File name:	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.exe
Full analysis:	https://app.any.run/tasks/a18b8dc9-ef6e-412f-ade8-6e97f8afc9e0
Verdict:	Malicious activity
Analysis date:	November 20, 2024, 08:26:34
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	antivm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	EA0EED87360C7437DF7151F8065BA8FF
SHA1:	3D08A94FCE539C87F46F96BB121E90B8D2267A1F
SHA256:	F8B7E394C94B53FA496DA5B7E9E5E684161ACC4A50BD8E227129D50A44E38D8A
SSDEEP:	98304:fwa94F8A2Z4k28KmtAFsW2gtyUr3fsdwA/+Hn2+S6cyHxpZLk1K1IC1ehAo5+K7D:rss3ClH0xrTO2EgtT

.exe	\|	Inno Setup installer (77.7)
.exe	\|	Win32 Executable Delphi generic (10)
.dll	\|	Win32 Dynamic Link Library (generic) (4.6)
.exe	\|	Win32 Executable (generic) (3.1)
.exe	\|	Win16/32 Executable Delphi generic (1.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:10:02 04:44:23+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	86016
InitializedDataSize:	58880
UninitializedDataSize:	-
EntryPoint:	0x16478
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	Office
FileVersion:
LegalCopyright:
ProductName:	Office
ProductVersion:


(PID) Process:	(3912) ast.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\safib\ast\SS
Operation:	write	Name:	Security.FixPass
Value: 96E79218965EB72C92A549DD5A330112
(PID) Process:	(3912) ast.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\safib\ast\SS
Operation:	write	Name:	Main.Autorun
Value: 1
(PID) Process:	(3912) ast.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\safib\ast\SS
Operation:	write	Name:	Main.CloseButtonOperation
Value: 0
(PID) Process:	(3912) ast.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\safib\ast\SS
Operation:	write	Name:	Main.CheckUpdates
Value: 0
(PID) Process:	(3912) ast.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\safib\ast\SS
Operation:	write	Name:	Security.UseLocalSecuritySettings
Value: 1
(PID) Process:	(3912) ast.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\safib\ast\SS
Operation:	write	Name:	Security.DynPassKind
Value: 0
(PID) Process:	(3912) ast.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\safib\ast\SS
Operation:	write	Name:	Security.PassLifetime
Value: 0
(PID) Process:	(3912) ast.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\safib\ast\SS
Operation:	write	Name:	Security.CanWinAuth
Value: 1
(PID) Process:	(3912) ast.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\safib\ast\SS
Operation:	write	Name:	Security.AccessKind
Value: 1
(PID) Process:	(3912) ast.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\safib\ast\SS
Operation:	write	Name:	Security.CanWinLoginAnotherUser
Value: 1

PID	Process	Filename		Type
1472	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.tmp	C:\Users\admin\AppData\Local\Temp\2gut4\is-TJAQ3.tmp		text
		MD5:0BB2B068DDEA5E95388242C9CB662DB6	SHA256:D37010E71C54B11C778E480DD34DEEBF53E26FD947DF69CE20DA3A57996D7B20
364	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.tmp	C:\Users\admin\AppData\Local\Temp\is-A8R8H.tmp\_isetup\_shfoldr.dll		executable
		MD5:92DC6EF532FBB4A5C3201469A5B5EB63	SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
2956	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.exe	C:\Users\admin\AppData\Local\Temp\is-37QLS.tmp\f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.tmp		executable
		MD5:B31B65C21192530AAF98E74E86EAF197	SHA256:B3C3E4E614EA2284384FC3462DAC818B6964A264F88347D6C99180A3CA52B8E1
1472	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.tmp	C:\Users\admin\AppData\Local\Temp\2gut4\9171v.bat		text
		MD5:0BB2B068DDEA5E95388242C9CB662DB6	SHA256:D37010E71C54B11C778E480DD34DEEBF53E26FD947DF69CE20DA3A57996D7B20
364	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.tmp	C:\Users\admin\AppData\Local\Temp\is-A8R8H.tmp\_isetup\_setup64.tmp		executable
		MD5:4FF75F505FDDCC6A9AE62216446205D9	SHA256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
1472	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.tmp	C:\Users\admin\AppData\Local\Temp\2gut4\is-QSSAJ.tmp		executable
		MD5:8002D9E5851728EB024B398CF19DE390	SHA256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
1472	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.tmp	C:\Users\admin\AppData\Local\Temp\is-VKDI1.tmp\_isetup\_iscrypt.dll		executable
		MD5:A69559718AB506675E907FE49DEB71E9	SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
1472	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.tmp	C:\Users\admin\AppData\Local\Temp\2gut4\astclient.dll		executable
		MD5:CDC5A8221738C1CA66564755BB58138C	SHA256:DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
1472	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.tmp	C:\Users\admin\AppData\Local\Temp\2gut4\ast.exe		executable
		MD5:8002D9E5851728EB024B398CF19DE390	SHA256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
1472	f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.tmp	C:\Users\admin\AppData\Local\Temp\2gut4\astrct.dll		executable
		MD5:E0E559010A1CC7CB6B6F754E8833A156	SHA256:A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5576	RUXIMICS.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4932	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5576	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4932	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3912	ast.exe	GET	302	15.197.162.184:80	http://thief.lol/blt7/update.php?id=190041444&stat=90f12377a8e30dd9a335b3d69407dfd6	unknown	—	—	malicious
3912	ast.exe	GET	302	15.197.162.184:80	http://thief.lol/blt7/update.php?id=190041444&stat=90f12377a8e30dd9a335b3d69407dfd6	unknown	—	—	malicious
3912	ast.exe	GET	302	15.197.162.184:80	http://thief.lol/blt7/update.php?id=190041444&stat=90f12377a8e30dd9a335b3d69407dfd6&cmd=2	unknown	—	—	malicious
3912	ast.exe	GET	302	15.197.162.184:80	http://thief.lol/blt7/update.php?id=190041444&stat=90f12377a8e30dd9a335b3d69407dfd6&cmd=2	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5576	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4712	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	2.23.209.166:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4932	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4932	svchost.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5576	RUXIMICS.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4932	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
www.bing.com	2.23.209.166 2.23.209.175 2.23.209.173 2.23.209.167 2.23.209.169 2.23.209.162 2.23.209.176 2.23.209.168 2.23.209.171	whitelisted
google.com	142.250.185.142	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.106	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
id.xn--80akicokc0aablc.xn--p1ai	212.193.169.65	unknown
trs008.xn--80akicokc0aablc.xn--p1ai	81.177.97.74	unknown
thief.lol	15.197.162.184	malicious
s0cial.com	107.180.13.125	unknown
self.events.data.microsoft.com	20.189.173.27	whitelisted

