| File name: | Abantes.exe |
| Full analysis: | https://app.any.run/tasks/352a8fbb-2ba0-4b53-88a5-f7a86392b92d |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 24, 2021, 02:31:26 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | CD2E58136D3049E9BE40AE29F9250C93 |
| SHA1: | E97BEB8B87D130E5C5745981E3614ED6AA3CAAE3 |
| SHA256: | DAC4B5511343CF863832E38886AF8A3E1D55529648314EB02CC21FA3979F6419 |
| SSDEEP: | 49152:yi98eUDa7+tCg3e+zNWZjUDa7+tCg3e+zNWyUDa7+tCg3e+zNWR9Bh:yAC+7+p3ej2+7+p3ejh+7+p3ejDBh |
MALICIOUS
Changes the login/logoff helper path in the registry
- Abantes.exe (PID: 1484)
Task Manager has been disabled (taskmgr)
- Abantes.exe (PID: 1484)
UAC/LUA settings modification
- Abantes.exe (PID: 1484)
Changes Image File Execution Options
- Abantes.exe (PID: 1484)
Loads the Task Scheduler COM API
- Abantes.exe (PID: 1484)
SUSPICIOUS
Creates executable files which already exist in Windows
- Abantes.exe (PID: 1484)
Creates files in the Windows directory
- Abantes.exe (PID: 1484)
Drops a file that was compiled in debug mode
- Abantes.exe (PID: 1484)
Drops a file with too old compile date
- Abantes.exe (PID: 1484)
Executable content was dropped or overwritten
- Abantes.exe (PID: 1484)
Starts CMD.EXE for commands execution
- Abantes.exe (PID: 1484)
Uses ICACLS.EXE to modify access control list
- cmd.exe (PID: 3960)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| AssemblyVersion: | 2.0.0.163 |
|---|---|
| ProductVersion: | 2.0.0.163 |
| ProductName: | Abantes |
| OriginalFileName: | Abantes.exe |
| LegalTrademarks: | - |
| LegalCopyright: | Copyright 2018 |
| InternalName: | Abantes.exe |
| FileVersion: | 2.0.0.163 |
| FileDescription: | Abantes |
| CompanyName: | - |
| Comments: | Abantes Trojan |
| CharacterSet: | Unicode |
| LanguageCode: | Neutral |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 2.0.0.163 |
| FileVersionNumber: | 2.0.0.163 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 4 |
| ImageVersion: | - |
| OSVersion: | 4 |
| EntryPoint: | 0x2b274e |
| UninitializedDataSize: | - |
| InitializedDataSize: | 4608 |
| CodeSize: | 2820096 |
| LinkerVersion: | 48 |
| PEType: | PE32 |
| TimeStamp: | 2021:05:23 19:04:16+02:00 |
| MachineType: | Intel 386 or later, and compatibles |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 23-May-2021 17:04:16 |
| Comments: | Abantes Trojan |
| CompanyName: | - |
| FileDescription: | Abantes |
| FileVersion: | 2.0.0.163 |
| InternalName: | Abantes.exe |
| LegalCopyright: | Copyright 2018 |
| LegalTrademarks: | - |
| OriginalFilename: | Abantes.exe |
| ProductName: | Abantes |
| ProductVersion: | 2.0.0.163 |
| Assembly Version: | 2.0.0.163 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000080 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 3 |
| Time date stamp: | 23-May-2021 17:04:16 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00002000 | 0x002B0754 | 0x002B0800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.35724 |
.rsrc | 0x002B4000 | 0x00000FD8 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.98466 |
.reloc | 0x002B6000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 4.96446 | 3076 | UNKNOWN | UNKNOWN | RT_MANIFEST |
Imports
mscoree.dll |
Total processes
49
Monitored processes
8
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 888 | takeown /f logonui.exe | C:\Windows\System32\takeown.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Takes ownership of a file Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1216 | icacls "C:\Windows\System32\en-US" /granted admin:F /T /C | C:\Windows\System32\icacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1484 | "C:\Users\admin\Desktop\Abantes.exe" | C:\Users\admin\Desktop\Abantes.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Abantes Exit code: 0 Version: 2.0.0.163 Modules
| |||||||||||||||
| 2944 | takeown /f "C:\Windows\System32\en-US" /r /d y | C:\Windows\System32\takeown.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Takes ownership of a file Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3232 | "C:\Users\admin\Desktop\Abantes.exe" | C:\Users\admin\Desktop\Abantes.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Abantes Exit code: 3221226540 Version: 2.0.0.163 Modules
