File name: | bth.exe |
Full analysis: | https://app.any.run/tasks/77fc4b3c-168c-4a5c-83bf-eb386bfbdf61 |
Verdict: | Malicious activity |
Analysis date: | November 15, 2018, 07:25:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 36386CFA7B792FFE1FA6E1A0D8DC5E19 |
SHA1: | 15FC5E118BD1A85A512C53FCF1750C7E64A3F105 |
SHA256: | FAFDC58832B67E0E4B185DA5EE89B9A6F48C4E4EF4D4FC4D8DF7C97FA2DBE564 |
SSDEEP: | 6144:jGky/okjm7rT6mFSMxubLUlHN4Ymdea+mVd1HZY5cjNWTn3+9dKxEqoDqidbEDuw:IBm7rT6ms0oLUpXmdea/71PAWiDP |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (7.4) |
.exe | | | Win32 Executable (generic) (5.1) |
.exe | | | Generic Win/DOS Executable (2.2) |
.exe | | | DOS Executable Generic (2.2) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2006:09:16 20:53:14+02:00 |
PEType: | PE32 |
LinkerVersion: | 8 |
CodeSize: | 474624 |
InitializedDataSize: | 172032 |
UninitializedDataSize: | - |
EntryPoint: | 0x75d0e |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 13.8.14.4 |
ProductVersionNumber: | 13.8.14.4 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | etazetugiruzuw |
CompanyName: | K-Mart Corp. |
FileDescription: | AD certmap authentication provider |
FileVersion: | 13.8.14.4 |
InternalName: | blee.exe |
LegalCopyright: | Copyright © 2018 K-Mart Corp. |
OriginalFileName: | blee.exe |
ProductName: | AD certmap authentication provider |
ProductVersion: | 13.8.14.4 |
AssemblyVersion: | 0.0.0.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 16-Sep-2006 18:53:14 |
Comments: | etazetugiruzuw |
CompanyName: | K-Mart Corp. |
FileDescription: | AD certmap authentication provider |
FileVersion: | 13.8.14.4 |
InternalName: | blee.exe |
LegalCopyright: | Copyright © 2018 K-Mart Corp. |
OriginalFilename: | blee.exe |
ProductName: | AD certmap authentication provider |
ProductVersion: | 13.8.14.4 |
Assembly Version: | 0.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 16-Sep-2006 18:53:14 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00073D14 | 0x00073E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.27129 |
.rsrc | 0x00076000 | 0x00029C6C | 0x00029E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.56228 |
.reloc | 0x000A0000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
2 | 3.43725 | 67624 | Latin 1 / Western European | UNKNOWN | RT_ICON |
3 | 4.29252 | 38056 | Latin 1 / Western European | UNKNOWN | RT_ICON |
4 | 4.18625 | 21640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
5 | 3.72673 | 16936 | Latin 1 / Western European | UNKNOWN | RT_ICON |
6 | 4.53517 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON |
7 | 4.24838 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON |
8 | 4.99785 | 2440 | Latin 1 / Western European | UNKNOWN | RT_ICON |
9 | 4.74874 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3352 | "C:\Users\admin\AppData\Local\Temp\bth.exe" | C:\Users\admin\AppData\Local\Temp\bth.exe | explorer.exe | |
User: admin Company: K-Mart Corp. Integrity Level: MEDIUM Description: AD certmap authentication provider Exit code: 0 Version: 13.8.14.4 | ||||
3764 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | bth.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 4.6.1055.0 built by: NETFXREL2 | ||||
2932 | "C:\Windows\System32\cmd.exe" cmd /c bfsvc.exe "true" "true" "true" "true" | C:\Windows\System32\cmd.exe | — | RegAsm.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3396 | bfsvc.exe "true" "true" "true" "true" | C:\Users\admin\AppData\Local\Temp\bfsvc.exe | cmd.exe | |
User: admin Integrity Level: MEDIUM Description: Ranger.BrowserLogging.Tests Exit code: 0 Version: 1.0.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3396 | bfsvc.exe | C:\Users\admin\AppData\Local\Temp\data | text | |
MD5:EA11D4F4F7A41A11F0475C7A5539E7FA | SHA256:ED0917D24ED73CDD991AFB7E0F86D1CE29C8E0B9C1CDB1418C2CFC97E6C04507 | |||
3396 | bfsvc.exe | C:\Users\admin\AppData\Local\Temp\ranger.browserlogging.vault.dll | executable | |
MD5:203A65F044E610957503BEF112566E87 | SHA256:4D8FD614BAA65B40EAD4225FAFF90A38D5A0F7FDB166ABB09778B5255C8576B4 | |||
3764 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\TMP_4728 | text | |
MD5:7544C0F26F23878B173A3B24BE4F3F46 | SHA256:CE8CF0F1B22C86536417DE664B67515760C9D32385C8DE5CA42F628A7C63BF5A | |||
3396 | bfsvc.exe | C:\Users\admin\AppData\Local\Temp\Ranger.BrowserLogging.dll | executable | |
MD5:E38908149F2825B604F7D8F2D91194CA | SHA256:71CAAAAA2CD513485F1D5901090EF022C943185F9F53713123AF9C6C5F24A22D | |||
3764 | RegAsm.exe | C:\Users\admin\AppData\Local\Temp\bfsvc.exe | executable | |
MD5:7BFCF811A47C0CA77EE2C95333F0476E | SHA256:F740DF4D3A6C0B378116B48C1ED18A36E82938CF7DCAABA58F0BA8101F3E3531 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3764 | RegAsm.exe | GET | 200 | 104.24.28.29:80 | http://puu.sh/jMSLc.txt | US | text | 28 b | shared |
3764 | RegAsm.exe | GET | 200 | 104.20.17.242:80 | http://icanhazip.com/ | US | text | 14 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3396 | bfsvc.exe | 104.24.28.29:443 | puu.sh | Cloudflare Inc | US | shared |
3764 | RegAsm.exe | 104.24.28.29:80 | puu.sh | Cloudflare Inc | US | shared |
3764 | RegAsm.exe | 104.20.17.242:80 | icanhazip.com | Cloudflare Inc | US | shared |
3764 | RegAsm.exe | 213.180.204.38:587 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
Domain | IP | Reputation |
---|---|---|
puu.sh |
| shared |
icanhazip.com |
| shared |
smtp.yandex.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3764 | RegAsm.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
3764 | RegAsm.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |
3764 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Posible Upatre puu.sh double encoded base64 artifact |