| File name: | bifit_signer_8.23.exe |
| Full analysis: | https://app.any.run/tasks/33541c04-d257-431a-8e20-70a6086773ac |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | February 07, 2024, 07:43:17 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | 5904318F8419E708C9E6238963B6A88A |
| SHA1: | 7B8DB59AF938A92FECE34AEEC1CE6FAD3CE75D6E |
| SHA256: | FF08F85313A23735CDEE6E70AC52D4371726A003FCF58C2BAFE62DA67B9664DE |
| SSDEEP: | 196608:yhyE9AHKQwSEATalF9JSofA4QCFIAH/l5:yhyNHK+a3LfAhcIA/l5 |
MALICIOUS
Drops the executable file immediately after the start
- bifit_signer_8.23.exe (PID: 1652)
Actions looks like stealing of personal data
- bifit_signer_8.23.exe (PID: 1652)
Steals credentials
- BSHControlPanel.exe (PID: 3156)
- WinRAR.exe (PID: 1384)
SUSPICIOUS
Malware-specific behavior (creating "System.dll" in Temp)
- bifit_signer_8.23.exe (PID: 1652)
The process creates files with name similar to system file names
- bifit_signer_8.23.exe (PID: 1652)
Executable content was dropped or overwritten
- bifit_signer_8.23.exe (PID: 1652)
Starts application with an unusual extension
- bifit_signer_8.23.exe (PID: 1652)
Uses WMIC.EXE
- ns6DD7.tmp (PID: 2628)
Reads the Internet Settings
- WMIC.exe (PID: 2032)
- bifit_signer_8.23.exe (PID: 1652)
- BSHControlPanel.exe (PID: 3156)
- eventvwr.exe (PID: 120)
Application launched itself
- BIFITSignerHost.exe (PID: 3040)
Uses NSLOOKUP.EXE to check DNS info
- BSHControlPanel.exe (PID: 3156)
Searches for installed software
- BSHControlPanel.exe (PID: 3156)
Reads settings of System Certificates
- BSHControlPanel.exe (PID: 3156)
Uses WEVTUTIL.EXE to export log
- BSHControlPanel.exe (PID: 3156)
Reads Internet Explorer settings
- mmc.exe (PID: 4008)
Start notepad (likely ransomware note)
- WinRAR.exe (PID: 1384)
INFO
Checks supported languages
- bifit_signer_8.23.exe (PID: 1652)
- ns6D58.tmp (PID: 3468)
- ns6DD7.tmp (PID: 2628)
- BSHControlPanel.exe (PID: 3156)
- BIFITSignerHost.exe (PID: 3040)
- BIFITSignerHost.exe (PID: 2768)
- BSHControlPanel.exe (PID: 3412)
- wmpnscfg.exe (PID: 2672)
Reads the computer name
- bifit_signer_8.23.exe (PID: 1652)
- BIFITSignerHost.exe (PID: 3040)
- BIFITSignerHost.exe (PID: 2768)
- BSHControlPanel.exe (PID: 3156)
- wmpnscfg.exe (PID: 2672)
Creates files or folders in the user directory
- bifit_signer_8.23.exe (PID: 1652)
- BIFITSignerHost.exe (PID: 3040)
- BSHControlPanel.exe (PID: 3156)
- mmc.exe (PID: 4008)
Create files in a temporary directory
- bifit_signer_8.23.exe (PID: 1652)
- WMIC.exe (PID: 2032)
- BSHControlPanel.exe (PID: 3156)
Checks proxy server information
- bifit_signer_8.23.exe (PID: 1652)
- BSHControlPanel.exe (PID: 3156)
Manual execution by a user
- BSHControlPanel.exe (PID: 3412)
- WinRAR.exe (PID: 1384)
- wmpnscfg.exe (PID: 2672)
Reads the machine GUID from the registry
- BSHControlPanel.exe (PID: 3156)
Creates files in the program directory
- mmc.exe (PID: 4008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:08:01 04:52:49+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26112 |
| InitializedDataSize: | 428544 |
| UninitializedDataSize: | 16384 |
| EntryPoint: | 0x35d8 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.8.23.0 |
| ProductVersionNumber: | 0.8.23.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Russian |
| CharacterSet: | Windows, Cyrillic |
| CompanyName: | BIFIT |
| FileDescription: | BIFIT Signer 8.23 |
| FileVersion: | 8.23 |
| LegalCopyright: | © 2015-2023 "AO БИФИТ" |
| ProductName: | BIFIT Signer |
