File name: | [www.gigapurbalingga.com]_ZemAMPr250280.rar |
Full analysis: | https://app.any.run/tasks/c2af18e2-d2fa-47fb-b6f0-2bdb2b57c1d2 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | December 18, 2018, 13:59:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | DFA6B92BBDEBAD06E8FCBC2E6C6101C3 |
SHA1: | CED7004FF2F7146D629B9A0CCA14C95FF6E3D6A1 |
SHA256: | 037174C9A1B3C13AEA18951ED3484AD3112F8711E02D7B2DDB273CD282C3723C |
SSDEEP: | 196608:CR/8C3H0JqrwGddjtAFWZFYsHvWyaWNOzCA+vBRk+Br1UYej+CGkluIqinI:SH0UMEoWZusHuyjNOzKvPpWEJ |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
ArchivedFileName: | [www.gigapurbalingga.com]_ZemAMPr250280\Crack.rar |
---|---|
PackingMethod: | Stored |
ModifyDate: | 2016:09:28 08:52:27 |
OperatingSystem: | Win32 |
UncompressedSize: | 4736185 |
CompressedSize: | 4736260 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3844 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\[www.gigapurbalingga.com]_ZemAMPr250280.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2252 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3844.7485\Crack.rar | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3084 | "C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe" | C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe | explorer.exe | |
User: admin Company: Integrity Level: MEDIUM Description: Advanced Malware Protection Exit code: 0 Version: 2.50.80 | ||||
3736 | "C:\Users\admin\AppData\Local\Temp\is-5L05U.tmp\Zemana.AntiMalware.Setup.tmp" /SL5="$40110,4761266,119296,C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe" | C:\Users\admin\AppData\Local\Temp\is-5L05U.tmp\Zemana.AntiMalware.Setup.tmp | — | Zemana.AntiMalware.Setup.exe |
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
3180 | "C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe" /SPAWNWND=$2013A /NOTIFYWND=$40110 | C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe | Zemana.AntiMalware.Setup.tmp | |
User: admin Company: Integrity Level: HIGH Description: Advanced Malware Protection Exit code: 0 Version: 2.50.80 | ||||
3588 | "C:\Users\admin\AppData\Local\Temp\is-6L4E6.tmp\Zemana.AntiMalware.Setup.tmp" /SL5="$40140,4761266,119296,C:\Users\admin\Desktop\Zemana.AntiMalware.Setup.exe" /SPAWNWND=$2013A /NOTIFYWND=$40110 | C:\Users\admin\AppData\Local\Temp\is-6L4E6.tmp\Zemana.AntiMalware.Setup.tmp | Zemana.AntiMalware.Setup.exe | |
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
2704 | "C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe" /get_and_set_installer_partner_id | C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe | — | Zemana.AntiMalware.Setup.tmp |
User: admin Company: Zemana Ltd. Integrity Level: HIGH Description: ZAM Exit code: 2 | ||||
3820 | "C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe" /get_installer_product_id | C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe | — | Zemana.AntiMalware.Setup.tmp |
User: admin Company: Zemana Ltd. Integrity Level: HIGH Description: ZAM Exit code: 2 | ||||
4000 | "C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe" /is_safeonline_installed | C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe | — | Zemana.AntiMalware.Setup.tmp |
User: admin Company: Zemana Ltd. Integrity Level: HIGH Description: ZAM Exit code: 0 | ||||
3632 | "C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe" /is_newer_version_installed | C:\Users\admin\AppData\Local\Temp\is-6L4E7.tmp\ZAM.exe | — | Zemana.AntiMalware.Setup.tmp |
User: admin Company: Zemana Ltd. Integrity Level: HIGH Description: ZAM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3844 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3844.7368\[www.gigapurbalingga.com]_ZemAMPr250280\Zemana.AntiMalware.Setup.exe | — | |
MD5:— | SHA256:— | |||
3844 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3844.7485\Crack.rar | — | |
MD5:— | SHA256:— | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.8316\Crack\Forum.url | — | |
