analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d

Full analysis: https://app.any.run/tasks/920ae0df-c422-4f31-9b52-fef9f93329d7
Verdict: Malicious activity
Analysis date: December 06, 2018, 08:20:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

C47B4AD0C8F869C9F1EA9250DD1F9666

SHA1:

132F808D4C6E7818B5E0866FA5FFEE1D76F32D96

SHA256:

DF747E0FCA43337DF68D9F74703CAA9375C996BBFA32D27D4B2CA0FCA264163D

SSDEEP:

24576:hd09Gmemf0zDyPFo5zxuH1TnoKInSsieUcgIwVdNNfNdiX7pkuk01dkJ5V+1T:Pycmf0zDyPC5QtynSrBIwVFfNdIHk9o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Email Access Online.exe (PID: 2880)

    • Loads dropped or rewritten executable

      • df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe (PID: 3124)

    • Connects to CnC server

      • Email Access Online.exe (PID: 2880)

    • Changes the autorun value in the registry

      • df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe (PID: 3124)

  • SUSPICIOUS

    • Reads internet explorer settings

      • Email Access Online.exe (PID: 2880)

    • Starts Internet Explorer

      • Email Access Online.exe (PID: 2880)

    • Creates a software uninstall entry

      • df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe (PID: 3124)
      • Email Access Online.exe (PID: 2880)

    • Reads Internet Cache Settings

      • Email Access Online.exe (PID: 2880)

    • Executable content was dropped or overwritten

      • df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe (PID: 3124)

  • INFO

    • Creates files in the user directory

      • IEXPLORE.EXE (PID: 3964)

    • Changes internet zones settings

      • IEXPLORE.EXE (PID: 3516)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 3964)

    • Application launched itself

      • IEXPLORE.EXE (PID: 3516)

    • Reads Internet Cache Settings

      • IEXPLORE.EXE (PID: 3964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 2.29.0.33
ProductName: Desktop Search Bar
OriginalFileName: SBInstaller
LegalCopyright: (c) 2018 Springtech Ltd
FileVersion: 2.29.0.33
FileDescription: Desktop web search
CompanyName: Springtech Ltd
CharacterSet: ASCII
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 2.29.0.33
FileVersionNumber: 2.29.0.33
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x33b6
UninitializedDataSize: 2048
InitializedDataSize: 147968
CodeSize: 25088
LinkerVersion: 6
PEType: PE32
TimeStamp: 2018:10:17 10:31:53+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 17-Oct-2018 08:31:53
Detected languages:
  • English - United States
CompanyName: Springtech Ltd
FileDescription: Desktop web search
FileVersion: 2.29.0.33
LegalCopyright: (c) 2018 Springtech Ltd
OriginalFilename: SBInstaller
ProductName: Desktop Search Bar
ProductVersion: 2.29.0.33

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 17-Oct-2018 08:31:53
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000615D
0x00006200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.45023
.rdata
0x00008000
0x000013A4
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.163
.data
0x0000A000
0x00020338
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.9824
.ndata
0x0002B000
0x00026000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00051000
0x000100D6
0x00010200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.39237

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.29536
1058
UNKNOWN
English - United States
RT_MANIFEST
2
4.95971
9640
UNKNOWN
English - United States
RT_ICON
3
5.17657
4264
UNKNOWN
English - United States
RT_ICON
4
6.06862
3752
UNKNOWN
English - United States
RT_ICON
5
6.38338
2216
UNKNOWN
English - United States
RT_ICON
6
6.0562
1384
UNKNOWN
English - United States
RT_ICON
7
5.85803
1128
UNKNOWN
English - United States
RT_ICON
103
2.71858
104
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.73893
514
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe email access online.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3124"C:\Users\admin\AppData\Local\Temp\df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe" C:\Users\admin\AppData\Local\Temp\df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe
explorer.exe
User:
admin
Company:
Springtech Ltd
Integrity Level:
MEDIUM
Description:
Desktop web search
Exit code:
0
Version:
2.29.0.33
2880"C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe" /firstrunC:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe
df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exe
User:
admin
Company:
Springtech LTD
Integrity Level:
MEDIUM
Description:
Desktop web search
Version:
2.29.0.33
3516"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.hemailaccessonline.com/s?uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&uc=20181017&source=-lp0-bb8-sbe&i_id=email_&ap=appfocus1C:\Program Files\Internet Explorer\IEXPLORE.EXE
Email Access Online.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3964"C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:3516 CREDAT:71937C:\Program Files\Internet Explorer\IEXPLORE.EXE
IEXPLORE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
957
Read events
868
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
5
Text files
42
Unknown types
4

