File name: [www.gigapurbalingga.com]_ZemAMPr250280.rar

Full analysis: https://app.any.run/tasks/c2af18e2-d2fa-47fb-b6f0-2bdb2b57c1d2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 18, 2018, 13:59:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: DFA6B92BBDEBAD06E8FCBC2E6C6101C3
SHA1: CED7004FF2F7146D629B9A0CCA14C95FF6E3D6A1
SHA256: 037174C9A1B3C13AEA18951ED3484AD3112F8711E02D7B2DDB273CD282C3723C
SSDEEP: 196608:CR/8C3H0JqrwGddjtAFWZFYsHvWyaWNOzCA+vBRk+Br1UYej+CGkluIqinI:SH0UMEoWZusHuyjNOzKvPpWEJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Zemana.AntiMalware.Setup.exe (PID: 3180)
      • Zemana.AntiMalware.Setup.exe (PID: 3084)
      • ZAM.exe (PID: 1472)
      • ZAM.exe (PID: 2704)
      • ZAM.exe (PID: 3536)
      • ZAM.exe (PID: 2212)
      • update_{50C19D88-EEE3-4265-9B1C-57A627C75BD1}.exe (PID: 3524)
      • ZAM.exe (PID: 648)
      • ZAM.exe (PID: 912)
      • ZAM.exe (PID: 3296)
      • ZAM.exe (PID: 2140)
      • ZAM.exe (PID: 416)
    • Changes the autorun value in the registry

      • ZAM.exe (PID: 1472)
      • ZAM.exe (PID: 2140)
    • Registers / Runs the DLL via REGSVR32.EXE

      • ZAM.exe (PID: 1472)
      • ZAM.exe (PID: 2140)
    • Loads dropped or rewritten executable

      • explorer.exe (PID: 236)
      • svchost.exe (PID: 844)
      • regsvr32.exe (PID: 2144)
      • regsvr32.exe (PID: 3716)
      • regsvr32.exe (PID: 3788)
    • Downloads executable files from the Internet

      • ZAM.exe (PID: 2212)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • explorer.exe (PID: 236)
    • Application launched itself

      • WinRAR.exe (PID: 3844)
      • taskmgr.exe (PID: 4088)
      • ZAM.exe (PID: 2212)
      • ZAM.exe (PID: 2140)
      • taskmgr.exe (PID: 2460)
    • Reads Windows owner or organization settings

      • Zemana.AntiMalware.Setup.tmp (PID: 3588)
      • update_{50C19D88-EEE3-4265-9B1C-57A627C75BD1}.tmp (PID: 2576)
    • Executable content was dropped or overwritten

      • Zemana.AntiMalware.Setup.exe (PID: 3084)
      • Zemana.AntiMalware.Setup.tmp (PID: 3588)
      • Zemana.AntiMalware.Setup.exe (PID: 3180)
      • ZAM.exe (PID: 1472)
      • DllHost.exe (PID: 2728)
      • ZAM.exe (PID: 2212)
      • update_{50C19D88-EEE3-4265-9B1C-57A627C75BD1}.exe (PID: 3524)
      • update_{50C19D88-EEE3-4265-9B1C-57A627C75BD1}.tmp (PID: 2576)
      • ZAM.exe (PID: 2140)
      • DllHost.exe (PID: 1232)
    • Reads the Windows organization settings

      • Zemana.AntiMalware.Setup.tmp (PID: 3588)
      • update_{50C19D88-EEE3-4265-9B1C-57A627C75BD1}.tmp (PID: 2576)
    • Creates files in the user directory

      • explorer.exe (PID: 236)
    • Creates files in the Windows directory

      • ZAM.exe (PID: 1472)
      • ZAM.exe (PID: 2704)
      • ZAM.exe (PID: 3536)
      • ZAM.exe (PID: 912)
    • Removes files from Windows directory

      • ZAM.exe (PID: 2704)
      • ZAM.exe (PID: 3536)
      • ZAM.exe (PID: 912)
    • Creates files in the driver directory

      • ZAM.exe (PID: 1472)
    • Creates files in the program directory

      • ZAM.exe (PID: 1472)
      • ZAM.exe (PID: 2140)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 2144)
      • regsvr32.exe (PID: 3788)
    • Reads CPU info

      • ZAM.exe (PID: 2212)
      • ZAM.exe (PID: 1472)
      • ZAM.exe (PID: 416)
    • Searches for installed software

      • update_{50C19D88-EEE3-4265-9B1C-57A627C75BD1}.tmp (PID: 2576)
    • Creates or modifies windows services

      • ZAM.exe (PID: 3048)
    • Reads internet explorer settings

      • ZAM.exe (PID: 416)
  • INFO

    • Application was dropped or rewritten from another process

      • ZAM.exe (PID: 3820)
      • Zemana.AntiMalware.Setup.tmp (PID: 3588)
      • Zemana.AntiMalware.Setup.tmp (PID: 3736)
      • ZAM.exe (PID: 2704)
      • ZAM.exe (PID: 4000)
      • ZAM.exe (PID: 3632)
      • ZAM.exe (PID: 3300)
      • ZAM.exe (PID: 3908)
      • update_{50C19D88-EEE3-4265-9B1C-57A627C75BD1}.tmp (PID: 2576)
      • ZAM.exe (PID: 2320)
      • ZAM.exe (PID: 3048)
      • ZAM.exe (PID: 3796)
      • ZAM.exe (PID: 1948)
      • ZAM.exe (PID: 2688)
      • ZAM.exe (PID: 2752)
      • ZAM.exe (PID: 2520)
    • Loads dropped or rewritten executable

      • Zemana.AntiMalware.Setup.tmp (PID: 3588)
      • update_{50C19D88-EEE3-4265-9B1C-57A627C75BD1}.tmp (PID: 2576)
    • Creates files in the program directory

      • Zemana.AntiMalware.Setup.tmp (PID: 3588)
      • update_{50C19D88-EEE3-4265-9B1C-57A627C75BD1}.tmp (PID: 2576)
    • Creates a software uninstall entry

      • Zemana.AntiMalware.Setup.tmp (PID: 3588)
      • update_{50C19D88-EEE3-4265-9B1C-57A627C75BD1}.tmp (PID: 2576)
    • Dropped object may contain Bitcoin addresses

      • ZAM.exe (PID: 2140)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: [www.gigapurbalingga.com]_ZemAMPr250280\Crack.rar
PackingMethod: Stored
ModifyDate: 2016:09:28 08:52:27
OperatingSystem: Win32
UncompressedSize: 4736185
CompressedSize: 4736260
No data.
All screenshots are available in the full report
Total processes: 101
Monitored processes: 44
Malicious processes: 12
Suspicious processes: 2

Behavior graph

(Interactive process graph, available in the full report. Nodes shown: winrar.exe, zemana.antimalware.setup.exe, zemana.antimalware.setup.tmp, zam.exe, regsvr32.exe, explorer.exe, svchost.exe, taskmgr.exe, update_{50c19d88-eee3-4265-9b1c-57a627c75bd1}.exe, update_{50c19d88-eee3-4265-9b1c-57a627c75bd1}.tmp, notepad.exe; most edges are "drop and start".)

Process information

PID 3844 (parent: explorer.exe)
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\[www.gigapurbalingga.com]_ZemAMPr250280.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID 2252 (parent: WinRAR.exe)
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3844.7485\Crack.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID 3084 (parent: explorer.exe)
CMD: "C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe"
Path: C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe
User: admin
Company: (empty)
Integrity Level: MEDIUM
Description: Advanced Malware Protection
Exit code: 0
Version: 2.50.80

PID 3736 (parent: Zemana.AntiMalware.Setup.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\is-5L05U.tmp\Zemana.AntiMalware.Setup.tmp" /SL5="$40110,4761266,119296,C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-5L05U.tmp\Zemana.AntiMalware.Setup.tmp
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0

PID 3180 (parent: Zemana.AntiMalware.Setup.tmp)
CMD: "C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe" /SPAWNWND=$2013A /NOTIFYWND=$40110
Path: C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe
User: admin
Company: (empty)
Integrity Level: HIGH
Description: Advanced Malware Protection
Exit code: 0
Version: 2.50.80

PID 3588 (parent: Zemana.AntiMalware.Setup.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\is-6L4E6.tmp\Zemana.AntiMalware.Setup.tmp" /SL5="$40140,4761266,119296,C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe" /SPAWNWND=$2013A /NOTIFYWND=$40110
Path: C:\Users\admin\AppData\Local\Temp\is-6L4E6.tmp\Zemana.AntiMalware.Setup.tmp
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0

PID 2704 (parent: Zemana.AntiMalware.Setup.tmp)
CMD: "C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe" /get_and_set_installer_partner_id
Path: C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe
User: admin
Company: Zemana Ltd.
Integrity Level: HIGH
Description: ZAM
Exit code: 2

PID 3820 (parent: Zemana.AntiMalware.Setup.tmp)
CMD: "C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe" /get_installer_product_id
Path: C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe
User: admin
Company: Zemana Ltd.
Integrity Level: HIGH
Description: ZAM
Exit code: 2

PID 4000 (parent: Zemana.AntiMalware.Setup.tmp)
CMD: "C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe" /is_safeonline_installed
Path: C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe
User: admin
Company: Zemana Ltd.
Integrity Level: HIGH
Description: ZAM
Exit code: 0

PID 3632 (parent: Zemana.AntiMalware.Setup.tmp)
CMD: "C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe" /is_newer_version_installed
Path: C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe
User: admin
Company: Zemana Ltd.
Integrity Level: HIGH
Description: ZAM
Exit code: 0
Total events: 10 637
Read events: 9 835
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 21
Suspicious files: 33
Text files: 127
Unknown types: 47

Dropped files

PID | Process | Filename
3844 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3844.7368\[www.gigapurbalingga.com]_ZemAMPr250280\Zemana.AntiMalware.Setup.exe
3844 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3844.7485\Crack.rar
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.8316\Crack\Forum.url
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.8316\Crack\GigaPurbalingga.com_Free Download Software Full Version.url
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.8316\Crack\Install Instruction.txt
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.8316\Crack\Read Me!!!.txt
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.8316\Crack\ZAM.exe
236 | explorer.exe | C:\Users\admin\Desktop\Crack
3588 | Zemana.AntiMalware.Setup.tmp | C:\Program Files\Zemana AntiMalware\is-4EMQA.tmp
3588 | Zemana.AntiMalware.Setup.tmp | C:\Program Files\Zemana AntiMalware\is-J69D8.tmp

(The Type, MD5 and SHA256 columns are empty in this summary.)
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 12
TCP/UDP connections: 13
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2212 | ZAM.exe | POST | - | 168.62.20.37:80 | http://zamcloud.zemana.com/api/ig2/check/2050080 | US | - | - | whitelisted
1472 | ZAM.exe | GET | 200 | 45.79.153.218:80 | http://cdn9.zemana.com/CacheControl.bin | US | text | 12 b | whitelisted
2212 | ZAM.exe | GET | 200 | 45.79.153.218:80 | http://cdn9.zemana.com/CacheControl.bin | US | text | 12 b | whitelisted
416 | ZAM.exe | GET | 200 | 45.79.153.218:80 | http://dl12.zemana.com/CacheControl.bin | US | text | 12 b | whitelisted
416 | ZAM.exe | POST | 200 | 168.62.20.37:80 | http://zamcloud.zemana.com/api/ig2/check/2074150?cuid=122F47044D0197891995B5 | US | text | 211 b | whitelisted
2212 | ZAM.exe | GET | 200 | 45.79.153.218:80 | http://dl12.zemana.com/AntiMalware/2.74.2.150/Zemana.AntiMalware.Setup.exe | US | executable | 6.32 Mb | whitelisted
416 | ZAM.exe | GET | - | 45.79.154.56:80 | http://cdn.go.zemana.com/?db=9128042&Operation=Download&cuid=122F47044D0197891995B5&vi=2074150 | US | - | - | whitelisted
1472 | ZAM.exe | POST | - | 168.62.20.37:80 | http://zamcloud.zemana.com/api/client/settings/122F47044D0197891995B5/2/2/2050080 | US | - | - | whitelisted
416 | ZAM.exe | POST | 200 | 168.62.20.37:80 | http://zamcloud.zemana.com/api/client/settings/122F47044D0197891995B5/2/2/2074150 | US | text | 1.41 Kb | whitelisted
2212 | ZAM.exe | POST | 200 | 168.62.20.37:80 | http://zamcloud.zemana.com/api/client/settings/122F47044D0197891995B5/2/2/2050080 | US | text | 1.41 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1472 | ZAM.exe | 168.62.20.37:80 | zamcloud.zemana.com | Microsoft Corporation | US | whitelisted
416 | ZAM.exe | 52.160.40.218:80 | check.zemana.com | Microsoft Corporation | US | unknown
2212 | ZAM.exe | 168.62.20.37:80 | zamcloud.zemana.com | Microsoft Corporation | US | whitelisted
1472 | ZAM.exe | 45.79.153.218:80 | cdn9.zemana.com | Linode, LLC | US | suspicious
416 | ZAM.exe | 168.62.20.37:80 | zamcloud.zemana.com | Microsoft Corporation | US | whitelisted
416 | ZAM.exe | 208.67.220.220:53 | - | OpenDNS, LLC | US | suspicious
416 | ZAM.exe | 45.79.153.218:80 | cdn9.zemana.com | Linode, LLC | US | suspicious
2212 | ZAM.exe | 45.79.153.218:80 | cdn9.zemana.com | Linode, LLC | US | suspicious
416 | ZAM.exe | 45.79.154.56:80 | cdn.go.zemana.com | Linode, LLC | US | malicious

DNS requests

Domain | IP | Reputation
cdn9.zemana.com | 45.79.153.218 | whitelisted
zamcloud.zemana.com | 168.62.20.37 | whitelisted
dl12.zemana.com | 45.79.153.218 | whitelisted
cdn.go.zemana.com | 45.79.154.56 | whitelisted
check.zemana.com | 52.160.40.218 | whitelisted

Threats

PID | Process | Class | Message
1472 | ZAM.exe | A Network Trojan was detected | MALWARE [PTsecurity] FakeAV.C1773776 Request
2212 | ZAM.exe | A Network Trojan was detected | MALWARE [PTsecurity] FakeAV.C1773776 Request
2212 | ZAM.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
416 | ZAM.exe | A Network Trojan was detected | MALWARE [PTsecurity] FakeAV.C1773776 Request
416 | ZAM.exe | A Network Trojan was detected | MALWARE [PTsecurity] FakeAV.C1773776 Response
416 | ZAM.exe | unknown | SURICATA IPv4 invalid checksum
416 | ZAM.exe | A Network Trojan was detected | MALWARE [PTsecurity] FakeAV.C1773776 Request
No debug info