analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

jonko softaim hack.exe

Full analysis: https://app.any.run/tasks/a643bb4f-fa72-4025-832a-39a7936f33ab
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: January 24, 2022, 22:43:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
redline
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

A52ACE49B8D9D2AA755EF7BE4C33B41C

SHA1:

0383037AC23D5AE6C86AC54050389F4BF078F298

SHA256:

F756E9D3A61E888F55528616F049BB38C67FBD2706EE850EE26061C25B8677FC

SSDEEP:

49152:PXZfeujy2Ms2IBzxR6+zOCIshxq4DGgLMkQ7HMYcteef/zNoG+a1r+JoDNaAtz18:PXZfNMOKyCqbQTVcMeGG+krPZ8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • AppLaunch.exe (PID: 3160)

    • Actions looks like stealing of personal data

      • AppLaunch.exe (PID: 3160)

    • REDLINE was detected

      • AppLaunch.exe (PID: 3160)

    • Connects to CnC server

      • AppLaunch.exe (PID: 3160)

  • SUSPICIOUS

    • Checks supported languages

      • jonko softaim hack.exe (PID: 2376)
      • AppLaunch.exe (PID: 3160)

    • Reads the cookies of Google Chrome

      • AppLaunch.exe (PID: 3160)

    • Reads the computer name

      • AppLaunch.exe (PID: 3160)

    • Reads the cookies of Mozilla Firefox

      • AppLaunch.exe (PID: 3160)

    • Reads Environment values

      • AppLaunch.exe (PID: 3160)

    • Drops a file with too old compile date

      • AppLaunch.exe (PID: 3160)

    • Drops a file with a compile date too recent

      • AppLaunch.exe (PID: 3160)

    • Executable content was dropped or overwritten

      • AppLaunch.exe (PID: 3160)

    • Searches for installed software

      • AppLaunch.exe (PID: 3160)

  • INFO

    • Reads settings of System Certificates

      • AppLaunch.exe (PID: 3160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:01:20 13:30:45+01:00
PEType: PE32
LinkerVersion: 14.29
CodeSize: 140288
InitializedDataSize: 179712
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Jan-2022 12:30:45
Detected languages:
  • English - United States
  • Russian - Russia

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 9
Time date stamp: 20-Jan-2022 12:30:45
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
0x001B8000
0x00322000
0x002F5000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99994
.rsrc
0x004DA000
0x0001A000
0x00019A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.23347
.d3HM4H
0x004F4000
0x0004B000
0x0004B000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.91879
.adata
0x0053F000
0x00001000
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.91161
381
UNKNOWN
English - United States
RT_MANIFEST
101
7.2381
103936
UNKNOWN
Russian - Russia
RT_RCDATA

Imports

kernel32.dll
oleaut32.dll
user32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start jonko softaim hack.exe #REDLINE applaunch.exe

Process information

PID
CMD
Path
Indicators
Parent process
2376"C:\Users\admin\Desktop\jonko softaim hack.exe" C:\Users\admin\Desktop\jonko softaim hack.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\jonko softaim hack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3160"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
jonko softaim hack.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET ClickOnce Launch Utility
Exit code:
0
Version:
4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events
6 173
Read events
6 139
Write events
34
Delete events
0

Modification events

(PID) Process:(3160) AppLaunch.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3160) AppLaunch.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3160) AppLaunch.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3160) AppLaunch.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3160) AppLaunch.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3160) AppLaunch.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3160) AppLaunch.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppLaunch_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3160) AppLaunch.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppLaunch_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3160) AppLaunch.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppLaunch_RASMANCS
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3160) AppLaunch.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\AppLaunch_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
Executable files
2
Suspicious files
3
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
3160AppLaunch.exeC:\Users\admin\AppData\Local\Temp\a.exeexecutable
MD5:9E32AD1BB66853A4CA83098367D575FA
SHA256:E9B8EBE70D57FE8F539909981A6FC3B1C5A49F6CB45AB6952CA8FE4324061270
3160AppLaunch.exeC:\Users\admin\AppData\Local\Temp\Tar3085.tmpcat
MD5:D99661D0893A52A0700B8AE68457351A
SHA256:BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
3160AppLaunch.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:7399F9F9357D71EBFC02557B761AA282
SHA256:E6CB23267702C718B931E9361C44FCFB34F8F42A784BFBDEAA9CC9B58DFF6877
3160AppLaunch.exeC:\Users\admin\AppData\Local\Temp\c.exeexecutable
MD5:973F8CDFFF045F2E22669C54BE395D50
SHA256:8C7024BD7C1F48F3634C5D0E7B48F2FDB126A7FF96127B8243F10A66D2CAC1A2
3160AppLaunch.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
SHA256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
3160AppLaunch.exeC:\Users\admin\AppData\Local\Temp\Cab3084.tmpcompressed
MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
SHA256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3160
AppLaunch.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4da5074e3a8b1c83
US
compressed
59.9 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3160
AppLaunch.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3160
AppLaunch.exe
5.206.227.11:63730
Dotsi, Unipessoal Lda.
NL
malicious
3160
AppLaunch.exe
144.76.136.153:443
transfer.sh
Hetzner Online GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
transfer.sh
  • 144.76.136.153
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
3160
AppLaunch.exe
Potential Corporate Privacy Violation
ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
27 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
jonko softaim hack.exe