File name:

f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe

Full analysis: https://app.any.run/tasks/37356468-a8a4-4e64-9211-c1d91f988e43
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 10, 2025, 19:25:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
modiloader
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

63C59B483043C0D4C519310F1C21795D

SHA1:

3016F733C8A539E1D82EC31499E885F275EAC82D

SHA256:

F9740F9DDCFF00CED727B4F9DCC3C56BD0315915ED946374BC63567051AAF8C0

SSDEEP:

3072:4uFKrLyiKndiQR6QC9WbiOQ9PE3YSAtM7:fKrLyvdiQR/3iOQ9PE3YS5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 4264)
    • MODILOADER mutex has been found

      • Flaseher.exe (PID: 1544)
  • SUSPICIOUS

    • Application launched itself

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5684)
      • Flaseher.exe (PID: 2940)
    • Executing commands from a ".bat" file

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
    • Starts CMD.EXE for commands execution

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5452)
    • Executable content was dropped or overwritten

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
    • Reads security settings of Internet Explorer

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
    • Starts itself from another location

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
    • There is functionality for communication over UDP network (YARA)

      • Flaseher.exe (PID: 1544)
  • INFO

    • Checks supported languages

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5684)
      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
      • Flaseher.exe (PID: 1544)
    • Reads the computer name

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
      • Flaseher.exe (PID: 1412)
      • Flaseher.exe (PID: 1544)
    • The sample compiled with english language support

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5684)
      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
    • Create files in a temporary directory

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
    • Creates files or folders in the user directory

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
    • The process uses the downloaded file

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
    • Process checks computer location settings

      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
    • UPX packer has been detected

      • Flaseher.exe (PID: 1412)
      • f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (PID: 5548)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (56.4)
.exe | Win64 Executable (generic) (19)
.exe | UPX compressed Win32 Executable (18.6)
.exe | Win32 Executable (generic) (3.1)
.exe | Generic Win/DOS Executable (1.3)

EXIF

EXE

OriginalFileName: glower.exe
InternalName: glower
ProductVersion: 7.06.0005
FileVersion: 7.06.0005
ProductName: intercalated
LegalTrademarks: headband opinion
LegalCopyright: ammonium reintrod panderer 1998
FileDescription: lighter meshy allergin
CompanyName: refutations nomenclatures
Comments: Acknowle crescend indestru
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 7.6.0.5
FileVersionNumber: 7.6.0.5
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 7.6
OSVersion: 4
EntryPoint: 0x14f0
UninitializedDataSize: 57344
InitializedDataSize: 12288
CodeSize: 65536
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2012:06:27 06:07:09+00:00
MachineType: Intel 386 or later, and compatibles
All screenshots are available in the full report
Total processes
125
Monitored processes
9
Malicious processes
3
Suspicious processes
2

Behavior graph

Nodes as listed in the graph ("no specs" marks a node with no specific indicators):
start, f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe (no specs), f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe, cmd.exe (no specs), conhost.exe (no specs), reg.exe, flaseher.exe (no specs), flaseher.exe (no specs), #MODILOADER flaseher.exe (no specs), svchost.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 5684
CMD: "C:\Users\admin\Desktop\f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe"
Path: C:\Users\admin\Desktop\f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe
Parent process: explorer.exe
User:
admin
Company:
refutations nomenclatures
Integrity Level:
MEDIUM
Description:
lighter meshy allergin
Exit code:
0
Version:
7.06.0005
Modules
Images
c:\users\admin\desktop\f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5548
CMD: "C:\Users\admin\Desktop\f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe"
Path: C:\Users\admin\Desktop\f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe
Parent process: f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe
User:
admin
Company:
refutations nomenclatures
Integrity Level:
MEDIUM
Description:
lighter meshy allergin
Exit code:
1
Version:
7.06.0005
Modules
Images
c:\users\admin\desktop\f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5452
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\TFCGB.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5752
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4264
CMD: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe" /f
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2940
CMD: "C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe"
Path: C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe
Parent process: f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe
User:
admin
Company:
refutations nomenclatures
Integrity Level:
MEDIUM
Description:
lighter meshy allergin
Exit code:
0
Version:
7.06.0005
Modules
Images
c:\users\admin\appdata\roaming\..flash\flaseher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 1412
CMD: "C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe"
Path: C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe
Parent process: Flaseher.exe
User:
admin
Company:
refutations nomenclatures
Integrity Level:
MEDIUM
Description:
lighter meshy allergin
Version:
7.06.0005
Modules
Images
c:\users\admin\appdata\roaming\..flash\flaseher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 1544
CMD: "C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe"
Path: C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe
Parent process: Flaseher.exe
User:
admin
Company:
refutations nomenclatures
Integrity Level:
MEDIUM
Description:
lighter meshy allergin
Version:
7.06.0005
Modules
Images
c:\users\admin\appdata\roaming\..flash\flaseher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2192
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
1 061
Read events
1 060
Write events
1
Delete events
0

Modification events

(PID) Process: (4264) reg.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: .Flasfh
Value: C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type

5548 | f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe | C:\Users\admin\AppData\Local\Temp\TFCGB.txt | text
MD5: 5741F3583D8102D805ADE9717DD9976D
SHA256: 0A147AADDE4E5BD3781CE4F3DA812B2ACBC7AB54AA322E4C6FF2C3D882DFB36B

5548 | f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe | C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe | executable
MD5: 0EB21EDE59CB9892BA0BAD28D11766BF
SHA256: E45A42852FD1D88EFA61D0A32B9E4DF342BDD3DC344612586C0C6D3FFCCF4AA5

5548 | f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe | C:\Users\admin\AppData\Local\Temp\TFCGB.bat | text
MD5: 5741F3583D8102D805ADE9717DD9976D
SHA256: 0A147AADDE4E5BD3781CE4F3DA812B2ACBC7AB54AA322E4C6FF2C3D882DFB36B
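The indicators and tables above record one persistence chain: the sample relaunches itself, writes TFCGB.bat to the user's Temp directory and runs it through cmd.exe /c, the batch file has reg.exe add an HKCU Run value named .Flasfh whose data is a copy of the loader under AppData\Roaming\..Flash, and that copy is then started directly by the sample rather than at the next logon. The Python below is an added example written for this page, not ANY.RUN's or the sample's code: it turns that chain into rules over process-creation events. The events and the dropped-file hash are constructed from the report's own process and dropped-files tables; the event layout (pid, image, cmdline, parent_image), the list of user-writable paths, and the rule names are assumptions made here, loosely following Sysmon Event ID 1.

```python
"""Added example (not ANY.RUN or sample code): process-creation rules for the
persistence chain recorded in this report. Events are constructed from the
report's process table; the field layout is an assumption (Sysmon EID 1 style)."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str
    parent_image: str   # full path of the creating process


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


# Locations a standard user can write to (assumed list); a Run value pointing
# into one of them is far more often malware than legitimate software.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
LOGON_PARENTS = ("\\explorer.exe", "\\userinit.exe")   # expected parents of a Run-key start
BAT_RE = re.compile(r'([A-Za-z]:\\[^"<>|]+?\.bat)\b', re.IGNORECASE)


def split_cmdline(cmdline: str) -> list[str]:
    """Windows-style argv split: a double-quoted run is one token, no escaping."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline: str) -> dict | None:
    """Return {key, value, type, data} for a 'reg add' command line, else None."""
    argv = split_cmdline(cmdline)
    if len(argv) < 3 or argv[1].lower() != "add":
        return None
    if argv[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    out = {"key": argv[2], "value": "(Default)", "type": "REG_SZ", "data": ""}
    flags = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(argv):
        name = flags.get(argv[i].lower())
        if name and i + 1 < len(argv):
            out[name] = argv[i + 1]
            i += 2
        else:
            i += 1
    return out


def analyze(events: list[ProcEvent], dropped: dict[str, str]) -> list[Finding]:
    """Apply the rules in event order. `dropped` maps path -> SHA-256 of files
    written during the session and is used to enrich a Run-key hit."""
    findings: list[Finding] = []
    dropped_lc = {p.lower(): h for p, h in dropped.items()}
    run_targets: set[str] = set()        # paths installed as Run values so far
    for ev in events:
        img, parent = ev.image.lower(), ev.parent_image.lower()
        if img == parent:                # "Application launched itself"
            findings.append(Finding(ev.pid, "self_relaunch", f"{ev.image} started a copy of itself"))
        if img.endswith("\\cmd.exe") and "/c" in ev.cmdline.lower():
            m = BAT_RE.search(ev.cmdline)
            if m and "\\temp\\" in m.group(1).lower():   # batch file executed from Temp
                findings.append(Finding(ev.pid, "bat_from_temp", m.group(1)))
        if img.endswith("\\reg.exe"):
            add = parse_reg_add(ev.cmdline)
            if (add and add["key"].lower().endswith(RUN_KEYS)
                    and any(s in add["data"].lower() for s in USER_WRITABLE)):
                detail = f'{add["key"]}\\{add["value"]} = {add["data"]}'
                if add["data"].lower() in dropped_lc:    # target was written this session
                    detail += f' (dropped this session, SHA-256 {dropped_lc[add["data"].lower()]})'
                findings.append(Finding(ev.pid, "run_key_user_writable", detail))
                run_targets.add(add["data"].lower())
        # The persisted copy is started by the installer itself, not by the logon shell.
        if img in run_targets and img != parent and not parent.endswith(LOGON_PARENTS):
            findings.append(Finding(ev.pid, "persisted_copy_started",
                                    f"{ev.image} started by {ev.parent_image}, not at logon"))
    return findings


SAMPLE = r"C:\Users\admin\Desktop\f9740f9ddcff00ced727b4f9dcc3c56bd0315915ed946374bc63567051aaf8c0.exe"
COPY = r"C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the report's process table; command lines copied as shown there.
EVENTS = [
    ProcEvent(5684, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(5548, SAMPLE, f'"{SAMPLE}"', SAMPLE),
    ProcEvent(5452, CMD, r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\TFCGB.bat" "', SAMPLE),
    ProcEvent(4264, r"C:\Windows\SysWOW64\reg.exe",
              r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ '
              r'/d "C:\Users\admin\AppData\Roaming\..Flash\Flaseher.exe" /f', CMD),
    ProcEvent(2940, COPY, f'"{COPY}"', SAMPLE),
    ProcEvent(1412, COPY, f'"{COPY}"', COPY),
    ProcEvent(1544, COPY, f'"{COPY}"', COPY),
]
# From the dropped-files table above.
DROPPED = {COPY: "E45A42852FD1D88EFA61D0A32B9E4DF342BDD3DC344612586C0C6D3FFCCF4AA5"}

if __name__ == "__main__":
    for f in analyze(EVENTS, DROPPED):
        print(f"PID {f.pid:>5}  {f.rule:<24} {f.detail}")
```

Run stand-alone, the block prints six findings in event order: the self-relaunch of PID 5548, the Temp batch file run by PID 5452, the Run value written by PID 4264 (enriched with the SHA-256 of Flaseher.exe because the same path appears in the dropped-files table), the persisted copy started by PID 2940 with the sample as parent, and the two further self-relaunches of Flaseher.exe. A copy of Flaseher.exe started by explorer.exe at a later logon would not trigger the last rule, which is the point: the rule separates installation from the expected autorun. One caveat from the dropped-files table itself: TFCGB.txt and TFCGB.bat carry the same MD5 and SHA-256, so a file-hash indicator taken from the .bat also matches the .txt, and the hash of Flaseher.exe differs from the hash of the submitted sample.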
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
18
DNS requests
32
Threats
27

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size cells are empty for these rows)
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2224 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2224 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (empty cells shown as -)
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.126.37.128:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
2224 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2224 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2224 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.128
  • 104.126.37.123
  • 104.126.37.162
  • 104.126.37.130
  • 104.126.37.171
  • 104.126.37.185
  • 104.126.37.137
  • 104.126.37.186
  • 104.126.37.178
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.164
  • 23.48.23.173
  • 23.48.23.145
  • 23.48.23.166
  • 23.48.23.177
  • 23.48.23.147
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
justgonnatry.hopto.org
unknown
self.events.data.microsoft.com
  • 20.189.173.2
whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org (this alert appears 10 times in the excerpt; the PID and Process cells are empty for all of them)
No debug info