File name:	Client.exe
Full analysis:	https://app.any.run/tasks/4d542c1d-7ab5-453d-b5a5-b2a0ad7eff16
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	December 14, 2024, 04:17:17
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	remote sheetrat rat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	E9BC8253DB832402B30833FC7B23E567
SHA1:	18C07C0D52AA468A0163A0B28DBD74D85A8DB4FD
SHA256:	D70EBC61DAAFC227910D5D2BD4BD7278A181563AD370F2E6D09A80951FE4771F
SSDEEP:	3072:Kv+iSJcZ8pHEdKKPQPuHxru+td1LBXbcW+LTmKIiu67XZnugejZp:vU8pHEd/PQ2RDtd1LZbcWe6VMX5uT

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr	\|	Windows screen saver (12.9)
.dll	\|	Win32 Dynamic Link Library (generic) (6.4)
.exe	\|	Win32 Executable (generic) (4.4)
.exe	\|	Generic Win/DOS Executable (1.9)

AssemblyVersion:	259.41.258.69
ProductVersion:	259.41.258.69
ProductName:	F.lux
OriginalFileName:	Inkscape Upgrade.exe
LegalTrademarks:	Avast Antivirus
LegalCopyright:	Microsoft Visual Studio
InternalName:	Inkscape Upgrade.exe
FileVersion:	21.86.6.79
FileDescription:	QuickBooks Upgrade
CompanyName:	Microsoft Money
Comments:	-
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	259.41.258.69
FileVersionNumber:	21.86.6.79
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x4af4e
UninitializedDataSize:	-
InitializedDataSize:	2560
CodeSize:	299008
LinkerVersion:	48
PEType:	PE32
ImageFileCharacteristics:	Executable, Large address aware
TimeStamp:	2100:10:13 03:20:15+00:00
MachineType:	Intel 386 or later, and compatibles


(PID) Process:	(2100) Client.exe	Key:	HKEY_CURRENT_USER\SOFTWARE
Operation:	write	Name:	hwid
Value: MUFFQ0EyRTVDODhDMzgzNkJFQkZBM0M=
(PID) Process:	(2380) Client.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Userinit
Value: C:\Windows\System32\userinit.exe,C:\WINDOWS\Registry
(PID) Process:	(2380) Client.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	ok
Value: C:\WINDOWS\Registry
(PID) Process:	(2380) Client.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage
Operation:	write	Name:	Export
Value: .NET Memory Cache 4.0
(PID) Process:	(2380) Client.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage
Operation:	write	Name:	Export
Value: MSDTC Bridge 3.0.0.0
(PID) Process:	(2380) Client.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 4.0.0.0\Linkage
Operation:	write	Name:	Export
Value: MSDTC Bridge 4.0.0.0
(PID) Process:	(2380) Client.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0\Linkage
Operation:	write	Name:	Export
Value: ServiceModelEndpoint 3.0.0.0
(PID) Process:	(2380) Client.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelOperation 3.0.0.0\Linkage
Operation:	write	Name:	Export
Value: ServiceModelOperation 3.0.0.0
(PID) Process:	(2380) Client.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelService 3.0.0.0\Linkage
Operation:	write	Name:	Export
Value: ServiceModelService 3.0.0.0
(PID) Process:	(2380) Client.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 3.0.0.0\Linkage
Operation:	write	Name:	Export
Value: SMSvcHost 3.0.0.0

PID	Process	Filename		Type
2380	Client.exe	C:\Windows\Registry		executable
		MD5:E9BC8253DB832402B30833FC7B23E567	SHA256:D70EBC61DAAFC227910D5D2BD4BD7278A181563AD370F2E6D09A80951FE4771F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
372	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
372	svchost.exe	GET	200	2.16.164.106:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.106:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
372	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.106:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
372	svchost.exe	2.16.164.106:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
372	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2380	Client.exe	147.185.221.24:13571	community-pride.gl.at.ply.gg	PLAYIT-GG	US	suspicious

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	2.16.164.106 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
community-pride.gl.at.ply.gg	147.185.221.24	unknown
self.events.data.microsoft.com	13.89.179.10	whitelisted

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET INFO playit .gg Tunneling Domain in DNS Lookup
—	—	Misc activity	ET INFO Tunneling Service in DNS Lookup (* .ply .gg)
—	—	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] SheetRat (Ping)

General Info

Client.exe

E9BC8253DB832402B30833FC7B23E567

18C07C0D52AA468A0163A0B28DBD74D85A8DB4FD

D70EBC61DAAFC227910D5D2BD4BD7278A181563AD370F2E6D09A80951FE4771F

3072:Kv+iSJcZ8pHEdKKPQPuHxru+td1LBXbcW+LTmKIiu67XZnugejZp:vU8pHEd/PQ2RDtd1LZbcWe6VMX5uT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses Task Scheduler to autorun other applications

Changes the autorun value in the registry

Changes the login/logoff helper path in the registry

Connects to the CnC server

SHEETRAT has been detected (SURICATA)

SUSPICIOUS

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Connects to unusual port

Reads the date of Windows installation

Application launched itself

Executes as Windows Service

The process checks if it is being run in the virtual environment

Contacting a server suspected of hosting an CnC

INFO

Reads the machine GUID from the registry

Reads the computer name

Process checks computer location settings

Checks supported languages

The process uses the downloaded file

Reads the time zone

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings