File name: blogar-129.rar_493413.exe

Full analysis: https://app.any.run/tasks/6c4f6f9a-197e-4faa-bbfe-d183b51c7fcb
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 29, 2024, 16:47:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7DCDE8CE9C29B7960594F56896BB093E
SHA1: F0A180D1D4C37AD694CDD5007476ED94D396F0FB
SHA256: E2872C560E8EA1A5DA8223CBC2610A3B45183E62DDBCEABF42B9C38F2CB43194
SSDEEP: 98304:oYHkf+ckHsD3pccveJBv8bDD+k9MA2VRePblDHDogHEf6eCsb5+DOdNhZx1Se9rp:eS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
    • Searches for installed software

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
    • Reads security settings of Internet Explorer

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
    • Reads the date of Windows installation

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
    • Application launched itself

      • blogar-129.rar_493413.exe (PID: 4008)
    • Executable content was dropped or overwritten

      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
    • Drops 7-zip archiver for unpacking

      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
    • Creates/Modifies COM task schedule object

      • WealthdSoft.exe (PID: 6120)
    • Creates a software uninstall entry

      • WealthdSoft.exe (PID: 6120)
    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 4920)
    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 4920)
  • INFO

    • Checks supported languages

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
      • default-browser-agent.exe (PID: 4920)
    • Reads the computer name

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
    • Process checks computer location settings

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
    • The process uses the downloaded file

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
    • Creates files in the program directory

      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
    • Application launched itself

      • firefox.exe (PID: 7048)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:08 17:24:50+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 10433024
InitializedDataSize: 695296
UninitializedDataSize: -
EntryPoint: 0x9680d2
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Wealth Soft Team Solutions
LegalCopyright: © 2022
FileDescription: Wealth Soft
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
OriginalFileName: WealthSoft.exe
ProductName: WealthSoft
No data.
All screenshots are available in the full report
Total processes: 124
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph: blogar-129.rar_493413.exe (no specs), blogar-129.rar_493413.exe, wealthdsoft.exe, default-browser-agent.exe (no specs), firefox.exe (no specs), firefox.exe (no specs)

Process information

Each entry lists PID, CMD, Path, Indicators and Parent process, followed by user, company, integrity level, exit code, version and the first loaded modules.
PID: 4008
CMD: "C:\Users\admin\Desktop\blogar-129.rar_493413.exe"
Path: C:\Users\admin\Desktop\blogar-129.rar_493413.exe
Parent process: explorer.exe
User: admin
Company: Wealth Soft Team Solutions
Integrity Level: MEDIUM
Description: Wealth Soft
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\blogar-129.rar_493413.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 4920
CMD: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB"
Path: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Parent process: svchost.exe
User: admin
Company: Mozilla Foundation
Integrity Level: MEDIUM
Exit code: 2147500037
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\default-browser-agent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 6120
CMD: "C:\Program Files (x86)\WealthnifSoft\WealthdSoft.exe"
Path: C:\Program Files (x86)\WealthnifSoft\WealthdSoft.exe
Parent process: blogar-129.rar_493413.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Installer
Exit code: 0
Version: 22.01
Modules (images):
c:\program files (x86)\wealthnifsoft\wealthdsoft.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 6620
CMD: "C:\Users\admin\Desktop\blogar-129.rar_493413.exe" ==ful
Path: C:\Users\admin\Desktop\blogar-129.rar_493413.exe
Parent process: blogar-129.rar_493413.exe
User: admin
Company: Wealth Soft Team Solutions
Integrity Level: HIGH
Description: Wealth Soft
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\blogar-129.rar_493413.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 7048
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: default-browser-agent.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 3
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
PID: 7140
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 3
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events: 4 641
Read events: 4 597
Write events: 44
Delete events: 0