Dropped files

PID
Process
Filename
Type
3124df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exeC:\Users\admin\AppData\Local\Temp\nsyAB29.tmp
MD5:
SHA256:
2880Email Access Online.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\main_ie8[1]text
MD5:1018C9C6FF69776EB1031BEC3D8AECF3
SHA256:27C6FAC028CB01F770FC2DEF97A460258DF3A2F5133688AF505AE5AE2F914048
3124df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exeC:\Users\admin\Desktop\Email Access Online .lnklnk
MD5:0770689FCFD4ABE7834ABB2EBF813CB3
SHA256:A7F455B35B68F50F3A192992CED873878FB8BC79428852CE697544C01492F9CD
2880Email Access Online.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\style[1]text
MD5:72C0ABC6A8296A73C14ED3456719A9CB
SHA256:378DD789A9CF11C9F37F7AF09A757EADAA6CE5E4FDB6011967B91DC497C729E2
2880Email Access Online.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\search-icon[1]image
MD5:E18A6B3FC11627FFA3BA5C171081848B
SHA256:E769F0760FF57F31E91F200FC5EB59E0ECB48A4B3C28A2900456D494E2573424
2880Email Access Online.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\ie9[1]text
MD5:85FD7403A7A1E90E2DF9D2756E1D377C
SHA256:4495395B2FD5156C70D40E647F9A25783A35318620F99E8AFEC0055A4F5CEEF9
2880Email Access Online.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\Sprite_Email_V6[1]image
MD5:591F7CD841ECDADD0F1A2438A0C9D015
SHA256:0D64481D7083A2E6B45AFDC8E225DAA3F1B68BE94C1F91706CA54F4DAA5DE0E0
2880Email Access Online.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\gradient[1]image
MD5:BCD14445C27EBF520276A7947F4D7B63
SHA256:A71055FDD6C65B0B6BBCCA16BA9E8BC0143782C83F71D4EC4BF4EB2DB227CA0A
3124df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d.exeC:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exeexecutable
MD5:8052003E500E26D2C4C0659CF06FC246
SHA256:2908A84AA26483BCACCB06F6F2C8F9C97A70ED45927DF43DD48F04CAA16F6DD0
2880Email Access Online.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\down-arrow[1]image
MD5:372B2C407C53DF9BA6786554EC116863
SHA256:C3C07C543AED147214592C2B2AF636DCA5586DE86AB6E7D37D25D6AE422E5763
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
23
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2880
Email Access Online.exe
GET
200
158.85.63.182:80
http://getsearchbar.com/Content/kits/rotate_strings.json?_=1544084503418
US
text
401 b
suspicious
3964
IEXPLORE.EXE
GET
200
205.185.216.10:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.2 Kb
whitelisted
3964
IEXPLORE.EXE
GET
302
52.20.188.76:80
http://results.hemailaccessonline.com/?uc=20181017&ap=appfocus1&source=-lp0-bb8-sbe&uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&i_id=email_1&page=newtab
US
html
287 b
malicious
3964
IEXPLORE.EXE
GET
302
52.20.188.76:80
http://results.hemailaccessonline.com/s?uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&uc=20181017&source=-lp0-bb8-sbe&i_id=email_&ap=appfocus1
US
html
249 b
malicious
2880
Email Access Online.exe
GET
404
158.85.63.182:80
http://getsearchbar.com/Content/kits/SBVersion.json?distSubId3=2.29.0.33
US
html
215 b
suspicious
2880
Email Access Online.exe
GET
200
172.217.168.34:80
