File name: AndroidSideloader (1).exe
Full analysis: https://app.any.run/tasks/b0d43a4d-4f7b-4477-9f9f-eb94894122ae
Verdict: Malicious activity
Analysis date: December 13, 2024, 21:32:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github, arch-exec, arch-doc, arch-html, rclone, tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 7217E01AE397FCA628AE75E48D5AFC01
SHA1: BD7785122291870BC118D81E215B9BC0B2FC7D06
SHA256: E7557E48EA1E5FAF1880FD50AAB3EC04A15A6A617EA65C090FF8A619B8FC3B22
SSDEEP: 98304:UcEQQLhicXQ+9nWuWqVM5XflB2bz14ZPQ:I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • AndroidSideloader (1).exe (PID: 6240)
    • Executable content was dropped or overwritten

      • AndroidSideloader (1).exe (PID: 6240)
      • 7z.exe (PID: 6776)
    • Drops 7-zip archiver for unpacking

      • AndroidSideloader (1).exe (PID: 6240)
    • RCLONE has been detected

      • rclone.exe (PID: 4520)
      • rclone.exe (PID: 4120)
      • rclone.exe (PID: 6212)
    • Application launched itself

      • adb.exe (PID: 7008)
  • INFO

    • Disables trace logs

      • AndroidSideloader (1).exe (PID: 6240)
    • Reads the machine GUID from the registry

      • AndroidSideloader (1).exe (PID: 6240)
    • Checks proxy server information

      • AndroidSideloader (1).exe (PID: 6240)
    • The process uses the downloaded file

      • AndroidSideloader (1).exe (PID: 6240)
    • Checks supported languages

      • AndroidSideloader (1).exe (PID: 6240)
      • 7z.exe (PID: 6876)
      • 7z.exe (PID: 6776)
      • adb.exe (PID: 6944)
      • adb.exe (PID: 7008)
      • adb.exe (PID: 7112)
      • rclone.exe (PID: 4520)
      • rclone.exe (PID: 4120)
      • rclone.exe (PID: 6212)
    • Reads the computer name

      • AndroidSideloader (1).exe (PID: 6240)
      • 7z.exe (PID: 6776)
      • 7z.exe (PID: 6876)
      • adb.exe (PID: 7112)
      • rclone.exe (PID: 4520)
      • rclone.exe (PID: 6212)
    • Creates files in a temporary directory

      • AndroidSideloader (1).exe (PID: 6240)
      • 7z.exe (PID: 6876)
      • adb.exe (PID: 7112)
    • The sample was compiled with English language support

      • 7z.exe (PID: 6776)
      • AndroidSideloader (1).exe (PID: 6240)
    • Reads the software policy settings

      • AndroidSideloader (1).exe (PID: 6240)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1%)
.exe | Win64 Executable (generic) (23.8%)
.dll | Win32 Dynamic Link Library (generic) (5.6%)
.exe | Win32 Executable (generic) (3.8%)
.exe | Generic Win/DOS Executable (1.7%)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2092:08:12 03:01:05+00:00 (not a real build time: deterministic .NET builds store a hash of the compilation inputs in the PE TimeDateStamp field, so this value must not be used for timeline analysis)
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 3984896
InitializedDataSize: 413184
UninitializedDataSize: -
EntryPoint: 0x3cec0e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Rookie Sideloader
CompanyName: Rookie.AndroidSideloader
FileDescription: AndroidSideloader
FileVersion: 2.0.0.0
InternalName: AndroidSideloader.exe
LegalCopyright: Copyright © 2020
LegalTrademarks: -
OriginalFileName: AndroidSideloader.exe
ProductName: AndroidSideloader
ProductVersion: 2.0.0.0
AssemblyVersion: 2.0.0.0
No data.
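The 2092 build date in the EXIF block above is the one field worth checking before any PE timestamp goes into a timeline. The following is an added example of mine, not code from the ANY.RUN report or from the Rookie Sideloader project: it reads the COFF TimeDateStamp straight out of the headers and classifies it. The minimal PE image it builds is constructed for the demonstration, and the raw value 0xE6A19271 is simply the Unix-epoch encoding of the report's 2092-08-12 03:01:05 UTC.

```python
"""Read a PE file's COFF TimeDateStamp and decide whether it can be used
as a build time. Added example, not code from the ANY.RUN report or the
Rookie Sideloader project; it parses the headers itself and needs no
third-party library."""
import struct
from datetime import datetime, timezone

# Deterministic .NET (Roslyn) builds do not store a build time in this
# field: they store a hash of the compilation inputs with the high bit
# set, so the value decodes to a date in 2038 or later (2092 here).
HIGH_BIT = 0x80000000
# Epoch encoding of the 2092-08-12 03:01:05+00:00 stamp shown in the report.
REPORT_STAMP = 0xE6A19271
# Analysis date from the report header.
ANALYSIS_DATE = datetime(2024, 12, 13, 21, 32, 35, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> int:
    """Return the raw 32-bit TimeDateStamp from the COFF file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def decode(stamp: int) -> datetime:
    """Decode the stamp as seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def classify_timestamp(stamp: int, analysis_time: datetime = ANALYSIS_DATE) -> str:
    """'zero' if unset, 'deterministic-hash' if the high bit is set,
    'future' if it still decodes past the analysis time, else 'plausible'."""
    if stamp == 0:
        return "zero"
    if stamp & HIGH_BIT:
        return "deterministic-hash"
    return "future" if decode(stamp) > analysis_time else "plausible"


def build_sample(stamp: int) -> bytes:
    """Constructed minimal image (DOS header, PE signature, COFF header)
    carrying the given stamp; only the fields the parser reads matter."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 3 sections (as in the report), stamp, no symbols,
    # 0xE0-byte optional header, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 3, stamp, 0, 0, 0xE0, 0x0122)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    image = build_sample(REPORT_STAMP)
    ts = pe_timestamp(image)
    print(hex(ts), decode(ts).isoformat(), classify_timestamp(ts))
```

Run it against a real file by replacing `build_sample(...)` with the file's bytes; a `deterministic-hash` result means the binary's age has to come from elsewhere (signing time, first-seen date, the dropped-file timestamps), not from the header.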
All screenshots are available in the full report
Total processes: 144
Monitored processes: 16
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes in the order the report draws them ("no specs" means the node carries no signature of its own; THREAT marks the nodes the sandbox flagged):
start, androidsideloader (1).exe, 7z.exe, conhost.exe (no specs), 7z.exe (no specs), conhost.exe (no specs), adb.exe (no specs), conhost.exe (no specs), adb.exe (no specs), conhost.exe (no specs), adb.exe (no specs), THREAT rclone.exe (no specs), THREAT rclone.exe (no specs), conhost.exe (no specs), conhost.exe (no specs), THREAT rclone.exe (no specs), conhost.exe (no specs)

Process information

PID: 6240
CMD: "C:\Users\admin\AppData\Local\Temp\AndroidSideloader (1).exe"
Path: C:\Users\admin\AppData\Local\Temp\AndroidSideloader (1).exe
Parent process: explorer.exe
User: admin
Company: Rookie.AndroidSideloader
Integrity Level: MEDIUM
Description: AndroidSideloader
Exit code: 4294967295 (0xFFFFFFFF, i.e. -1)
Version: 2.0.0.0
Loaded modules (images; the wow64*.dll entries show a 32-bit process running under WOW64):
c:\users\admin\appdata\local\temp\androidsideloader (1).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

PID: 6776
CMD: "7z.exe" x "C:\Users\admin\AppData\Local\Temp\dependencies.7z" -y -o"C:\RSL\platform-tools" -bsp1
Path: C:\Users\admin\AppData\Local\Temp\7z.exe
Parent process: AndroidSideloader (1).exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Standalone Console
Exit code: 0
Version: 23.01
Loaded modules (images):
c:\users\admin\appdata\local\temp\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6784
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7z.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6876
CMD: "7z.exe" x "C:\Users\admin\AppData\Local\Temp\rclone.zip" -y -o"C:\Users\admin\AppData\Local\Temp" -bsp1
Path: C:\Users\admin\AppData\Local\Temp\7z.exe
Parent process: AndroidSideloader (1).exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Standalone Console
Exit code: 0
Version: 23.01
Loaded modules (images):
c:\users\admin\appdata\local\temp\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6888
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7z.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6944
CMD: "C:\RSL\platform-tools\adb.exe" kill-server
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader (1).exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Loaded modules (images):
c:\rsl\platform-tools\adb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 6952
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: adb.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 7008
CMD: "C:\RSL\platform-tools\adb.exe" start-server
Path: C:\RSL\platform-tools\adb.exe
Parent process: AndroidSideloader (1).exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Loaded modules (images):
c:\rsl\platform-tools\adb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7016
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: adb.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 7112
CMD: adb -L tcp:5037 fork-server server --reply-fd 608
Path: C:\RSL\platform-tools\adb.exe
Parent process: adb.exe
User: admin
Integrity Level: MEDIUM
Exit code: none recorded (the adb server daemon was still running when the analysis ended)
Loaded modules (images):
c:\rsl\platform-tools\adb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 10 544
Read events: 10 530
Write events: 14
Delete events: 0

Modification events

All writes are by PID 6240, AndroidSideloader (1).exe.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AndroidSideloader (1)_RASAPI32
write EnableFileTracing = 0
write EnableAutoFileTracing = 0
write EnableConsoleTracing = 0
write FileTracingMask = (value not shown)
write ConsoleTracingMask = (value not shown)
write MaxFileSize = 1048576
write FileDirectory = %windir%\tracing

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\AndroidSideloader (1)_RASMANCS
write EnableFileTracing = 0
write EnableAutoFileTracing = 0
write EnableConsoleTracing = 0

These Tracing\<exe>_RASAPI32 and _RASMANCS keys are created by the RAS tracing initialisation the first time a process touches the Windows networking stack, and the zeros written here are the defaults. They are what the "Disables trace logs" signature above fires on, but on their own they are routine noise from a .NET application opening network connections, not evidence that the sample tampers with logging.
Executable files: 16
Suspicious files: 2
Text files: 17
Unknown types: 0

Dropped files

PID 6240, AndroidSideloader (1).exe: C:\Users\admin\AppData\Local\Temp\dependencies.7z (type not shown)
MD5: (not shown)
SHA256: (not shown)

PID 6240, AndroidSideloader (1).exe: C:\Users\admin\AppData\Local\Temp\CleanupInstall.cmd (text)
MD5: 90B4AFB2EAA57F8C8C2DD43EB9F3339E
SHA256: B3AC3DC1F31FC857A53A5670740EB9666682F03B0552EB1E4AE4E48A51DDC259

PID 6240, AndroidSideloader (1).exe: C:\Users\admin\AppData\Local\Temp\settings.json (binary)
MD5: 0F242917356505631FBC083BBDD88AB4
SHA256: 7641FC841919815AB250CAA8110CCB7BBCCFB9E989F3FB0D82C3BF8CE3EB039C

PID 6776, 7z.exe: C:\RSL\platform-tools\etc1tool.exe (executable)
MD5: 7E69E9643C14F5D64BF55407C77E58A1
SHA256: DCAA07F97F357564847D2375FD15C4E39CADB5DB0FC70C6BC971049B65AC646F

PID 6776, 7z.exe: C:\RSL\platform-tools\AdbWinApi.dll (executable)
MD5: D79A7C0A425F768FC9F9BCF2AA144D8F
SHA256: 1AD523231DE449AF3BA0E8664D3AF332F0C5CC4F09141691CA05E35368FA811A

PID 6776, 7z.exe: C:\RSL\platform-tools\fastboot.exe (executable)
MD5: 72CC783D50EEDD9646A9CB46B4A1AA88
SHA256: 7277F971C67F5A60142903FD461D7DD8F40D00A0287D2D06D292A0BAE8C27E36

PID 6776, 7z.exe: C:\RSL\platform-tools\hprof-conv.exe (executable)
MD5: 1952192783C64352A6C93F2562FAAA56
SHA256: 35D9734B4F8A0F82698578F3529E946C6FE21F70AE245ABA61AADE6B52CC6E14

PID 6240, AndroidSideloader (1).exe: C:\Users\admin\AppData\Local\Temp\debuglog.txt (text)
MD5: D85BF0E65B56BD56EFF7C62B8A43B85C
SHA256: 64F7E806BE24F936CB4CC20292CA606FF212D5B122E55F451A09815E155890CC

PID 6776, 7z.exe: C:\RSL\platform-tools\libwinpthread-1.dll (executable)
MD5: D7B17C4E12B60746F5524989D206B02A
SHA256: 8E20F1E118135BB70350E529ED03E4CE32B2D570EAA9FD98D9DECF6AFCAF6FBF

PID 6240, AndroidSideloader (1).exe: C:\Users\admin\AppData\Local\Temp\7z.dll (executable)
MD5: 71EBAC040D32560BB9D76A552A7CB986
SHA256: 1AA51AA9BB50B26BB652D9C442208DB76546286B0DB169C8882DE97D1117029D
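The dropped-file hashes above are the artefacts to hunt for on a host suspected of having run this sample. The following is an added example of mine, not code from the ANY.RUN report or the Rookie Sideloader project: it walks a directory tree, hashes every file and reports hash matches against the report's SHA256 values, falling back to a weaker name-only match for files the report lists without a hash (dependencies.7z) or whose content varies per run. Which entries count as the sideloader's own files rather than redistributed 7-Zip and Android platform-tools components is this example's own judgement, and the self-check directory it builds is constructed, not real data.

```python
"""Hunt a directory tree for the files this report lists under "Dropped
files". Added example, not part of the ANY.RUN report; the SHA256 values
are copied from the report, everything else is assumed."""
import hashlib
import sys
import tempfile
from pathlib import Path

# lower-case file name -> SHA256 (lower-case hex), copied from the report.
IOC_SHA256 = {
    "cleanupinstall.cmd": "b3ac3dc1f31fc857a53a5670740eb9666682f03b0552eb1e4ae4e48a51ddc259",
    "settings.json": "7641fc841919815ab250caa8110ccb7bbccfb9e989f3fb0d82c3bf8ce3eb039c",
    "etc1tool.exe": "dcaa07f97f357564847d2375fd15c4e39cadb5db0fc70c6bc971049b65ac646f",
    "adbwinapi.dll": "1ad523231de449af3ba0e8664d3af332f0c5cc4f09141691ca05e35368fa811a",
    "fastboot.exe": "7277f971c67f5a60142903fd461d7dd8f40d00a0287d2d06d292a0bae8c27e36",
    "hprof-conv.exe": "35d9734b4f8a0f82698578f3529e946c6fe21f70ae245aba61aade6b52cc6e14",
    "debuglog.txt": "64f7e806be24f936cb4cc20292ca606ff212d5b122e55f451a09815e155890cc",
    "libwinpthread-1.dll": "8e20f1e118135bb70350e529ed03e4ce32b2d570eaa9fd98d9decf6afcaf6fbf",
    "7z.dll": "1aa51aa9bb50b26bb652d9c442208db76546286b0db169c8882de97d1117029d",
}
# Listed in the report without a hash, so it can only be matched by name.
IOC_NAME_ONLY = {"dependencies.7z"}
# Example's own judgement: these are the sideloader's files; the rest are
# redistributed 7-Zip / platform-tools components that also exist on clean
# developer machines, so a hit on them alone is weak evidence.
SAMPLE_SPECIFIC = {"cleanupinstall.cmd", "settings.json", "debuglog.txt", "dependencies.7z"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA256 so large binaries do not load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def tier(name: str) -> str:
    return "sample-specific" if name in SAMPLE_SPECIFIC else "generic-tooling"


def hunt(root, ioc_sha256=IOC_SHA256, ioc_names=IOC_NAME_ONLY):
    """Return sorted (path, kind, ioc_name, tier) hits for files under root.
    kind is 'hash' for a SHA256 match, 'name-only' for a name match only."""
    by_hash = {h: n for n, h in ioc_sha256.items()}
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        name = path.name.lower()
        if digest in by_hash:
            hits.append((str(path), "hash", by_hash[digest], tier(by_hash[digest])))
        elif name in ioc_sha256 or name in ioc_names:
            hits.append((str(path), "name-only", name, tier(name)))
    return sorted(hits)


def self_check():
    """Run hunt() over a constructed tree: one file whose hash is injected
    into a copy of the IOC table, one that only shares a name, one unrelated.
    Returns the (kind, ioc_name, tier) part of each hit in path order."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        tools = root / "RSL" / "platform-tools"
        tools.mkdir(parents=True)
        planted = tools / "etc1tool.exe"
        planted.write_bytes(b"constructed stand-in, not the real binary")
        (root / "settings.json").write_bytes(b"{}")
        (root / "readme.txt").write_bytes(b"unrelated")
        iocs = {**IOC_SHA256, "etc1tool.exe": sha256_file(planted)}
        return [hit[1:] for hit in hunt(root, iocs)]


if __name__ == "__main__":
    for hit in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit)
```

On a live host start with C:\RSL and %TEMP%, the two directories the report shows being written; a `generic-tooling` hit without any `sample-specific` hit next to it usually means a developer's own platform-tools install rather than this sideloader.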
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 38
DNS requests: 21
Threats: 2

HTTP requests

(The report's Type and Size columns were empty for every row and are omitted; one row carried no PID or process name.)

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
(not shown) | (not shown) | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6148 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6148 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
396 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
396 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Every request in this table is an OCSP or CRL fetch by a Windows component (svchost.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, SIHClient.exe); none is attributed to the sample or to the tools it dropped. The sample's own outbound activity shows up only in the DNS section (github.com, raw.githubusercontent.com, google.com) and in the GitHub entry under Threats, so what it actually fetched has to be read from the PCAP in the full report.

Connections

(Rows without a PID or process name are shown as they appear in the report.)

PID | Process | IP:port | Domain | ASN | CN | Reputation
(not shown) | (not shown) | 192.168.100.255:137 | - | - | - | whitelisted
4308 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1480 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not shown) | (not shown) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.23.209.149:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
(not shown) | (not shown) | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
www.bing.com
  • 2.23.209.149
  • 2.23.209.133
  • 2.23.209.182
  • 2.23.209.140
whitelisted
google.com
  • 172.217.23.110
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.133
  • 20.190.160.14
  • 40.126.32.136
  • 20.190.160.20
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
github.com
  • 140.82.121.3
shared
raw.githubusercontent.com
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.109.133
shared

Threats

(Neither entry carries a PID or process name in the report.)

Class | Message
Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
Misc activity | ET INFO Observed ZeroSSL SSL/TLS Certificate

Debug output strings: No debug info