bitkinex323.exe
This report is generated from a file or URL submitted to this webservice on November 14th 2017 19:25:29 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Contains a remote desktop related string
  - Reads terminal service related keys (often RDP related)
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
Additional Context
Related Sandbox Artifacts
- Associated URLs
  - bitkinex.com/ftp/client/bitkinex323.exe
  - hxxp://www.bitkinex.com/ftp/client/bitkinex323.exe
Indicators
Malicious Indicators 1
Installation/Persistence
Writes data to a remote process
- details
- "<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 248)
- "<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 248)
- "<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 248)
- "<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 248)
- source
- API Call
- relevance
- 6/10
Suspicious Indicators 13
Anti-Reverse Engineering
PE file has unusual entropy sections
- details
- .rsrc with unusual entropies 7.54740434404
- source
- Static Parser
- relevance
- 10/10
Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details
- "lUO\2]:ZGeykp=gNo~V^xw=+VbOXu|.]{YO]0I}Bu_Ue;Xfl*M7/7ak~z|Y9>q`lu''|SE `LMfjBj6|5fyaa|p" (Indicator: "vbox")
- "v9xN4Vp!u#Jw&%~<ohE@S@gGitZXJmgss^S8psWv)^W8#E"<iSS4CU=l()]'jC_h{Nsb4q%^%0W4-3"MX],l;/ ^'gGPh'W"F1@iaOV([l'J;4T^e|<@z<Uyu !>Xb/W]\D$*i=UX'Nr|/)yOQEMucyC}lgu]d" (Indicator: "qemu")
- source
- File/Memory
- relevance
- 4/10
Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
General
Contains ability to find and load resources of a specific module
- details
- FindResourceA@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Installation/Persistence
Contains ability to write to a remote process
- details
- WriteProcessMemory@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 8/10
Creates new processes
- details
- "<Input Sample>" is creating a new process (Name: "%WINDIR%\System32\msiexec.exe", Handle: 248)
- source
- API Call
- relevance
- 8/10
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
Network Related
Found potential IP address in binary/memory
- details
- "2.9.0.0"
- Heuristic match: "ScriptVer=1.0.0.1"
- source
- File/Memory
- relevance
- 3/10
Remote Access Related
Contains a remote desktop related string
- details
- "N!pNJJ,0j]C7T-@pvzf9vnc" (Indicator for product: Generic VNC)
- "]:"7u $1I*1~V":(R<MkKq=7tEW"5 } Nylo~2 <nHu^X<vnc=LG" (Indicator for product: Generic VNC)
- source
- File/Memory
- relevance
- 10/10
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
Unusual Characteristics
Imports suspicious APIs
- details
- RegOpenKeyA
- RegCloseKey
- OpenProcessToken
- RegCreateKeyExA
- RegOpenKeyExA
- RegDeleteValueA
- GetFileAttributesA
- GetDriveTypeA
- UnhandledExceptionFilter
- GetThreadContext
- GetTempPathA
- WriteFile
- WriteProcessMemory
- CopyFileA
- GetModuleFileNameA
- CreateThread
- TerminateProcess
- GetTickCount
- VirtualProtect
- GetVersionExA
- LoadLibraryA
- GetStartupInfoA
- GetFileSize
- CreateDirectoryA
- DeleteFileA
- GetProcAddress
- VirtualProtectEx
- FindFirstFileA
- GetTempFileNameA
- CreateFileMappingA
- FindNextFileA
- CreateFileA
- LockResource
- GetCommandLineA
- MapViewOfFile
- GetModuleHandleA
- CreateProcessA
- Sleep
- FindResourceA
- VirtualAlloc
- ShellExecuteA
- FindWindowA
- source
- Static Parser
- relevance
- 1/10
Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
Hiding 1 Suspicious Indicators
Informative 14
Environment Awareness
Contains ability to query the machine version
- details
- GetVersion@KERNEL32.dll
- GetVersion@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Makes a code branch decision directly after an API that is environment aware
- details
- Found API call GetVersion@KERNEL32.dll (Target: "f24a48e1f2950241370ffb605ff46de4d9ad063fa6a565f08d71f7cf9b0e36bc.exe.bin"; Stream UID: "57576-1190-00406501") which is directly followed by "cmp al, 06h" and "jc 00406525h". See related instructions: "...
    +5 call 00423D48h
    +10 sub esp, 00000EBCh
    +16 push ebx
    +17 push esi
    +18 push edi
    +19 call dword ptr [004320C0h] ;GetVersion
    +25 cmp al, 06h
    +27 jc 00406525h" ...
