
Windows Analysis Report
ATF-Cleaner.exe

Overview

General Information

Sample name: ATF-Cleaner.exe
Analysis ID: 1669046
MD5: d9de89f0faf18019bc9595f0f47bca61
SHA1: 7a044dfe1c5e780f3f2b52b3bd066e463a37886e
SHA256: e900d883001ec60353c2e8e1a54e1c5948a11513fffafbd5a28b44c1e319677a

Detection

Score: 1
Range: 0 - 100
Confidence: 80%

Signatures

AV process strings found (often used to terminate AV products)
Program does not show much activity (idle)
Uses 32bit PE files

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
  • System is w10x64
  • ATF-Cleaner.exe (PID: 7960 cmdline: "C:\Users\user\Desktop\ATF-Cleaner.exe" MD5: D9DE89F0FAF18019BC9595F0F47BCA61)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


There are no malicious signatures.

Source: ATF-Cleaner.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=atribune%40atribune%2eorgu-
Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ,@`D*\AC:\Documents and Settings\fucked up\Desktop\vb Projects\ATF Cleaner\New Folder\Atf Cleaner3.vbp
Source: ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: @*\AC:\Documents and Settings\fucked up\Desktop\vb Projects\ATF Cleaner\New Folder\Atf Cleaner3.vbp tm
Source: classification engine | Classification label: clean1.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | File created: C:\Users\user\AppData\Local\Temp\~DF46DEC0923004EC71.TMP
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: advpack.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: coremessaging.dll (reported twice)
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Section loaded: wintypes.dll (reported three times)
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\ATF-Cleaner.exe | Process information set: NOOPENFILEERRORBOX (reported ten times)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: ATF-Cleaner.exe, 00000000.00000002.2440874901.00000000007CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &&C:\Users\user\Desktop\ATF-Cleaner.exe
Source: ATF-Cleaner.exe, 00000000.00000002.2441490757.00000000022C0000.00000004.00000800.00020000.00000000.sdmp, ATF-Cleaner.exe, 00000000.00000002.2440874901.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\ATF-Cleaner.exe
MITRE ATT&CK matrix (techniques with a matched signature carry their match count in parentheses; the other cells are the unmatched template entries of the matrix):
  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
  • Resource Development: Acquire Infrastructure, Domains, DNS Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Defense Evasion: Software Packing (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
  • Discovery: Security Software Discovery (1), File and Directory Discovery (1), System Information Discovery (1)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive
  • Command and Control: Data Obfuscation, Junk Data, Steganography
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact
Behavior Graph (ID: 1669046, Sample: ATF-Cleaner.exe, Start date: 19/04/2025, Architecture: WINDOWS, Score: 1): the graph contains a single process node, ATF-Cleaner.exe, reached from the start node by an edge labelled "started".