MD5:— | SHA256:— | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.8316\Crack\GigaPurbalingga.com_Free Download Software Full Version.url | — | |
MD5:— | SHA256:— | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.8316\Crack\Install Instruction.txt | — | |
MD5:— | SHA256:— | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.8316\Crack\Read Me!!!.txt | — | |
MD5:— | SHA256:— | |||
2252 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2252.8316\Crack\ZAM.exe | — | |
MD5:— | SHA256:— | |||
236 | explorer.exe | C:\Users\admin\Desktop\Crack | — | |
MD5:— | SHA256:— | |||
3588 | Zemana.AntiMalware.Setup.tmp | C:\Program Files\Zemana AntiMalware\is-4EMQA.tmp | — | |
MD5:— | SHA256:— | |||
3588 | Zemana.AntiMalware.Setup.tmp | C:\Program Files\Zemana AntiMalware\is-J69D8.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2212 | ZAM.exe | POST | — | 168.62.20.37:80 | http://zamcloud.zemana.com/api/ig2/check/2050080 | US | — | — | whitelisted |
1472 | ZAM.exe | GET | 200 | 45.79.153.218:80 | http://cdn9.zemana.com/CacheControl.bin | US | text | 12 b | whitelisted |
2212 | ZAM.exe | GET | 200 | 45.79.153.218:80 | http://cdn9.zemana.com/CacheControl.bin | US | text | 12 b | whitelisted |
416 | ZAM.exe | GET | 200 | 45.79.153.218:80 | http://dl12.zemana.com/CacheControl.bin | US | text | 12 b | whitelisted |
416 | ZAM.exe | POST | 200 | 168.62.20.37:80 | http://zamcloud.zemana.com/api/ig2/check/2074150?cuid=122F47044D0197891995B5 | US | text | 211 b | whitelisted |
2212 | ZAM.exe | GET | 200 | 45.79.153.218:80 | http://dl12.zemana.com/AntiMalware/2.74.2.150/Zemana.AntiMalware.Setup.exe | US | executable | 6.32 Mb | whitelisted |
416 | ZAM.exe | GET | — | 45.79.154.56:80 | http://cdn.go.zemana.com/?db=9128042&Operation=Download&cuid=122F47044D0197891995B5&vi=2074150 | US | — | — | whitelisted |
1472 | ZAM.exe | POST | — | 168.62.20.37:80 | http://zamcloud.zemana.com/api/client/settings/122F47044D0197891995B5/2/2/2050080 | US | — | — | whitelisted |
416 | ZAM.exe | POST | 200 | 168.62.20.37:80 | http://zamcloud.zemana.com/api/client/settings/122F47044D0197891995B5/2/2/2074150 | US | text | 1.41 Kb | whitelisted |
2212 | ZAM.exe | POST | 200 | 168.62.20.37:80 | http://zamcloud.zemana.com/api/client/settings/122F47044D0197891995B5/2/2/2050080 | US | text | 1.41 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1472 | ZAM.exe | 168.62.20.37:80 | zamcloud.zemana.com | Microsoft Corporation | US | whitelisted |
416 | ZAM.exe | 52.160.40.218:80 | check.zemana.com | Microsoft Corporation | US | unknown |
2212 | ZAM.exe | 168.62.20.37:80 | zamcloud.zemana.com | Microsoft Corporation | US | whitelisted |
1472 | ZAM.exe | 45.79.153.218:80 | cdn9.zemana.com | Linode, LLC | US | suspicious |
416 | ZAM.exe | 168.62.20.37:80 | zamcloud.zemana.com | Microsoft Corporation | US | whitelisted |
416 | ZAM.exe | 208.67.220.220:53 | — | OpenDNS, LLC | US | suspicious |
416 | ZAM.exe | 45.79.153.218:80 | cdn9.zemana.com | Linode, LLC | US | suspicious |
2212 | ZAM.exe | 45.79.153.218:80 | cdn9.zemana.com | Linode, LLC | US | suspicious |
416 | ZAM.exe | 45.79.154.56:80 | cdn.go.zemana.com | Linode, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
cdn9.zemana.com |
| whitelisted |
zamcloud.zemana.com |
| whitelisted |
dl12.zemana.com |
| whitelisted |
cdn.go.zemana.com |
| whitelisted |
check.zemana.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1472 | ZAM.exe | A Network Trojan was detected | MALWARE [PTsecurity] FakeAV.C1773776 Request |
2212 | ZAM.exe | A Network Trojan was detected | MALWARE [PTsecurity] FakeAV.C1773776 Request |
2212 | ZAM.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
416 | ZAM.exe | A Network Trojan was detected | MALWARE [PTsecurity] FakeAV.C1773776 Request |
416 | ZAM.exe | A Network Trojan was detected | MALWARE [PTsecurity] FakeAV.C1773776 Response |
416 | ZAM.exe | unknown | SURICATA IPv4 invalid checksum |
416 | ZAM.exe | A Network Trojan was detected | MALWARE [PTsecurity] FakeAV.C1773776 Request |