Field | Value |
---|---|
File name: | installer_free.exe |
Full analysis: | https://app.any.run/tasks/d9e19953-31d7-46d0-becb-b21ab28e8494 |
Verdict: | Malicious activity |
Analysis date: | July 12, 2020, 19:55:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 1F8D68C25FDE37BD4DABF528CDADB456 |
SHA1: | C21107732C42323B9017B11AA8EA2EB5879F78F6 |
SHA256: | EE873FF1AC8004B4A4052FF73A380ACD6C4B4BDA62D504C009A7C1D1F28596FF |
SSDEEP: | 24576:LTfEsP85DgJrivY05+QaJ7qKb6LmPt6qQK+ybrvoGr2p3W8dqceQ4:XcsQ6QIhAxK+sr2p3W8dFex |
Extension | File type (identification confidence, %) |
---|---|
.exe | Inno Setup installer (51.8) |
.exe | InstallShield setup (20.3) |
.exe | Win32 EXE PECompact compressed (generic) (19.6) |
.dll | Win32 Dynamic Link Library (generic) (3.1) |
.exe | Win32 Executable (generic) (2.1) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2019:10:12 13:15:57+02:00 |
PEType: | PE32 |
LinkerVersion: | 2.25 |
CodeSize: | 682496 |
InitializedDataSize: | 37888 |
UninitializedDataSize: | - |
EntryPoint: | 0xa7ed0 |
OSVersion: | 6 |
ImageVersion: | 6 |
SubsystemVersion: | 6 |
Subsystem: | Windows GUI |
FileVersionNumber: | 0.0.0.0 |
ProductVersionNumber: | 0.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | This installation was built with Inno Setup. |
CompanyName: | |
FileDescription: | |
FileVersion: | |
LegalCopyright: | |
OriginalFileName: | |
ProductName: | |
ProductVersion: | free |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 12-Oct-2019 11:15:57 |
Detected languages: | |
Comments: | This installation was built with Inno Setup. |
CompanyName: | - |
FileDescription: | - |
FileVersion: | - |
LegalCopyright: | - |
OriginalFileName: | - |
ProductName: | - |
ProductVersion: | free |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header (in 16-byte paragraphs): | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of new EXE header (e_lfanew, offset of the PE signature): | 0x00000100 |
PE header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 10 |
Time date stamp: | 12-Oct-2019 11:15:57 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000A50E8 | 0x000A5200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.36928 |
.itext | 0x000A7000 | 0x00001668 | 0x00001800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.95181 |
.data | 0x000A9000 | 0x000037A4 | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.03517 |
.bss | 0x000AD000 | 0x00006778 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x000B4000 | 0x00000F1C | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.79161 |
.didata | 0x000B5000 | 0x000001A4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.74582 |
.edata | 0x000B6000 | 0x0000009A | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.88107 |
.tls | 0x000B7000 | 0x00000018 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x000B8000 | 0x0000005D | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.37999 |
.rsrc | 0x000B9000 | 0x00004600 | 0x00004600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.42337 |
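The DOS header, PE header and section table above are exactly the fields a static parser reads first: e_lfanew locates the `PE\0\0` signature, the COFF header gives the section count and the optional-header size, and the section table follows the optional header. As an added example (not code from the ANY.RUN report), the Python below walks that path over a synthetic PE32 built in-block and computes the per-section Shannon entropy shown in the table; the synthetic image mirrors the report's layout (e_lfanew 0x100, 0xE0-byte optional header, a `.bss` with raw size 0) but its bytes and section names are constructed, not taken from the installer_free.exe sample. The 7.0 entropy threshold and the RWX check in `flag_sections` are this example's own heuristics.

```python
"""Walk a PE32 section table the way a static analyser does (added example, not
code from the ANY.RUN report). Reads e_lfanew from the DOS header, the COFF
file header, skips the optional header by its stated size, decodes each
IMAGE_SECTION_HEADER and computes per-section Shannon entropy.
The PE parsed here is synthetic (build_sample_pe()); it is NOT the sample.
"""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for an empty section (raw size 0, as for .bss/.tls)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]       # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = COFF_HDR.unpack_from(pe, coff_off)
    sect_off = coff_off + COFF_HDR.size + opt_size      # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, schars = SECTION_HDR.unpack_from(
            pe, sect_off + i * SECTION_HDR.size)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 5),
            # writable and executable in one section: the usual packer / self-modifying-code tell
            "rwx": bool(schars & IMAGE_SCN_MEM_WRITE and schars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"machine": machine, "characteristics": chars, "sections": sections}


def flag_sections(report: dict, entropy_threshold: float = 7.0) -> list:
    """(name, reason) for sections that are RWX or look packed/encrypted (threshold is a heuristic)."""
    return [(s["name"], "rwx" if s["rwx"] else "high-entropy")
            for s in report["sections"] if s["rwx"] or s["entropy"] > entropy_threshold]


def build_sample_pe() -> bytes:
    """Constructed PE32 with the report's layout (e_lfanew 0x100, 0xE0-byte optional header)."""
    e_lfanew, opt_size = 0x100, 0xE0
    layout = [  # (name, characteristics, raw bytes): sample data, not from the binary
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, bytes(range(256)) * 4),
        (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, bytes(512)),
        (b".bss", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b""),
        (b".rwx", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
         b"\xaa\x55" * 128),
    ]
    dos = bytearray(e_lfanew)                 # MZ header plus a zeroed stub up to e_lfanew
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    sect_off = e_lfanew + 4 + COFF_HDR.size + opt_size
    rawptr = (sect_off + SECTION_HDR.size * len(layout) + 0x1FF) & ~0x1FF  # file-align raw data to 0x200
    headers, blobs, vaddr = b"", b"", 0x1000
    for name, schars, data in layout:
        headers += SECTION_HDR.pack(name.ljust(8, b"\0"), max(len(data), 0x18), vaddr, len(data),
                                    rawptr + len(blobs) if data else 0, 0, 0, 0, 0, schars)
        blobs += data
        vaddr += 0x1000
    image = bytes(dos) + b"PE\0\0" + COFF_HDR.pack(0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    image += struct.pack("<H", 0x10B) + bytes(opt_size - 2) + headers   # PE32 magic, rest zeroed
    return image + bytes(rawptr - len(image)) + blobs
```

Run `flag_sections(parse_pe(build_sample_pe()))` to see the two flagged sections; on the real sample the `.text` entropy of 6.37 is ordinary compiled code, and none of its ten sections is both writable and executable, which is consistent with an unpacked Inno Setup loader rather than a packed payload.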
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.13965 | 1580 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.47151 | 1384 | UNKNOWN | Dutch - Netherlands | RT_ICON |
3 | 3.91708 | 744 | UNKNOWN | Dutch - Netherlands | RT_ICON |
4 | 3.91366 | 2216 | UNKNOWN | Dutch - Netherlands | RT_ICON |
4086 | 3.16547 | 864 | UNKNOWN | UNKNOWN | RT_STRING |
4087 | 3.40938 | 608 | UNKNOWN | UNKNOWN | RT_STRING |
4088 | 3.31153 | 1116 | UNKNOWN | UNKNOWN | RT_STRING |
4089 | 3.33977 | 1036 | UNKNOWN | UNKNOWN | RT_STRING |
4090 | 3.36723 | 724 | UNKNOWN | UNKNOWN | RT_STRING |
4091 | 3.33978 | 184 | UNKNOWN | UNKNOWN | RT_STRING |
Imported library |
---|
advapi32.dll |
comctl32.dll |
kernel32.dll |
kernel32.dll (delay-loaded) |
netapi32.dll |
oleaut32.dll |
user32.dll |
version.dll |
Title | Ordinal | Address |
---|---|---|
dbkFCallWrapperAddr | 1 | 0x000B063C |
__dbk_fcall_wrapper | 2 | 0x0000D3DC |
TMethodImplementationIntercept | 3 | 0x00053AC0 |
PID | Command line | Path | Indicators | Parent process | User | Integrity level | Description | Company | Version | Exit code |
---|---|---|---|---|---|---|---|---|---|---|
3232 | "C:\Users\admin\AppData\Local\Temp\installer_free.exe" | C:\Users\admin\AppData\Local\Temp\installer_free.exe | — | explorer.exe | admin | MEDIUM | — | — | — | 0 |
400 | "C:\Users\admin\AppData\Local\Temp\is-9BMPJ.tmp\installer_free.tmp" /SL5="$3012E,934169,721408,C:\Users\admin\AppData\Local\Temp\installer_free.exe" | C:\Users\admin\AppData\Local\Temp\is-9BMPJ.tmp\installer_free.tmp | — | installer_free.exe | admin | MEDIUM | Setup/Uninstall | — | 51.1052.0.0 | 0 |
1848 | "C:\Users\admin\AppData\Local\Temp\installer_free.exe" /SPAWNWND=$30150 /NOTIFYWND=$3012E | C:\Users\admin\AppData\Local\Temp\installer_free.exe | — | installer_free.tmp | admin | HIGH | — | — | — | 0 |
2292 | "C:\Users\admin\AppData\Local\Temp\is-MQ6SV.tmp\installer_free.tmp" /SL5="$40130,934169,721408,C:\Users\admin\AppData\Local\Temp\installer_free.exe" /SPAWNWND=$30150 /NOTIFYWND=$3012E | C:\Users\admin\AppData\Local\Temp\is-MQ6SV.tmp\installer_free.tmp | — | installer_free.exe | admin | HIGH | Setup/Uninstall | — | 51.1052.0.0 | 0 |
1552 | "C:\Program Files\Best Free Key Logger\7za.exe" x "C:\Program Files\Best Free Key Logger\base components" -p"X8g8y9P58X64FwY8FUNn" -aoa -o"C:\ProgramData\BFKData" | C:\Program Files\Best Free Key Logger\7za.exe | — | installer_free.tmp | admin | HIGH | 7-Zip Standalone Console | Igor Pavlov | 19.00 | 0 |
3212 | "C:\Program Files\Best Free Key Logger\7za.exe" x "C:\Program Files\Best Free Key Logger\runtime package" -p"HRLefJpaPOI1gBmscwqn" -aoa | C:\Program Files\Best Free Key Logger\7za.exe | — | installer_free.tmp | admin | HIGH | 7-Zip Standalone Console | Igor Pavlov | 19.00 | 0 |
2460 | "C:\Program Files\Best Free Key Logger\syscrb.exe" | C:\Program Files\Best Free Key Logger\syscrb.exe | — | installer_free.tmp | admin | MEDIUM | syscrb | bestxsoftware | 7.0.0.0 | — |
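The process tree above is the part of this report a detection engineer would want to alert on: the Inno Setup loader (`installer_free.tmp` in an `is-XXXXX.tmp` folder) re-launches the installer at HIGH integrity with `/SPAWNWND`/`/NOTIFYWND` (the UAC elevation step, MEDIUM to HIGH), then runs a bundled `7za.exe` twice with the archive password on the command line (`-p"..."`), overwrite-all (`-aoa`) and, once, an output folder under `C:\ProgramData`. As an added example (not part of the ANY.RUN report and not the vendor's code), the Python below runs that logic over process-creation events constructed from the tree; PIDs, command lines and integrity levels are copied from the report, while field names and rule names are this example's own convention and parent paths are filled in from the Path column, since the report lists only the parent image name.

```python
"""Detection logic over process-creation events (added example; not part of the
ANY.RUN report). EVENTS is constructed from the report's process tree.
"""
import ntpath
import re

ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe"}
# Inno Setup extracts its loader to %TEMP%\is-XXXXX.tmp\<name>.tmp (matches the tree above)
INNO_TMP_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.IGNORECASE)

EVENTS = [  # constructed from the report; parent paths assumed from the Path column
    {"pid": 3232, "integrity": "MEDIUM", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\installer_free.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\installer_free.exe"'},
    {"pid": 400, "integrity": "MEDIUM", "parent": r"C:\Users\admin\AppData\Local\Temp\installer_free.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\is-9BMPJ.tmp\installer_free.tmp",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\is-9BMPJ.tmp\installer_free.tmp" /SL5="$3012E,934169,721408,C:\Users\admin\AppData\Local\Temp\installer_free.exe"'},
    {"pid": 1848, "integrity": "HIGH", "parent": r"C:\Users\admin\AppData\Local\Temp\is-9BMPJ.tmp\installer_free.tmp",
     "image": r"C:\Users\admin\AppData\Local\Temp\installer_free.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\installer_free.exe" /SPAWNWND=$30150 /NOTIFYWND=$3012E'},
    {"pid": 2292, "integrity": "HIGH", "parent": r"C:\Users\admin\AppData\Local\Temp\installer_free.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\is-MQ6SV.tmp\installer_free.tmp",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\is-MQ6SV.tmp\installer_free.tmp" /SL5="$40130,934169,721408,C:\Users\admin\AppData\Local\Temp\installer_free.exe" /SPAWNWND=$30150 /NOTIFYWND=$3012E'},
    {"pid": 1552, "integrity": "HIGH", "parent": r"C:\Users\admin\AppData\Local\Temp\is-MQ6SV.tmp\installer_free.tmp",
     "image": r"C:\Program Files\Best Free Key Logger\7za.exe",
     "cmd": r'"C:\Program Files\Best Free Key Logger\7za.exe" x "C:\Program Files\Best Free Key Logger\base components" -p"X8g8y9P58X64FwY8FUNn" -aoa -o"C:\ProgramData\BFKData"'},
    {"pid": 3212, "integrity": "HIGH", "parent": r"C:\Users\admin\AppData\Local\Temp\is-MQ6SV.tmp\installer_free.tmp",
     "image": r"C:\Program Files\Best Free Key Logger\7za.exe",
     "cmd": r'"C:\Program Files\Best Free Key Logger\7za.exe" x "C:\Program Files\Best Free Key Logger\runtime package" -p"HRLefJpaPOI1gBmscwqn" -aoa'},
    {"pid": 2460, "integrity": "MEDIUM", "parent": r"C:\Users\admin\AppData\Local\Temp\is-MQ6SV.tmp\installer_free.tmp",
     "image": r"C:\Program Files\Best Free Key Logger\syscrb.exe",
     "cmd": r'"C:\Program Files\Best Free Key Logger\syscrb.exe"'},
]


def tokenize(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted spans together, then drop quotes."""
    return [t.replace('"', "") for t in re.findall(r'"[^"]*"|\S+', cmd)]


def archiver_password_extraction(ev: dict):
    """7-Zip CLI extracting (x/e) with an inline -p password; returns triage details or None."""
    if ntpath.basename(ev["image"]).lower() not in ARCHIVERS:
        return None
    toks = tokenize(ev["cmd"])
    if len(toks) < 3 or toks[1] not in ("x", "e"):
        return None
    password = out_dir = None
    overwrite = False
    for t in toks[3:]:
        if t.startswith("-p"):
            password = t[2:]          # the key to the dropped archives, worth keeping for triage
        elif t.startswith("-o"):
            out_dir = t[2:]           # None means 7-Zip extracts into the current directory
        elif t == "-aoa":
            overwrite = True
    if not password:
        return None
    return {"archive": toks[2], "password": password, "out_dir": out_dir, "overwrite_all": overwrite}


def inno_setup_parent(ev: dict) -> bool:
    """Parent is an Inno Setup loader copy under is-XXXXX.tmp, the hand-off seen in the report."""
    return bool(INNO_TMP_RE.search(ev["parent"]))


def detect(events: list) -> list:
    alerts = []
    by_image = {}
    for ev in events:
        by_image.setdefault(ev["image"].lower(), []).append(ev)
    for ev in events:
        hit = archiver_password_extraction(ev)
        if hit:
            hit.update(rule="archiver_password_extract", pid=ev["pid"], from_installer=inno_setup_parent(ev))
            alerts.append(hit)
        # Same image already ran at MEDIUM and is now re-launched at HIGH with the
        # spawn-window switches: the elevation step in the tree (PID 3232 -> 1848).
        if (ev["integrity"] == "HIGH" and "/SPAWNWND=" in ev["cmd"]
                and any(o["integrity"] == "MEDIUM" and o["pid"] != ev["pid"]
                        for o in by_image[ev["image"].lower()])):
            alerts.append({"rule": "installer_elevated_relaunch", "pid": ev["pid"], "parent": ev["parent"]})
    return alerts
```

`detect(EVENTS)` yields three alerts: the two password-protected extractions (with the recovered passwords, which let an analyst open the dropped "base components" and "runtime package" archives offline) and the elevated relaunch of `installer_free.exe`. Legitimate installers also use Inno Setup's elevation step, so that rule is informational on its own; the combination with a bundled archiver taking a plaintext password and writing into `C:\ProgramData` is what makes this chain worth a look.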
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2292 | installer_free.tmp | C:\Users\admin\AppData\Local\Temp\CabF186.tmp | — | — | — |
2292 | installer_free.tmp | C:\Users\admin\AppData\Local\Temp\TarF187.tmp | — | — | — |
2292 | installer_free.tmp | C:\ProgramData\BFKData\is-GGEBN.tmp | — | — | — |
2292 | installer_free.tmp | C:\Program Files\Best Free Key Logger\is-IPKT8.tmp | — | — | — |
2292 | installer_free.tmp | C:\Program Files\Best Free Key Logger\is-S0687.tmp | — | — | — |
2292 | installer_free.tmp | C:\Program Files\Best Free Key Logger\is-MMNV9.tmp | — | — | — |
2292 | installer_free.tmp | C:\Windows\Fonts\is-QSVJQ.tmp | — | — | — |
2292 | installer_free.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3366DB6435D7F5CB0D4A60FD5731AFA9 | der | BDCD52D3B95F3E7E8CB806BEFDBE2C4D | 4BD6615BDF22A8147D240A50C5A2D3400295FDC7EF42B342651C8DDC0D5DC304 |
2292 | installer_free.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | 539E194B374318A9F4DBD9406B7529CB | C9382E725EDA90C72AA7E5C736AB099F73EB231C695CD132836BD6106757DCC2 |
2292 | installer_free.tmp | C:\Users\admin\AppData\Local\Temp\is-075N2.tmp\runtime package | compressed | 979B13F52E99D98E190D3F3AF3231CC2 | 4BF832B4454440BF09EC450FF4F0253AE8D99C63A852DD3EE26172A91B6113A9 |
PID | Process | Method | HTTP Code | IP | URL | Country | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2292 | installer_free.tmp | HEAD | 301 | 198.54.115.130:80 | http://bestxserver.com/releases/kelg7/config | US | — | — | malicious |
2292 | installer_free.tmp | HEAD | 301 | 198.54.115.130:80 | http://bestxserver.com/releases/kelg7/License-Agreement.rtf | US | — | — | malicious |
2292 | installer_free.tmp | HEAD | 301 | 198.54.115.130:80 | http://bestxserver.com/releases/kelg7/AVException.rtf | US | — | — | malicious |
2292 | installer_free.tmp | HEAD | 301 | 198.54.115.130:80 | http://bestxserver.com/releases/kelg7/base-components | US | — | — | malicious |
2292 | installer_free.tmp | GET | 301 | 198.54.115.130:80 | http://bestxserver.com/releases/kelg7/config | US | html | 253 b | malicious |
2292 | installer_free.tmp | HEAD | 301 | 198.54.115.130:80 | http://bestxserver.com/releases/kelg7/runtime-package-4.5 | US | — | — | malicious |
2292 | installer_free.tmp | HEAD | 301 | 198.54.115.130:80 | http://bestxserver.com/releases/kelg7/7za.exe | US | — | — | malicious |
2292 | installer_free.tmp | GET | 301 | 198.54.115.130:80 | http://bestxserver.com/releases/kelg7/7za.exe | US | html | 254 b | malicious |
2292 | installer_free.tmp | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted |
2292 | installer_free.tmp | GET | 301 | 198.54.115.130:80 | http://bestxserver.com/releases/kelg7/runtime-package-4.5 | US | html | 266 b | malicious |
PID | Process | IP | Domain | ASN | Country | Reputation |
---|---|---|---|---|---|---|
2292 | installer_free.tmp | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious |
2292 | installer_free.tmp | 198.54.115.130:443 | bestxserver.com | Namecheap, Inc. | US | malicious |
2292 | installer_free.tmp | 198.54.115.130:80 | bestxserver.com | Namecheap, Inc. | US | malicious |
2460 | syscrb.exe | 151.101.65.195:443 | bfk.bestxsoftware.com | Fastly | US | malicious |
Domain | IP | Reputation |
---|---|---|
bestxserver.com | | malicious |
ocsp.comodoca.com | | whitelisted |
ocsp.usertrust.com | | whitelisted |
ocsp.sectigo.com | | whitelisted |
bfk.bestxsoftware.com | | malicious |
Process | Message |
---|---|
syscrb.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Best Free Key Logger\x86\SQLite.Interop.dll"... |