File name: | http://sdl.adaware.com/cdn/avast_free_antivirus_setup_online.exe |
Full analysis: | https://app.any.run/tasks/93be6dc6-93df-4f75-9d0f-d066b6b5c561 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | February 10, 2019, 16:06:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 906009D6E7927189F1803DB099B0A162 |
SHA1: | 897D13FE64140A2EC3656180AAE2DE7F06A4E7A1 |
SHA256: | D833649B72DE406E636081E1A6271310DF0CD62B9E141B8374ED1DE02D7B0701 |
SSDEEP: | 3072:64UW6InDFMe4aLNHmSQcOCK9v/pUABPQ9LWvYEvVUmuJv5Rhr+F7mFIecRYW0cQb:6NWLnD+5VEK93phlRv3UZvyhYW02GkDK |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
ProductVersion: | 2.1.1252.0 |
---|---|
ProductName: | Avast MicroInstaller |
OriginalFileName: | microstub.exe |
LegalCopyright: | Copyright (c) 2019 AVAST Software |
InternalName: | microstub |
FileVersion: | 2.1.1252.0 |
FileDescription: | Avast Antivirus Installer |
Edition: | 1 |
CompanyName: | AVAST Software |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 2.1.1252.0 |
FileVersionNumber: | 2.1.1252.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x10d0 |
UninitializedDataSize: | - |
InitializedDataSize: | 76800 |
CodeSize: | 128512 |
LinkerVersion: | 14.15 |
PEType: | PE32 |
TimeStamp: | 2019:01:03 17:42:16+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 03-Jan-2019 16:42:16 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | AVAST Software |
Edition: | 1 |
FileDescription: | Avast Antivirus Installer |
FileVersion: | 2.1.1252.0 |
InternalName: | microstub |
LegalCopyright: | Copyright (c) 2019 AVAST Software |
OriginalFilename: | microstub.exe |
ProductName: | Avast MicroInstaller |
ProductVersion: | 2.1.1252.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 03-Jan-2019 16:42:16 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0001F57A | 0x0001F600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.57927 |
.rdata | 0x00021000 | 0x00009204 | 0x00009400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.30132 |
.data | 0x0002B000 | 0x00001574 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.7944 |
.didat | 0x0002D000 | 0x00000030 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.479587 |
.rsrc | 0x0002E000 | 0x000063E8 | 0x00006400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.9466 |
.reloc | 0x00035000 | 0x00001B88 | 0x00001C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.62801 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.32507 | 1079 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 2.7408 | 4264 | UNKNOWN | English - United States | RT_ICON |
3 | 2.68291 | 1128 | UNKNOWN | English - United States | RT_ICON |
63 | 3.10916 | 1058 | UNKNOWN | English - United States | RT_STRING |
69 | 3.17186 | 274 | UNKNOWN | English - United States | RT_STRING |
70 | 1.60795 | 76 | UNKNOWN | English - United States | RT_STRING |
100 | 2.45849 | 48 | UNKNOWN | English - United States | RT_GROUP_ICON |
126 | 2.57629 | 148 | UNKNOWN | English - United States | RT_STRING |
132 | 2.85598 | 324 | UNKNOWN | English - United States | RT_STRING |
133 | 2.50805 | 134 | UNKNOWN | English - United States | RT_STRING |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
USER32.dll |
VERSION.dll (delay-loaded) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2876 | "C:\Users\admin\Desktop\avast_free_antivirus_setup_online.exe" | C:\Users\admin\Desktop\avast_free_antivirus_setup_online.exe | — | explorer.exe |
User: admin Company: AVAST Software Integrity Level: MEDIUM Description: Avast Antivirus Installer Exit code: 3221226540 Version: 2.1.1252.0 | ||||
