File name: | Purple Bit - Linkvertise Downloader_kCHx-K1.exe |
Full analysis: | https://app.any.run/tasks/56ef1ff3-cbcd-4717-82cb-a962534b56d8 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | October 05, 2022, 05:44:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | CDC432222C4365D28E17521565387064 |
SHA1: | 41E716ABA50EE0CD10DB20FEBC8F3A160305E3AC |
SHA256: | E6DE6CAB2E7845B05CE76A32566DC5C023C1029CE2956A29F55BF5254FC0693E |
SSDEEP: | 98304:cSiF6hoXOWZ3lsuUxqxgWphviLx137O5M:zoXOM1ughC7SM |
.exe | | | Inno Setup installer (67.7) |
---|---|---|
.exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
.exe | | | Win32 Executable (generic) (2.7) |
.exe | | | Win16/32 Executable Delphi generic (1.2) |
.exe | | | Generic Win/DOS Executable (1.2) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2021-Jun-03 08:09:11 |
Detected languages: |
|
Comments: | This installation was built with Inno Setup. |
CompanyName: | - |
FileDescription: | Linkvertise GmbH & Co. KG |
FileVersion: | 2.0.0.15 |
LegalCopyright: | - |
OriginalFileName: | - |
ProductName: | Linkvertise GmbH & Co. KG |
ProductVersion: | 2.0.0.15 |
e_magic: | MZ |
---|---|
e_cblp: | 80 |
e_cp: | 2 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | 15 |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | 26 |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 256 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 10 |
TimeDateStamp: | 2021-Jun-03 08:09:11 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 734748 | 735232 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.35606 |
.itext | 741376 | 5768 | 6144 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.97275 |
.data | 749568 | 14244 | 14336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.0444 |
.bss | 765952 | 28136 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.idata | 794624 | 3894 | 4096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.8987 |
.didata | 798720 | 420 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.75636 |
.edata | 802816 | 154 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.87222 |
.tls | 806912 | 24 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rdata | 811008 | 93 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.38389 |
.rsrc | 815104 | 472684 | 473088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.9711 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.53418 | 74792 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 3.30061 | 19496 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 4.23227 | 3752 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 4.59583 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 5.29635 | 1736 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 4.32066 | 1384 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 3.50817 | 270376 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 4.33111 | 67624 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 5.37856 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
10 | 5.68979 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
advapi32.dll |
comctl32.dll |
kernel32.dll |
kernel32.dll (delay-loaded) |
netapi32.dll |
oleaut32.dll |
user32.dll |
version.dll |
Title | Ordinal | Address |
---|---|---|
dbkFCallWrapperAddr | 1 | 779836 |
__dbk_fcall_wrapper | 2 | 53408 |
TMethodImplementationIntercept | 3 | 344160 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
892 | "C:\Users\admin\AppData\Local\Temp\Purple Bit - Linkvertise Downloader_kCHx-K1.exe" | C:\Users\admin\AppData\Local\Temp\Purple Bit - Linkvertise Downloader_kCHx-K1.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Integrity Level: MEDIUM Description: Linkvertise GmbH & Co. KG Exit code: 0 Version: 2.0.0.15 Modules
| |||||||||||||||
4048 | "C:\Users\admin\AppData\Local\Temp\is-15NSU.tmp\Purple Bit - Linkvertise Downloader_kCHx-K1.tmp" /SL5="$20138,3586129,1235456,C:\Users\admin\AppData\Local\Temp\Purple Bit - Linkvertise Downloader_kCHx-K1.exe" | C:\Users\admin\AppData\Local\Temp\is-15NSU.tmp\Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | — | Purple Bit - Linkvertise Downloader_kCHx-K1.exe | |||||||||||
User: admin Company: Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
872 | "C:\Users\admin\AppData\Local\Temp\Purple Bit - Linkvertise Downloader_kCHx-K1.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138 | C:\Users\admin\AppData\Local\Temp\Purple Bit - Linkvertise Downloader_kCHx-K1.exe | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | ||||||||||||
User: admin Company: Integrity Level: HIGH Description: Linkvertise GmbH & Co. KG Exit code: 0 Version: 2.0.0.15 Modules
