analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

00f4a1f42c4f14b3abaac3aba9f3e96a

Full analysis: https://app.any.run/tasks/5a0aca3f-4a6e-4f13-9025-cf1e3350420e
Verdict: Malicious activity
Analysis date: March 31, 2023, 20:04:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

00F4A1F42C4F14B3ABAAC3ABA9F3E96A

SHA1:

D03C6F1FDD55BAF30EF75B388619182E48F0B6F6

SHA256:

E5AF7DF2863F9E16ACAB231850B56FB62421FB7F4E25A6FB1D04A25EFD302DB6

SSDEEP:

6144:SEqvWowyGiLdzcDWDYjR6q0u7jij2uBw6aBUqMrGQPA:YPwWdGR6ejij2uyn2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the Internet Settings

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • Reads settings of System Certificates

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • Checks Windows Trust Settings

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • Reads security settings of Internet Explorer

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • Executable content was dropped or overwritten

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • Process requests binary or script from the Internet

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
  • INFO

    • Reads the computer name

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • Checks proxy server information

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • Reads the machine GUID from the registry

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • Checks supported languages

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • The process checks LSA protection

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • Creates files or folders in the user directory

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
    • Create files in a temporary directory

      • 00f4a1f42c4f14b3abaac3aba9f3e96a.exe (PID: 1616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductName: Imba
LegalCopyright: Copyright (C) 2023, shmaer
InternalName: GodGuest
FilesVersion: 19.62.99
CharacterSet: Unknown (01F2)
LanguageCode: Manipuri
FileSubtype: -
ObjectFileType: Unknown
FileOS: Unknown (0x20461)
FileFlags: (none)
FileFlagsMask: 0x121a
ProductVersionNumber: 26.0.0.0
FileVersionNumber: 2.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x60b0
UninitializedDataSize: -
InitializedDataSize: 494592
CodeSize: 242176
LinkerVersion: 9
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2022:01:05 13:19:49+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Jan-2022 13:19:49
Detected languages:
  • Spanish - Mexico
Debug artifacts:
  • C:\wic namufehod82.pdb
FilesVersion: 19.62.99
InternalName: GodGuest
LegalCopyright: Copyright (C) 2023, shmaer
ProductName: Imba

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 05-Jan-2022 13:19:49
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0003B15C
0x0003B200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.7352
.data
0x0003D000
0x0006F69C
0x00003000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.22017
.rsrc
0x000AD000
0x000070C8
0x00007200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.87064
.reloc
0x000B5000
0x000021FA
0x00002200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
3.89755

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.34304
460
UNKNOWN
UNKNOWN
RT_VERSION
2
5.75964
2216
UNKNOWN
Spanish - Mexico
RT_ICON
3
4.93378
1736
UNKNOWN
Spanish - Mexico
RT_ICON
4
5.88563
1384
UNKNOWN
Spanish - Mexico
RT_ICON
5
5.20052
9640
UNKNOWN
Spanish - Mexico
RT_ICON
6
5.43051
4264
UNKNOWN
Spanish - Mexico
RT_ICON
7
5.57964
2440
UNKNOWN
Spanish - Mexico
RT_ICON
8
5.56173
1128
UNKNOWN
Spanish - Mexico
RT_ICON
22
3.13936
412
UNKNOWN
UNKNOWN
RT_STRING
23
3.22078
620
UNKNOWN
UNKNOWN
RT_STRING

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
USER32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
28
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 00f4a1f42c4f14b3abaac3aba9f3e96a.exe

Process information

PID
CMD
Path
Indicators
Parent process
1616"C:\Users\admin\AppData\Local\Temp\00f4a1f42c4f14b3abaac3aba9f3e96a.exe" C:\Users\admin\AppData\Local\Temp\00f4a1f42c4f14b3abaac3aba9f3e96a.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\00f4a1f42c4f14b3abaac3aba9f3e96a.exe
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\msvcrt.dll
Total events
1 692
Read events
1 658
Write events
34
Delete events
0

Modification events

(PID) Process:(1616) 00f4a1f42c4f14b3abaac3aba9f3e96a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1616) 00f4a1f42c4f14b3abaac3aba9f3e96a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000008B000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1616) 00f4a1f42c4f14b3abaac3aba9f3e96a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1616) 00f4a1f42c4f14b3abaac3aba9f3e96a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1616) 00f4a1f42c4f14b3abaac3aba9f3e96a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1616) 00f4a1f42c4f14b3abaac3aba9f3e96a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1616) 00f4a1f42c4f14b3abaac3aba9f3e96a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1616) 00f4a1f42c4f14b3abaac3aba9f3e96a.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1616) 00f4a1f42c4f14b3abaac3aba9f3e96a.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
4
Suspicious files
8
Text files
0
Unknown types
4

Dropped files

PID
Process
Filename
Type
161600f4a1f42c4f14b3abaac3aba9f3e96a.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:46700A7C7008C8A4BB066908E450F37F
SHA256:725D9044499E39E7BF49032E2CB72C9F3FD869D8C064F4417939CD63CFF0B279
161600f4a1f42c4f14b3abaac3aba9f3e96a.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCCbinary
MD5:29A82AE90894C94B52AAF5609C613F04
SHA256:3C570CF71BCCAB31928CF969F6243773F155AB51B396CA3EEF68011147437BFF
161600f4a1f42c4f14b3abaac3aba9f3e96a.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCCder
MD5:E4A68AC854AC5242460AFD72481B2A44
SHA256:CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F
161600f4a1f42c4f14b3abaac3aba9f3e96a.exeC:\Users\admin\AppData\Local\Temp\TarB780.tmpcat
MD5:BE2BEC6E8C5653136D3E72FE53C98AA3
SHA256:1919AAB2A820642490169BDC4E88BD1189E22F83E7498BF8EBDFB62EC7D843FD
161600f4a1f42c4f14b3abaac3aba9f3e96a.exeC:\Users\admin\AppData\Local\Temp\CabB77F.tmpcompressed
MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
161600f4a1f42c4f14b3abaac3aba9f3e96a.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
161600f4a1f42c4f14b3abaac3aba9f3e96a.exeC:\Users\admin\AppData\Local\Temp\rAQBc8\dxwebsetup.exeexecutable
MD5:2CBD6AD183914A0C554F0739069E77D7
SHA256:2CF71D098C608C56E07F4655855A886C3102553F648DF88458DF616B26FD612F
161600f4a1f42c4f14b3abaac3aba9f3e96a.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\dxwebsetup[1].exeexecutable
MD5:2CBD6AD183914A0C554F0739069E77D7
SHA256:2CF71D098C608C56E07F4655855A886C3102553F648DF88458DF616B26FD612F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
4
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1616
00f4a1f42c4f14b3abaac3aba9f3e96a.exe
GET
302
23.35.228.223:80
http://download.microsoft.com/download/1/7/1/1718CCC4-6315-4D8E-9543-8E28A4E18C4C/dxwebsetup.exe
US
whitelisted
1616
00f4a1f42c4f14b3abaac3aba9f3e96a.exe
GET
200
192.229.221.95:80
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
US
der
914 b
whitelisted
1616
00f4a1f42c4f14b3abaac3aba9f3e96a.exe
GET
200
67.27.233.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?93ba203b454fa379
US
compressed
61.1 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1616
00f4a1f42c4f14b3abaac3aba9f3e96a.exe
192.229.221.95:80
cacerts.digicert.com
EDGECAST
US
whitelisted
1616
00f4a1f42c4f14b3abaac3aba9f3e96a.exe
23.35.228.223:80
download.microsoft.com
AKAMAI-AS
DE
malicious
1616
00f4a1f42c4f14b3abaac3aba9f3e96a.exe
23.35.228.223:443
download.microsoft.com
AKAMAI-AS
DE
malicious
1616
00f4a1f42c4f14b3abaac3aba9f3e96a.exe
67.27.233.254:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious

DNS requests

Domain
IP
Reputation
download.microsoft.com
  • 23.35.228.223
whitelisted
cacerts.digicert.com
  • 192.229.221.95
whitelisted
ctldl.windowsupdate.com
  • 67.27.233.254
  • 8.241.9.254
  • 8.238.30.126
  • 67.27.157.254
  • 67.26.75.254
whitelisted

Threats

PID
Process
Class
Message
1616
00f4a1f42c4f14b3abaac3aba9f3e96a.exe
Potential Corporate Privacy Violation
AV POLICY HTTP request for .exe file with no User-Agent
1616
00f4a1f42c4f14b3abaac3aba9f3e96a.exe
Unknown Traffic
ET JA3 Hash - [Abuse.ch] Possible Tofsee
No debug info