3868 | "C:\Users\admin\Desktop\avast_free_antivirus_setup_online.exe" | C:\Users\admin\Desktop\avast_free_antivirus_setup_online.exe | explorer.exe | |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Exit code: 0 Version: 2.1.1252.0 | ||||
3768 | "C:\Windows\Temp\asw.83e2cebe156d9b00\avast_free_antivirus_setup_online.exe" /ga_clientid:6763cb32-7faa-4c27-8dbf-205a4b6e133e /edat_dir:C:\Windows\Temp\asw.83e2cebe156d9b00 | C:\Windows\Temp\asw.83e2cebe156d9b00\avast_free_antivirus_setup_online.exe | avast_free_antivirus_setup_online.exe | |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Exit code: 0 Version: 19.2.4186.0 | ||||
3116 | "C:\Windows\Temp\asw.1d9340ba44724009\instup.exe" /cookie:mmm_lvs_ppi_002_967_n /edition:1 /ga_clientid:6763cb32-7faa-4c27-8dbf-205a4b6e133e /guid:275776f9-5580-40f8-a584-e3cf9797729c /prod:ais /sfx:lite /sfxstorage:C:\Windows\Temp\asw.1d9340ba44724009 /ga_clientid:6763cb32-7faa-4c27-8dbf-205a4b6e133e /edat_dir:C:\Windows\Temp\asw.83e2cebe156d9b00 | C:\Windows\Temp\asw.1d9340ba44724009\instup.exe | avast_free_antivirus_setup_online.exe | |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Exit code: 0 Version: 19.2.4186.0 | ||||
2488 | "C:\Windows\Temp\asw.1d9340ba44724009\New_1302093c\instup.exe" /cookie:mmm_lvs_ppi_002_967_n /edat_dir:C:\Windows\Temp\asw.83e2cebe156d9b00 /edition:1 /ga_clientid:6763cb32-7faa-4c27-8dbf-205a4b6e133e /guid:275776f9-5580-40f8-a584-e3cf9797729c /online_installer /prod:ais /sfx /sfxstorage:C:\Windows\Temp\asw.1d9340ba44724009 | C:\Windows\Temp\asw.1d9340ba44724009\New_1302093c\instup.exe | instup.exe | |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Exit code: 0 Version: 19.2.4186.0 | ||||
2468 | "C:\Windows\Temp\asw.1d9340ba44724009\New_1302093c\sbr.exe" 2488 "Avast Antivirus setup" "Avast Antivirus is being installed. Do not shut down your computer!" | C:\Windows\Temp\asw.1d9340ba44724009\New_1302093c\sbr.exe | — | instup.exe |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Shutdown blocker Exit code: 0 Version: 19.2.4186.0 | ||||
2748 | "C:\Program Files\AVAST Software\Avast\SetupInf.exe" /catalog:aswRdr2.cat /uninstall | C:\Program Files\AVAST Software\Avast\SetupInf.exe | — | instup.exe |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Exit code: 0 Version: 19.2.4186.0 | ||||
3692 | "C:\Program Files\AVAST Software\Avast\SetupInf.exe" /catalog:aswHwid.cat /uninstall | C:\Program Files\AVAST Software\Avast\SetupInf.exe | — | instup.exe |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Exit code: 0 Version: 19.2.4186.0 | ||||
2316 | "C:\Program Files\AVAST Software\Avast\SetupInf.exe" /catalog:aswVmm.cat /uninstall | C:\Program Files\AVAST Software\Avast\SetupInf.exe | — | instup.exe |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Exit code: 0 Version: 19.2.4186.0 | ||||
3856 | "C:\Program Files\AVAST Software\Avast\SetupInf.exe" /catalog:aswRvrt.cat /uninstall | C:\Program Files\AVAST Software\Avast\SetupInf.exe | — | instup.exe |
User: admin Company: AVAST Software Integrity Level: HIGH Description: Avast Antivirus Installer Exit code: 0 Version: 19.2.4186.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3768 | avast_free_antivirus_setup_online.exe | Setup.log | — | |
MD5:— | SHA256:— | |||
3768 | avast_free_antivirus_setup_online.exe | C:\Windows\Temp\asw.1d9340ba44724009\part-jrog2-237.vpx | binary | |
MD5:224CEE3A3B51DEB0A6566244EBEAAE80 | SHA256:CB3F5AAEA589AF422C1BDEB4008BE62BED80604AF925D46BADFFBCE2A2CE7A83 | |||
