File name: | api |
Full analysis: | https://app.any.run/tasks/6409ad34-24a6-4e9c-8305-c60387e32e84 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | February 18, 2019, 09:52:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 6609998C66B9B6DF12F31010EB814436 |
SHA1: | 328DB637D2D5EE552B9EBF509443E93741B538B7 |
SHA256: | FDE2C7E81D55D3037062BA6940792C1012F3B837880ECFBCEAE61A7DD4D6517F |
SSDEEP: | 393216:a7A4NqkGYO1Khx4qCwEz2HrGu0OJsv6tWKFdu9CFWE12L8uk:+hNtOYhx4qClqHrGS2L8R |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2019:02:18 08:36:38+01:00 |
PEType: | PE32 |
LinkerVersion: | 14 |
CodeSize: | 16304640 |
InitializedDataSize: | 10856960 |
UninitializedDataSize: | - |
EntryPoint: | 0xce35c4 |
OSVersion: | 5.1 |
ImageVersion: | - |
SubsystemVersion: | 5.1 |
Subsystem: | Windows GUI |
FileVersionNumber: | 13.1.5.0 |
ProductVersionNumber: | 13.1.5.0 |
FileFlagsMask: | 0x003f |
FileFlags: | Debug |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | English (U.S.) |
CharacterSet: | Windows, Latin1 |
CompanyName: | Adlice Software |
FileDescription: | Anti-Malware Scan and Removal |
FileVersion: | 13.1.5.0 |
InternalName: | RogueKiller Anti-Malware |
LegalCopyright: | Copyright Adlice Software(C) 2018 |
LegalTrademarks1: | Adlice Software |
LegalTrademarks2: | Adlice Software |
OriginalFileName: | RogueKiller Anti-Malware |
ProductName: | RogueKiller Anti-Malware |
ProductVersion: | 13.1.5.0 |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 18-Feb-2019 07:36:38 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | Adlice Software |
FileDescription: | Anti-Malware Scan and Removal |
FileVersion: | 13.1.5.0 |
InternalName: | RogueKiller Anti-Malware |
LegalCopyright: | Copyright Adlice Software(C) 2018 |
LegalTrademarks1: | Adlice Software |
LegalTrademarks2: | Adlice Software |
OriginalFilename: | RogueKiller Anti-Malware |
ProductName: | RogueKiller Anti-Malware |
ProductVersion: | 13.1.5.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000150 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 9 |
Time date stamp: | 18-Feb-2019 07:36:38 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00F8C9DE | 0x00F8CA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60151 |
.rdata | 0x00F8E000 | 0x004A8B82 | 0x004A8C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.29987 |
.data | 0x01437000 | 0x0004B2A0 | 0x0002C000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.76392 |
.tls | 0x01483000 | 0x0000000D | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.qtmetadL\x02 | 0x01484000 | 0x0000024C | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 3.15593 |
.gfids | 0x01485000 | 0x000007CC | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.1122 |
_RDATA | 0x01486000 | 0x00000124 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.51793 |
.rsrc | 0x01487000 | 0x004C01C8 | 0x004C0200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.8823 |
.reloc | 0x01948000 | 0x000A5614 | 0x000A5800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.64787 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.21878 | 667 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.08492 | 296 | UNKNOWN | English - United States | RT_ICON |
3 | 4.32673 | 3752 | UNKNOWN | English - United States | RT_ICON |
4 | 4.69 | 2216 | UNKNOWN | English - United States | RT_ICON |
5 | 4.96085 | 1384 | UNKNOWN | English - United States | RT_ICON |
6 | 7.96471 | 21897 | UNKNOWN | English - United States | RT_ICON |
7 | 3.53747 | 16936 | UNKNOWN | English - United States | RT_ICON |
8 | 3.87766 | 9640 | UNKNOWN | English - United States | RT_ICON |
9 | 4.07378 | 6760 | UNKNOWN | English - United States | RT_ICON |
10 | 4.36584 | 4264 | UNKNOWN | English - United States | RT_ICON |
ADVAPI32.dll |
CRYPT32.dll |
GDI32.dll |
IMM32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
MPR.dll |
OLEAUT32.dll |
OPENGL32.dll |
PSAPI.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2300 | "C:\Users\admin\Desktop\api.exe" | C:\Users\admin\Desktop\api.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
3120 | "C:\Users\admin\Desktop\api.exe" | C:\Users\admin\Desktop\api.exe | explorer.exe | |
User: admin Integrity Level: HIGH | ||||
3600 | "C:\Program Files\Internet Explorer\iexplore.exe" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
4084 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3600 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3772 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\uploads[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\uploads[1].exe | — | iexplore.exe |
User: admin Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 | ||||
3824 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | uploads[1].exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Version: 8.0.50727.5420 | ||||
3888 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://adlice.com/thanks-downloading-roguekiller/?utm_campaign=roguekiller&utm_source=soft&utm_medium=btn" | C:\Program Files\Internet Explorer\iexplore.exe | api.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2508 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3888 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
