File name: blogar-129.rar_493413.exe

Full analysis: https://app.any.run/tasks/6c4f6f9a-197e-4faa-bbfe-d183b51c7fcb
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 29, 2024, 16:47:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7DCDE8CE9C29B7960594F56896BB093E
SHA1: F0A180D1D4C37AD694CDD5007476ED94D396F0FB
SHA256: E2872C560E8EA1A5DA8223CBC2610A3B45183E62DDBCEABF42B9C38F2CB43194
SSDEEP: 98304:oYHkf+ckHsD3pccveJBv8bDD+k9MA2VRePblDHDogHEf6eCsb5+DOdNhZx1Se9rp:eS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
    • Drops the executable file immediately after the start

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
    • Searches for installed software

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
    • Reads the date of Windows installation

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
    • Application launched itself

      • blogar-129.rar_493413.exe (PID: 4008)
    • Drops 7-zip archiver for unpacking

      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
    • Executable content was dropped or overwritten

      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
    • Creates a software uninstall entry

      • WealthdSoft.exe (PID: 6120)
    • Creates/Modifies COM task schedule object

      • WealthdSoft.exe (PID: 6120)
    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 4920)
    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 4920)
  • INFO

    • Checks supported languages

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
      • default-browser-agent.exe (PID: 4920)
    • The process uses the downloaded file

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
    • Reads the computer name

      • blogar-129.rar_493413.exe (PID: 6620)
      • blogar-129.rar_493413.exe (PID: 4008)
      • WealthdSoft.exe (PID: 6120)
    • Process checks computer location settings

      • blogar-129.rar_493413.exe (PID: 4008)
      • blogar-129.rar_493413.exe (PID: 6620)
    • Creates files in the program directory

      • blogar-129.rar_493413.exe (PID: 6620)
      • WealthdSoft.exe (PID: 6120)
    • Application launched itself

      • firefox.exe (PID: 7048)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:08 17:24:50+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 10433024
InitializedDataSize: 695296
UninitializedDataSize: -
EntryPoint: 0x9680d2
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Wealth Soft Team Solutions
LegalCopyright: © 2022
FileDescription: Wealth Soft
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
OriginalFileName: WealthSoft.exe
ProductName: WealthSoft
No data.
All screenshots are available in the full report
Total processes: 124
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph:
  • start
  • blogar-129.rar_493413.exe (no specs)
  • blogar-129.rar_493413.exe
  • wealthdsoft.exe
  • default-browser-agent.exe (no specs)
  • firefox.exe (no specs)
  • firefox.exe (no specs)

Process information

PID: 4008
CMD: "C:\Users\admin\Desktop\blogar-129.rar_493413.exe"
Path: C:\Users\admin\Desktop\blogar-129.rar_493413.exe
Parent process: explorer.exe
User: admin
Company: Wealth Soft Team Solutions
Integrity Level: MEDIUM
Description: Wealth Soft
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\desktop\blogar-129.rar_493413.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\ole32.dll

PID: 4920
CMD: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB"
Path: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Parent process: svchost.exe
User: admin
Company: Mozilla Foundation
Integrity Level: MEDIUM
Exit code: 2147500037
Version: 123.0
Modules (images):
  c:\program files\mozilla firefox\default-browser-agent.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\ole32.dll

PID: 6120
CMD: "C:\Program Files (x86)\WealthnifSoft\WealthdSoft.exe"
Path: C:\Program Files (x86)\WealthnifSoft\WealthdSoft.exe
Parent process: blogar-129.rar_493413.exe
User: admin
Company: Igor Pavlov
Integrity Level: HIGH
Description: 7-Zip Installer
Exit code: 0
Version: 22.01
Modules (images):
  c:\program files (x86)\wealthnifsoft\wealthdsoft.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\ole32.dll

PID: 6620
CMD: "C:\Users\admin\Desktop\blogar-129.rar_493413.exe" ==ful
Path: C:\Users\admin\Desktop\blogar-129.rar_493413.exe
Parent process: blogar-129.rar_493413.exe
User: admin
Company: Wealth Soft Team Solutions
Integrity Level: HIGH
Description: Wealth Soft
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\desktop\blogar-129.rar_493413.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\ole32.dll

PID: 7048
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: default-browser-agent.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 3
Version: 123.0
Modules (images):
  c:\program files\mozilla firefox\firefox.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ucrtbase.dll
  c:\program files\mozilla firefox\msvcp140.dll
  c:\program files\mozilla firefox\vcruntime140.dll
  c:\program files\mozilla firefox\vcruntime140_1.dll
  c:\program files\mozilla firefox\mozglue.dll
  c:\windows\system32\crypt32.dll