http://pagead2.googlesyndication.com/pagead/js/r20180910/r20180604/show_ads_impl.js
US
text
74.5 Kb
whitelisted
2880
Email Access Online.exe
GET
200
52.0.149.84:80
http://imp.hemailaccessonline.com/impression.do?event=ex_installed&useragent=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F64.0.3282.140%20Safari%2F537.36%20Edge%2F17.17134&user_id=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&source=-lp0-bb8-sbe&traffic_source=appfocus1&subid=20181017&implementation_id=email_
US
image
109 b
malicious
2880
Email Access Online.exe
GET
200
52.0.149.84:80
http://imp.hemailaccessonline.com/impression.do?event=sbe_alive&useragent=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F64.0.3282.140%20Safari%2F537.36%20Edge%2F17.17134&user_id=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&source=-lp0-bb8-sbe&traffic_source=appfocus1&subid=20181017&implementation_id=email_&subid2=2.29.0.33
US
image
109 b
malicious
3964
IEXPLORE.EXE
GET
200
52.222.146.67:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
3516
IEXPLORE.EXE
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3516
IEXPLORE.EXE
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3964
IEXPLORE.EXE
205.185.216.10:80
www.download.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
2880
Email Access Online.exe
172.217.168.34:80
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
3964
IEXPLORE.EXE
52.222.146.67:80
x.ss2.us
Amazon.com, Inc.
US
unknown
2880
Email Access Online.exe
158.85.63.182:80
getsearchbar.com
SoftLayer Technologies Inc.
US
unknown
2880
Email Access Online.exe
52.0.149.84:80
imp.hemailaccessonline.com
Amazon.com, Inc.
US
malicious
3964
IEXPLORE.EXE
52.20.188.76:443
results.hemailaccessonline.com
Amazon.com, Inc.
US
unknown
2880
Email Access Online.exe
172.217.168.34:443
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
3964
IEXPLORE.EXE
52.20.188.76:80
results.hemailaccessonline.com
Amazon.com, Inc.
US
unknown
3964
IEXPLORE.EXE
34.228.95.247:443
pushible.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
getsearchbar.com
  • 158.85.63.182
suspicious
imp.hemailaccessonline.com
  • 52.0.149.84
  • 34.230.251.181
unknown
pagead2.googlesyndication.com
  • 172.217.168.34
whitelisted
googleads.g.doubleclick.net
  • 172.217.168.34
whitelisted
results.hemailaccessonline.com
  • 52.20.188.76
  • 52.1.180.135
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
x.ss2.us
  • 52.222.146.67
  • 52.222.146.119
  • 52.222.146.120
  • 52.222.146.93
whitelisted
www.download.windowsupdate.com
  • 205.185.216.10
  • 205.185.216.10
  • 205.185.216.42
  • 205.185.216.10
whitelisted
d3ff8olul1r3ot.cloudfront.net
  • 52.222.146.165
  • 52.222.146.115
  • 52.222.146.103
  • 52.222.146.90
shared
www.gstatic.com
  • 172.217.168.35
whitelisted

Threats

PID
Process
Class
Message
2880
Email Access Online.exe
A Network Trojan was detected
SC ADWARE Adware.Spigot / Win32/Adware.BrowserIO - C&C checkin
2880
Email Access Online.exe
A Network Trojan was detected
SC ADWARE Adware.Spigot / Win32/Adware.BrowserIO - C&C checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
df747e0fca43337df68d9f74703caa9375c996bbfa32d27d4b2ca0fca264163d