392 | "C:\Program Files\Internet Explorer\iexplore.exe" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1472 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:392 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3600 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3600 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3600 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF8DA4026A8A3EB162.TMP | — | |
MD5:— | SHA256:— | |||
3600 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{4BBB6F4B-AC5C-11E8-969E-5254004AAD11}.dat | — | |
MD5:— | SHA256:— | |||
3600 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF5BED5CB145171260.TMP | — | |
MD5:— | SHA256:— | |||
3600 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFC18F9A1BADBE5C79.TMP | — | |
MD5:— | SHA256:— | |||
3600 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{0DA09F43-3363-11E9-91D7-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
3888 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3888 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2508 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\thanks-downloading-roguekiller[1].txt | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3960 | 90059C37132041A4B58DB.exe | POST | — | 51.15.80.29:80 | http://pagefinder52.uz/page/gate.php?90059C37132041A4B58DB | FR | — | — | malicious |
3960 | 90059C37132041A4B58DB.exe | POST | — | 51.15.80.29:80 | http://pagefinder52.uz/page/gate.php?90059C37132041A4B58DB | FR | — | — | malicious |
2644 | iexplore.exe | GET | 200 | 158.69.37.215:80 | http://xhencheng.tk/test2.exe | CA | executable | 152 Kb | suspicious |
4084 | iexplore.exe | GET | 200 | 66.70.176.223:80 | http://acnexplained.com/wp.contents/uploads.exe | CA | executable | 734 Kb | suspicious |
3960 | 90059C37132041A4B58DB.exe | POST | — | 51.15.80.29:80 | http://pagefinder52.uz/page/gate.php?90059C37132041A4B58DB | FR | — | — | malicious |
2640 | iexplore.exe | GET | 200 | 217.160.0.15:80 | http://www.iremart.es/farmautils/FarmaUtils.exe | DE | executable | 1.29 Mb | malicious |
2496 | iexplore.exe | GET | — | 184.168.168.208:80 | http://mysuperspy.com/cn/qq_ruanxing.exe | US | — | — | suspicious |
1472 | iexplore.exe | GET | 200 | 185.62.103.150:80 | http://yzbek.co.ug/a/loader32.exe | RU | executable | 95.5 Kb | malicious |
3132 | iexplore.exe | GET | 200 | 217.160.0.15:80 | http://www.iremart.es/farmautils/AMH_Update.exe | DE | executable | 36.0 Kb | malicious |
1004 | FarmaUtils[1].exe | GET | 200 | 217.160.0.15:80 | http://www.iremart.es/farmautils/AMH_Update.exe | DE | executable | 36.0 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2508 | iexplore.exe | 104.27.165.26:443 | adlice.com | Cloudflare Inc | US | shared |
4084 | iexplore.exe | 66.70.176.223:80 | acnexplained.com | OVH SAS | CA | suspicious |
2508 | iexplore.exe | 172.217.18.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3600 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3888 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2508 | iexplore.exe | 216.58.208.34:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
2508 | iexplore.exe | 172.217.22.3:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
3120 | api.exe | 178.33.106.117:443 | download.adlice.com | OVH SAS | FR | suspicious |
2508 | iexplore.exe | 216.58.207.46:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
3824 | vbc.exe | 197.210.62.66:8088 | moneybag123.ddns.net | MTN NIGERIA Communication limited | NG | unknown |
Domain | IP | Reputation |
---|---|---|
download.adlice.com |
| whitelisted |
www.bing.com |
| whitelisted |
acnexplained.com |
| suspicious |
moneybag123.ddns.net |
| malicious |
adlice.com |
| whitelisted |
www.adlice.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
cdnjs.cloudflare.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
www.google-analytics.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
4084 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1472 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3960 | 90059C37132041A4B58DB.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
3960 | 90059C37132041A4B58DB.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers |
3960 | 90059C37132041A4B58DB.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/TinyNuke |
2644 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2644 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3960 | 90059C37132041A4B58DB.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
3960 | 90059C37132041A4B58DB.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers |
3960 | 90059C37132041A4B58DB.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/TinyNuke |
Process | Message |
---|---|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|
api.exe | libpng warning: iCCP: known incorrect sRGB profile
|