PID	Process	Class	Message
3912	ast.exe	Malware Command and Control Activity Detected	ET MALWARE Win32.Spy/TVRat Checkin
3912	ast.exe	Malware Command and Control Activity Detected	ET MALWARE SpyAgent C&C Activity (Request)
3912	ast.exe	Malware Command and Control Activity Detected	ET MALWARE SpyAgent C&C Activity (Request)
3912	ast.exe	Malware Command and Control Activity Detected	ET MALWARE Win32.Spy/TVRat Checkin
3912	ast.exe	Malware Command and Control Activity Detected	ET MALWARE SpyAgent C&C Activity (Request)
3912	ast.exe	Malware Command and Control Activity Detected	ET MALWARE SpyAgent C&C Activity (Request)
3912	ast.exe	Malware Command and Control Activity Detected	ET MALWARE SpyAgent C&C Activity (Request)
3912	ast.exe	Malware Command and Control Activity Detected	ET MALWARE Win32.Spy/TVRat Checkin
3912	ast.exe	Malware Command and Control Activity Detected	ET MALWARE SpyAgent C&C Activity (Request)
3912	ast.exe	Malware Command and Control Activity Detected	ET MALWARE Win32.Spy/TVRat Checkin

Process	Message
ast.exe	GetExeName=C:\Users\admin\AppData\Roaming\imagej\ast.exe
ast.exe	!LOG-LOST (errno=22) C+Start Started Assistant Client 4.4.2108.1901 for Windows (build Aug 19 2021 06:59:42)
ast.exe	!LOG-LOST (errno=22) C+Start.aofidsrv Auto disconnect IdSrv timeout: 30 sec
ast.exe	!LOG-LOST (errno=22) C+Start.fshtrs Find shared trs: 1
ast.exe	!LOG-LOST (errno=22) C+Start.cmln "C:\Users\admin\AppData\Roaming\imagej\ast.exe"
ast.exe	!LOG-LOST (errno=22) C+Start.tz Timezone -0000 (Coordinated Universal Time)
ast.exe	!LOG-LOST (errno=22) C+Start.StSwtcCmd Find other TRS when cmd-channel failed connect: on
ast.exe	!LOG-LOST (errno=22) Cwinver Winver 10.0
ast.exe	!LOG-LOST (errno=22) C+Start.uname admin
ast.exe	!LOG-LOST (errno=22) C+Start.amd no-adm-mode

General Info

f8b7e394c94b53fa496da5b7e9e5e684161acc4a50bd8e227129d50a44e38d8a.exe

EA0EED87360C7437DF7151F8065BA8FF

3D08A94FCE539C87F46F96BB121E90B8D2267A1F

F8B7E394C94B53FA496DA5B7E9E5E684161ACC4A50BD8E227129D50A44E38D8A

98304:fwa94F8A2Z4k28KmtAFsW2gtyUr3fsdwA/+Hn2+S6cyHxpZLk1K1IC1ehAo5+K7D:rss3ClH0xrTO2EgtT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Connects to the CnC server

SUSPICIOUS

Process drops legitimate windows executable

Reads the Windows owner or organization settings

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

The process drops C-runtime libraries

Process drops SQLite DLL files

There is functionality for VM detection VirtualBox (YARA)

Connects to unusual port

Executing commands from a ".bat" file

Contacting a server suspected of hosting an CnC

The executable file from the user directory is run by the CMD process

INFO

Reads the computer name

Create files in a temporary directory

Process checks computer location settings

Checks supported languages

The process uses the downloaded file

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings