analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

TotalAV_Setup.exe

Full analysis: https://app.any.run/tasks/69e09e6e-d462-49b0-bd7a-6ae6601cf035
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 13, 2019, 14:55:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

EE55C979E47BC2ED97A483CB9A944118

SHA1:

B8880A0C165ECD2F148FD7B097A5CF2953467738

SHA256:

D5466EB8F2FD988EA01C2CA84897372A012B71B0964D25870D736674FC786874

SSDEEP:

393216:Zy6Qca9DNM7KIMM3nRXoftyPbekg+164cX359D+lvtJrxR:LrvNRXoftyPbtg+8HX35kr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • TotalAV_Setup.exe (PID: 2436)
      • TotalAV.exe (PID: 2932)
      • SecurityService.exe (PID: 3340)
      • avupdate.exe (PID: 1324)
    • Application was dropped or rewritten from another process

      • ns23ED.tmp (PID: 3240)
      • ns22A4.tmp (PID: 2240)
      • ns214C.tmp (PID: 3144)
      • ns2546.tmp (PID: 2228)
      • ns1FF3.tmp (PID: 4024)
      • ns3312.tmp (PID: 3104)
      • TotalAV.exe (PID: 2932)
      • SecurityService.exe (PID: 1244)
      • subinacl.exe (PID: 3300)
      • SecurityService.exe (PID: 3340)
      • avupdate.exe (PID: 1324)
      • TotalAV.exe (PID: 3272)
    • Stealing of credential data

      • TotalAV.exe (PID: 2932)
  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • ns214C.tmp (PID: 3144)
      • ns1FF3.tmp (PID: 4024)
      • ns22A4.tmp (PID: 2240)
      • ns23ED.tmp (PID: 3240)
    • Starts application with an unusual extension

      • TotalAV_Setup.exe (PID: 2436)
    • Executable content was dropped or overwritten

      • TotalAV_Setup.exe (PID: 2436)
      • TotalAV.exe (PID: 2932)
      • SecurityService.exe (PID: 3340)
    • Creates files in the program directory

      • TotalAV_Setup.exe (PID: 2436)
      • SecurityService.exe (PID: 1244)
      • SecurityService.exe (PID: 3340)
      • avupdate.exe (PID: 1324)
      • TotalAV.exe (PID: 2932)
    • Creates a software uninstall entry

      • TotalAV_Setup.exe (PID: 2436)
    • Reads Environment values

      • TotalAV.exe (PID: 2932)
    • Creates files in the user directory

      • TotalAV.exe (PID: 2932)
    • Creates files in the Windows directory

      • SecurityService.exe (PID: 3340)
    • Removes files from Windows directory

      • SecurityService.exe (PID: 3340)
    • Executed as Windows Service

      • SecurityService.exe (PID: 3340)
    • Creates files in the driver directory

      • SecurityService.exe (PID: 3340)
  • INFO

    • Reads settings of System Certificates

      • TotalAV.exe (PID: 2932)
    • Dropped object may contain Bitcoin addresses

      • avupdate.exe (PID: 1324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

ProductVersion: 4.14.31.0
ProductName: TotalAV
OriginalFileName: TotalAV.exe
LegalCopyright: (C) SS Protect Ltd
FileVersion: 4.14.31.0
FileDescription: TotalAV Ultimate Antivirus Installer
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 4.14.31.0
FileVersionNumber: 4.14.31.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x32bf
UninitializedDataSize: 1024
InitializedDataSize: 118784
CodeSize: 24576
LinkerVersion: 6
PEType: PE32
TimeStamp: 2016:12:11 22:50:45+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-Dec-2016 21:50:45
Detected languages:
  • English - United States
FileDescription: TotalAV Ultimate Antivirus Installer
FileVersion: 4.14.31.0
LegalCopyright: (C) SS Protect Ltd
OriginalFilename: TotalAV.exe
ProductName: TotalAV
ProductVersion: 4.14.31.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 11-Dec-2016 21:50:45
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005E59
0x00006000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.42419
.rdata
0x00007000
0x00001246
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.0004
.data
0x00009000
0x0001A818
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.21193
.ndata
0x00024000
0x00017000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0003B000
0x000194C0
0x00019600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.1717

