File name: | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.gz |
Full analysis: | https://app.any.run/tasks/d4c0339d-01ec-42e7-a66f-ea508018d216 |
Verdict: | Malicious activity |
Analysis date: | May 15, 2019, 14:56:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/gzip |
File info: | gzip compressed data, max compression, from Unix |
MD5: | 8E2B3DB0C9E3B725EFA45AF9AF20379F |
SHA1: | 258B9FFE503B08DEA703D21AE600BDAF60BC480E |
SHA256: | 0421B90D58D8D47B5FB3656449351BBEA58AA56FA7CB87B5933FF0E5AA295978 |
SSDEEP: | 24576:acN7yi/XDAjx+voqrouFuJtP7y62JoRGZ5QsfMXo7VPHma0v9gwpbKpppn:a2OiroqrouFYtP7y6OoS5dWop/GVbUTn |
.z/gz/gzip | | | GZipped data (100) |
---|
OperatingSystem: | Unix |
---|---|
ExtraFlags: | Maximum Compression |
ModifyDate: | 0000:00:00 00:00:00 |
Flags: | (none) |
Compression: | Deflated |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2964 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.gz" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2520 | "C:\Users\admin\Desktop\0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe" | C:\Users\admin\Desktop\0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM | ||||
3572 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
3908 | "netsh.exe" advfirewall firewall add rule name="kraken.exe" profile=any enable=yes DIR=in program="C:\Users\admin\Desktop\0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe" Action=Allow | C:\Windows\system32\netsh.exe | — | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2964 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2964.23095\0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin | — | |
MD5:— | SHA256:— | |||
2520 | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | C:\Users\admin\Desktop\loader.dll | executable | |
MD5:CF6A5B1C382C8325E9A21B6C71937DF7 | SHA256:99668918590715AB34B9182144ABD54C2E42ECB85164E0AA9484940BB59882A4 | |||
2520 | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | C:\ProgramData\Isolated Storage\36A92875\90424E7E | binary | |
MD5:BF565BDFC5DD1697D8D225BC9DBFFEC0 | SHA256:01D8EB441C0B654A122F7A631555D752427E487D2307139E91B1F1E4E77DE93F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2520 | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | GET | 200 | 104.20.16.242:80 | http://icanhazip.com/ | US | text | 12 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2520 | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | 139.162.217.110:33445 | — | Linode, LLC | GB | unknown |
2520 | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | 185.64.89.42:33445 | mrflibble.c4.ee | Pulsant (Scotland) Ltd | GB | unknown |
2520 | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | 108.61.165.198:33445 | — | Choopa, LLC | NL | unknown |
2520 | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | 104.20.16.242:80 | icanhazip.com | Cloudflare Inc | US | shared |
— | — | 94.130.54.112:33445 | tox.deadteam.org | Hetzner Online GmbH | DE | unknown |
— | — | 108.61.165.198:33445 | — | Choopa, LLC | NL | unknown |
— | — | 138.94.71.250:33445 | home.vikingmakt.com.br | Intervel Informatica Ltda | BR | unknown |
— | — | 83.137.53.211:1813 | d4rk4.ru | SVS Communication | RU | unknown |
2520 | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | 5.180.34.44:33445 | biribiri.org | — | — | malicious |
— | — | 139.162.217.110:33445 | — | Linode, LLC | GB | unknown |
Domain | IP | Reputation |
---|---|---|
icanhazip.com |
| shared |
mrflibble.c4.ee |
| unknown |
d4rk4.ru |
| malicious |
home.vikingmakt.com.br |
| unknown |
tox.deadteam.org |
| unknown |
biribiri.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2520 | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
2520 | 0725b370325fc8144d5af7087cf6a97131e72f6b3dede2b42bb92290e9944a35.bin.exe | A Network Trojan was detected | MALWARE [PTsecurity] Kraken |