3768 | avast_free_antivirus_setup_online.exe | C:\Windows\Temp\asw.1d9340ba44724009\uat64.vpx | binary | |
MD5:7C16342E7C92E9678B3A33F9C27275EE | SHA256:8F648C74AC1E5A416A65AA6B8E4E04DD601E5E752E6FC57451C101F0AC72BDDB | |||
3868 | avast_free_antivirus_setup_online.exe | C:\windows\temp\asw.83e2cebe156d9b00\ecoo.edat | text | |
MD5:755C1279D67D01096C0E5796AD90BD56 | SHA256:F640CB849D78052C5ADBAA2D91764288A5BC4BA02D938EB5DDCA970D3E99BED4 | |||
3768 | avast_free_antivirus_setup_online.exe | C:\Windows\Temp\asw.1d9340ba44724009\cookie.bin | text | |
MD5:755C1279D67D01096C0E5796AD90BD56 | SHA256:F640CB849D78052C5ADBAA2D91764288A5BC4BA02D938EB5DDCA970D3E99BED4 | |||
3768 | avast_free_antivirus_setup_online.exe | C:\Windows\Temp\asw.1d9340ba44724009\servers.def.vpx | binary | |
MD5:7EAE1FA681AB95D4D84AAECEF04DA987 | SHA256:B413A4900F70A8DC71C2D492944E14C1C3902A9B0705E6D73245C1D8645F5BE4 | |||
3768 | avast_free_antivirus_setup_online.exe | C:\Windows\Temp\asw.1d9340ba44724009\instcont_ais-93c.vpx | binary | |
MD5:D010A34773C8FA39840F74D4B8A70FE3 | SHA256:BB7E787AA5152997815E6212DAE70B360BF2CB8CBE4CF633971CA615EF57B7A8 | |||
3768 | avast_free_antivirus_setup_online.exe | C:\Windows\Temp\asw.1d9340ba44724009\config.def | text | |
MD5:87954F2D2C0B4AD28EC03A200BD42C15 | SHA256:DAE6776D2F0ED97C8908A81F3505704A5ED3518E4B173CFB0E7D72B7E2DCD3B5 | |||
3768 | avast_free_antivirus_setup_online.exe | C:\Windows\Temp\asw.1d9340ba44724009\servers.def | text | |
MD5:C66EFF1E07EDD34AE3465B8FB23020F1 | SHA256:8EB05C4D9B307CF69ED5F13DAC4B18C912EA11B2230E62D9891EF1C138380A42 | |||
3768 | avast_free_antivirus_setup_online.exe | C:\Windows\Temp\asw.1d9340ba44724009\prod-pgm.vpx | binary | |
MD5:B044D6563E39755296DC54BD3ADFE2F4 | SHA256:33176E3829592DECA087A66261EA7ED1F8D08C7D4D29DF266A6DF2E2F0397BA5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3868 | avast_free_antivirus_setup_online.exe | GET | 200 | 2.16.186.50:80 | http://iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online.exe | unknown | executable | 7.34 Mb | whitelisted |
3116 | instup.exe | GET | 200 | 95.101.13.51:80 | http://m9761227.iavs9x.u.avast.com/iavs9x/prod-pgm.vpx | unknown | binary | 526 b | whitelisted |
3868 | avast_free_antivirus_setup_online.exe | POST | 204 | 5.62.40.204:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | DE | — | — | whitelisted |
3868 | avast_free_antivirus_setup_online.exe | POST | 200 | 216.58.210.14:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
3116 | instup.exe | GET | 200 | 95.101.13.51:80 | http://m9761227.iavs9x.u.avast.com/iavs9x/offertool_ais-93c.vpx | unknown | binary | 2.17 Mb | whitelisted |
3116 | instup.exe | GET | 200 | 95.101.13.51:80 | http://m9761227.iavs9x.u.avast.com/iavs9x/avbugreport_ais-93c.vpx | unknown | binary | 773 Kb | whitelisted |
3116 | instup.exe | GET | 200 | 95.101.13.51:80 | http://m9761227.iavs9x.u.avast.com/iavs9x/servers.def.vpx | unknown | binary | 3.25 Kb | whitelisted |
3116 | instup.exe | GET | 200 | 95.101.13.51:80 | http://m9761227.iavs9x.u.avast.com/iavs9x/avdump_x86_ais-93c.vpx | unknown | binary | 315 Kb | whitelisted |
3868 | avast_free_antivirus_setup_online.exe | POST | 204 | 5.62.40.204:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | DE | — | — | whitelisted |
3868 | avast_free_antivirus_setup_online.exe | POST | 200 | 216.58.210.14:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3868 | avast_free_antivirus_setup_online.exe | 2.16.186.50:80 | iavs9x.u.avast.com | Akamai International B.V. | — | whitelisted |