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.28813
1070
UNKNOWN
English - United States
RT_MANIFEST
2
3.53788
9640
UNKNOWN
English - United States
RT_ICON
3
3.2151
4264
UNKNOWN
English - United States
RT_ICON
4
2.6513
3752
UNKNOWN
English - United States
RT_ICON
5
2.23721
2216
UNKNOWN
English - United States
RT_ICON
6
3.16204
1640
UNKNOWN
English - United States
RT_ICON
7
1.54486
1384
UNKNOWN
English - United States
RT_ICON
8
3.94614
1128
UNKNOWN
English - United States
RT_ICON
9
3.3666
744
UNKNOWN
English - United States
RT_ICON
10
3.08381
296
UNKNOWN
English - United States
RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
18
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start drop and start drop and start drop and start drop and start start drop and start totalav_setup.exe no specs totalav_setup.exe ns1ff3.tmp no specs taskkill.exe no specs ns214c.tmp no specs taskkill.exe no specs ns22a4.tmp no specs taskkill.exe no specs ns23ed.tmp no specs taskkill.exe no specs ns2546.tmp no specs ns3312.tmp no specs securityservice.exe no specs subinacl.exe no specs totalav.exe securityservice.exe avupdate.exe totalav.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1920"C:\Users\admin\AppData\Local\Temp\TotalAV_Setup.exe" C:\Users\admin\AppData\Local\Temp\TotalAV_Setup.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
TotalAV Ultimate Antivirus Installer
Exit code:
3221226540
Version:
4.14.31.0
2436"C:\Users\admin\AppData\Local\Temp\TotalAV_Setup.exe" C:\Users\admin\AppData\Local\Temp\TotalAV_Setup.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
TotalAV Ultimate Antivirus Installer
Exit code:
0
Version:
4.14.31.0
4024"C:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns1FF3.tmp" "taskkill" /F /FI "WINDOWTITLE eq TotalAV"C:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns1FF3.tmpTotalAV_Setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2960"taskkill" /F /FI "WINDOWTITLE eq TotalAV"C:\Windows\system32\taskkill.exens1FF3.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3144"C:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns214C.tmp" "taskkill" /f /T /IM "avupdate.exe"C:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns214C.tmpTotalAV_Setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
128
3628"taskkill" /f /T /IM "avupdate.exe"C:\Windows\system32\taskkill.exens214C.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2240"C:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns22A4.tmp" "taskkill" /f /T /IM "Update.Win.exe"C:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns22A4.tmpTotalAV_Setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
128
4020"taskkill" /f /T /IM "Update.Win.exe"C:\Windows\system32\taskkill.exens22A4.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3240"C:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns23ED.tmp" "taskkill" /f /T /IM "PasswordExtension.Win.exe"C:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns23ED.tmpTotalAV_Setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
128
2304"taskkill" /f /T /IM "PasswordExtension.Win.exe"C:\Windows\system32\taskkill.exens23ED.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
735
Read events
667
Write events
0
Delete events
0