| |||||||||||||||
| 3772 | icacls logonui.exe /granted admin:F | C:\Windows\System32\icacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3896 | "C:\Windows\System32\shutdown.exe" /l /f | C:\Windows\System32\shutdown.exe | — | Abantes.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Shutdown and Annotation Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | |||||||||||||||
| 3960 | cmd /c ""C:\Windows\Defender\Action.bat"" | C:\Windows\system32\cmd.exe | — | Abantes.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
127
Read events
74
Write events
53
Delete events
0
Modification events
| (PID) Process: | (1484) Abantes.exe | Key: | HKEY_CURRENT_USER\Control Panel\Desktop |
| Operation: | write | Name: | WallpaperStyle |
Value: 2 | |||
| (PID) Process: | (1484) Abantes.exe | Key: | HKEY_CURRENT_USER\Control Panel\Desktop |
| Operation: | write | Name: | TileWallpaper |
Value: 0 | |||
| (PID) Process: | (1484) Abantes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon |
| Operation: | write | Name: | (default) |
Value: C:\Windows\Defender\icon.ico | |||
| (PID) Process: | (1484) Abantes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DefaultIcon |
| Operation: | write | Name: | (default) |
Value: C:\Windows\Defender\icon.ico | |||
| (PID) Process: | (1484) Abantes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | legalnoticecaption |
Value: Welcome To Hell | |||
| (PID) Process: | (1484) Abantes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | legalnoticetext |
Value: This Computer has been Infected by the Abantes Trojan. Hope You Enjoy. | |||
| (PID) Process: | (1484) Abantes.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Operation: | write | Name: | NoControlPanel |
Value: 1 | |||
| (PID) Process: | (1484) Abantes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
| Operation: | write | Name: | AutoRestartShell |
Value: 0 | |||
| (PID) Process: | (1484) Abantes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
| Operation: | write | Name: | Userinit |
Value: C:\Windows\System32\userinit.exe, C:\Windows\Defender\Abantes.exe | |||
| (PID) Process: | (1484) Abantes.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | EnableLUA |
Value: 0 | |||
Executable files
8
Suspicious files
1
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1484 | Abantes.exe | C:\Users\admin\AppData\Local\Temp\wallpaper.bmp | — | |
MD5:— | SHA256:— | |||
| 1484 | Abantes.exe | C:\Windows\Defender\cursor.cur | image | |
MD5:F45D84E471C87561676942F31167B952 | SHA256:B01930E8CFC1ECC9E2F3F7930D0999B32C928351BECB9ACEC227079730F466A6 | |||
| 1484 | Abantes.exe | C:\Windows\Defender\explorer.exe.mui | executable | |
MD5:39F1A6A8B713FCF30AFC03EA3C936F85 | SHA256:B69B61675531060D350A795A53568CCF19A146060CEBB659EBC658A0E8B27FC9 | |||
| 1484 | Abantes.exe | C:\Windows\Defender\Rules.exe | executable | |
MD5:A284FBA14CF7FA169CF0AEB86C65F30F | SHA256:AA783A55F119224D8A0A366E609142DE4DAB1EC09EA7D7CD470099FF41D3BAF0 | |||
| 1484 | Abantes.exe | C:\Windows\Defender\Payloads.dll | executable | |
MD5:1267609A5F26696613050A2DE89FE470 | SHA256:D6E77BC9B31AB9CEFE74C688349545908A633D0E09B80FAAECEF837565775B8E | |||
| 1484 | Abantes.exe | C:\Windows\Defender\LogonUi.exe | executable | |
MD5:9E61E83B1C53A8DF4A72BB5CE5A83EBD | SHA256:49876F744F58FA0665F902FB2761695C1EEE9F557299DDD9094C77EFE15CD0BA | |||
| 1484 | Abantes.exe | C:\Windows\Defender\Abantes.exe | executable | |
MD5:CD2E58136D3049E9BE40AE29F9250C93 | SHA256:DAC4B5511343CF863832E38886AF8A3E1D55529648314EB02CC21FA3979F6419 | |||
| 1484 | Abantes.exe | C:\Windows\Defender\authui.dll.mui | executable | |
MD5:A3A8FB6325F2F4FD31039775BE19A9A4 | SHA256:6BAF83C2C45F0E3A1A1DEDC799CCE6ADB766DABE25BAA847F9DD308AAE0218EB | |||
| 1484 | Abantes.exe | C:\Windows\Defender\logonOverwrite.bat | text | |
MD5:BD0EA10E01862B4ACC74371B340600D0 | SHA256:3359C3F847AF127E61D9857FD1F6D6C0AA50FC6ADDEED302513A651C04A28720 | |||
| 1484 | Abantes.exe | C:\Windows\Defender\icon.ico | image | |
MD5:42A701663704B77AA489A355F28273C1 | SHA256:FA1D8F98ACE197C7A40D3A73F84DC23FB447DA75BA067C2B10CCA59C4B5B2C1C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report