| ProductVersion: | 8.23 |
Total processes
67
Monitored processes
18
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\admin\AppData\Local\Temp\Rar$DIa1384.43334\Application.evtx" | C:\Windows\System32\eventvwr.exe | WinRAR.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1172 | ping -n 1 signer.bifit.com | C:\Windows\System32\PING.EXE | — | ns6D58.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1384 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\BIFIT\BIFIT Signer Host\tmp\info.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1652 | "C:\Users\admin\AppData\Local\Temp\bifit_signer_8.23.exe" | C:\Users\admin\AppData\Local\Temp\bifit_signer_8.23.exe | explorer.exe | ||||||||||||
User: admin Company: BIFIT Integrity Level: MEDIUM Description: BIFIT Signer 8.23 Exit code: 0 Version: 8.23 Modules
| |||||||||||||||
| 2032 | C:\Windows\system32\wbem\wmic /record:'C:\Users\admin\AppData\Local\Temp\nsw6DD6.tmp' path Win32_PingStatus where "Address='signer.bifit.com' and StatusCode=0 and ProtocolAddress='127.0.0.1'" | C:\Windows\System32\wbem\WMIC.exe | — | ns6DD7.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2136 | nslookup signer.bifit.com | C:\Windows\System32\nslookup.exe | BSHControlPanel.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2628 | "C:\Users\admin\AppData\Local\Temp\nsz4397.tmp\ns6DD7.tmp" C:\Windows\system32\wbem\wmic /record:'C:\Users\admin\AppData\Local\Temp\nsw6DD6.tmp' path Win32_PingStatus where "Address='signer.bifit.com' and StatusCode=0 and ProtocolAddress='127.0.0.1'" | C:\Users\admin\AppData\Local\Temp\nsz4397.tmp\ns6DD7.tmp | — | bifit_signer_8.23.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2672 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2768 | "C:\Users\admin\AppData\Local\BIFIT\BIFIT Signer Host\BIFITSignerHost.exe" | C:\Users\admin\AppData\Local\BIFIT\BIFIT Signer Host\BIFITSignerHost.exe | — | BIFITSignerHost.exe | |||||||||||
User: admin Company: BIFIT Integrity Level: MEDIUM Description: BIFIT Signer Exit code: 0 Version: 2.8.23.5 Modules
| |||||||||||||||
| 2844 | "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\admin\AppData\Local\Temp\Rar$DIa1384.43334\Application.evtx" | C:\Windows\System32\eventvwr.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
31 020
Read events
30 968
Write events
52
Delete events
0
Modification events
| (PID) Process: | (3156) BSHControlPanel.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3156) BSHControlPanel.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3156) BSHControlPanel.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3156) BSHControlPanel.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3156) BSHControlPanel.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (3156) BSHControlPanel.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3156) BSHControlPanel.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (3156) BSHControlPanel.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3156) BSHControlPanel.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} |
| Operation: | write | Name: | WpadDecisionReason |
Value: 1 | |||
| (PID) Process: | (3156) BSHControlPanel.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} |
| Operation: | write | Name: | WpadDecisionTime |
Value: 8EC543949959DA01 | |||
Executable files
18
Suspicious files
28
Text files
46
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1652 | bifit_signer_8.23.exe | C:\Users\admin\AppData\Local\BIFIT\BIFIT Signer Host\jcverify.txt | text | |
