File name: 589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin

Full analysis: https://app.any.run/tasks/4f4325c7-64c8-4f36-9104-39fa83feae65
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: September 30, 2020, 07:52:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7AA6FAC52F2ECA007F92B805EAC91A89

SHA1:

68F4D967FDA7D4E07563DA73F838309ED58ED349

SHA256:

F300F627317CDAC126ADE8FB8E6499564C9A8FDFCF41F93A379BF72D72F14840

SSDEEP:

196608:eEfRWO+57bC8CAe8TMjNHN+PI9xcoMPsgR7/A1YP:DWO+pC8CPjv+PCw/2YP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • temp2.tem (PID: 2632)
      • temp1.tem (PID: 3812)
    • Connects to CnC server

      • temp2.tem (PID: 2632)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • 589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin.exe (PID: 2828)
    • Executable content was dropped or overwritten

      • temp1.tem (PID: 3812)
      • 589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin.exe (PID: 2828)
    • Reads Internet Cache Settings

      • temp2.tem (PID: 2632)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35)
.exe | Win64 Executable (generic) (31)
.scr | Windows screen saver (14.7)
.dll | Win32 Dynamic Link Library (generic) (7.3)
.exe | Win32 Executable (generic) (5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x3831
UninitializedDataSize: -
InitializedDataSize: 20480
CodeSize: 20480
LinkerVersion: 4
PEType: PE32
TimeStamp: 2000:05:19 12:11:55+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-May-2000 10:11:55
Detected languages:
  • Chinese - PRC

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 19-May-2000 10:11:55
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00004D9C | 0x00005000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.51417
.rdata | 0x00006000 | 0x00000A4A | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.56327
.data | 0x00007000 | 0x00001F58 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.86104
.ecode | 0x00009000 | 0x00001000 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.38129
.rsrc | 0x0000A000 | 0x00000BA8 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.56552

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 2.45415 | 296 | UNKNOWN | Chinese - PRC | RT_ICON
2 | 2.84053 | 744 | UNKNOWN | Chinese - PRC | RT_ICON
3 | 2.61843 | 1640 | UNKNOWN | Chinese - PRC | RT_ICON
129 | 2.71034 | 48 | UNKNOWN | Chinese - PRC | RT_GROUP_ICON

Imports

KERNEL32.dll
USER32.dll
No data.
Total processes: 36
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Process tree (graph rendered in the full report): 589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin.exe drops and starts temp1.tem and temp2.tem.

Process information

PID: 2828
CMD: "C:\Users\admin\AppData\Local\Temp\589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin.exe"
Path: C:\Users\admin\AppData\Local\Temp\589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3812
CMD: C:\Users\admin\AppData\Local\Temp\temp1.tem
Path: C:\Users\admin\AppData\Local\Temp\temp1.tem
Parent process: 589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin.exe
User: admin
Integrity Level: MEDIUM
Description: 易语言程序 (Easy Language program)
Version: 1.0.0.0

PID: 2632
CMD: C:\Users\admin\AppData\Local\Temp\temp2.tem
Path: C:\Users\admin\AppData\Local\Temp\temp2.tem
Parent process: 589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin.exe
User: admin
Company: Microsoft Windows Operating System
Integrity Level: MEDIUM
Description: Microsoft Windows Operating System
Version: 1.0.0.0
Total events: 585
Read events: 431
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 8
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2632 | temp2.tem | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\哈哈[1].exe | -
MD5:
SHA256:
2828 | 589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin.exe | C:\Users\admin\AppData\Local\Temp\temp1.tem | executable
MD5:A8E70FB76F7B63D797EA5774DD69D311
SHA256:4630C730FB75627898C0433764A49B26C82285A0754734E043CCFD343B89A980
3812 | temp1.tem | C:\Users\admin\AppData\Local\Temp\E_N60005\Figures.fne | executable
MD5:6ABA94B221B0E19A062BEA9F9BCC5484
SHA256:560801EB752AE4EF6A9F71356A946A4E6F840126BA8B044643E2FC667E0CAAB1
2828 | 589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin.exe | C:\Users\admin\AppData\Local\Temp\temp2.tem | executable
MD5:E5A1E3B933A6F29CC2A9EFFE60CB12FB
SHA256:F2E444926757413D66B267901D91475C440C574E073DD2A3B1D6659F546CE0E1
3812 | temp1.tem | C:\Users\admin\AppData\Local\Temp\E_N60005\spec.fne | executable
MD5:BD6EEF5EA9A52A412A8F57490D8BD8E4
SHA256:0C9E6EB8648F4BF5C585D5344035E91C3249BB9686A302503B4681B7BA828DC0
3812 | temp1.tem | C:\Users\admin\AppData\Local\Temp\E_N60005\iext.fnr | executable
MD5:856495A1605BFC7F62086D482B502C6F
SHA256:8C8254CB49F7287B97C7F952C81EDABC9F11F3FA3F02F265E67D5741998CF0BF
2828 | 589a6a0e396f9af1f7b5b46ef5f91fb22ff35dbbece6a36d337b6c39ae43b017.bin.exe | C:\Users\admin\AppData\Local\Temp\E_4\krnln.fnr | executable
MD5:97C8FE752E354B2945E4C593A87E4A8B
SHA256:820D8DD49BAED0DA44D42555AD361D78E068115661DCE72AE6578DCDAB6BAEAD
3812 | temp1.tem | C:\Users\admin\AppData\Local\Temp\E_N60005\krnln.fnr | executable
MD5:142AEEBFE85BDE2A411116E39D8FD505
SHA256:C77A0F67C3392DEE0FB04F0544D8FD8A3B6EF072D371303AFD3A2C468DDA7A35
3812 | temp1.tem | C:\Users\admin\AppData\Local\Temp\E_N60005\xplib.fne | executable
MD5:8F385E7C8CF1F8EBDAE0448473977CC7
SHA256:D1A1C6BAC6A498ADCCDAFAB9D600A372AA9D5B826A33CFA06AAA9F75357C5B23
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2632 | temp2.tem | GET | 200 | 45.64.112.247:80 | http://steam7.top/rj.txt | HK | text | 120 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2632 | temp2.tem | 45.64.112.247:80 | steam7.top | Cloudie Limited | HK | malicious
2632 | temp2.tem | 59.111.179.135:80 | note.youdao.com | Guangzhou NetEase Computer System Co., Ltd. | CN | suspicious

DNS requests

Domain | IP | Reputation
steam7.top | 45.64.112.247 | malicious
note.youdao.com | 59.111.179.135, 123.58.182.251, 59.111.179.137, 123.58.182.252 | malicious

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
2632 | temp2.tem | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0
2632 | temp2.tem | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Renaz.czjehx
2632 | temp2.tem | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
1 ETPRO signature is available in the full report.
No debug info