe
ProductName:
null
ProductVersion:
1.0.0.0
AssemblyVersion:
1.0.0.0
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
08-Jul-2019 13:37:45
Comments:
null
CompanyName:
null
FileDescription:
null
FileVersion:
1.0.0.0
InternalName:
ARM.exe
LegalCopyright:
Copyright © 2019
LegalTrademarks:
null
OriginalFilename:
ARM.exe
ProductName:
null
ProductVersion:
1.0.0.0
Assembly Version:
1.0.0.0
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
08-Jul-2019 13:37:45
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00002000 0x000134E4 0x00013600 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 7.65257
.rsrc 0x00016000 0x00000400 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 2.61009
.reloc 0x00018000 0x0000000C 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 0.10191
Resources
1

Imports
    mscoree.dll

Exports

    No exports.

Screenshots

Processes

Total processes
38
Monitored processes
5
Malicious processes
4
Suspicious processes
1

Behavior graph

+
drop and start drop and start start drop and start drop and start #BALDR stealler.exe mscboard.exe mscboard.exe w56izo28q7.exe dllhost.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3096
CMD
"C:\Users\admin\AppData\Local\Temp\stealler.exe"
Path
C:\Users\admin\AppData\Local\Temp\stealler.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\stealler.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web\7c32e936a07e0c7d9cae3ac27497f613\system.web.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web.28b9ef5a#\a00ba16c92fd291e37a00bab4a72a3fe\system.web.extensions.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\microsoft.net\framework\v4.0.30319\webengine4.dll
c:\windows\system32\userenv.dll
c:\windows\system32\psapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.io.cf61e09c5#\aa7d7c2bf390b327607c0f3dc47741fa\system.io.compression.filesystem.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.security\8391072310ccd84eecefe797cfd4a4a5\system.security.ni.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\mscboard.exe
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\e588691224a17737f3a164cc2d46c156\system.management.ni.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\users\admin\appdata\local\arm.plugins\keylogger.dll
c:\users\admin\appdata\local\temp\w56izo28q7.exe
c:\users\admin\appdata\local\arm.plugins\webcam.dll
c:\windows\system32\avicap32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvfw32.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.io.cb3b124c8#\1b67d10602bf18a6a5d477897c4feec9\system.io.compression.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\system32\wintrust.dll

PID
2484
CMD
"C:\Users\admin\AppData\Local\Temp\MSCBoard.exe"
Path
C:\Users\admin\AppData\Local\Temp\MSCBoard.exe
Indicators
Parent process
stealler.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Messages Board
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\mscboard.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\system32\shell32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\mscboard\mscboard.exe

PID
3996
CMD
"C:\Users\admin\AppData\Local\MSCBoard\MSCBoard.exe" -l
Path
C:\Users\admin\AppData\Local\MSCBoard\MSCBoard.exe
Indicators
Parent process
MSCBoard.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Messages Board
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\mscboard\mscboard.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\system32\shell32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
2792
CMD
"C:\Users\admin\AppData\Local\Temp\w56izo28q7.exe"
Path
C:\Users\admin\AppData\Local\Temp\w56izo28q7.exe
Indicators
Parent process
stealler.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\w56izo28q7.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\system32\shell32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\microsoft.securitykl\dllhost.exe

PID
3088
CMD
"C:\Users\admin\AppData\Local\Microsoft.SecurityKL\dllhost.exe" -k
Path
C:\Users\admin\AppData\Local\Microsoft.SecurityKL\dllhost.exe
Indicators
Parent process
w56izo28q7.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\microsoft.securitykl\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\system32\shell32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll

Registry activity

Total events
1126
Read events
1108
Write events
18
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3996
MSCBoard.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
MSCBoard
"C:\Users\admin\AppData\Local\MSCBoard\MSCBoard.exe" -l
3096
stealler.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft Defender Updating
"C:\Users\admin\AppData\Local\BrowserUpdate3d\stealler.exe" -3d
3096
stealler.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3096
stealler.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3096
stealler.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
vga.drv 1280x720x32(BGR 0)
31,31,31,31
2484
MSCBoard.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
MSCBoard
"C:\Users\admin\AppData\Local\MSCBoard\MSCBoard.exe" -l
2484
MSCBoard.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2484
MSCBoard.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2792
w56izo28q7.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
SecurityKey
"C:\Users\admin\AppData\Local\Microsoft.SecurityKL\dllhost.exe" -k
2792
w56izo28q7.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2792
w56izo28q7.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3088
dllhost.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
SecurityKey
"C:\Users\admin\AppData\Local\Microsoft.SecurityKL\dllhost.exe" -k