| |||||||||||||||
520 | "C:\Users\admin\AppData\Local\Temp\is-JS0LH.tmp\Purple Bit - Linkvertise Downloader_kCHx-K1.tmp" /SL5="$2013A,3586129,1235456,C:\Users\admin\AppData\Local\Temp\Purple Bit - Linkvertise Downloader_kCHx-K1.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138 | C:\Users\admin\AppData\Local\Temp\is-JS0LH.tmp\Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | Purple Bit - Linkvertise Downloader_kCHx-K1.exe | ||||||||||||
User: admin Company: Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
2668 | "C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\prod0_extract\cookie_mmm_irs_ppi_902_451_o.exe" /silent /ws /psh:92pTtLC14DkVy5lBWvVWtPJdxYeFPEST4YHLBQw4ZiK3L6AyyrLPOtogzAJTzRnQHJSjsEPUSOqtRc | C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\prod0_extract\cookie_mmm_irs_ppi_902_451_o.exe | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | ||||||||||||
User: admin Company: AVG Technologies CZ, s.r.o. Integrity Level: HIGH Description: AVG Antivirus Installer Version: 2.1.1279.0 Modules
| |||||||||||||||
2904 | "C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\prod1_extract\avg_secure_browser_setup.exe" /s /run_source=avg_ads_is_control /is_pixel_psh=BjYV4UAYr8qpCK5eFBRftbAHWgNIDkSkHNfbkYNHwJD1NUGawKuE6MTYA1fLdqjZtzUiqrIJHcFVtH0 /make-default | C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\prod1_extract\avg_secure_browser_setup.exe | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | ||||||||||||
User: admin Integrity Level: HIGH Description: AVG Secure Browser Setup Version: 8.3.1.4932 Modules
| |||||||||||||||
3908 | "C:\Program Files\Internet Explorer\iexplore.exe" https://rentry.co/yp9zm | C:\Program Files\Internet Explorer\iexplore.exe | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2332 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3908 CREDAT:275457 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2888 | "C:\Windows\Temp\asw.daff02292c355969\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTtLC14DkVy5lBWvVWtPJdxYeFPEST4YHLBQw4ZiK3L6AyyrLPOtogzAJTzRnQHJSjsEPUSOqtRc /cookie:mmm_irs_ppi_902_451_o /ga_clientid:0bd8de41-dc2f-4078-9383-f73f315604a4 /edat_dir:C:\Windows\Temp\asw.daff02292c355969 | C:\Windows\Temp\asw.daff02292c355969\avg_antivirus_free_setup.exe | cookie_mmm_irs_ppi_902_451_o.exe | ||||||||||||
User: admin Company: AVG Technologies CZ, s.r.o. Integrity Level: HIGH Description: AVG Antivirus Version: 22.9.7554.0 Modules
| |||||||||||||||
1064 | "C:\Windows\Temp\asw.9df8a55a6b1b87ea\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.9df8a55a6b1b87ea /edition:15 /prod:ais /guid:e4ec6b25-ded4-4807-b36f-3f14fbbfb545 /ga_clientid:0bd8de41-dc2f-4078-9383-f73f315604a4 /silent /ws /psh:92pTtLC14DkVy5lBWvVWtPJdxYeFPEST4YHLBQw4ZiK3L6AyyrLPOtogzAJTzRnQHJSjsEPUSOqtRc /cookie:mmm_irs_ppi_902_451_o /ga_clientid:0bd8de41-dc2f-4078-9383-f73f315604a4 /edat_dir:C:\Windows\Temp\asw.daff02292c355969 | C:\Windows\Temp\asw.9df8a55a6b1b87ea\instup.exe | avg_antivirus_free_setup.exe | ||||||||||||
User: admin Company: AVG Technologies CZ, s.r.o. Integrity Level: HIGH Description: AVG Antivirus Installer Version: 22.9.7554.0 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
520 | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\is-OKI72.tmp | compressed | |
MD5:C2F7E5F946CF2F9DBCD32253757BDAAC | SHA256:5DBC52B1BB048E5E04BC5950F1058A823C2D0D02D3877C7A4B879793EA27073F | |||
520 | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\prod1 | compressed | |
MD5:C2F7E5F946CF2F9DBCD32253757BDAAC | SHA256:5DBC52B1BB048E5E04BC5950F1058A823C2D0D02D3877C7A4B879793EA27073F | |||
892 | Purple Bit - Linkvertise Downloader_kCHx-K1.exe | C:\Users\admin\AppData\Local\Temp\is-15NSU.tmp\Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | executable | |
MD5:06E087E48E6D73EFD7F353855AACB570 | SHA256:9A0815E309DB4D6FEEBF90CE5E91CC78892B2016DCBE07FD436AFD655477320D | |||
872 | Purple Bit - Linkvertise Downloader_kCHx-K1.exe | C:\Users\admin\AppData\Local\Temp\is-JS0LH.tmp\Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | executable | |
MD5:06E087E48E6D73EFD7F353855AACB570 | SHA256:9A0815E309DB4D6FEEBF90CE5E91CC78892B2016DCBE07FD436AFD655477320D | |||
520 | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\prod0 | compressed | |
MD5:3306273378D0D40FC1E6F28E3F52DD37 | SHA256:3D70BA97A68A00EFA090F26B70F30ABE0EE3172B711F2C446FD3782806B2C353 | |||
520 | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\AVG_BRW.png | image | |
MD5:0B4FA89D69051DF475B75CA654752EF6 | SHA256:60A9085CEA2E072D4B65748CC71F616D3137C1F0B7EED4F77E1B6C9E3AA78B7E | |||