- source
- Hybrid Analysis Technology
- relevance
- 10/10
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/67 Antivirus vendors marked sample as malicious (0% detection rate)
- 0/40 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Contains PDB pathways
- details
- "h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb" (PDB path recovered from the matched string; the surrounding non-printable binary data is omitted here)
- source
- File/Memory
- relevance
- 1/10
Creates a writable file in a temporary directory
- details
- "<Input Sample>" created file "%TEMP%\_MSI5166._IS"
- "<Input Sample>" created file "%TEMP%\{318E5EF0-5F6E-48C6-A19E-9140021E61A3}\Setup.INI"
- "<Input Sample>" created file "%TEMP%\{318E5EF0-5F6E-48C6-A19E-9140021E61A3}\_ISMSIDEL.INI"
- "<Input Sample>" created file "%TEMP%\{318E5EF0-5F6E-48C6-A19E-9140021E61A3}\0x0409.ini"
- "<Input Sample>" created file "%TEMP%\~4254.tmp"
- "<Input Sample>" created file "%TEMP%\{318E5EF0-5F6E-48C6-A19E-9140021E61A3}\BitKinex.msi"
- source
- API Call
- relevance
- 1/10
Loads rich edit control libraries
- details
- "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6A740000
- source
- Loaded Module
Sample shows a variety of benign indicators
- details
- The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
- source
- Indicator Combinations
- relevance
- 10/10
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%TEMP%\{318E5EF0-5F6E-48C6-A19E-9140021E61A3}\BitKinex.msi" SETUPEXEDIR="C:""
- source
- Monitored Target
- relevance
- 3/10
The input sample is signed with a certificate
- details
- The input sample is signed with a certificate issued by "CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US" (SHA1: AD:A8:AA:A6:43:FF:7D:C3:8D:D4:0F:A4:C9:7A:D5:59:FF:48:46:DE; see report for more information)
- The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: F4:6A:C0:C6:EF:BB:8C:6A:14:F5:5F:09:E2:D3:7D:F4:C0:DE:01:2D; see report for more information)
- The input sample is signed with a certificate issued by "CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US" (SHA1: CD:31:65:15:D3:2A:10:09:6F:EE:E7:18:FC:7F:AF:50:B2:93:8A:01; see report for more information)
- source
- Certificate Data
- relevance
- 10/10
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
Installation/Persistence
Dropped files
- details
- "BitKinex.msi" has type "Composite Document File V2 Document Can't read SAT"
- "~4254.tmp" has type "ASCII text with CRLF line terminators"
- "0x0409.ini" has type "ASCII text with CRLF line terminators"
- "Setup.INI" has type "ASCII text with CRLF line terminators"
- "_ISMSIDEL.INI" has type "ASCII text with CRLF line terminators"
- source
- Binary File
- relevance
- 3/10
Touches files in the Windows directory
- details
- "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
- "<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
- "<Input Sample>" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
- "<Input Sample>" touched file "%WINDIR%\System32\msi.dll"
- "<Input Sample>" touched file "%WINDIR%\AppPatch\sysmain.sdb"
- "<Input Sample>" touched file "%WINDIR%\System32\msiexec.exe"
- "msiexec.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
- Pattern match: "http://ocsp.verisign.com0"
- Pattern match: "http://crl.verisign.com/tss-ca.crl0"
- Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0"
- Pattern match: "http://www.usertrust.com1"
- Pattern match: "https://secure.comodo.net/CPS0B"
- Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl04"
- Pattern match: "http://ocsp.comodoca.com0"
- Heuristic match:
    GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEEIa8pQJhBkfUgpLxiQmp0s%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.usertrust.com
- Heuristic match:
    GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRtl6lMY2%2BiPob4twryIF%2BFfgUdvwQUK8NGq7oOyWUqRtF5R8Ri4uHa%2FLgCEQDPwIbnbp4SlSeSvs9CQSsC HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.comodoca.com
- Pattern match: "http://crl.thawte.com/ThawtePremiumServerCA.crl0U%0++0U0"
- Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
- Pattern match: "http://crl.thawte.com/ThawteCodeSigningCA.crl0U%0+"
- Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
- Pattern match: "www.macrovision.com0"
- Pattern match: "http://www.installengine.com/Msiengine30/WindowsInstaller-KB893803-x86.exe"
- source
- File/Memory
- relevance
- 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details
- "f24a48e1f2950241370ffb605ff46de4d9ad063fa6a565f08d71f7cf9b0e36bc.exe.bin" was detected as "Microsoft visual C++ 5.0"
- source
- Static Parser
- relevance
- 10/10
File Details
bitkinex323.exe
- Filename
- bitkinex323.exe
- Size
- 8.1MiB (8465752 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- f24a48e1f2950241370ffb605ff46de4d9ad063fa6a565f08d71f7cf9b0e36bc
- MD5
- 79025d5c3bc8de6cecd8f4aaa2c81736
- SHA1
- 1b78c656b20813ebd599bd814013b771357d2e0c
- ssdeep
- 196608:QjEnVvwlecRlpaZ9SCQX3OW5rA/ngSXronCK/Dc:CEJw0cADq+gongk0CK/4
- imphash
- 8fc44b6baee0f63424e7fdfd8a71500e
- authentihash
- 7cd9980daa32c43cbef46e1135a58a0093238621e3f158de53a96c828257515b
- Compiler/Packer
- Microsoft visual C++ 5.0
- PDB Pathway
Version Info
- LegalCopyright
- Copyright (C) 2006 Macrovision Corporation
- InternalName
- Setup
- FileVersion
- 3.2.3
- CompanyName
- Barad-Dur, LLC.