3768 | avast_free_antivirus_setup_online.exe | 216.58.210.14:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
3116 | instup.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
3868 | avast_free_antivirus_setup_online.exe | 216.58.210.14:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
2488 | instup.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
2488 | instup.exe | 95.101.13.43:80 | f3355109.vps18tiny.u.avcdn.net | Akamai International B.V. | — | whitelisted |
3116 | instup.exe | 77.234.46.22:443 | shepherd.ff.avast.com | AVAST Software s.r.o. | US | unknown |
2488 | instup.exe | 95.101.13.75:80 | k5854113.iavs9x.u.avast.com | Akamai International B.V. | — | whitelisted |
3116 | instup.exe | 95.101.13.51:80 | k5854113.iavs9x.u.avast.com | Akamai International B.V. | — | whitelisted |
3768 | avast_free_antivirus_setup_online.exe | 5.62.40.204:80 | v7event.stats.avast.com | AVAST Software s.r.o. | DE | malicious |
Domain | IP | Reputation |
---|---|---|
iavs9x.u.avast.com |
| whitelisted |
v7event.stats.avast.com |
| whitelisted |
www.google-analytics.com |
| whitelisted |
shepherd.ff.avast.com |
| whitelisted |
k5854113.iavs9x.u.avast.com |
| whitelisted |
l2350042.iavs9x.u.avast.com |
| whitelisted |
p3357684.iavs9x.u.avast.com |
| whitelisted |
m9761227.iavs9x.u.avast.com |
| whitelisted |
s-iavs9x.avcdn.net |
| whitelisted |
s0383910.iavs9x.u.avast.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3868 | avast_free_antivirus_setup_online.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2488 | instup.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3716 | AvEmUpdate.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2376 | AvEmUpdate.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
2756 | CCUpdate.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3840 | instup.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3840 | instup.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
Process | Message |
---|---|
AvastSvc.exe | [2019-02-10 16:08:25.875] [error ] [av_pp_prov ] [ 3856: 3284] Exception: Request 'app.pam.GetBrowserLeakedPassword' was not processed. Routing parameters:
|
AvastSvc.exe | [2019-02-10 16:08:25.906] [error ] [av_pp_prov ] [ 3856: 2944] Exception: Request 'app.pam.GetBrowserLeakedPassword' was not processed. Routing parameters:
|
AvastSvc.exe | [2019-02-10 16:08:27.188] [info ] [nsf_urlinfo] [ 3856: 3020] Init UrlInfo
|
AvastSvc.exe | [2019-02-10 16:08:28.078] [error ] [av_pp_prov ] [ 3856: 2944] Exception: Request 'app.pam.GetBrowserLeakedPassword' was not processed. Routing parameters:
|
AvastSvc.exe | [2019-02-10 16:08:28.235] [error ] [av_pp_prov ] [ 3856: 3324] Exception: Request 'app.pam.GetBrowserLeakedPassword' was not processed. Routing parameters:
|
AvastSvc.exe | [2019-02-10 16:08:28.797] [error ] [av_pp_prov ] [ 3856: 3300] Exception: Request 'app.pam.GetBrowserLeakedPassword' was not processed. Routing parameters:
|
AvastSvc.exe | [2019-02-10 16:08:31.281] [error ] [av_pp_prov ] [ 3856: 3332] Exception: Request 'app.pam.GetBrowserLeakedPassword' was not processed. Routing parameters:
|
AvastSvc.exe | [2019-02-10 16:08:31.610] [error ] [ffl2 ] [ 3856: 3828] failed to load key 0 (error 2)
|
AvastSvc.exe | [2019-02-10 16:08:31.610] [error ] [ffl2 ] [ 3856: 3828] failed to load key 0 (error 2)
|
AvastSvc.exe | [2019-02-10 16:08:31.922] [error ] [av_pp_prov ] [ 3856: 3876] Exception: Request 'app.pam.GetBrowserLeakedPassword' was not processed. Routing parameters:
|