Modification events

No data
Executable files
118
Suspicious files
37
Text files
68
Unknown types
294

Dropped files

PID
Process
Filename
Type
2436TotalAV_Setup.exeC:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns1FF3.tmp
MD5:
SHA256:
2436TotalAV_Setup.exeC:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns23ED.tmp
MD5:
SHA256:
2436TotalAV_Setup.exeC:\Users\admin\AppData\Local\Temp\TotalAV.7z
MD5:
SHA256:
2436TotalAV_Setup.exeC:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns2546.tmpexecutable
MD5:37707A29BD8EFBEB912019737BB2B584
SHA256:4751809EF6FD3CED738392E7C5DF6D4E3938D85711DAA0B52B045B5092913C27
2436TotalAV_Setup.exeC:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns22A4.tmpexecutable
MD5:37707A29BD8EFBEB912019737BB2B584
SHA256:4751809EF6FD3CED738392E7C5DF6D4E3938D85711DAA0B52B045B5092913C27
2436TotalAV_Setup.exeC:\Program Files\TotalAV\SecurityProductInformation.initext
MD5:9C6D9F5CAD431222C618226C1E9BED3E
SHA256:9FF35F07CE4E5A9E894DCF738BDFDD666A1BE88813A1DC1DAE3B6E982B4CCE20
2436TotalAV_Setup.exeC:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\ns214C.tmpexecutable
MD5:37707A29BD8EFBEB912019737BB2B584
SHA256:4751809EF6FD3CED738392E7C5DF6D4E3938D85711DAA0B52B045B5092913C27
2436TotalAV_Setup.exeC:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\System.dllexecutable
MD5:3F176D1EE13B0D7D6BD92E1C7A0B9BAE
SHA256:FA4AB1D6F79FD677433A31ADA7806373A789D34328DA46CCB0449BBF347BD73E
2436TotalAV_Setup.exeC:\Program Files\TotalAV\ovpn\openvpn_down.battext
MD5:08BAE2DE82FA4FB579F707376D440056
SHA256:6CAB17FEE12D3A2C43EB4D7C3A790CDBD7FC9AFC6B0C6D60DBBB61594F6CEC74
2436TotalAV_Setup.exeC:\Users\admin\AppData\Local\Temp\nsrF70D.tmp\nsRandom.dllexecutable
MD5:AB467B8DFAA660A0F0E5B26E28AF5735
SHA256:DB267D9920395B4BADC48DE04DF99DFD21D579480D103CAE0F48E6578197FF73
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
10
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2932
TotalAV.exe
GET
101
52.70.110.13:80
http://ortc-prd-useast1-s0001.realtime.co/broadcast/60/BEKYCELU/websocket
US
unknown
2932
TotalAV.exe
GET
200
35.190.42.108:80
http://install.protected.net/windows/avirasdk/3.0.0/avira32redist.zip
US
compressed
15.7 Mb
malicious
2932
TotalAV.exe
HEAD
200
35.190.63.3:80
http://definition.protected.net/vdf.zip
US
whitelisted
2932
TotalAV.exe
GET
35.190.63.3:80
http://definition.protected.net/vdf.zip
US
whitelisted
2932
TotalAV.exe
HEAD
200
35.190.63.3:80
http://definition.protected.net/vdf.zip
US
whitelisted
2932
TotalAV.exe
GET
200
54.236.186.150:80
http://ortc-developers.realtime.co/server/2.1/?appkey=NY1jn9
US
text
64 b
unknown
2932
TotalAV.exe
HEAD
200
35.190.63.3:80
http://definition.protected.net/vdf.zip
US
whitelisted
3340
SecurityService.exe
GET
200
2.16.106.186:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
unknown
compressed
56.6 Kb
whitelisted
2932
TotalAV.exe
GET
206
35.190.63.3:80
http://definition.protected.net/vdf.zip
US
binary
25.0 Mb
whitelisted
3340
SecurityService.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSHRqVSKsocqbcuJkRZwJjSAmttHAQUrWkGcPyAGxazqRiUa5QChl73J4wCEA8DpEdAc3HbUzijkx9jirc%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3340
SecurityService.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2932
TotalAV.exe
52.70.110.13:80
ortc-prd-useast1-s0001.realtime.co
Amazon.com, Inc.
US
unknown
2932
TotalAV.exe
54.236.186.150:80
ortc-developers.realtime.co
Amazon.com, Inc.
US
unknown
2932
TotalAV.exe
130.211.17.176:443
api.totalav.com
Google Inc.
US
unknown
2932
TotalAV.exe
35.190.42.108:80
install.protected.net
Google Inc.
US
unknown
3340
SecurityService.exe
2.16.106.186:80
www.download.windowsupdate.com
Akamai International B.V.
whitelisted
2932
TotalAV.exe
35.190.63.3:80
definition.protected.net
Google Inc.
US
unknown
1324
avupdate.exe
35.190.63.3:443
definition.protected.net
Google Inc.
US
unknown

DNS requests

Domain
IP
Reputation
install.protected.net
  • 35.190.42.108
malicious
api.totalav.com
  • 130.211.17.176
unknown
ortc-developers.realtime.co
  • 54.236.186.150
  • 52.6.41.248
  • 54.156.160.140
  • 3.210.37.219
unknown
ortc-prd-useast1-s0001.realtime.co
  • 52.70.110.13
unknown
www.download.windowsupdate.com
  • 2.16.106.186
  • 2.16.106.233
whitelisted
definition.protected.net
  • 35.190.63.3
unknown
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info