analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://2capallera.com/css/images/cs82108/

Full analysis: https://app.any.run/tasks/9d878f04-c814-48a5-8a59-c5eb22ca336b
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 11:02:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
evasion
stealer
Indicators:
MD5:

B2BD3FBF74E13B678745E97705E48C16

SHA1:

2A35AC6DCDD68DB6152C4E53F33A6342B44F0B65

SHA256:

D151C32B2F6E51A1E86478C16B2CDFBCB3169EA8006530D03ED068667249F07E

SSDEEP:

3:N87MyQ3BWKMXn:2oyt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Factura-AmcNetworks31032020.exe (PID: 2988)

    • Writes to a start menu file

      • Gld_Supporting.exe (PID: 3252)

    • Connects to CnC server

      • Factura-AmcNetworks31032020.exe (PID: 2988)

    • Stealing of credential data

      • Gld_Supporting.exe (PID: 3252)

    • Loads dropped or rewritten executable

      • Gld_Supporting.exe (PID: 3252)

  • SUSPICIOUS

    • Reads Environment values

      • Factura-AmcNetworks31032020.exe (PID: 2988)
      • Gld_Supporting.exe (PID: 3252)

    • Reads Internet Cache Settings

      • Factura-AmcNetworks31032020.exe (PID: 2988)
      • Gld_Supporting.exe (PID: 3252)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3992)
      • Gld_Supporting.exe (PID: 3252)

    • Creates files in the user directory

      • Gld_Supporting.exe (PID: 3252)
      • Factura-AmcNetworks31032020.exe (PID: 2988)

    • Checks for external IP

      • Gld_Supporting.exe (PID: 3252)

    • Creates files in the program directory

      • Factura-AmcNetworks31032020.exe (PID: 2988)
      • Gld_Supporting.exe (PID: 3252)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 660)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 3364)
      • chrome.exe (PID: 660)

    • Reads settings of System Certificates

      • chrome.exe (PID: 3364)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 660)

    • Application launched itself

      • chrome.exe (PID: 660)

    • Manual execution by user

      • Factura-AmcNetworks31032020.exe (PID: 2988)
      • WinRAR.exe (PID: 3992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
79
Monitored processes
36
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe factura-amcnetworks31032020.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs gld_supporting.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
660"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://2capallera.com/css/images/cs82108/"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
848"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fa8a9d0,0x6fa8a9e0,0x6fa8a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
944"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1756 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3144"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1000,3495253136555503653,17835884365472145328,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11331905603503728617 --mojo-platform-channel-handle=944 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3364"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1000,3495253136555503653,17835884365472145328,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=3428077562762655983 --mojo-platform-channel-handle=1552 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1800"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,3495253136555503653,17835884365472145328,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9301733613058890766 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2336"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,3495253136555503653,17835884365472145328,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5923769228397792683 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2288 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3016"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,3495253136555503653,17835884365472145328,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10536944228434539644 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2124"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1000,3495253136555503653,17835884365472145328,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15950431114860791122 --mojo-platform-channel-handle=3472 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2432"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1000,3495253136555503653,17835884365472145328,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=9249058757244528892 --mojo-platform-channel-handle=3552 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
1 373
Read events
1 221
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
34
Text files
290
Unknown types
20

