File name:

bankassistant.exe

Full analysis: https://app.any.run/tasks/8c8af308-e27d-4c6e-92d0-de1292a06206
Verdict: Malicious activity
Threats:

Stealers are a category of malware designed to gain unauthorized access to users' information and transfer it to the attacker. The category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: December 26, 2024, 07:03:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
vmprotect
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: A81DF1689FBA9E8EBAD0E66E81A26961
SHA1: 0134FE97F3A1318F82B64DF699019A53D0E9166C
SHA256: D8FC5F7FC7B7F6039C879EC0E4E63B4517DA854F158BEB251B8498D4FEC8164D
SSDEEP: 98304:85Iokvq5hgUWofO6al+4aT+2ZekY4Z8fhly1sEHHv0HofiXcZUncVJIsF8fzRKwL:nherKoRI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • PasswordCtrl.exe (PID: 3848)
      • SignMessenger.exe (PID: 644)
      • UKeyDriver.exe (PID: 7000)
    • Executing a file with an untrusted certificate

      • CBiBankInputService.exe (PID: 6676)
      • FirefoxMOIT.exe (PID: 4308)
    • Uses Task Scheduler to autorun other applications

      • CBiBankGuardXInput.exe (PID: 6552)
    • Actions look like stealing of personal data

      • CBiBankGuardXInput.exe (PID: 6552)
      • netSignServer.exe (PID: 5392)
      • EsWebSocketKit.exe (PID: 4504)
      • FirefoxMOIT.exe (PID: 4308)
      • regFirefox64.exe (PID: 2940)
    • Changes the autorun value in the registry

      • netSignServer.exe (PID: 5392)
      • EsWebSocketKit.exe (PID: 4504)
      • certd_I3000_CBIB.exe (PID: 3848)
      • UKeyDriver.exe (PID: 7000)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 6772)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • bankassistant.exe (PID: 6332)
      • CBibankAssit.exe (PID: 624)
      • PasswordCtrl.exe (PID: 3848)
      • CBiBankGuardX.exe (PID: 5040)
      • SignMessenger.exe (PID: 644)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • bankassistant.exe (PID: 6332)
      • PasswordCtrl.exe (PID: 3848)
      • SignMessenger.exe (PID: 644)
    • The process creates files with name similar to system file names

      • bankassistant.exe (PID: 6332)
      • PasswordCtrl.exe (PID: 3848)
      • SignMessenger.exe (PID: 644)
      • EsWebSocketKit.exe (PID: 4504)
      • FirefoxMOIT.exe (PID: 4308)
      • UKeyDriver.exe (PID: 7000)
    • Uses TASKKILL.EXE to kill process

      • bankassistant.exe (PID: 6332)
    • Creates a software uninstall entry

      • bankassistant.exe (PID: 6332)
      • PasswordCtrl.exe (PID: 3848)
      • SignMessenger.exe (PID: 644)
      • UKeyDriver.exe (PID: 7000)
    • Reads Microsoft Outlook installation path

      • CBibankAssit.exe (PID: 624)
    • Reads security settings of Internet Explorer

      • CBibankAssit.exe (PID: 624)
      • PasswordCtrl.exe (PID: 3848)
      • SignMessenger.exe (PID: 644)
    • Reads Internet Explorer settings

      • CBibankAssit.exe (PID: 624)
    • Creates/Modifies COM task schedule object

      • PasswordCtrl.exe (PID: 3848)
      • regsvr32.exe (PID: 6560)
      • SignMessenger.exe (PID: 644)
      • regsvr32.exe (PID: 7160)
      • regsvr32.exe (PID: 7064)
    • Creates files in the driver directory

      • CBiBankGuardX.exe (PID: 5040)
    • Drops a system driver (possible attempt to evade defenses)

      • CBiBankGuardX.exe (PID: 5040)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 4976)
      • schtasks.exe (PID: 1544)
      • schtasks.exe (PID: 6864)
    • Executes as Windows Service

      • CBiBankInputService.exe (PID: 5776)
      • netSignServerService.exe (PID: 768)
      • rundll32.exe (PID: 7076)
    • Process drops legitimate windows executable (CertUtil.exe)

      • PasswordCtrl.exe (PID: 3848)
      • SignMessenger.exe (PID: 644)
    • Starts a Microsoft application from unusual location

      • certutil.exe (PID: 6824)
      • certutil.exe (PID: 6548)
      • certutil.exe (PID: 6528)
      • certutil.exe (PID: 2076)
    • Adds/modifies Windows certificates

      • certutil.exe (PID: 6824)
      • EsWebSocketKit.exe (PID: 4504)
      • UKeyDriver.exe (PID: 7000)
      • CBibankAssit.exe (PID: 624)
    • Reads Mozilla Firefox installation path

      • regFirefox64.exe (PID: 2940)
      • EsWebSocketKit.exe (PID: 4504)
    • Loads DLL from Mozilla Firefox

      • regFirefox64.exe (PID: 2940)
    • Starts CMD.EXE for commands execution

      • EsWebSocketKit.exe (PID: 4504)
    • The process executes via Task Scheduler

      • EsWebSocket.exe (PID: 396)
      • EsHttpServer.exe (PID: 7160)
      • EsWebSocket.exe (PID: 5200)
      • EsHttpServer.exe (PID: 1704)
  • INFO

    • The sample was compiled with Chinese language support

      • bankassistant.exe (PID: 6332)
      • CBiBankGuardX.exe (PID: 5040)
      • PasswordCtrl.exe (PID: 3848)
      • CBibankAssit.exe (PID: 624)
      • SignMessenger.exe (PID: 644)
    • Reads the computer name

      • bankassistant.exe (PID: 6332)
      • CBibankAssit.exe (PID: 624)
      • PasswordCtrl.exe (PID: 3848)
      • CBiBankInputService.exe (PID: 6412)
      • CBiBankInputService.exe (PID: 6676)
      • CBiBankInputService.exe (PID: 5776)
      • CBiBankGuardXInput.exe (PID: 6552)
      • CBiBankGuardX.exe (PID: 5040)
      • certutil.exe (PID: 6824)
      • SignMessenger.exe (PID: 644)
      • netSignServerService.exe (PID: 520)
      • netSignServerService.exe (PID: 4308)
      • netSignServerService.exe (PID: 768)
      • netSignServer.exe (PID: 5392)
      • certutil.exe (PID: 6528)
      • certutil.exe (PID: 6548)
      • certutil.exe (PID: 2076)
      • regFirefox64.exe (PID: 2940)
      • EsWebSocket.exe (PID: 1020)
      • UKeyDriver.exe (PID: 7000)
      • certd_I3000_CBIB.exe (PID: 3848)
      • certd_I3000_CBIB.exe (PID: 3568)
    • Checks supported languages

      • bankassistant.exe (PID: 6332)
      • CBibankAssit.exe (PID: 624)
      • PasswordCtrl.exe (PID: 3848)
      • CBiBankGuardX.exe (PID: 5040)
      • CBiBankInputService.exe (PID: 6412)
      • CBiBankInputService.exe (PID: 5776)
      • CBiBankGuardXInput.exe (PID: 6552)
      • CBiBankInputService.exe (PID: 6676)
      • certutil.exe (PID: 6824)
      • netSignServerService.exe (PID: 4308)
      • netSignServer.exe (PID: 5392)
      • netSignServerService.exe (PID: 768)
      • SignMessenger.exe (PID: 644)
      • certutil.exe (PID: 6528)
      • netSignServerService.exe (PID: 520)
      • certutil.exe (PID: 6548)
      • certutil.exe (PID: 2076)
      • EsWebSocketKit.exe (PID: 4504)
      • regFirefox64.exe (PID: 2940)
      • EsHttpServer.exe (PID: 6512)
      • FirefoxMOIT.exe (PID: 4308)
      • EsWebSocket.exe (PID: 1020)
      • EsWebSocket.exe (PID: 6796)
      • UKeyDriver.exe (PID: 7000)
      • certd_I3000_CBIB.exe (PID: 3848)
      • certd_I3000_CBIB.exe (PID: 3568)
      • EsHttpServer.exe (PID: 7160)
      • EsWebSocket.exe (PID: 5200)
      • EsWebSocket.exe (PID: 396)
      • EsHttpServer.exe (PID: 1704)
    • Creates files in a temporary directory

