File name: | f7 |
Full analysis: | https://app.any.run/tasks/07a0131f-b112-42ee-94ac-c908cb2c0d8e |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 12:24:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 7D265EA7035922292B59693A9D4AD0ED |
SHA1: | 287303AC197166B3EA5B5703C2F4908E6D869833 |
SHA256: | F75783A827D84B2C7995132D4D27C5A03007148D2E5D946C48654552E4072AD9 |
SSDEEP: | 24576:bHKoXjY2v3brDf63P7+4ptmDX00mQhSLPr+:bHKKrb6T9A00m+S2 |
.exe | | | Win32 Executable Delphi generic (31.9) |
---|---|---|
.scr | | | Windows screen saver (29.4) |
.dll | | | Win32 Dynamic Link Library (generic) (14.8) |
.exe | | | Win32 Executable (generic) (10.1) |
.exe | | | Win16/32 Executable Delphi generic (4.6) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 1991:12:23 00:08:34+01:00 |
PEType: | PE32 |
LinkerVersion: | 2.25 |
CodeSize: | 836608 |
InitializedDataSize: | 168960 |
UninitializedDataSize: | - |
EntryPoint: | 0xcd22c |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 22-Dec-1991 23:08:34 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 22-Dec-1991 23:08:34 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x000CC274 | 0x000CC400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.5467 |
DATA | 0x000CE000 | 0x0000ACDC | 0x0000AE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.23137 |
BSS | 0x000D9000 | 0x00000F6D | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x000DA000 | 0x000028D2 | 0x00002A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.9784 |
.tls | 0x000DD000 | 0x00000010 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x000DE000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.195201 |
.reloc | 0x000DF000 | 0x0000F0DC | 0x0000F200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.60376 |
.rsrc | 0x000EF000 | 0x0000C7D4 | 0x0000C800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 5.14099 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.07513 | 2440 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 2.80231 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
3 | 3.00046 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
4 | 2.56318 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
5 | 2.6949 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
6 | 2.62527 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
7 | 2.91604 | 308 | Latin 1 / Western European | UNKNOWN | RT_CURSOR |
263 | 5.93489 | 223 | Latin 1 / Western European | English - United States | RT_MENU |
264 | 4.90929 | 223 | Latin 1 / Western European | English - United States | RT_MENU |
265 | 5.01353 | 223 | Latin 1 / Western European | English - United States | RT_MENU |
advapi32.dll |
comctl32.dll |
gdi32.dll |
kernel32.dll |
ole32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
version.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1928 | "C:\Users\admin\AppData\Local\Temp\f7.exe" | C:\Users\admin\AppData\Local\Temp\f7.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2120 | "C:\Users\admin\AppData\Local\Temp\f7.exe" | C:\Users\admin\AppData\Local\Temp\f7.exe | f7.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3144 | "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\admin\AppData\Local\Temp\f7.exe" >> NUL | C:\Windows\system32\cmd.exe | — | f7.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
4072 | ping 127.0.0.1 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2120 | f7.exe | 88.99.66.31:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
2120 | f7.exe | 91.211.245.184:80 | crasyhost.com | UAB Esnet | LT | suspicious |
Domain | IP | Reputation |
---|---|---|
crasyhost.com |
| malicious |
iplogger.org |
| shared |