analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

setup_file.exe

Full analysis: https://app.any.run/tasks/aba162c3-b0b2-4a77-8e35-332fb1c74f7e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 14:33:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
stealer
trojan
evasion
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

185DA0C12B9511305D96AB6DE6E527E6

SHA1:

497B09D4E74643771997FDCFEEC87ABC5007CA05

SHA256:

F7379B887D5540E5BBDFDC67C311F9193289282B86C7168A498717BA54F36F61

SSDEEP:

49152:Qc1JuMB5mriOm2rLLJHij2F0wo4rW8bXkwn+ecW:Qcp5mrBm29QlwlS8bft3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs app for hidden code execution

      • cmd.exe (PID: 2920)
      • cmd.exe (PID: 1580)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3336)
      • cmd.exe (PID: 2096)

    • Application was dropped or rewritten from another process

      • dwm.com (PID: 2584)
      • dwm.com (PID: 3080)
      • svchost.com (PID: 2136)
      • nslookup.exe (PID: 2052)
      • svchost.com (PID: 3432)
      • ipconfig.exe (PID: 2256)
      • ggoliorhwu.exe (PID: 3052)
      • ggoliorhwu.exe (PID: 3300)
      • ggoliorhwu.exe (PID: 2560)

    • Stealing of credential data

      • nslookup.exe (PID: 2052)

    • Actions looks like stealing of personal data

      • nslookup.exe (PID: 2052)

    • Changes settings of System certificates

      • WScript.exe (PID: 1628)

    • Downloads executable files from the Internet

      • ipconfig.exe (PID: 2256)

  • SUSPICIOUS

    • Starts CertUtil for decode files

      • cmd.exe (PID: 3336)
      • cmd.exe (PID: 2096)

    • Application launched itself

      • cmd.exe (PID: 2920)
      • dwm.com (PID: 3080)
      • cmd.exe (PID: 1580)
      • svchost.com (PID: 2136)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 3336)
      • cmd.exe (PID: 2096)
      • dwm.com (PID: 2584)
      • ipconfig.exe (PID: 2256)
      • svchost.com (PID: 3432)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2920)
      • setup_file.exe (PID: 2780)
      • cmd.exe (PID: 1580)
      • ipconfig.exe (PID: 2256)
      • nslookup.exe (PID: 2052)

    • Drop AutoIt3 executable file

      • cmd.exe (PID: 3336)
      • cmd.exe (PID: 2096)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3336)
      • dwm.com (PID: 3080)
      • cmd.exe (PID: 2096)
      • svchost.com (PID: 2136)

    • Reads the cookies of Google Chrome

      • nslookup.exe (PID: 2052)

    • Reads the cookies of Mozilla Firefox

      • nslookup.exe (PID: 2052)

    • Reads Internet Cache Settings

      • nslookup.exe (PID: 2052)
      • ipconfig.exe (PID: 2256)
      • WScript.exe (PID: 1628)

    • Executes scripts

      • cmd.exe (PID: 2416)

    • Adds / modifies Windows certificates

      • WScript.exe (PID: 1628)

    • Starts CMD.EXE for self-deleting

      • nslookup.exe (PID: 2052)

    • Searches for installed software

      • nslookup.exe (PID: 2052)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • certutil.exe (PID: 2604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:12:30 04:41:07+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 98816
InitializedDataSize: 35840
UninitializedDataSize: -
EntryPoint: 0x187bf
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 8.89.18.76
ProductVersionNumber: 8.89.18.76
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Dekuma Kazablanko Denta Sob
CompanyName: Muo Geedzo Nenio Stil
FileDescription: Mi Multa PseЕ­doafikso Ial
LegalCopyright: End Ho Ge So
LegalTrademarks: Sep Kaj Sia San
ProductName: Fi Ial Iufoje Iz
FileVersion: 8.89.1876
ProductVersion: 8.89.1876
InternalName: De Io Identiga Negativaj
OriginalFileName: Tuj.exe

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Dec-2015 03:41:07
Detected languages:
  • English - United States
  • Russian - Russia
Comments: Dekuma Kazablanko Denta Sob
CompanyName: Muo Geedzo Nenio Stil
FileDescription: Mi Multa PseЕ­doafikso Ial
LegalCopyright: End Ho Ge So
LegalTrademarks: Sep Kaj Sia San
ProductName: Fi Ial Iufoje Iz
FileVersion: 8.89.1876
ProductVersion: 8.89.1876
InternalName: De Io Identiga Negativaj
OriginalFilename: Tuj.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0060
Pages in file: 0x0001
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000060