      • bankassistant.exe (PID: 6332)
      • PasswordCtrl.exe (PID: 3848)
      • SignMessenger.exe (PID: 644)
      • EsWebSocketKit.exe (PID: 4504)
      • FirefoxMOIT.exe (PID: 4308)
      • UKeyDriver.exe (PID: 7000)
    • The sample was compiled with English language support

      • bankassistant.exe (PID: 6332)
      • CBibankAssit.exe (PID: 624)
      • PasswordCtrl.exe (PID: 3848)
      • SignMessenger.exe (PID: 644)
    • Creates files in the program directory

      • bankassistant.exe (PID: 6332)
      • CBibankAssit.exe (PID: 624)
      • EsWebSocketKit.exe (PID: 4504)
      • UKeyDriver.exe (PID: 7000)
    • Creates files or folders in the user directory

      • bankassistant.exe (PID: 6332)
      • CBibankAssit.exe (PID: 624)
      • CBiBankGuardXInput.exe (PID: 6552)
      • regFirefox64.exe (PID: 2940)
    • Sends debugging messages

      • CBibankAssit.exe (PID: 624)
      • EsWebSocketKit.exe (PID: 4504)
    • Checks proxy server information

      • CBibankAssit.exe (PID: 624)
      • CBiBankGuardXInput.exe (PID: 6552)
    • The process uses the downloaded file

      • CBibankAssit.exe (PID: 624)
      • PasswordCtrl.exe (PID: 3848)
      • SignMessenger.exe (PID: 644)
    • Reads the software policy settings

      • CBibankAssit.exe (PID: 624)
    • Reads the machine GUID from the registry

      • CBiBankGuardXInput.exe (PID: 6552)
      • netSignServer.exe (PID: 5392)
      • EsWebSocket.exe (PID: 1020)
    • Process checks computer location settings

      • PasswordCtrl.exe (PID: 3848)
      • SignMessenger.exe (PID: 644)
      • CBibankAssit.exe (PID: 624)
    • VMProtect protector has been detected

      • netSignServer.exe (PID: 5392)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:05:11 20:03:30+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 117760
UninitializedDataSize: 1024
EntryPoint: 0x30b6
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.7
ProductVersionNumber: 1.0.0.7
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Traditional)
CharacterSet: Windows, Taiwan (Big5)
CompanyName: 國際銀行有限責任公司
FileDescription: 國際網銀助手
FileVersion: 1.0.0.7
LegalCopyright: Copyright (C) 國際銀行有限責任公司 所有權利保留
ProductName: 國際網銀助手
ProductVersion: 1.0.0.7
No data.
All screenshots are available in the full report
Total processes: 216
Monitored processes: 85
Malicious processes: 10
Suspicious processes: 4

Behavior graph

start bankassistant.exe taskkill.exe no specs conhost.exe no specs cbibankassit.exe passwordctrl.exe cbibankguardx.exe regsvr32.exe no specs checknetisolation.exe no specs conhost.exe no specs cbibankinputservice.exe no specs cbibankguardxinput.exe cbibankinputservice.exe no specs cbibankinputservice.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs signmessenger.exe regsvr32.exe no specs checknetisolation.exe no specs conhost.exe no specs netsignserverservice.exe no specs netsignserver.exe netsignserverservice.exe no specs netsignserverservice.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs eswebsocketkit.exe checknetisolation.exe no specs conhost.exe no specs regfirefox64.exe eswebsocket.exe no specs eshttpserver.exe no specs firefoxmoit.exe cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs eswebsocket.exe no specs ukeydriver.exe regsvr32.exe no specs rundll32.exe no specs certd_i3000_cbib.exe certd_i3000_cbib.exe no specs eswebsocket.exe no specs eshttpserver.exe no specs eswebsocket.exe no specs eshttpserver.exe no specs bankassistant.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 236
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: certutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 396
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: certutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 396
CMD: "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
Path: C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe
Parent process: svchost.exe
User:
admin
Company:
FEITIAN Technologies Co., Ltd.
Integrity Level:
MEDIUM
Description:
WebSocket Server
Exit code:
1
Version:
0.1.0.1
Modules
Images
c:\program files (x86)\eswebsocketkit\eswebsocket.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 520
CMD: "C:\WINDOWS\system32\Microdone\signmessgerNew\netSignServerService.exe" "-install"
Path: C:\Windows\SysWOW64\Microdone\signmessgerNew\netSignServerService.exe
Parent process: SignMessenger.exe
User:
admin
Company:
北京微通新成网络科技有限公司
Integrity Level:
HIGH
Description:
SignMessengerService
Exit code:
0
Version:
1.0.1.0
Modules
Images
c:\windows\syswow64\microdone\signmessgernew\netsignserverservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 520
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 624
CMD: "C:\Program Files (x86)\CBIbankAssit\CBibankAssit"
Path: C:\Program Files (x86)\CBIbankAssit\CBibankAssit.exe
Parent process: bankassistant.exe
User:
admin
Company:
国际银行
Integrity Level:
HIGH
Description:
网银助手
Version:
1.0.0.7
Modules
Images
c:\program files (x86)\cbibankassit\cbibankassit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 644
CMD: "C:\Program Files (x86)\CBIbankAssit\Download\SignMessenger.exe" /S
Path: C:\Program Files (x86)\CBIbankAssit\Download\SignMessenger.exe
Parent process: CBibankAssit.exe
User:
admin
Company:
China Binary International Bank
Integrity Level:
HIGH
Description:
CBiBank签名控件
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\program files (x86)\cbibankassit\download\signmessenger.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 768
CMD: C:\WINDOWS\SysWOW64\Microdone\signmessgerNew\netSignServerService.exe
Path: C:\Windows\SysWOW64\Microdone\signmessgerNew\netSignServerService.exe
Parent process: services.exe
User:
SYSTEM
Company:
北京微通新成网络科技有限公司
Integrity Level:
SYSTEM
Description:
SignMessengerService
Version:
1.0.1.0
Modules
Images
c:\windows\syswow64\microdone\signmessgernew\netsignserverservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1020
CMD: "C:\Program Files (x86)\EsWebSocketKit\ESWebSocket.exe"
Path: C:\Program Files (x86)\EsWebSocketKit\EsWebSocket.exe
Parent process: EsWebSocketKit.exe
User:
admin
Company:
FEITIAN Technologies Co., Ltd.
Integrity Level:
HIGH
Description:
WebSocket Server
Version:
0.1.0.1
Modules
Images
c:\program files (x86)\eswebsocketkit\eswebsocket.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1076
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: certutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 34 846
Read events: 34 681
Write events: 154
Delete events: 11

Modification events

PID: 6332 | Process: bankassistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\International online banking assistant
Operation: write | Name: DisplayName
Value: Online banking assistant

PID: 6332 | Process: bankassistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\International online banking assistant
Operation: write | Name: UninstallString
Value: C:\Program Files (x86)\CBIbankAssit\uninst.exe

PID: 6332 | Process: bankassistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\International online banking assistant
Operation: write | Name: DisplayIcon
Value: C:\Program Files (x86)\CBIbankAssit\CBibankAssit

PID: 6332 | Process: bankassistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\International online banking assistant
Operation: write | Name: DisplayVersion
Value: 1.0.0.7

PID: 6332 | Process: bankassistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\International online banking assistant
Operation: write | Name: URLInfoAbout
Value:

PID: 6332 | Process: bankassistant.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\International online banking assistant
Operation: write | Name: Publisher
Value: International Bank Limited

PID: 624 | Process: CBibankAssit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value:

PID: 624 | Process: CBibankAssit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value: Cookie:

PID: 624 | Process: CBibankAssit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value: Visited:

PID: 624 | Process: CBibankAssit.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\DirectDraw\MostRecentApplication
Operation: write | Name: Name
Value: CBibankAssit.exe
Executable files: 36
Suspicious files: 8
Text files: 5
Unknown types: 2

Dropped files

PID
Process
Filename
Type
PID: 6332 | Process: bankassistant.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsl58A4.tmp\modern-wizard.bmp | Type: image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2