- ProductName
- BitKinex
- OLESelfRegister
- -
- ProductVersion
- 3.2.3
- FileDescription
- Setup Launcher
- OriginalFilename
- Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 48.1% (.EXE) InstallShield setup
- 34.9% (.EXE) Win32 Executable MS Visual C++ (generic)
- 7.3% (.DLL) Win32 Dynamic Link Library (generic)
- 5.0% (.EXE) Win32 Executable (generic)
- 2.2% (.EXE) Generic Win/DOS Executable
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=VeriSign Time Stamping Services Signer - G2, O="VeriSign, Inc.", C=US | CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US (Serial: 3825d7faf861af9ef490e726b5d65ad5) | 06/15/2007 01:00:00 to 06/15/2012 00:59:59 | MD5 3B:2A:74:96:89:37:03:9B:31:E5:40:9C:D0:09:D1:FE; SHA1 AD:A8:AA:A6:43:FF:7D:C3:8D:D4:0F:A4:C9:7A:D5:59:FF:48:46:DE |
CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA (Serial: 47bf1995df8d524643f7db6d480d31a4) | 12/04/2003 01:00:00 to 12/04/2013 00:59:59 | MD5 68:23:26:7A:B3:5E:C7:A5:44:99:04:BB:4D:80:41:A7; SHA1 F4:6A:C0:C6:EF:BB:8C:6A:14:F5:5F:09:E2:D3:7D:F4:C0:DE:01:2D |
CN=Barad-Dur, O=Barad-Dur, STREET=Purkynova 6, L=Teplice, ST=Czech Republic, OID.2.5.4.17=41501, C=CZ | CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US (Serial: cfc086e76e9e12952792becf42412b02) | 06/18/2010 01:00:00 to 06/19/2011 00:59:59 | MD5 3B:2D:A2:CF:20:6A:90:80:63:88:64:79:F0:E0:FA:1C; SHA1 CD:31:65:15:D3:2A:10:09:6F:EE:E7:18:FC:7F:AF:50:B2:93:8A:01 |
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- Input Sample (PID: 2984)
  - msiexec.exe /i "%TEMP%\{318E5EF0-5F6E-48C6-A19E-9140021E61A3}\BitKinex.msi" SETUPEXEDIR="C:" (PID: 3596)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 57576-477-00411CF7 |
2.0.0.0 | Domain/IP reference | 57576-477-00411CF7 |
2.9.0.0 | Domain/IP reference | 57576-478-0041A674 |
Extracted Strings
Extracted Files
Informative Selection 2
BitKinex.msi
- Size
- 5MiB (5241856 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- f24a48e1f2950241370ffb605ff46de4d9ad063fa6a565f08d71f7cf9b0e36bc.exe (PID: 2984)
- MD5
- 1d58cda5da0fd030a62ff5631a81e499
- SHA1
- c18f3e639be046aec287e64dd806c2dcef711198
- SHA256
- cfb2056df7dfad8cb751258190f365bee6ceca492706101216bd509216d6ee3d
-
Setup.INI
- Size
- 1.9KiB (1956 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- f24a48e1f2950241370ffb605ff46de4d9ad063fa6a565f08d71f7cf9b0e36bc.exe (PID: 2984)
- MD5
- 614421577ed1fe7e716aa0d4eade50df
- SHA1
- 9f433bc253f470231762cb4bcfd71405ccfb789a
- SHA256
- 022aeac01a4e2089eb525d605f1a77e336867ffe0320d751a9a772bea773f532
Informative 3
0x0409.ini
- Size
- 6KiB (6129 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- f24a48e1f2950241370ffb605ff46de4d9ad063fa6a565f08d71f7cf9b0e36bc.exe (PID: 2984)
- MD5
- 52d179ad79966752ec40a678fd8b0062
- SHA1
- f12df9b03090286d1093b5421aea3acc358cc032
- SHA256
- 57e020c41ad0566fb55415a40167a0c3da89584bc4e5f961d8e8c646f80c5590
-
_ISMSIDEL.INI
- Size
- 307B (307 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- f24a48e1f2950241370ffb605ff46de4d9ad063fa6a565f08d71f7cf9b0e36bc.exe (PID: 2984)
- MD5
- 3c27593fd1e2c244394c3e01d1584081
- SHA1
- 4735eb24987059d20c5e33998d825f10972d9b7d
- SHA256
- ce524ede6d0e254b735831247fdd5b6e84ac560af80bfea1be52865948e08f2f
-
~4254.tmp
- Size
- 1.9KiB (1956 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- f24a48e1f2950241370ffb605ff46de4d9ad063fa6a565f08d71f7cf9b0e36bc.exe (PID: 2984)
- MD5
- 614421577ed1fe7e716aa0d4eade50df
- SHA1
- 9f433bc253f470231762cb4bcfd71405ccfb789a
- SHA256
- 022aeac01a4e2089eb525d605f1a77e336867ffe0320d751a9a772bea773f532
Notifications
Runtime
- Added comment to Virus Total report
- Extracted file "BitKinex.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/cfb2056df7dfad8cb751258190f365bee6ceca492706101216bd509216d6ee3d/analysis/1510684469/")
- Not all IP/URL string resources were checked online
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)