Files activity

Executable files
8
Suspicious files
5
Text files
15
Unknown types
1

Dropped files

PID
Process
Filename
Type
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.plugins\KeyLogger.dll
executable
MD5: 8e03decf1880e2830c3ad39ae223e749
SHA256: fa88a7998bf07798169c95955452216972c24a67fae2422a5bfd3dcd4f098939
3096
stealler.exe
C:\Users\admin\AppData\Local\Temp\nzphlwoo.exe
executable
MD5: 3b0a0eba1c596c394807974deb9e78ba
SHA256: 88cd1ed667192dc6c2882a73ce41bd045faf305524a3a180981cc01acbf5b98d
2484
MSCBoard.exe
C:\Users\admin\AppData\Local\MSCBoard\MSCBoard.exe
executable
MD5: f18b572b4a4edd938e6d7ef4ca9542f7
SHA256: dd35ab03e289f7bbdfcda0d3d17de552d21d449b6ae5be07411e64027ff848e2
3096
stealler.exe
C:\Users\admin\AppData\Local\Temp\MSCBoard.exe
executable
MD5: f18b572b4a4edd938e6d7ef4ca9542f7
SHA256: dd35ab03e289f7bbdfcda0d3d17de552d21d449b6ae5be07411e64027ff848e2
2792
w56izo28q7.exe
C:\Users\admin\AppData\Local\Microsoft.SecurityKL\dllhost.exe
executable
MD5: 120924a86705bef1272868eaf0dd58c5
SHA256: 8ef7e2cfbc587f50d5a95304ca736ee73b68392d73070ab78096c8f7d247c80d
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.plugins\WebCam.dll
executable
MD5: 5d08a914ef32f81ff7a0450b0d42aa11
SHA256: bd74765a3345d597572b0b3b664637610f14c3a4e19e746642c66fb6927a78df
3096
stealler.exe
C:\Users\admin\AppData\Local\BrowserUpdate3d\stealler.exe
executable
MD5: 0eefdd89ce81cb5eae8d83130373cf24
SHA256: cadcef1b2c609c08c28750f58fd245ad054d1c7367c3f8a5779b634431e572bf
3096
stealler.exe
C:\Users\admin\AppData\Local\Temp\w56izo28q7.exe
executable
MD5: 120924a86705bef1272868eaf0dd58c5
SHA256: 8ef7e2cfbc587f50d5a95304ca736ee73b68392d73070ab78096c8f7d247c80d
3096
stealler.exe
C:\Users\admin\AppData\Local\Logs - [admin].zip
compressed
MD5: 0d7f572c7a1dca755780295d0d5f7418
SHA256: 4da35205fc19bd9a9d352ec27d43f2ff1cc484889759f586e5f26631de88fb98
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Desktop Files\guidenude.rtf
text
MD5: 35548b848791774d2b44055c1a6c49d5
SHA256: fb522cab4e269a15c57823a1dfac4b7ec751eb6cca43f95511a243d88228ea63
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Буфер обмена.txt
text
MD5: 809b24c010f6102183f6461cab36eb06
SHA256: b2df1a1b12de37c3b1159c28aa1fe7c7230666f70ad6d5f7b6c474307db26b10
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Desktop Files\chrisapr.rtf
text
MD5: 1954d13d96680b960febe0793c555ebc
SHA256: 36add60d364dcfadc8adaa6b0ae49ab782cdb8d311da74311871ba75357c86b3
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Steam\info.txt
text
MD5: 0f5747ce33419c6c364e370ea6b32dae
SHA256: 6c278a5b587c299e3567d9a1136e6894b8402fc99c5a0de221d7336fd89ca39b
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Skype\Local Storage\leveldb\000017.log
binary
MD5: fe2158ead9bc46127ae2c51d54768f95
SHA256: 3e871802b3d0c18930104545944173f7514c325ea6e7c666bd841000a5b58bda
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Skype\Local Storage\leveldb\LOG.old
text
MD5: b06e7fdd069cdd89af69c49ece456bf9
SHA256: 4b8663b54ad80f79109fa607678f2e8da56a5b751ab9c94898eecad7a3133344
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Skype\Local Storage\leveldb\000018.ldb
binary
MD5: 6bd68ffb23742ce14d3f80b92d3357bb
SHA256: 67abd6be3c0032a8be2046bfab18888fe83556627865b01bcad2c7ef0ad05169
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Skype\Local Storage\leveldb\MANIFEST-000001
binary
MD5: 3a7de820860e24f223d8f55cf833f2e9
SHA256: 5cc9eb18b29243881abaa716e4de5dfd4fecb63910f77728d4d3efb52076e20f
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Skype\Local Storage\leveldb\CURRENT
text
MD5: 46295cac801e5d4857d09837238a6394
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Skype\Local Storage\leveldb\LOG
text
MD5: 7f39b22308b34b4138a09991ec4d41c5
SHA256: 31c4d714afbfab8d23ae08f061f6a5f1e46a26b0ab20795eac7d2134a55cceb6
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Skype\Local Storage\leveldb\000005.ldb
binary
MD5: 481b01d81087f708e6c9ddec34d987ec
SHA256: 0816d2abf723e8a066c9464d0335ba864af53eafdfbcd8c235aa16f1900b9df3
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Discord\info.txt
text
MD5: 9bb181c80ae642bb1e5a6c33dc3a6ff7
SHA256: 6ff04e0cf3fbc0afd2391d09675abc0d906833f1e8cab2dde5bdcf121cbe4ade
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\FileZilla\info.txt
text
MD5: 49500921ad268a844597c6d6937a3f84
SHA256: 462891a17dec7d6920715f7671457014bb5c8de1590c68c201fb6f208958f662
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Telegram\info.txt
text
MD5: eee3df32a97d3b8fe14e046a90633451
SHA256: 8bc24564994f842e4432e2cf350294380f4728663cb4255cb5a391488e970d0b
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Browsers\Passwords.txt
text
MD5: a5c22431970929c1a0cef532b3630c85
SHA256: a296a62f08549b646f10917dfdf6712cdb479ca8f51264e661d75484446b39cb
3096
stealler.exe
C:\Users\admin\AppData\Local\Temp\1re3-s5yig75o
––
MD5:  ––
SHA256:  ––
3096
stealler.exe
C:\Users\admin\AppData\Local\Temp\q8nzqy4uavg68rmgscptn8s0o2s42
sqlite
MD5: dd9640af5f03807cf2e3921cba16af0d
SHA256: ecf72c454fef08c5948a565464839a554567e499f995483d6c8b54b32ea2c5f0
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\ScreenShot.jpeg
image
MD5: 2d53edb67601c838719b65820ff82249
SHA256: 012043511203095795eac85fd40fb53c35328de093fb69ae8764a0f0c795308b
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\Desktop Files\optionremove.rtf
text
MD5: 640c2ac2755cb1c8cc7a3e3a1cb2409d
SHA256: 75d8485c6e165bc56f800aad8e01bdfe1a59bad2916a2c81ab1cdc5ffa24d2d9
3096
stealler.exe
C:\Users\admin\AppData\Local\BrowserUpdate3d\3d.dat
text
MD5: f29f4c859b42b184cd7bc7dcaa5a9eec
SHA256: 2ddf7f093dc9c3b334071992601fb0ddc78c73d70bbd503904089b1edbc63697
3096
stealler.exe
C:\Users\admin\AppData\Local\arm.logs\PCInfo.txt
text
MD5: 8b2e1406a374ab65a56c596e53410b41
SHA256: 500e4d4d0e5615ce70a2c9a55522465f635999a879247057a3c243bc2bbf3ea6