PID: 6332 | Process: bankassistant.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\International online banking assistant\Online banking assistant.lnk | Type: binary
MD5: 1E8F195692D86C17B5F1A0D22C190600
SHA256: 72A099492B2180BCF577EEF24EA8A4B82EAED079301C53B651AEBAFD8FC1B545

PID: 6332 | Process: bankassistant.exe | Filename: C:\Users\admin\Desktop\Online banking assistant.lnk | Type: binary
MD5: 2624E336E40B391D74F8196258CB34D1
SHA256: 3DB003A98875BC3F21A7E0CDD4D59F707CECAD0F5C5F5BC3B12C4F3A6B818121

PID: 6332 | Process: bankassistant.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsl58A4.tmp\nsDialogs.dll | Type: executable
MD5: E75AE7CFE06FF9692D98A934F6AA2D3C
SHA256: 1F861AEB145EBBB9A2628414E6DCA6B06D0BFB252F2DE624B86814CFEC8097D0

PID: 3848 | Process: PasswordCtrl.exe | Filename: C:\Windows\System32\CBiBank\CBiBankGuardX.dll | Type: executable
MD5: A8C2256032CE22310C6779752E2CC600
SHA256: 36002BA54D3EFB5FC46496BF9BCBB7B7F7059E4F25CDA0FE80B5C3BEF6457181

PID: 6332 | Process: bankassistant.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsl58A4.tmp\System.dll | Type: executable
MD5: A436DB0C473A087EB61FF5C53C34BA27
SHA256: 75ED40311875312617D6711BAED0BE29FCAEE71031CA27A8D308A72B15A51E49

PID: 6332 | Process: bankassistant.exe | Filename: C:\Program Files (x86)\CBIbankAssit\CBISysTray.exe | Type: executable
MD5: 7AE8C932DCB526F0FF633D2A590E9D6E
SHA256: ECE51766CA78E648CEEBA113B7569AD61C10F13DAB7DC1D64C6A769B0A9FE84E

PID: 6332 | Process: bankassistant.exe | Filename: C:\Program Files (x86)\CBIbankAssit\libcurl.dll | Type: executable
MD5: 63B09A70418A7DD51353F738995E6C8B
SHA256: FA477933A613B03652EA2A787527486D0E9225BF1D208AE77D065E35405B4FF6

PID: 6332 | Process: bankassistant.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\International online banking assistant\uninstall.lnk | Type: binary
MD5: CBEAB67719515090ACA5E07781690494
SHA256: 5F37CB5B86D96BD1353C2FA8DD386860EF4ACAEFCD22DC23D5DAFE8446512A8D

PID: 6332 | Process: bankassistant.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsl58A4.tmp\KillProcDLL.dll | Type: executable
MD5: 99F345CF51B6C3C317D20A81ACB11012
SHA256: C2689BA1F66066AFCE85CA6457ECD36370BE0FE351C58422E45EFD0948655C93
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 36
DNS requests: 23
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

(no PID) | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
(no PID) | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3544 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
4972 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4972 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

(no PID) | 192.168.100.255:137 | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2160 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(no PID) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(no PID) | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
(no PID) | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
5064 | SearchApp.exe | 2.23.209.179:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
1176 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.52.120.96
whitelisted
google.com
  • 216.58.212.174
whitelisted
www.bing.com
  • 2.23.209.179
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.185
  • 2.23.209.176
  • 2.23.209.140
  • 2.23.209.149
  • 2.23.209.187
  • 2.23.209.189
  • 2.16.110.121
  • 2.16.110.171
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.23
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.73
  • 40.126.31.67
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
Process | Message

CBibankAssit.exe | long = 0
CBibankAssit.exe | path = C:\Program Files (x86)\CBIbankAssit\CBibankAssit.exe
CBibankAssit.exe | chpath = C:\Program Files (x86)\CBIbankAssit\CBibankAssit.exe
CBibankAssit.exe | no start
EsWebSocketKit.exe | fontdrvhost.exe
EsWebSocketKit.exe | dwm.exe
EsWebSocketKit.exe | csrss.exe
EsWebSocketKit.exe | smss.exe
EsWebSocketKit.exe | fontdrvhost.exe
EsWebSocketKit.exe | firefox.exe