| Field | Value |
|---|---|
| File name | ZyxRjMXHO.rar |
| Full analysis | https://app.any.run/tasks/51042f7d-e9c1-4cc9-a382-7b01a9ff7148 |
| Verdict | Malicious activity |
| Threats | Predator the Thief is an information stealer: malware that steals data from infected systems. It can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets. |
| Analysis date | June 12, 2019, 09:44:39 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-rar |
| File info | RAR archive data, v5 |
| MD5 | 580EF00234333A85C3B9A59B53EE17EE |
| SHA1 | A807BBEA1B4982BB724BE6C0B7510DCD12047CF1 |
| SHA256 | 06EA2D66E67020D45B83E284713BFA3D2CFC1DEDF34EADD85C917F3AAF7F71ED |
| SSDEEP | 3072:4/2//57nItbEzzyofqakJUmlHOBVghm9G5rQh:B3i9MyAqakJUmlHSghmci |
| Extension | Description | Score |
|---|---|---|
| .rar | RAR compressed archive (v5.0) | 61.5 |
| .rar | RAR compressed archive (gen) | 38.4 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2828 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ZyxRjMXHO.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
| 4084 | "C:\Users\admin\Desktop\ZyxRjMXHO.exe" | C:\Users\admin\Desktop\ZyxRjMXHO.exe | | explorer.exe |

| PID | User | Integrity level | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|
| 2828 | admin | MEDIUM | Alexander Roshal | WinRAR archiver | 5.60.0 | |
| 4084 | admin | MEDIUM | | | | 1 |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2828 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
| 2828 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
| 2828 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | write | LanguageList | en-US |
| 2828 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\ZyxRjMXHO.rar |
| 2828 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 2828 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 2828 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| 2828 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| 4084 | ZyxRjMXHO.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ZyxRjMXHO_RASAPI32 | write | EnableFileTracing | 0 |
| 4084 | ZyxRjMXHO.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ZyxRjMXHO_RASAPI32 | write | EnableConsoleTracing | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2828.20979\ZyxRjMXHO.exe | — | — | — |
| 4084 | ZyxRjMXHO.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\History\Chrome.txt | text | 1DE3734FA59F3C14D749B0F5E59FDD2F | 904C145C94358195DE64E480F557D38A5D2E0DC6059BDAC266B440189BECD500 |
| 4084 | ZyxRjMXHO.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | 65CA9477D256A2CD9324C5E8A434F1D5 | 20966454CBD1D12F7B7F4AD44C1E4937ADBEBA831812E71371D9CA4332B7B1DA |
| 4084 | ZyxRjMXHO.exe | C:\Users\admin\AppData\Local\Temp\vlmi{lolz}yg.col | sqlite | 60B51BA20224AC3783E213EA9F55F125 | 0E305BA02985F26B29B234CD79D2C2AF0A51085DA2DB2BED98D20F8C61B76254 |
| 4084 | ZyxRjMXHO.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\Screenshot.jpeg | image | 3A2EF4D904F7A255325EB309C7102F38 | 9D5EA1F8D0535F0389C3E0004586B8A155B8D0492045C270693AFEABF05F7FF0 |
| 4084 | ZyxRjMXHO.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\Actions.txt | text | EB0E53EABFB9675DF12011C2178AC513 | A35ACEDCB3B950AF24BF53E8F7ECCE7C7AEC84DDDF4ACF4DEBB1E1C4B29FC2C9 |
| 4084 | ZyxRjMXHO.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\General\forms.txt | text | B5AFC93BC39810236E1798D1710E5A30 | 5C3F4F9CC5CFE16D625D97679ACA5577F168F58F03BCF15775C86B096597B77C |
| 4084 | ZyxRjMXHO.exe | C:\Users\admin\AppData\Roaming\zpar2y8s2x8q0w2y8s2x8q0w.zip | compressed | 6505A15C1ABD874A3CB81C1455FF0CB8 | 6A4540D3F21BEEB61983AB750540534960452EF2ACF1B0FE9DC77430BEE149C2 |
| 4084 | ZyxRjMXHO.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\Information.txt | text | 752AF69AC6CBEA9637D44A70FEFA397F | 7E5D80732C98FCE249F66F5A91A3B7C6F975131F8C3A01F69C7A0D5143238C74 |
| 4084 | ZyxRjMXHO.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\General\passwords.txt | text | 37B09376904665E078FF97E5502988EE | ABAC5F706A15CF26ADA19FBA0079D973FEBF9EB73ECBAC4F030A321E60C5CA56 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4084 | ZyxRjMXHO.exe | GET | 200 | 185.50.25.15:80 | http://j90608gd.beget.tech/api/info.get | RU | text | 88 b | malicious |
4084 | ZyxRjMXHO.exe | POST | 200 | 185.50.25.15:80 | http://j90608gd.beget.tech/api/gate.get?p1=1&p2=0&p3=0&p4=2&p5=0&p6=0&p7=0 | RU | binary | 1 b | malicious |
4084 | ZyxRjMXHO.exe | GET | 200 | 185.50.25.15:80 | http://j90608gd.beget.tech/api/download.get | RU | binary | 1 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4084 | ZyxRjMXHO.exe | 185.50.25.15:80 | j90608gd.beget.tech | Beget Ltd | RU | malicious |
| Domain | IP | Reputation |
|---|---|---|
| j90608gd.beget.tech | | malicious |
PID | Process | Class | Message |
---|---|---|---|
4084 | ZyxRjMXHO.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
4084 | ZyxRjMXHO.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |