analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

saver.zip

Full analysis: https://app.any.run/tasks/8b8ea706-4f02-4dc2-b3e3-341b06c3ccc0
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: November 15, 2018, 10:57:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
betabot
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

EF9DC91243110F897FB5C99C3674B12F

SHA1:

01DF5D33AAE5E55D826B4B945A4A314809F6C5FE

SHA256:

023204B46DFD833B5E4EB972B57A3DF5FD5D6CAF9F3EFA5311CCC8D0CD4393E7

SSDEEP:

6144:TXQeeC4ekPwoduRd2KgxtNxETLPvphKXf37UVIcxo7eUcD99y5:TXD4ekP5kRdg9yTDv3KXP7UVINeUa9y5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • saver.scr (PID: 1904)
      • saver.scr (PID: 3600)
    • Application was dropped or rewritten from another process

      • saver.scr (PID: 1904)
      • saver.scr (PID: 3600)
      • saver.scr (PID: 3212)
      • saver.scr (PID: 2220)
    • Detected BetaBot Trojan

      • saver.scr (PID: 3212)
      • saver.scr (PID: 3600)
      • WinRAR.exe (PID: 3144)
      • explorer.exe (PID: 3488)
      • saver.scr (PID: 2220)
    • Changes internet zones settings

      • explorer.exe (PID: 3488)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 3488)
      • saver.scr (PID: 3600)
    • Connects to CnC server

      • explorer.exe (PID: 3488)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3144)
      • saver.scr (PID: 1904)
    • Application launched itself

      • saver.scr (PID: 1904)
    • Starts application with an unusual extension

      • saver.scr (PID: 1904)
      • saver.scr (PID: 3600)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2018:11:11 22:58:14
ZipCRC: 0x4c29cf58
ZipCompressedSize: 283935
ZipUncompressedSize: 302582
ZipFileName: saver.scr
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
6
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #BETABOT winrar.exe saver.scr #BETABOT saver.scr #BETABOT saver.scr no specs #BETABOT explorer.exe #BETABOT saver.scr no specs

Process information

PID
CMD
Path
Indicators
Parent process
3144"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\saver.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1904"C:\Users\admin\Desktop\saver.scr" /SC:\Users\admin\Desktop\saver.scr
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3600"C:\Users\admin\Desktop\saver.scr" /SC:\Users\admin\Desktop\saver.scr
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3212"C:\Users\admin\Desktop\saver.scr" /SC:\Users\admin\Desktop\saver.scr
saver.scr
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3488C:\Windows\explorer.exeC:\Windows\explorer.exe
saver.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2220"C:\Users\admin\Desktop\saver.scr" /SC:\Users\admin\Desktop\saver.scr
saver.scr
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
799
Read events
686
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
1904saver.scrC:\Users\admin\AppData\Local\Temp\Maraboubinary
MD5:851AED89C5F86565FAEA4A2547B8BC9E
SHA256:3D8FF51B61ED9C26958E90A93BD9A9AA4BE3FB65ED3F8989641BFB501402C0C1
3144WinRAR.exeC:\Users\admin\Desktop\saver.screxecutable
MD5:7723283807A9C8176E741F489CD3CFCF
SHA256:78B095CB056A5A8F91FDA1062B62E08C8575416D3F79321F9C1A287738447E80
1904saver.scrC:\Users\admin\AppData\Local\Temp\penalisation.dllexecutable
MD5:AF01229ADB25AC310922F3FEF7343AD9
SHA256:B879BF1E60CB6121CE95B58CD946A5CC15848BFB8D681FFC0E5F50F0FC71AF69
1904saver.scrC:\Users\admin\AppData\Local\Temp\made.rtftext
MD5:8274425DE767B30B2FFF1124AB54ABB5
SHA256:0D6AFB7E939F0936F40AFDC759B5A354EA5427EC250A47E7B904AB1EA800A01D
1904saver.scrC:\Users\admin\AppData\Local\Temp\nsr4984.tmp\System.dllexecutable
MD5:75ED96254FBF894E42058062B4B4F0D1
SHA256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3488
explorer.exe
POST
91.243.80.52:80
http://radburgsoft.com/bet/nite/logout.php
NL
malicious
3488
explorer.exe
POST
91.243.80.52:80
http://radburgsoft.com/bet/nite/logout.php?pid=443
NL
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3488
explorer.exe
91.243.80.52:80
radburgsoft.com
Sinarohost LTD
NL
malicious
3488
explorer.exe
216.58.215.238:80
google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.215.238
whitelisted
radburgsoft.com
  • 91.243.80.52
malicious

Threats

PID
Process
Class
Message
3488
explorer.exe
A Network Trojan was detected
ET TROJAN Win32/Neurevt.A/Betabot Check-in 4
3488
explorer.exe
A Network Trojan was detected
ET TROJAN Win32/Neurevt.A/Betabot Check-in 4
3488
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] Neurevt.A/Betabot Client Check-in
2 ETPRO signatures available at the full report
No debug info