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
2
Threats
6

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3096 stealler.exe GET 200 185.194.141.58:80 http://ip-api.com/json/ DE
text
shared
3096 stealler.exe POST 200 141.8.192.151:80 http://f0316439.xsph.ru/ARMBot/logs.php RU
text
text
malicious
3096 stealler.exe GET 200 141.8.192.151:80 http://f0316439.xsph.ru/m.exe RU
executable
malicious
3096 stealler.exe POST 200 141.8.192.151:80 http://f0316439.xsph.ru/ARMBot/upload.php RU
text
––
––
malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3096 stealler.exe 185.194.141.58:80 netcup GmbH DE suspicious
3096 stealler.exe 141.8.192.151:80 Sprinthost.ru LLC RU malicious

DNS requests

Domain IP Reputation
ip-api.com 185.194.141.58
shared
f0316439.xsph.ru 141.8.192.151
malicious

Threats

PID Process Class Message
3096 stealler.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup ip-api.com
3096 stealler.exe Potential Corporate Privacy Violation AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3096 stealler.exe A Network Trojan was detected MALWARE [PTsecurity] Baldr.Stealer C2 Response
3096 stealler.exe A Network Trojan was detected ET TROJAN Single char EXE direct download likely trojan (multiple families)
3096 stealler.exe Potentially Bad Traffic ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3096 stealler.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP

Debug output strings

No debug info.