analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

bot1.exe

Full analysis: https://app.any.run/tasks/ef5d9956-27ce-436a-b6da-3df6c2a49d08
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: June 12, 2019, 06:33:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
trojan
tinynuke
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

E0BF7A71753C6BDDC01C2BC6D4DAA078

SHA1:

EA125F63704DD005B32E0CE94833D50A32BD55C4

SHA256:

FBC9B3D3398C01AFF3FE563B031332DB6C73506E6F01FB5905C4132B896B38A4

SSDEEP:

6144:Oadvy0LhDF9ZTMOFfop8LcxkFYWC8I+EviuLfJC8C/sO+RjbK5tXsUrYXuMYI+h:OadaCnfo8QxkyW9Onj25HYXF+h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to CnC server

      • D8D914BC32101291311131.exe (PID: 2720)
    • Changes internet zones settings

      • D8D914BC32101291311131.exe (PID: 2720)
    • TINYNUKE was detected

      • D8D914BC32101291311131.exe (PID: 2720)
    • Changes the autorun value in the registry

      • bot1.exe (PID: 916)
  • SUSPICIOUS

    • Starts itself from another location

      • bot1.exe (PID: 916)
    • Executable content was dropped or overwritten

      • bot1.exe (PID: 916)
    • Creates files in the user directory

      • bot1.exe (PID: 916)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

ProductVersion: 3.1.3.8
ProductName: Adware
Comments: Incompatible Radial Newalbum
LegalCopyright: (C)Cisco Systems
InternalName: Adware
FileDescription: Incompatible Radial Newalbum
LegalTrademarks: (C)Cisco Systems
FileVersion: 3.1.3.8
CompanyName: Cisco Systems
OriginalFileName: Adware.exe
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 3.1.3.8
FileVersionNumber: 3.1.3.8
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2c683
UninitializedDataSize: -
InitializedDataSize: 176128
CodeSize: 339968
LinkerVersion: 8
PEType: PE32
TimeStamp: 2018:10:11 15:54:03+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 11-Oct-2018 13:54:03
Detected languages:
  • English - United States
Debug artifacts:
  • C:\c\Release\circumstance.pdb
OriginalFilename: Adware.exe
CompanyName: Cisco Systems
FileVersion: 3.1.3.8
LegalTrademarks: (C)Cisco Systems
FileDescription: Incompatible Radial Newalbum
InternalName: Adware
LegalCopyright: (C)Cisco Systems
Comments: Incompatible Radial Newalbum
ProductName: Adware
ProductVersion: 3.1.3.8

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 11-Oct-2018 13:54:03
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00052D12
0x00053000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.61051
.rdata
0x00054000
0x00011DF8
0x00012000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.25519
.data
0x00066000
0x00007700
0x00003000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.44941
.rsrc
0x0006E000
0x00015164
0x00016000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.30224

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.98304
604
Latin 1 / Western European
English - United States
RT_MANIFEST
2
5.95264
16936
Latin 1 / Western European
English - United States
RT_ICON
3
6.25973
9640
Latin 1 / Western European
English - United States
RT_ICON
4
6.01804
4264
Latin 1 / Western European
English - United States
RT_ICON
5
6.37529
2440
Latin 1 / Western European
English - United States
RT_ICON
6
6.128
1128
Latin 1 / Western European
English - United States
RT_ICON
7
0.833805
40
Latin 1 / Western European
English - United States
RT_STRING
100
3.27178
224
Latin 1 / Western European
English - United States
RT_DIALOG
102
3.25454
382
Latin 1 / Western European
English - United States
RT_DIALOG
128
2.98586
90
Latin 1 / Western European
English - United States
RT_GROUP_ICON

Imports

ADVAPI32.dll
AVIFIL32.dll
COMCTL32.dll
GDI32.dll
IMM32.dll
KERNEL32.dll
MSVFW32.dll
NETAPI32.dll
ODBC32.dll
OLEACC.dll (delay-loaded)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start bot1.exe #TINYNUKE d8d914bc32101291311131.exe

Process information

PID
CMD
Path
Indicators
Parent process
916"C:\Users\admin\AppData\Local\Temp\bot1.exe" C:\Users\admin\AppData\Local\Temp\bot1.exe
explorer.exe
User:
admin
Company:
Cisco Systems
Integrity Level:
MEDIUM
Description:
Incompatible Radial Newalbum
Exit code:
0
Version:
3.1.3.8
2720"C:\Users\admin\AppData\Roaming\D8D914BC32101291311131\D8D914BC32101291311131.exe"C:\Users\admin\AppData\Roaming\D8D914BC32101291311131\D8D914BC32101291311131.exe
bot1.exe
User:
admin
Company:
Cisco Systems
Integrity Level:
MEDIUM
Description:
Incompatible Radial Newalbum
Version:
3.1.3.8
Total events
8
Read events
4
Write events
4
Delete events
0

Modification events

(PID) Process:(916) bot1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:
Value:
C:\Users\admin\AppData\Roaming\D8D914BC32101291311131\D8D914BC32101291311131.exe
(PID) Process:(2720) D8D914BC32101291311131.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:TabProcGrowth
Value:
0
(PID) Process:(2720) D8D914BC32101291311131.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:NoProtectedModeBanner
Value:
1
(PID) Process:(2720) D8D914BC32101291311131.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Operation:writeName:2500
Value:
3
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
916bot1.exeC:\Users\admin\AppData\Local\Temp\D8D914BC32101291311131text
MD5:D24DBDE8E8FA131101C403A3C447A89B
SHA256:FB6B67EB1A107560E4484C320C910DB5FEE81D70164F027D9C031AC5C9C9FF16
2720D8D914BC32101291311131.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:10755194BEE1A614619075CB04D7C21A
SHA256:4CFD55C673AFCED5864E7D7892692D6E94079D365CDCAEAAB37B7C7F4D7DCA6A
916bot1.exeC:\Users\admin\AppData\Roaming\D8D914BC32101291311131\D8D914BC32101291311131.exeexecutable
MD5:E0BF7A71753C6BDDC01C2BC6D4DAA078
SHA256:FBC9B3D3398C01AFF3FE563B031332DB6C73506E6F01FB5905C4132B896B38A4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2720
D8D914BC32101291311131.exe
POST
411
185.238.1.189:80
http://185.238.1.189/saite/gate.php?D8D914BC32101291311131
unknown
xml
357 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2720
D8D914BC32101291311131.exe
185.238.1.189:80
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
2720
D8D914BC32101291311131.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no referer
2720
D8D914BC32101291311131.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no accept headers
2720
D8D914BC32101291311131.exe
A Network Trojan was detected
ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
1 ETPRO signatures available at the full report
No debug info