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 30-Dec-2015 03:41:07
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001812A
0x00018200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.68059
.rdata
0x0001A000
0x00003D5C
0x00003E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.74978
.data
0x0001E000
0x00004A90
0x00000800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.52091
.rsrc
0x00023000
0x0000449A
0x00004600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.13717

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.23295
838
Latin 1 / Western European
English - United States
RT_MANIFEST
2
6.30549
4392
UNKNOWN
Russian - Russia
RT_ICON
3
6.15123
9832
UNKNOWN
Russian - Russia
RT_ICON
101
2.51589
48
UNKNOWN
Russian - Russia
RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
68
Monitored processes
26
Malicious processes
11
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start setup_file.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe ping.exe no specs certutil.exe no specs dwm.com no specs ping.exe no specs dwm.com cmd.exe no specs cmd.exe ping.exe no specs certutil.exe no specs svchost.com no specs ping.exe no specs svchost.com nslookup.exe ipconfig.exe cmd.exe no specs timeout.exe no specs cmd.exe no specs wscript.exe cmd.exe no specs ggoliorhwu.exe no specs ggoliorhwu.exe no specs ggoliorhwu.exe

Process information

PID
CMD
Path
Indicators
Parent process
2780"C:\Users\admin\AppData\Local\Temp\setup_file.exe" C:\Users\admin\AppData\Local\Temp\setup_file.exeexplorer.exe
User:
admin
Company:
Muo Geedzo Nenio Stil
Integrity Level:
MEDIUM
Description:
Mi Multa PseЕ­doafikso Ial
Exit code:
0
Version:
8.89.1876
864"C:\Windows\System32\cmd.exe" /c echo FSryQC:\Windows\System32\cmd.exesetup_file.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2920"C:\Windows\System32\cmd.exe" /c cmd < FHEdYfbCrOUjIyo.comC:\Windows\System32\cmd.exesetup_file.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3336cmd C:\Windows\system32\cmd.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2352ping -n 1 Uotq.IYzC:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2604certutil -decode iWFckeTfp.com VC:\Windows\system32\certutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3080dwm.com VC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\dwm.comcmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Exit code:
0
Version:
3, 3, 15, 2
3312ping 127.0.0.1 -n 3C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2584C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\dwm.com VC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\dwm.com
dwm.com
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Exit code:
0
Version:
3, 3, 15, 2
1580"C:\Windows\System32\cmd.exe" /c cmd < BfvsVFmuPRmzOjx.comC:\Windows\System32\cmd.exesetup_file.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 655
Read events
1 603
Write events
0
Delete events
0

