File name:

1a4d58e281103fea2a4ccbfab93f74d2.exe

Full analysis: https://app.any.run/tasks/61d146e5-3b7a-44d8-971d-ef729fc165f9
Verdict: Malicious activity
Analysis date: January 15, 2021, 02:18:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1A4D58E281103FEA2A4CCBFAB93F74D2

SHA1:

1A2CD9B94A70440A962D9AD78E5E46D7D22070D0

SHA256:

F5872F49943C39B73026FC3982B85330953A138CC27C23487A28103337BFDBB5

SSDEEP:

3072:wB1bQtWqA7UI/8W9uWU0UnyVMBQJoo0sGe60AxvxNGOOTBfRPGQ4LbGi:wQ8qA7UI/8W9uWU0UnyuuNbGehAx5NG6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to CnC server

      • 1a4d58e281103fea2a4ccbfab93f74d2.exe (PID: 2464)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 2.2.14.0
ProductName: Cisco EAP-FAST Module
OriginalFileName: CiscoEapFast.exe
LegalCopyright: Copyright (C) 2006-2009
InternalName: Cisco EAP-FAST Module
FileVersion: 2.2.14.0
FileDescription: Cisco EAP-FAST Module
CompanyName: Cisco Systems, Inc.
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Unknown
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.2.14.0
FileVersionNumber: 2.2.14.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x14b8f
UninitializedDataSize: -
InitializedDataSize: 46592
CodeSize: 131584
LinkerVersion: 10
PEType: PE32
TimeStamp: 2012:08:18 21:12:04+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Aug-2012 19:12:04
Detected languages:
  • English - United States
CompanyName: Cisco Systems, Inc.
FileDescription: Cisco EAP-FAST Module
FileVersion: 2.2.14.0
InternalName: Cisco EAP-FAST Module
LegalCopyright: Copyright (C) 2006-2009
OriginalFilename: CiscoEapFast.exe
ProductName: Cisco EAP-FAST Module
ProductVersion: 2.2.14.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 18-Aug-2012 19:12:04
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0002012D
0x00020200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.6233
.rdata
0x00022000
0x00007940
0x00007A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.99028
.data
0x0002A000
0x00003020
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.47614
.rsrc
0x0002E000
0x00000620
0x00000800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.80116
.reloc
0x0002F000
0x0000223C
0x00002400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
4.60344

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.94904
607
Latin 1 / Western European
English - United States
RT_MANIFEST

Imports

KERNEL32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 1a4d58e281103fea2a4ccbfab93f74d2.exe

Process information

PID
CMD
Path
Indicators
Parent process
2464"C:\Users\admin\AppData\Local\Temp\1a4d58e281103fea2a4ccbfab93f74d2.exe" C:\Users\admin\AppData\Local\Temp\1a4d58e281103fea2a4ccbfab93f74d2.exe
explorer.exe
User:
admin
Company:
Cisco Systems, Inc.
Integrity Level:
MEDIUM
Description:
Cisco EAP-FAST Module
Version:
2.2.14.0
Total events
3
Read events
3
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
31
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
8.8.8.8:53
Google Inc.
US
whitelisted
208.67.222.222:53
OpenDNS, LLC
US
malicious

DNS requests

Domain
IP
Reputation
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWn.z.teriava.com
unknown
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuy.z.teriava.com
unknown
AAAAAAAAAAAAAAAAAAAAAAAAAAAAABG8.z.teriava.com
unknown
AAAAAAAAAAAAAAAAAAAAAAAAAAAAABfH.z.tulationeva.com
unknown
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAB3S.z.tulationeva.com
unknown
AAAAAAAAAAAAAAAAAAAAAAAAAAAAACPd.z.tulationeva.com
unknown
AAAAAAAAAAAAAAAAAAAAAAAAAAAAACno.z.notificeva.com
unknown
AAAAAAAAAAAAAAAAAAAAAAAAAAAAADIG.z.notificeva.com
unknown
AAAAAAAAAAAAAAAAAAAAAAAAAAAAADok.z.notificeva.com
unknown
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAEJC.z.vieweva.com
unknown

Threats

PID
Process
Class
Message
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
Misc activity
ET INFO Suspicious NULL DNS Request
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
Misc activity
ET INFO Suspicious NULL DNS Request
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
Misc activity
ET INFO Suspicious NULL DNS Request
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
Misc activity
ET INFO Suspicious NULL DNS Request
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
Misc activity
ET INFO Suspicious NULL DNS Request
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
Misc activity
ET INFO Suspicious NULL DNS Request
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
Misc activity
ET INFO Suspicious NULL DNS Request
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
Misc activity
ET INFO Suspicious NULL DNS Request
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
Misc activity
ET INFO Suspicious NULL DNS Request
2464
1a4d58e281103fea2a4ccbfab93f74d2.exe
Misc activity
ET INFO Suspicious NULL DNS Request
31 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2023 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1a4d58e281103fea2a4ccbfab93f74d2.exe