analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Rb.exe

Full analysis: https://app.any.run/tasks/3c677fa4-3592-49fe-9fdc-d3e6aaebc327
Verdict: Malicious activity
Analysis date: January 17, 2020, 16:38:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

BBBEF216609000C3753A139FCA5B42FD

SHA1:

57D11FEF5ACFC28457195C5917AB2F21EBEF4CD9

SHA256:

CF73D5A1AB28866ECCB6794B55D589FA575FAC5E82553C02A3F4982CED6FA2BE

SSDEEP:

196608:zjyLQM4Ik+i8I4GA81G+L9+3rkBwcrwaOme82giExmFDN:7M4Iz5G1NKrkBuaOm9y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • Rb.exe (PID: 1028)

  • SUSPICIOUS

    • Application launched itself

      • Rb.exe (PID: 3944)

    • Executable content was dropped or overwritten

      • Rb.exe (PID: 3944)

    • Loads Python modules

      • Rb.exe (PID: 1028)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • Rb.exe (PID: 3944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (50.1)
.exe | Win64 Executable (generic) (32.2)
.dll | Win32 Dynamic Link Library (generic) (7.6)
.exe | Win32 Executable (generic) (5.2)
.exe | Generic Win/DOS Executable (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:04 16:43:33+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 125952
InitializedDataSize: 173056
UninitializedDataSize: -
EntryPoint: 0x79d3
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 04-Sep-2018 14:43:33

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 04-Sep-2018 14:43:33
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001EB34
0x0001EC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.64811
.rdata
0x00020000
0x0000B164
0x0000B200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.09995
.data
0x0002C000
0x0000E688
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.92387
.gfids
0x0003B000
0x000000B8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.83952
.rsrc
0x0003C000
0x0000EEC8
0x0000F000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.51705
.reloc
0x0004B000
0x000017B4
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.65332

Resources

Title
Entropy
Size
Codepage
Language
Type
1
6.15653
3752
UNKNOWN
UNKNOWN
RT_ICON
2
6.44895
2216
UNKNOWN
UNKNOWN
RT_ICON
3
5.77742
1384
UNKNOWN
UNKNOWN
RT_ICON
4
7.95095
38188
UNKNOWN
UNKNOWN
RT_ICON
5
6.0521
9640
UNKNOWN
UNKNOWN
RT_ICON
6
6.15081
4264
UNKNOWN
UNKNOWN
RT_ICON
7
6.39466
1128
UNKNOWN
UNKNOWN
RT_ICON
101
2.71858
104
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

KERNEL32.dll
USER32.dll
WS2_32.dll
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rb.exe rb.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3944"C:\Users\admin\Desktop\Rb.exe" C:\Users\admin\Desktop\Rb.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1028"C:\Users\admin\Desktop\Rb.exe" C:\Users\admin\Desktop\Rb.exeRb.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
20
Suspicious files
1
Text files
913
Unknown types
2

Dropped files

PID
Process
Filename
Type
3944Rb.exeC:\Users\admin\AppData\Local\Temp\_MEI39442\_contextvars.pydexecutable
MD5:4A525F91513ECE5FE180A5D1123D8337
SHA256:6629835406814CD78D006A6080EFAF0E93E28B88B3FA2FEB00B7EF9C975E4A61
3944Rb.exeC:\Users\admin\AppData\Local\Temp\_MEI39442\_tkinter.pydexecutable
MD5:CA14F8ECEC66E86D206656CCDB7E9E50
SHA256:2AD4C0A6E125862880C5359FEE1F64DEAAB706498F92107C0F8F03654D8EC54C
3944Rb.exeC:\Users\admin\AppData\Local\Temp\_MEI39442\_lzma.pydexecutable
MD5:D72665EA18965F103200CCC7AD072F85
SHA256:AB20E63D14259A7DECA85A068796476C0EFCC236A11D53B1816FC6F8956424A8
3944Rb.exeC:\Users\admin\AppData\Local\Temp\_MEI39442\_hashlib.pydexecutable
MD5:1280A084744EF726A673B757B9364335
SHA256:C2B3DC92ABD96485032D1287941E405D56DF05FB5BA68199497D8594400163E5
3944Rb.exeC:\Users\admin\AppData\Local\Temp\_MEI39442\_decimal.pydexecutable
MD5:942849B267A15E74C43BC298CF8EFCA3
SHA256:749347C07F5DB9D5CD318313EBF120E541E12502710C27486047123E6E5D5AC4
3944Rb.exeC:\Users\admin\AppData\Local\Temp\_MEI39442\python37.dllexecutable
MD5:198DC945FA3A7215C2AA90BD296025B4
SHA256:20CD780CF1E90778799E749812B00B1865938EF8990CD9BF2C1630787C6181C9
3944Rb.exeC:\Users\admin\AppData\Local\Temp\_MEI39442\_sqlite3.pydexecutable
MD5:938A875AD7F42AFC56384E2C170114D1
SHA256:238210354447B6C75FB742851A566AD4FBE4269F93336E22B18E91749F631E89
3944Rb.exeC:\Users\admin\AppData\Local\Temp\_MEI39442\tk_appxa.exe.manifestxml
MD5:4146566D005A07DC7A9DD214CC3644B0
SHA256:FA3701E86282055F3E82D0347224CAC3E32199FB06565F1A8FFEC76B2F7852D2
3944Rb.exeC:\Users\admin\AppData\Local\Temp\_MEI39442\libssl-1_1.dllexecutable
MD5:D07120C4A7F7FA74D9C774D81663D685
SHA256:96FECBEA2F57B69326EB2E0DCBA7C32A8AE1D281D85F52C32FC39D5D4CCA479B
3944Rb.exeC:\Users\admin\AppData\Local\Temp\_MEI39442\VCRUNTIME140.dllexecutable
MD5:AE96651CFBD18991D186A029CBECB30C
SHA256:1B372F064EACB455A0351863706E6326CA31B08E779A70DE5DE986B5BE8069A1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Rb.exe