MD5:98460C0E84B5B852052ED267E849D134 | SHA256:0E514F0AEB590959BDB712BD79C0439614E2FCEA3DE22E691A74494B725FFC00 | |||
| 1652 | bifit_signer_8.23.exe | C:\Users\admin\AppData\Local\BIFIT\BIFIT Signer Host\BSHControlPanel.json | binary | |
MD5:5EE171B99E9D0A09AC61D6168277046B | SHA256:3F9C95FCBAD457B05BE73D82ACE392DCA811BB1B5A98522A818773524FC41D24 | |||
| 1652 | bifit_signer_8.23.exe | C:\Users\admin\AppData\Local\BIFIT\BIFIT Signer Host\tokenmac-pkcs.dll | executable | |
MD5:06188783DC519C8088C1B5FED7B86C6E | SHA256:F7C549DBCC508E07D26785E1462BAB5B117BC111693653F9143A83325CBC3CA9 | |||
| 1652 | bifit_signer_8.23.exe | C:\Users\admin\AppData\Local\BIFIT\BIFIT Signer Host\BSHControlPanel.exe | executable | |
MD5:8B9D62D4EE0D4A2765D79A6CD3E5BD72 | SHA256:1DD14DF7F097AE4BAB02D021C7E03ADF2053E5CE806CA776BC70659546F6B4EC | |||
| 1652 | bifit_signer_8.23.exe | C:\Users\admin\AppData\Local\BIFIT\BIFIT Signer Host\jcverify.exe | executable | |
MD5:EED38E1DCCE9ED84C432AF3F8C8D7EAF | SHA256:E74CA04FFDE08C6296FCAD2BC50B58FC7C0A7C3A285DF8B15BDA82773A607BBD | |||
| 1652 | bifit_signer_8.23.exe | C:\Users\admin\AppData\Local\Temp\nsz4397.tmp\nsDialogs.dll | executable | |
MD5:466179E1C8EE8A1FF5E4427DBB6C4A01 | SHA256:1E40211AF65923C2F4FD02CE021458A7745D28E2F383835E3015E96575632172 | |||
| 1652 | bifit_signer_8.23.exe | C:\Users\admin\AppData\Local\Temp\nsz4397.tmp\modern-wizard.bmp | image | |
MD5:759C21F1006F6115163A665B89CD254B | SHA256:59F95436832AFD017A4F73CD7C92855F1EEE5A4AF3BD87D26E435F8AEC2C5B61 | |||
| 1652 | bifit_signer_8.23.exe | C:\Users\admin\AppData\Local\BIFIT\BIFIT Signer Host\fix_domain.bat | text | |
MD5:07D557DB2F41EBC39E4C99130F92777C | SHA256:D19C02C4BE2ED65786409E17A42FA9622A561759CFB3F94D5D3A6ED9A0121F0F | |||
| 1652 | bifit_signer_8.23.exe | C:\Users\admin\AppData\Local\BIFIT\BIFIT Signer Host\favicon.ico | image | |
MD5:3A98A05B470DA34BE9B6F1E449001CA7 | SHA256:E03E426424706684AC62485B544D576E2A13168B8E794BB94567E333A391774F | |||
| 1652 | bifit_signer_8.23.exe | C:\Users\admin\AppData\Local\Temp\nsz4397.tmp\System.dll | executable | |
MD5:0D7AD4F45DC6F5AA87F606D0331C6901 | SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
49
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3156 | BSHControlPanel.exe | GET | 200 | 151.101.2.133:80 | http://secure.globalsign.com/cacert/gsalphasha2g2r1.crt | unknown | binary | 1.08 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3156 | BSHControlPanel.exe | 151.101.2.133:80 | secure.globalsign.com | FASTLY | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
signer.bifit.com |
| unknown |
secure.globalsign.com |
| whitelisted |
2.100.168.192.in-addr.arpa |
| unknown |
Threats
Process | Message |
|---|---|
mmc.exe | ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode
|
mmc.exe | Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
|
mmc.exe | Getting next publisher from enum failed-259-No more data is available
|
mmc.exe | Failed to get ChannelConfigOwningPublisher -122-The data area passed to a system call is too small
|
mmc.exe | ExpandNode:After EventsNode:InsertChildren CountOfChildren = 5
|
mmc.exe | ProcessCommandLineArguments: Loading log file C:\Users\admin\AppData\Local\Temp\Rar$DIa1384.43334\Application.evtx.: Microsoft.EventViewer.SnapIn.EventViewerSnapIn
|
mmc.exe | ProcessCommandLineArguments: Got a node to select: Microsoft.EventViewer.SnapIn.EventViewerSnapIn
|