Modification events

(PID 4008) blogar-129.rar_493413.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID 4008) blogar-129.rar_493413.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID 4008) blogar-129.rar_493413.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID 4008) blogar-129.rar_493413.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(PID 6620) blogar-129.rar_493413.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID 6620) blogar-129.rar_493413.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
(PID 6620) blogar-129.rar_493413.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
(PID 6620) blogar-129.rar_493413.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
(PID 6120) WealthdSoft.exe | Key: HKEY_CURRENT_USER\SOFTWARE\7-Zip | Operation: write | Name: Path64 | Value: C:\Program Files\7-Zip\
(PID 6120) WealthdSoft.exe | Key: HKEY_CURRENT_USER\SOFTWARE\7-Zip | Operation: write | Name: Path | Value: C:\Program Files\7-Zip\
Executable files: 10
Suspicious files: 7
Text files: 99
Unknown types: 0

Dropped files

PID | Process | Filename | Type (MD5 and SHA256 of each dropped file follow on the next two lines)
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\bn.txt | text
MD5:D0E788F64268D15B4391F052B1F4B18A
SHA256:216CC780E371DC318C8B15B84DE8A5EC0E28F712B3109A991C8A09CDDAA2A81A
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\da.txt | text
MD5:D8ABA2DA47C1031832957B75A6524737
SHA256:F65026AE33D4302A7EF06A856F6F062C9730100F5A87D5C00FB3FEAF5FCD5805
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\bg.txt | text
MD5:833AFB4F88FDB5F48245C9B65577DC19
SHA256:4DCABCC8AB8069DB79143E4C62B6B76D2CF42666A09389EACFC35074B61779E3
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\br.txt | text
MD5:C2EB67D788756BE5ECAA0A8CFB3D1E0B
SHA256:0F6BF6749C42C844980DB32EE56CADC987CE245EF650BC7D626D56468A7CBE6A
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\co.txt | text
MD5:8E9EBA50A1FD7469D183A3CF4E806BB3
SHA256:0F485681C606F422F6EB7311A1F151873B47EED2832A129C2550B868E6610CD9
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\cy.txt | text
MD5:0F5662A68805D859F871EDC07E766A57
SHA256:931DE741A6C8F1348A946623776FE36C55DD2FC384C7B1478225F7467853199E
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\cs.txt | text
MD5:641B90F9AEDFC68486D0D20B40F7ECA6
SHA256:87A4B9369FD51D76C9032C0E65C3C6221659E086798829072785BE589E55B839
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\af.txt | text
MD5:FBBE51ACB879B525CC6B19D386697924
SHA256:3793FB69EE9FD958CF15A272B1ED54E4B3D75592836EBCD085DC0E7B1400D1CB
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\descript.ion | text
MD5:EB7E322BDC62614E49DED60E0FB23845
SHA256:1DA513F5A4E8018B9AE143884EB3EAF72454B606FD51F2401B7CFD9BE4DBBF4F
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\de.txt | text
MD5:40AE22F5BCBEAB6F622771562D584F2B
SHA256:06E5265A2B30807296480DC0B0D3A27E41F1381D61229E4EB239C4930D14A43E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 16
DNS requests: 5
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 104.26.10.237:443 | https://roaringsoftware.com/F4F2E8F9F2E5A1FC/37414802171/4A493CD7C631E10E/72495006408?52C6EB30C240D08A1724950064 | unknown | text | 32 b | -
- | - | GET | 200 | 104.26.11.237:443 | https://roaringsoftware.com/094904951BFBEEE2/35793164111/EEEC2D3DAB300FED/72495006640?084ADB00EFF1354C1724950066 | unknown | executable | 1.50 Mb | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
6620 | blogar-129.rar_493413.exe | 104.26.11.237:443 | roaringsoftware.com | CLOUDFLARENET | US | unknown
4316 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 216.58.206.46 | whitelisted
roaringsoftware.com | 104.26.11.237, 172.67.72.183, 104.26.10.237 | unknown

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2 ETPRO signatures available at the full report
No debug info