Dropped files

PID
Process
Filename
Type
660chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5E832365-294.pma
MD5:
SHA256:
660chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\17fc1f1e-65ee-425f-ae45-35ea67fcbf89.tmp
MD5:
SHA256:
660chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000028.dbtmp
MD5:
SHA256:
660chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old
MD5:
SHA256:
660chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RFa66df5.TMP
MD5:
SHA256:
660chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RFa66c8d.TMPtext
MD5:33B05E8AC9C178C58ED3321F496588C0
SHA256:2CDF6A09638A0B563EA2672D6926210771902E0A9203FE15D2857FC4EB954CDE
660chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RFa66c7e.TMPtext
MD5:F69C20D5B552B8D973FB1CBA5FDD7D87
SHA256:48799968D50E2D74E625A0AB18E93C6792AF20010334C6BB4E935C8D26F7026A
660chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFa66c8d.TMPtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
660chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
660chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:AC43135B8C9FED46A92448C4E711F45C
SHA256:D840BA7CEBACF86DDBAD75BFB61A53449AA7AE3DE6B8ADC97FE45624626A6F09
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
46
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3364
chrome.exe
GET
200
173.194.151.108:80
http://r6---sn-4g5e6ne6.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=QJ&mip=92.118.13.5&mm=28&mn=sn-4g5e6ne6&ms=nvh&mt=1585652535&mv=m&mvi=5&pl=25&shardbypass=yes
US
crx
293 Kb
whitelisted
2988
Factura-AmcNetworks31032020.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAblg20XjDYvMdklb%2BSFKGs%3D
US
der
471 b
whitelisted
2988
Factura-AmcNetworks31032020.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
US
der
471 b
whitelisted
3364
chrome.exe
GET
302
172.217.23.110:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
522 b
whitelisted
2988
Factura-AmcNetworks31032020.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
2988
Factura-AmcNetworks31032020.exe
GET
200
187.188.127.38:80
http://2capallera.com/css/images/amccount/index.php?MD=&AV=-Windows%20Defender&SO=Windows%207%20Professional%20-%206.1%20-%20&US=USER-PC%20-%20admin
MX
text
98 b
malicious
2988
Factura-AmcNetworks31032020.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAVjKs1LcjoWx51wu2cBcuE%3D
US
der
471 b
whitelisted
3364
chrome.exe
GET
200
173.194.151.74:80
http://r4---sn-4g5e6nes.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=bs&mip=92.118.13.5&mm=28&mn=sn-4g5e6nes&ms=nvh&mt=1585652600&mv=m&mvi=3&pl=25&shardbypass=yes
US
crx
862 Kb
whitelisted
3252
Gld_Supporting.exe
GET
200
216.239.36.21:80
http://ipinfo.io/json
US
text
256 b
shared
3252
Gld_Supporting.exe
GET
200
216.239.36.21:80
http://ipinfo.io/json
US
text
256 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3364
chrome.exe
187.188.127.38:443
2capallera.com
TOTAL PLAY TELECOMUNICACIONES SA DE CV
MX
malicious
3364
chrome.exe
216.58.210.4:443
www.google.com
Google Inc.
US
whitelisted
3364
chrome.exe
172.217.18.110:443
sb-ssl.google.com
Google Inc.
US
whitelisted
3364
chrome.exe
172.217.22.77:443
accounts.google.com
Google Inc.
US
whitelisted
3364
chrome.exe
172.217.23.110:80
redirector.gvt1.com
Google Inc.
US
whitelisted
3364
chrome.exe
172.217.21.206:443
clients2.google.com
Google Inc.
US
whitelisted
3364
chrome.exe
173.194.151.108:80
r6---sn-4g5e6ne6.gvt1.com
Google Inc.
US
whitelisted
3364
chrome.exe
216.58.207.67:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3364
chrome.exe
172.217.23.163:443
www.gstatic.com
Google Inc.
US
whitelisted
3364
chrome.exe
172.217.16.131:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
2capallera.com
  • 187.188.127.38
malicious
clientservices.googleapis.com
  • 216.58.207.67
whitelisted
accounts.google.com
  • 172.217.22.77
shared
www.google.com
  • 216.58.210.4
  • 172.217.21.228
whitelisted
clients2.google.com
  • 172.217.21.206
whitelisted
sb-ssl.google.com
  • 172.217.18.110
whitelisted
redirector.gvt1.com
  • 172.217.23.110
whitelisted
r6---sn-4g5e6ne6.gvt1.com
  • 173.194.151.108
whitelisted
ssl.gstatic.com
  • 172.217.16.131
whitelisted
www.dropbox.com
  • 162.125.66.1
shared

Threats

PID
Process
Class
Message
2988
Factura-AmcNetworks31032020.exe
A Network Trojan was detected
AV TROJAN Banload CnC System Info Exfil
3252
Gld_Supporting.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup ipinfo.io
3252
Gld_Supporting.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup ipinfo.io
3252
Gld_Supporting.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup ipinfo.io
3252
Gld_Supporting.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup ipinfo.io
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.hopto .org
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.serveminecraft .net
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://2capallera.com/css/images/cs82108/