Antivirus detection (Source | Detection | Scanner):
  • ATF-Cleaner.exe | 0% | ReversingLabs
  • ATF-Cleaner.exe | 6% | Virustotal
No Antivirus matches
No contacted domains info
URLs (Name | Source | Malicious | Reputation):
  • https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=atribune%40atribune%2eorgu- | ATF-Cleaner.exe, 00000000.00000002.2440259445.0000000000401000.00000040.00000001.01000000.00000003.sdmp | false | high
    No contacted IP infos
    Joe Sandbox version: 42.0.0 Malachite
    Analysis ID: 1669046
    Start date and time: 2025-04-19 06:20:38 +02:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 3m 46s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed: 11
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: ATF-Cleaner.exe
    Detection: CLEAN
    Classification: clean1.winEXE@1/1@0/0
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 184.28.213.193, 4.245.163.56
    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; the report is missing behavior information
    No simulations
    No context
    Process: C:\Users\user\Desktop\ATF-Cleaner.exe
    File Type: Composite Document File V2 Document, Cannot read section info
    Category: dropped
    Size (bytes): 16384
    Entropy (8bit): 1.5209559012846714
    Encrypted: false
    SSDEEP: 48:rCDUbAsRGmEUvnEWZj2WgOv2SNIuR6u9qbe:GDUbbhE1WBfgU6unE
    MD5: FD64F3F3FFD91C0B58659D2A339F29BE
    SHA1: 97A7354C16C093450185AF74D70775D268E6D314
    SHA-256: 286337540C1362B4B929115CF911FDFA1DA20B938216178318EC97166F687325
    SHA-512: B3B0DF3E29213B0D610BC90D0013CB2BB122B33C590655E0E1AE6673FA4C688F44C680A07EE3DB115257BA6B2B569E12476DE2942E4A3685B6F3E102F1FE4D27
    Malicious: false
    Reputation: low
    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
    Entropy (8bit): 7.723256803059102
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.39%
    • UPX compressed Win32 Executable (30571/9) 0.30%
    • Win32 EXE Yoda's Crypter (26571/9) 0.26%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    File name: ATF-Cleaner.exe
    File size: 50'688 bytes
    MD5: d9de89f0faf18019bc9595f0f47bca61
    SHA1: 7a044dfe1c5e780f3f2b52b3bd066e463a37886e
    SHA256: e900d883001ec60353c2e8e1a54e1c5948a11513fffafbd5a28b44c1e319677a
    SHA512: 236d2908eb66bf50e4645e9f1d1b6bf8f276d7d3648625c84c5fe1fed5c7a8e69383515201a6ba92804f5fa2ee2f63fcb73f32b6932990ab8d43750edcc4768e
    SSDEEP: 768:+NhzxwvYERUcNJLLAAYZPTn68f0Ii+i3Fwv04AhDUt6dzvqcOh:4h9wvveMLJwTFi3a048okqcOh
    TLSH: 8933F1952264046CE6FAC730477A463BC1A5B869A32177EBFD6E1D438F33300DE62976
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F.......................k...............Rich....................PE..L...{Y.E..................... ...0.......@........@........
    Icon Hash: 43090949e1e9493b
    Entrypoint: 0x44eb90
    Entrypoint Section: UPX1
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    DLL Characteristics:
    Time Stamp: 0x45D4597B [Thu Feb 15 13:00:43 2007 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 4
    OS Version Minor: 0
    File Version Major: 4
    File Version Minor: 0
    Subsystem Version Major: 4
    Subsystem Version Minor: 0
    Import Hash: 5f116d8e20f7d894b4b4ecbad1704009
    Instructions at entrypoint:
    pushad
    mov esi, 00444000h
    lea edi, dword ptr [esi-00043000h]
    push edi
    or ebp, FFFFFFFFh
    jmp 00007F18B44FF4A2h
    nop
    nop
    nop
    nop
    nop
    nop
    mov al, byte ptr [esi]
    inc esi
    mov byte ptr [edi], al
    inc edi
    add ebx, ebx
    jne 00007F18B44FF499h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jc 00007F18B44FF47Fh
    mov eax, 00000001h
    add ebx, ebx
    jne 00007F18B44FF499h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    adc eax, eax
    add ebx, ebx
    jnc 00007F18B44FF49Dh
    jne 00007F18B44FF4BAh
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jc 00007F18B44FF4B1h
    dec eax
    add ebx, ebx
    jne 00007F18B44FF499h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    adc eax, eax
    jmp 00007F18B44FF466h
    add ebx, ebx
    jne 00007F18B44FF499h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    adc ecx, ecx
    jmp 00007F18B44FF4E4h
    xor ecx, ecx
    sub eax, 03h
    jc 00007F18B44FF4A3h
    shl eax, 08h
    mov al, byte ptr [esi]
    inc esi
    xor eax, FFFFFFFFh
    je 00007F18B44FF507h
    sar eax, 1
    mov ebp, eax
    jmp 00007F18B44FF49Dh
    add ebx, ebx
    jne 00007F18B44FF499h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jc 00007F18B44FF45Eh
    inc ecx
    add ebx, ebx
    jne 00007F18B44FF499h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jc 00007F18B44FF450h
    add ebx, ebx
    jne 00007F18B44FF499h
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    adc ecx, ecx
    add ebx, ebx
    jnc 00007F18B44FF481h
    jne 00007F18B44FF49Bh
    mov ebx, dword ptr [esi]
    sub esi, FFFFFFFCh
    adc ebx, ebx
    jnc 00007F18B44FF476h
    add ecx, 02h
    cmp ebp, FFFFFB00h
    adc ecx, 02h
    lea edx, dword ptr [eax+eax]
    Data directories (Name | Virtual Address | Virtual Size | Is in Section):
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x502b0 | 0xd4 | .rsrc
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4f000 | 0x12b0 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
    UPX0 | 0x1000 | 0x43000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    UPX1 | 0x44000 | 0xb000 | 0xae00 | 2ee445c9295114c0f7460ea2faf9f9ac | False | 0.9773033405172413 | data | 7.874752725604778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x4f000 | 0x2000 | 0x1400 | ae57805166aa636a1bca8c6d9e8d1c4e | False | 0.5767578125 | data | 5.642929259501811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
    RT_ICON | 0x4f134 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.7680505415162455
    RT_GROUP_ICON | 0x4f9e0 | 0x14 | data | | | 1.25
    RT_VERSION | 0x4f9f8 | 0x440 | data | English | United States | 0.41452205882352944
    RT_MANIFEST | 0x4fe3c | 0x474 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.44035087719298244
    Imports (DLL | Import):
    KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
    MSVBVM60.DLL |
    Version information (Description | Data):
    Translation | 0x0409 0x04b0
    Comments | ATF-Cleaner is Freeware and is provided for personal use. Please contact us at licensing@atribune.org for information on licensing ATF-Cleaner for use within your company.
    CompanyName | Atribune.org
    FileDescription | ATF Cleaner.exe
    LegalCopyright | 2005 Atribune.org
    ProductName | ATF Cleaner
    FileVersion | 3.00.0002
    ProductVersion | 3.00.0002
    InternalName | ATF-Cleaner
    OriginalFilename | ATF-Cleaner.exe
    Language of compilation system | Country where language is spoken
    English | United States
    No network behavior found

    Target ID: 0
    Start time: 00:21:37
    Start date: 19/04/2025
    Path: C:\Users\user\Desktop\ATF-Cleaner.exe
    Wow64 process (32bit): true
    Commandline: "C:\Users\user\Desktop\ATF-Cleaner.exe"
    Imagebase: 0x400000
    File size: 50'688 bytes
    MD5 hash: D9DE89F0FAF18019BC9595F0F47BCA61
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low
    Has exited: false

    No disassembly