520 | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\is-3010D.tmp | image | |
MD5:5EF5291810C454A35F76D976105F37CC | SHA256:03E69E8C87732C625DF2F628AC63BD145268F9DEA9C5F3DD3670B1CF349A995C | |||
520 | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\prod0.zip | compressed | |
MD5:3306273378D0D40FC1E6F28E3F52DD37 | SHA256:3D70BA97A68A00EFA090F26B70F30ABE0EE3172B711F2C446FD3782806B2C353 | |||
520 | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\AVG_AV.png | image | |
MD5:5EF5291810C454A35F76D976105F37CC | SHA256:03E69E8C87732C625DF2F628AC63BD145268F9DEA9C5F3DD3670B1CF349A995C | |||
520 | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | C:\Users\admin\AppData\Local\Temp\is-84F91.tmp\prod1.zip | compressed | |
MD5:C2F7E5F946CF2F9DBCD32253757BDAAC | SHA256:5DBC52B1BB048E5E04BC5950F1058A823C2D0D02D3877C7A4B879793EA27073F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3908 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
2332 | iexplore.exe | GET | 200 | 2.16.218.170:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgOzJpQ%2FGujoyQ4OpCfBtBDStQ%3D%3D | unknown | der | 503 b | shared |
2332 | iexplore.exe | GET | 200 | 23.45.105.185:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted |
2332 | iexplore.exe | GET | 200 | 67.27.235.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?996670185c6dcf7b | US | compressed | 60.9 Kb | whitelisted |
2668 | cookie_mmm_irs_ppi_902_451_o.exe | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | US | — | — | whitelisted |
2668 | cookie_mmm_irs_ppi_902_451_o.exe | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | US | — | — | whitelisted |
2904 | avg_secure_browser_setup.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
1064 | instup.exe | GET | 200 | 2.22.146.136:80 | http://s8784910.iavs9x.avg.u.avcdn.net/avg/iavs9x/servers.def.vpx | GB | binary | 1.36 Kb | suspicious |
2332 | iexplore.exe | GET | 200 | 67.27.235.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d78716e20aef36f8 | US | compressed | 60.9 Kb | whitelisted |
1064 | instup.exe | GET | 200 | 2.22.146.136:80 | http://k8136955.iavs9x.avg.u.avcdn.net/avg/iavs9x/prod-pgm.vpx | GB | binary | 572 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2888 | avg_antivirus_free_setup.exe | 142.250.187.110:80 | www.google-analytics.com | GOOGLE | US | whitelisted |
2904 | avg_secure_browser_setup.exe | 67.27.235.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
2904 | avg_secure_browser_setup.exe | 104.22.64.125:443 | stats.avgbrowser.com | CLOUDFLARENET | — | unknown |
2668 | cookie_mmm_irs_ppi_902_451_o.exe | 34.117.223.223:80 | v7event.stats.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown |
2332 | iexplore.exe | 67.27.235.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
2332 | iexplore.exe | 107.189.8.5:443 | rentry.co | PONYNET | LU | unknown |
520 | Purple Bit - Linkvertise Downloader_kCHx-K1.tmp | 99.86.1.227:443 | d2khbwcectqqex.cloudfront.net | AMAZON-02 | US | unknown |
2668 | cookie_mmm_irs_ppi_902_451_o.exe | 142.250.187.110:80 | www.google-analytics.com | GOOGLE | US | whitelisted |
2888 | avg_antivirus_free_setup.exe | 34.117.223.223:443 | v7event.stats.avast.com | GOOGLE-CLOUD-PLATFORM | US | unknown |
2668 | cookie_mmm_irs_ppi_902_451_o.exe | 2.16.107.98:80 | iavs9x.avg.u.avcdn.net | Akamai International B.V. | DE | suspicious |
Domain | IP | Reputation |
---|---|---|
d2khbwcectqqex.cloudfront.net |
| suspicious |
iavs9x.avg.u.avcdn.net |
| whitelisted |
v7event.stats.avast.com |
| whitelisted |
www.google-analytics.com |
| whitelisted |
stats.avgbrowser.com |
| suspicious |
rentry.co |
| suspicious |
ctldl.windowsupdate.com |
| whitelisted |
v7event.stats.avcdn.net |
| whitelisted |
analytics.ff.avast.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2668 | cookie_mmm_irs_ppi_902_451_o.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2920 | AVGBrowserUpdate.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
Process | Message |
---|---|
instup.exe | [2022-10-05 05:45:26.997] [error ] [shepsync ] [ 4004: 3860] [F13050: 194] Exception: WinHttpSendRequest failed. WinHTTP error code: 12175. 'A security error occurred'
Code: 0x00002f8f (12175)
|
avg_antivirus_free_setup.exe | [2022-10-05 05:45:27.997] [error ] [sfxstats ] [ 2888: 1700] [7997C7: 153] Unable to send statistics with error 0x00002f8f (Unable to send statistics!)
|
instup.exe | [2022-10-05 05:45:48.060] [error ] [shepsync ] [ 4004: 3860] [F13050: 194] Exception: CURL request failed (https://shepherd.avcdn.net/). CURL error code: 28. Timeout was reached. Failed to connect to shepherd.avcdn.net port 443 after 526 ms: Timed out
Code: 0x0000001c (28)
|