PID: 7140
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask defaultagent do-task 308046B0AF4A39CB
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 3
Version: 123.0
Modules (images):
  c:\program files\mozilla firefox\firefox.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ucrtbase.dll
  c:\program files\mozilla firefox\mozglue.dll
  c:\windows\system32\crypt32.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\msvcp140.dll
  c:\windows\system32\vcruntime140.dll
Total events: 4 641
Read events: 4 597
Write events: 44
Delete events: 0

Modification events

PID 4008, blogar-129.rar_493413.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: ProxyBypass, Value: 1
PID 4008, blogar-129.rar_493413.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: IntranetName, Value: 1
PID 4008, blogar-129.rar_493413.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: UNCAsIntranet, Value: 1
PID 4008, blogar-129.rar_493413.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: AutoDetect, Value: 0
PID 6620, blogar-129.rar_493413.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: ProxyBypass, Value: 1
PID 6620, blogar-129.rar_493413.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: IntranetName, Value: 1
PID 6620, blogar-129.rar_493413.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: UNCAsIntranet, Value: 1
PID 6620, blogar-129.rar_493413.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: AutoDetect, Value: 0
PID 6120, WealthdSoft.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\7-Zip
  Operation: write, Name: Path64, Value: C:\Program Files\7-Zip\
PID 6120, WealthdSoft.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\7-Zip
  Operation: write, Name: Path, Value: C:\Program Files\7-Zip\
Executable files: 10
Suspicious files: 7
Text files: 99
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\7-zip.chm | binary
  MD5: 34208890A28244903621CD32CC3FBDFC
  SHA256: 4B6939646570C9DDB5BFD39B8503EED99D8C64337E72F6DD4F9DDCFB4AC76703
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\ca.txt | text
  MD5: 1657720023A267B5B625DE17BF292299
  SHA256: ED8748DA8FA99DB775FF621D3E801E2830E6C04DA42C0B701095580191A700A6
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\af.txt | text
  MD5: FBBE51ACB879B525CC6B19D386697924
  SHA256: 3793FB69EE9FD958CF15A272B1ED54E4B3D75592836EBCD085DC0E7B1400D1CB
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\History.txt | text
  MD5: B1206A5ABF93BC64601A3CAA2DFF47D4
  SHA256: 24A8A7C00F0BB8AC3096F58F53BD47FA392B8D220C1C43D372100BD692C68E5F
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\be.txt | text
  MD5: 3C21135144AC7452E7DB66F0214F9D68
  SHA256: D095879B8BBC67A1C9875C5E9896942BACF730BD76155C06105544408068C59E
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\ast.txt | text
  MD5: 1F86AE235BC747A279C9E9EC72675CE4
  SHA256: 8FCD1B8CE6FED05F406C4B81AEA821132800BC494D3FD6F42A4258A81F8998EC
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\an.txt | text
  MD5: BF8564B2DAD5D2506887F87AEE169A0A
  SHA256: 0E8DD119DFA6C6C1B3ACA993715092CDF1560947871092876D309DBC1940A14A
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\ar.txt | text
  MD5: 1C45E6A6ECB3B71A7316C466B6A77C1C
  SHA256: 972261B53289DE2BD8A65E787A6E7CD6DEFC2B5F7E344128F2FE0492ED30CCF1
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\az.txt | text
  MD5: 81B732A8B4206FB747BFBFE524DDE192
  SHA256: CAEC460E73BD0403C2BCDE7E773459BEA9112D1BFACBE413D4F21E51A5762BA6
6120 | WealthdSoft.exe | C:\Program Files\7-Zip\Lang\co.txt | text
  MD5: 8E9EBA50A1FD7469D183A3CF4E806BB3
  SHA256: 0F485681C606F422F6EB7311A1F151873B47EED2832A129C2550B868E6610CD9
HTTP(S) requests: 2
TCP/UDP connections: 16
DNS requests: 5
Threats: 3

HTTP requests

Method: GET
HTTP Code: 200
IP: 104.26.11.237:443
URL: https://roaringsoftware.com/094904951BFBEEE2/35793164111/EEEC2D3DAB300FED/72495006640?084ADB00EFF1354C1724950066
CN: unknown
Type: executable
Size: 1.50 Mb
Reputation: unknown

Method: GET
HTTP Code: 200
IP: 104.26.10.237:443
URL: https://roaringsoftware.com/F4F2E8F9F2E5A1FC/37414802171/4A493CD7C631E10E/72495006408?52C6EB30C240D08A1724950064
CN: unknown
Type: text
Size: 32 b
Reputation: unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
6620 | blogar-129.rar_493413.exe | 104.26.11.237:443 | roaringsoftware.com | CLOUDFLARENET | US | unknown
4316 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 216.58.206.46 | whitelisted
roaringsoftware.com | 104.26.11.237, 172.67.72.183, 104.26.10.237 | unknown

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2 ETPRO signatures available at the full report
No debug info