File name:

dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced

Full analysis: https://app.any.run/tasks/1bba8de9-41df-486f-9d53-224ecc9b9c1a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 13, 2025, 11:53:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
twodash
loader
storm-0156
turla
confuser
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

CD33AEC04E4CFF8396D335CCF9195E5A

SHA1:

3CF3E17E55675A47EFD10D2D88B05E0A53BBE3B5

SHA256:

DBBF8108FD14478AE05D3A3A6AABC242BFF6AF6EB1E93CBEAD4F5A23C3587CED

SSDEEP:

3072:J43fRO7ZnCMM+jurqydKTQ/d3fEdMNwxMlHv7pmVt2kmoY75+XFi4JMOthpBWl//:J4pYCN+jur3dMFVt00Vi4RnpB253Oi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • TWODASH has been detected

      • dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe (PID: 3128)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe (PID: 3128)

    • Starts a Microsoft application from unusual location

      • dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe (PID: 3128)

    • Connects to unusual port

      • dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe (PID: 3128)

  • INFO

    • Checks supported languages

      • dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe (PID: 3128)

    • Reads the machine GUID from the registry

      • dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe (PID: 3128)

    • The sample compiled with english language support

      • dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe (PID: 3128)

    • Reads the computer name

      • dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe (PID: 3128)

    • Sends debugging messages

      • dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe (PID: 3128)

    • Confuser has been detected (YARA)

      • dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe (PID: 3128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:07:14 00:18:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.12
CodeSize: 49664
InitializedDataSize: 110080
UninitializedDataSize: -
EntryPoint: 0x15cd
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2001.12.8530.1
ProductVersionNumber: 2001.12.8530.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Media Foundation Protected Pipeline EXE
FileVersion: 2001.12.8530.1
InternalName: mfpmpe.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: mfpmpe.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 2001.12.8530.1
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe

Process information

PID
CMD
Path
Indicators
Parent process
3128"C:\Users\admin\Desktop\dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe" C:\Users\admin\Desktop\dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Media Foundation Protected Pipeline EXE
Version:
2001.12.8530.1
Modules
Images
c:\users\admin\desktop\dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
490
Read events
490
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3128dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exeC:\Users\admin\AppData\Local\Temp\Tmp574C.tmpbinary
MD5:76FA37687302DEA5ED4142925080EA8B
SHA256:C2D5C114B30D13BE57E6679CAB50767F3E942FCB93A79759B03D1EEE01785F36
3128dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\8596739b0d8bdf6073d43ecd34c3c73f_bb926e54-e3ca-40fd-ae90-2764341e7792binary
MD5:DDA611AF5CDCF0F3E39EE6B9CC5601A7
SHA256:B3B72EF2E425EA5F9F2A83D24E022792BD480EB1A03798C94308808F55CCDDF1
3128dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exeC:\Users\admin\AppData\Local\Temp\Tmp56BE.tmpbinary
MD5:76FA37687302DEA5ED4142925080EA8B
SHA256:C2D5C114B30D13BE57E6679CAB50767F3E942FCB93A79759B03D1EEE01785F36
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
36
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6988
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6224
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6988
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5064
SearchApp.exe
2.23.227.198:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
3128
dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe
91.205.105.146:9443
connectotels.net
RELIABLESITE
US
malicious

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
  • 2.16.164.43
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 142.250.186.78
whitelisted
www.bing.com
  • 2.23.227.198
  • 2.23.227.199
  • 2.23.227.208
  • 2.23.227.221
  • 2.23.227.215
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
connectotels.net
  • 91.205.105.146
malicious
login.live.com
  • 20.190.159.75
  • 40.126.31.69
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.2
  • 20.190.159.68
  • 40.126.31.73
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted

Threats

No threats detected
Process
Message
dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced.exe
------------------------ 1
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced