File name: file

Full analysis: https://app.any.run/tasks/5d1eaf1d-450f-4521-a25e-de73984a9689
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 02, 2023, 21:53:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: stealc, stealer, loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: B3D27655D9EE694F208D75D7FBA836FE
SHA1: 104C1AE9F8E14ED84FB5B532D7875AF2CF3C02AC
SHA256: D1787B2FADB9F9DA05C64AA00A75AA54B771AF2110EB72045F4CAC7097C739AB
SSDEEP: 6144:NO8dbmNUEk8hRDciLoD3kwAUwZp0L7DaXaJVV0voYrpNNh4R0:VtErhRDci63k1UM0LyxNNh4R0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • STEALC has been detected (SURICATA)

      • file.exe (PID: 1092)
    • STEALC has been detected (YARA)

      • file.exe (PID: 1092)
    • Connects to the CnC server

      • file.exe (PID: 1092)
    • Steals credentials

      • file.exe (PID: 1092)
    • Drops the executable file immediately after the start

      • file.exe (PID: 1092)
    • Steals credentials from Web Browsers

      • file.exe (PID: 1092)
    • Starts CMD.EXE for self-deleting

      • file.exe (PID: 1092)
    • Actions look like stealing of personal data

      • file.exe (PID: 1092)
  • SUSPICIOUS

    • Reads the Internet Settings

      • file.exe (PID: 1092)
    • Searches for installed software

      • file.exe (PID: 1092)
    • The process drops Mozilla's DLL files

      • file.exe (PID: 1092)
    • Process requests binary or script from the Internet

      • file.exe (PID: 1092)
    • Connects to the server without a host name

      • file.exe (PID: 1092)
    • The process drops C-runtime libraries

      • file.exe (PID: 1092)
    • Process drops legitimate windows executable

      • file.exe (PID: 1092)
    • The process verifies whether the antivirus software is installed

      • file.exe (PID: 1092)
    • Reads browser cookies

      • file.exe (PID: 1092)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 2976)
    • Starts CMD.EXE for commands execution

      • file.exe (PID: 1092)
  • INFO

    • Checks proxy server information

      • file.exe (PID: 1092)
    • Reads the computer name

      • file.exe (PID: 1092)
    • Checks supported languages

      • file.exe (PID: 1092)
    • Reads the machine GUID from the registry

      • file.exe (PID: 1092)
    • Reads Environment values

      • file.exe (PID: 1092)
    • Reads CPU info

      • file.exe (PID: 1092)
    • Reads product name

      • file.exe (PID: 1092)
    • Creates files or folders in the user directory

      • file.exe (PID: 1092)
    • Creates files in the program directory

      • file.exe (PID: 1092)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Stealc

(PID) Process: (1092) file.exe
C2: http://5.42.64.41/40d570f44e84a454.php
Keys
RC4: 9983923984025551955005984414
Strings (346)
" & del "C:\ProgramData\*.dll"" & exit
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Clipper DOS Executable (2.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:06:10 17:35:02+02:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 178176
InitializedDataSize: 3835904
UninitializedDataSize: -
EntryPoint: 0x88fe
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 21.0.0.0
ProductVersionNumber: 34.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0373)
CharacterSet: Unknown (63B6)
CompanyName: Pundersucks
FileDescriptions: Vellting
LegalTrademark1: Fractal
OriginalFileName: Lameros.exe
ProductName: Happines
ProductVersion: 57.38.26
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process tree)

start → file.exe (#STEALC) → cmd.exe (no specs) → timeout.exe (no specs)

Process information

PID: 1092
CMD: "C:\Users\admin\AppData\Local\Temp\file.exe"
Path: C:\Users\admin\AppData\Local\Temp\file.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\file.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2752
CMD: timeout /t 5
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2976
CMD: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\admin\AppData\Local\Temp\file.exe" & del "C:\ProgramData\*.dll"" & exit
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: file.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 1 142
Read events: 1 130
Write events: 12
Delete events: 0

Modification events

(PID) Process: (1092) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix | Value: Cookie:

(PID) Process: (1092) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix | Value: Visited:

(PID) Process: (1092) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write | Name: ProxyEnable | Value: 0

(PID) Process: (1092) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write | Name: SavedLegacySettings | Value: 46000000C1000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1092) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

(PID) Process: (1092) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

(PID) Process: (1092) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

(PID) Process: (1092) file.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0
Executable files: 12
Suspicious files: 10
Text files: 3
Unknown types: 0

Dropped files

PID: 1092 | Process: file.exe | Filename: C:\ProgramData\freebl3.dll | Type: executable
MD5: 550686C0EE48C386DFCB40199BD076AC
SHA256: EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

PID: 1092 | Process: file.exe | Filename: C:\ProgramData\IJDBGDGCGDAKFIDGIDBF | Type: binary
MD5: CEB39527E05115BBE0227EA14D897374
SHA256: D3406398F5A7D00D94E1F36065ACC5C63DBF27FB4026D75FB09129DDD05C2D20

PID: 1092 | Process: file.exe | Filename: C:\ProgramData\DAAAKFHIEGDGCAAAEGDGIDAECF | Type:
MD5:
SHA256:

PID: 1092 | Process: file.exe | Filename: C:\ProgramData\HIIIJDAAAAAAKECBFBAEBKJJJJ | Type: binary
MD5: F8260F59C1D4AEEEE9112752955D2DBA
SHA256: CF30136A5C367EE357204A80FEA426DD4609E49731E8494F1D686770BB9A64B7

PID: 1092 | Process: file.exe | Filename: C:\ProgramData\FBFCGIDA | Type: binary
MD5: 8ED59ABBE343BC945E3A9F4801075399
SHA256: 97E62577149EB459A713FCBE09C5C73A1ADDF230042F53B2CA9E256E695EA7A0

PID: 1092 | Process: file.exe | Filename: C:\ProgramData\nss3.dll | Type: executable
MD5: 1CC453CDF74F31E4D913FF9C10ACDDE2
SHA256: AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5

PID: 1092 | Process: file.exe | Filename: C:\ProgramData\GCGCBAECFCAKKEBFCFII | Type: binary
MD5: 0F653EDF207BB943166A7EED331F14AD
SHA256: E4D518E335DF25562B0570F4F3FC6F39BF63F7D84805AECD485C5798671EA3D8

PID: 1092 | Process: file.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\freebl3[1].dll | Type: executable
MD5: 550686C0EE48C386DFCB40199BD076AC
SHA256: EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

PID: 1092 | Process: file.exe | Filename: C:\ProgramData\mozglue.dll | Type: executable
MD5: C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA256: BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

PID: 1092 | Process: file.exe | Filename: C:\ProgramData\msvcp140.dll | Type: executable
MD5: 5FF1FCA37C466D6723EC67BE93B51442
SHA256: 5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 9
DNS requests: 1
Threats: 29

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1092 | file.exe | POST | 200 | 5.42.64.41:80 | http://5.42.64.41/40d570f44e84a454.php | unknown | text | 1.48 Kb | unknown
1092 | file.exe | POST | 200 | 5.42.64.41:80 | http://5.42.64.41/40d570f44e84a454.php | unknown | executable | 78.9 Kb | unknown
1092 | file.exe | POST | 200 | 5.42.64.41:80 | http://5.42.64.41/40d570f44e84a454.php | unknown | html | 267 b | unknown
1092 | file.exe | POST | 200 | 5.42.64.41:80 | http://5.42.64.41/40d570f44e84a454.php | unknown | text | 1.54 Kb | unknown
1092 | file.exe | POST | 200 | 5.42.64.41:80 | http://5.42.64.41/40d570f44e84a454.php | unknown | html | 267 b | unknown
1092 | file.exe | GET | 200 | 5.42.64.41:80 | http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll | unknown | executable | 439 Kb | unknown
1092 | file.exe | POST | 200 | 5.42.64.41:80 | http://5.42.64.41/40d570f44e84a454.php | unknown | text | 5.29 Kb | unknown
1092 | file.exe | GET | 200 | 5.42.64.41:80 | http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll | unknown | executable | 1.06 Mb | unknown
1092 | file.exe | POST | 200 | 5.42.64.41:80 | http://5.42.64.41/40d570f44e84a454.php | unknown | executable | 1.06 Mb | unknown
1092 | file.exe | POST | 200 | 5.42.64.41:80 | http://5.42.64.41/40d570f44e84a454.php | unknown | html | 267 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1956 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
324 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1092 | file.exe | 5.42.64.41:80 | - | CJSC Kolomna-Sviaz TV | RU | unknown

DNS requests

Domain | IP | Reputation
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
1092 | file.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc Requesting browsers Config from C2
1092 | file.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
1092 | file.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc Requesting plugins Config from C2
1092 | file.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
1092 | file.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
1092 | file.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
1092 | file.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent
1092 | file.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1092 | file.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1092 | file.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
1 ETPRO signatures available at the full report
No debug info