File name: bec522c3d290276b6a4cf9f6ab480061.vir

Full analysis: https://app.any.run/tasks/b7f7cb26-05f5-466f-8e20-ca514b834298
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim's machine to stealing data and files, as well as dropping other malware. The core functionality of each trojan family can therefore differ significantly. The most common trojan infection chain starts with a phishing email.

Analysis date: August 04, 2021, 21:10:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: BEC522C3D290276B6A4CF9F6AB480061
SHA1: 62A64C21B4D249C6A05B76502F17212EC753CDD6
SHA256: EA3C83CA175D6F5C43902E9BA904D0985590BE4475EE6D053967DF72A3D1DA55
SSDEEP: 49152:jrowpetmi5N2f9kg0pSnj86XEmAjXCO74MrGqmGrR:bpeFN2f9kFShNotvsGrR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after start
      • bec522c3d290276b6a4cf9f6ab480061.vir.exe (PID: 3220)
    • Actions look like stealing of personal data
      • bec22c3d290276b6a4cf9f6ab480061.vir.exe (PID: 1540)
  • SUSPICIOUS
    • Reads the computer name
      • bec522c3d290276b6a4cf9f6ab480061.vir.exe (PID: 3220)
      • bec22c3d290276b6a4cf9f6ab480061.vir.exe (PID: 1540)
    • Checks supported languages
      • bec522c3d290276b6a4cf9f6ab480061.vir.exe (PID: 3220)
      • bec22c3d290276b6a4cf9f6ab480061.vir.exe (PID: 1540)
    • Creates files in the user directory
      • bec522c3d290276b6a4cf9f6ab480061.vir.exe (PID: 3220)
    • Creates files in the Windows directory
      • bec522c3d290276b6a4cf9f6ab480061.vir.exe (PID: 3220)
      • bec22c3d290276b6a4cf9f6ab480061.vir.exe (PID: 1540)
    • Removes files from the Windows directory
      • bec522c3d290276b6a4cf9f6ab480061.vir.exe (PID: 3220)
      • bec22c3d290276b6a4cf9f6ab480061.vir.exe (PID: 1540)
    • Executable content was dropped or overwritten
      • bec522c3d290276b6a4cf9f6ab480061.vir.exe (PID: 3220)
      • bec22c3d290276b6a4cf9f6ab480061.vir.exe (PID: 1540)
    • Changes the start page of IE
      • bec22c3d290276b6a4cf9f6ab480061.vir.exe (PID: 1540)
    • Creates or modifies Windows services
      • bec22c3d290276b6a4cf9f6ab480061.vir.exe (PID: 1540)
  • INFO
    • Reads the hosts file
      • bec22c3d290276b6a4cf9f6ab480061.vir.exe (PID: 1540)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x3af28f
UninitializedDataSize: -
InitializedDataSize: 1015296
CodeSize: 300032
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 2012:10:09 07:16:32+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-Oct-2012 05:16:32
Detected languages:
  • Chinese - PRC

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 10
Time date stamp: 09-Oct-2012 05:16:32
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 0x00001000 | 0x000492E8 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0
DATA | 0x0004B000 | 0x000EC5C8 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
BSS | 0x00138000 | 0x00000DA5 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.idata | 0x00139000 | 0x000012CC | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.tls | 0x0013B000 | 0x0000000C | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rdata | 0x0013C000 | 0x00000018 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0
.vmp0 | 0x0013D000 | 0x000A154D | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.vmp1 | 0x001DF000 | 0x001DD14D | 0x001DD200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.86279
.reloc | 0x003BD000 | 0x000000B4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 1.84467
.rsrc | 0x003BE000 | 0x000010BD | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 5.46735

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.95651 | 349 | UNKNOWN | Chinese - PRC | RT_MANIFEST
2 | 6.15332 | 2216 | UNKNOWN | Chinese - PRC | RT_ICON
MAINICON | 2.32824 | 34 | UNKNOWN | Chinese - PRC | RT_GROUP_ICON

Imports

advapi32.dll
kernel32.dll
ntdll.dll
oleaut32.dll
shell32.dll
user32.dll
wsock32.dll
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start → bec522c3d290276b6a4cf9f6ab480061.vir.exe → bec22c3d290276b6a4cf9f6ab480061.vir.exe; bec522c3d290276b6a4cf9f6ab480061.vir.exe (no specs)

Process information

PID: 1540
CMD: "C:\Users\admin\AppData\Roaming\RxFAxSF\bec22c3d290276b6a4cf9f6ab480061.vir.exe"
Path: C:\Users\admin\AppData\Roaming\RxFAxSF\bec22c3d290276b6a4cf9f6ab480061.vir.exe
Parent process: bec522c3d290276b6a4cf9f6ab480061.vir.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\roaming\rxfaxsf\bec22c3d290276b6a4cf9f6ab480061.vir.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll

PID: 3220
CMD: "C:\Users\admin\AppData\Local\Temp\bec522c3d290276b6a4cf9f6ab480061.vir.exe"
Path: C:\Users\admin\AppData\Local\Temp\bec522c3d290276b6a4cf9f6ab480061.vir.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\bec522c3d290276b6a4cf9f6ab480061.vir.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll

PID: 3576
CMD: "C:\Users\admin\AppData\Local\Temp\bec522c3d290276b6a4cf9f6ab480061.vir.exe"
Path: C:\Users\admin\AppData\Local\Temp\bec522c3d290276b6a4cf9f6ab480061.vir.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  • c:\users\admin\appdata\local\temp\bec522c3d290276b6a4cf9f6ab480061.vir.exe
  • c:\windows\system32\ntdll.dll
Total events: 608
Read events: 598
Write events: 10
Delete events: 0

Modification events

(PID) Process: (1540) bec22c3d290276b6a4cf9f6ab480061.vir.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\a1i60yzS5Jd
Operation: write | Name: Type | Value: 1

(PID) Process: (1540) bec22c3d290276b6a4cf9f6ab480061.vir.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\a1i60yzS5Jd
Operation: write | Name: Start | Value: 3

(PID) Process: (1540) bec22c3d290276b6a4cf9f6ab480061.vir.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\a1i60yzS5Jd
Operation: write | Name: ErrorControl | Value: 1

(PID) Process: (1540) bec22c3d290276b6a4cf9f6ab480061.vir.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\a1i60yzS5Jd
Operation: write | Name: Devname | Value: a1i60yzS5Jd

(PID) Process: (1540) bec22c3d290276b6a4cf9f6ab480061.vir.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\a1i60yzS5Jd
Operation: write | Name: ImagePath | Value: \DosDevices\C:\Windows\system32\10e30f\CDClient_EX.sys

(PID) Process: (1540) bec22c3d290276b6a4cf9f6ab480061.vir.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\a1i60yzS5Jd
Operation: write | Name: ImagePath | Value: \??\C:\Windows\system32\10e30f\CDClient_EX.sys

(PID) Process: (1540) bec22c3d290276b6a4cf9f6ab480061.vir.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write | Name: PopupsUseNewWindow | Value: 1

(PID) Process: (1540) bec22c3d290276b6a4cf9f6ab480061.vir.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write | Name: ShortcutBehavior | Value: 1

(PID) Process: (1540) bec22c3d290276b6a4cf9f6ab480061.vir.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write | Name: Start Page | Value: https://www.2345.com/?90166-00006

(PID) Process: (1540) bec22c3d290276b6a4cf9f6ab480061.vir.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write | Name: Local Page | Value: https://www.2345.com/?90166-00006
Executable files: 2
Suspicious files: 2
Text files: 5
Unknown types: 5

Dropped files

PID | Process | Filename | Type
3220 | bec522c3d290276b6a4cf9f6ab480061.vir.exe | C:\Users\admin\AppData\Roaming\RxFAxSF\bec22c3d290276b6a4cf9f6ab480061.vir.exe | executable
3220 | bec522c3d290276b6a4cf9f6ab480061.vir.exe | C:\Windows\Mxkcxlf.dll | text
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | C:\Windows\CooQie\WLyELfv.dll | binary
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | C:\Windows\CooQie\KGJuDLAHc.dll | text
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | C:\Windows\mTSfgr.dll | text
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | C:\Windows\CooQie\npHWAaaU.dll | text
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | C:\Windows\system32\10e30f\CDClient_EX.sys | executable
  MD5: 1D019A122D29DB235933EFCCA3265B95
  SHA256: 889D76F95269A02AAC8E6CF2FED79509135241AE1C5F42B2D34CBF800E338627
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | C:\Users\Public\Desktop\Firefox.lnk | lnk
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | C:\Users\Public\Desktop\Google Chrome.lnk | lnk
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk | lnk
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 3
DNS requests: 2
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | GET | 200 | 163.171.132.119:80 | http://dld.jxwan.com/d2/CDClient.dll | US | binary | 741 Kb | malicious
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | HEAD | 200 | 163.171.132.119:80 | http://dld.jxwan.com/d2/CDClient.dll | US | - | - | malicious
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | GET | 200 | 119.97.143.64:80 | http://udo.jxwan.com/index/getcfg?id=73653 | CN | compressed | 551 b | malicious
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | GET | 200 | 163.171.132.119:80 | http://dld.jxwan.com/d2/x86a.dll | US | binary | 123 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | 163.171.132.119:80 | dld.jxwan.com | - | US | malicious
1540 | bec22c3d290276b6a4cf9f6ab480061.vir.exe | 119.97.143.64:80 | udo.jxwan.com | No.31,Jin-rong Street | CN | malicious

DNS requests

Domain | IP | Reputation
udo.jxwan.com | 119.97.143.64, 119.97.143.63 | malicious
dld.jxwan.com | 163.171.132.119 | malicious

Threats

2 ETPRO signatures available at the full report
No debug info