File name: putty.exe

Full analysis: https://app.any.run/tasks/7eaabc64-bdee-45ca-8a13-e148e830d3f9
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: November 15, 2023, 13:44:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5: E7637F78F9D76C02E1A8D13FD53DE0D4
SHA1: 83366A119391BC62C95AA295D279684924F20A79
SHA256: E3CA09965EDF62F810D4889F9650B4669791102332ED761769F0CA9DABED1908
SSDEEP: 3072:5II1MZdE9yBLKiuMxt7aw35kzI5LwpkeELqDFu48:5eI9ypAINwAq5D8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • putty.exe (PID: 3416)
    • Steals credentials

      • putty.exe (PID: 3416)
    • Steals credentials from Web Browsers

      • putty.exe (PID: 3416)
    • Actions look like stealing of personal data

      • putty.exe (PID: 3416)
  • SUSPICIOUS

    • Reads the Internet Settings

      • putty.exe (PID: 3416)
      • cmd.exe (PID: 3856)
    • Reads security settings of Internet Explorer

      • putty.exe (PID: 3416)
    • Reads settings of System Certificates

      • putty.exe (PID: 3416)
    • Checks Windows Trust Settings

      • putty.exe (PID: 3416)
    • Searches for installed software

      • putty.exe (PID: 3416)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • putty.exe (PID: 3416)
    • Starts CMD.EXE for command execution

      • putty.exe (PID: 3416)
  • INFO

    • Checks supported languages

      • putty.exe (PID: 3416)
      • wmpnscfg.exe (PID: 3472)
    • Reads the computer name

      • putty.exe (PID: 3416)
      • wmpnscfg.exe (PID: 3472)
    • Checks proxy server information

      • putty.exe (PID: 3416)
    • Reads the machine GUID from the registry

      • putty.exe (PID: 3416)
      • wmpnscfg.exe (PID: 3472)
    • Creates files or folders in the user directory

      • putty.exe (PID: 3416)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3472)
    • Creates files in a temporary directory

      • putty.exe (PID: 3416)
    • Reads product name

      • putty.exe (PID: 3416)
    • Reads Environment values

      • putty.exe (PID: 3416)
    • Reads CPU info

      • putty.exe (PID: 3416)
    • Creates files in the program directory

      • putty.exe (PID: 3416)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.3)
.dll | Win32 Dynamic Link Library (generic) (14.1)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:15 10:39:31+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.28
CodeSize: 13312
InitializedDataSize: 171520
UninitializedDataSize: 512
EntryPoint: 0x12e0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows command line
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive version in the full report): start > putty.exe; wmpnscfg.exe (no specs); cmd.exe (no specs)

Process information

PID: 3416
CMD: "C:\Users\admin\AppData\Local\Temp\putty.exe"
Path: C:\Users\admin\AppData\Local\Temp\putty.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\putty.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 3472
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll

PID: 3856
CMD: "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\BAAAKJDAAF.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: putty.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 6 906
Read events: 6 871
Write events: 32
Delete events: 3

Modification events

(PID) Process: (3416) putty.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3416) putty.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3416) putty.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3416) putty.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3416) putty.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3416) putty.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3416) putty.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3416) putty.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3416) putty.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3472) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D3F3D443-DD53-4575-A60E-ECF1FFA09FFA}\{294F2636-B7C2-4639-A969-01DE1BDDC4D1}
Operation: delete key
Name: (default)
Value: (none)
Executable files: 1
Suspicious files: 14
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3416 | putty.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\3XS9I8JI.txt | text
MD5: D90E206AB44BE9BD4606537DA1644F52
SHA256: AB1772ED12EF39C3E7B92E3326CF79DD771B7DD598C3906E0C35058687C802EA
3416 | putty.exe | C:\Users\admin\AppData\Local\Temp\Cab7A45.tmp | compressed
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
3416 | putty.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
MD5: F3441B8572AAE8801C04F3060B550443
SHA256: 6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
3416 | putty.exe | C:\Users\admin\AppData\Local\Temp\Tar7A46.tmp | binary
MD5: 9441737383D21192400ECA82FDA910EC
SHA256: BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5
3416 | putty.exe | C:\ProgramData\AKKECAFB | binary
MD5: FBD34F0AB5E3F18371CF71395F40C3C5
SHA256: 17C9F4CB0FA71685013A864174352D87B1FE35CC3F3B499DF92EEDA3ABB8F862
3416 | putty.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\sqlite3[1].dll | executable
MD5: 1F44D4D3087C2B202CF9C90EE9D04B0F
SHA256: 4841020C8BD06B08FDE6E44CBE2E2AB33439E1C8368E936EC5B00DC0584F7260
3416 | putty.exe | C:\ProgramData\JDHIEBFHCAKEHIDGHCBAKKKJEG | binary
MD5: C944D26D2618E307D10F2C8AD90613E4
SHA256: EE55F8E332F3AF11C9D30638B11EB9E7F214DC32BA4E15EBF2CDAE9CB86D05FF
3416 | putty.exe | C:\ProgramData\AEGIJKEH | binary
MD5: F47EB60CDF981C17722D0CE740129927
SHA256: 0210071DF12CA42D70DCB679926668AE072264705AC139A24F94BBC5A129DD8F
3416 | putty.exe | C:\ProgramData\DBFHDBGIEBFIIDGCBFBK | binary
MD5: 52E51471E9281235323F633CD0DEA56C
SHA256: 147F3137B387FE4FBE3215B7864568404580A799D031009FE9C718F4C2EF87D0
3416 | putty.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
HTTP(S) requests: 2
TCP/UDP connections: 28
DNS requests: 2
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3416 | putty.exe | GET | 200 | 95.101.54.105:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?53c5d9a427bedfcd | unknown | compressed | 4.66 Kb | unknown
3416 | putty.exe | GET | 200 | 95.101.54.105:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c7e50a7e320509f2 | unknown | compressed | 61.6 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3416 | putty.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3416 | putty.exe | 116.203.7.211:443 | - | Hetzner Online GmbH | DE | unknown
3416 | putty.exe | 95.101.54.105:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
t.me | 149.154.167.99 | whitelisted
ctldl.windowsupdate.com | 95.101.54.105, 95.101.54.113 | whitelisted

Threats

PID | Process | Class | Message
3416 | putty.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
1 ETPRO signature is available in the full report
No debug info