Modification events

No data
Executable files
10
Suspicious files
7
Text files
245
Unknown types
11

Dropped files

PID
Process
Filename
Type
3320certutil.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\S
MD5:
SHA256:
2780setup_file.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\BfvsVFmuPRmzOjx.comtext
MD5:F3849D6B6A40449F79BDAA56F5EF8E67
SHA256:B9EBA6407086441BF34CDE6AA25146E89B7C61D1EA594EF0601522E85AF49796
2780setup_file.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\hbNGLOY.comtext
MD5:E9FB08D24DD18277E20E0BFFA4550D64
SHA256:7C5C3D78F3D168D9A57EE30F478540D328681F2516762AA6B1D7AC1A8330FCE5
2604certutil.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Vtext
MD5:45146F59F29FF2233552F6F741666494
SHA256:1E4A92A1D23E677AC7419FB51001CF35858C14DFE546AFB53FA40E733512EF68
2052nslookup.exeC:\Users\admin\AppData\Local\Temp\z2heDPxh\_Files\_AllPasswords_list.txttext
MD5:456BA549B52FAE21D4D51A9F9A0456C5
SHA256:F992BA2F96C67BC7BF726F950F6111984E0C657CA8A9403453706BBC2611C38A
2780setup_file.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\wzBULQPwz.combinary
MD5:95DE82B1E94A53BF55AF4D33A6C6753A
SHA256:A3BA5B61435F35A13C59A859016E031F865BEED9899BC6CF819033F1B8D21415
2096cmd.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\svchost.comexecutable
MD5:7FFA2880F9E74E9A1B82A9C0514D5521
SHA256:FF471EE848A4EC3AEA91C2628D956C3C0CBD67F354A24CAEAC39B6B64EC6B95B
2780setup_file.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\FHEdYfbCrOUjIyo.comtext
MD5:691393DBC2578DA52BCFAE47AEAA179B
SHA256:43A540E7CB89738893FDBE258DC2C9F485B6214DDB1A21C410AED8781C8145B3
2052nslookup.exeC:\Users\admin\AppData\Local\Temp\z2heDPxh\BkhPfu.tmpsqlite
MD5:D65C63E291763BB88AF0811EF8042520
SHA256:6BFF2C5F2E10488D755C4817FF477FA8B7DA91C0A08ED2126BB5113D4A921CFA
2780setup_file.exeC:\Users\admin\AppData\Local\Temp\7ZipSfx.000\WQVrWqhJiLKTkJZJ.comfli
MD5:6E6738DD1C3069515F3451CDA7EF6CEB
SHA256:2E50B34EA6A172814078FA0FC0D5FBE76A2E3610281BCFF4D8A5B297C462DDCB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
13
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2256
ipconfig.exe
GET
302
8.211.23.107:80
http://nffiiload06.top/download.php?file=6.exe
US
malicious
1628
WScript.exe
GET
200
2.16.186.11:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
2256
ipconfig.exe
GET
200
8.211.23.107:80
http://nffiiload06.top/downfiles/6.exe
US
executable
2.07 Mb
malicious
2256
ipconfig.exe
GET
302
8.211.23.107:80
http://nffiiload06.top/download.php?file=4.exe
US
malicious
GET
200
8.211.23.107:80
http://nffiiload06.top/downfiles/4.exe
US
executable
906 Kb
malicious
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
text
258 b
shared
GET
200
208.95.112.1:80
http://ip-api.com/line
unknown
text
117 b
shared
2052
nslookup.exe
POST
200
82.118.23.37:80
http://moraass05.top/index.php
UA
text
3 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1628
WScript.exe
2.16.186.11:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
whitelisted
2256
ipconfig.exe
8.211.23.107:80
nffiiload06.top
Level 3 Communications, Inc.
US
malicious
2052
nslookup.exe
78.155.205.71:80
bibinene03.top
OOO Network of data-centers Selectel
RU
malicious
1628
WScript.exe
88.99.66.31:443
iplogger.org
Hetzner Online GmbH
DE
malicious
2052
nslookup.exe
82.118.23.37:80
moraass05.top
ITL Company
UA
malicious
88.99.66.31:443
iplogger.org
Hetzner Online GmbH
DE
malicious
8.211.23.107:80
nffiiload06.top
Level 3 Communications, Inc.
US
malicious
208.95.112.1:80
ip-api.com
IBURST
malicious
45.141.156.96:80
suomenen.com
malicious

DNS requests

Domain
IP
Reputation
Uotq.IYz
unknown
ytDVFmXnAob.ytDVFmXnAob
unknown
JFBznD.hBMHa
unknown
OeYI.OeYI
unknown
bibinene03.top
  • 78.155.205.71
  • 45.143.138.186
malicious
moraass05.top
  • 82.118.23.37
  • 45.144.179.24
malicious
nffiiload06.top
  • 8.211.23.107
malicious
iplogger.org
  • 88.99.66.31
shared
isrg.trustid.ocsp.identrust.com
  • 2.16.186.11
  • 2.16.186.35
whitelisted
ocsp.int-x3.letsencrypt.org
  • 2.16.186.11
  • 2.16.186.27
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2052
nslookup.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2052
nslookup.exe
A Network Trojan was detected
ET TROJAN Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
2256
ipconfig.exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2256
ipconfig.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
2256
ipconfig.exe
A Network Trojan was detected
ET TROJAN Possible Malicious Macro DL EXE Feb 2016
2256
ipconfig.exe
A Network Trojan was detected
ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2256
ipconfig.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2256
ipconfig.exe
Misc activity
ET INFO Possible EXE Download From Suspicious TLD
1628
WScript.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] IP Check Domain SSL certificate
13 ETPRO signatures available at the full report
Process
Message
ggoliorhwu.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
setup_file.exe