Field | Value
---|---
File name | Kraken.bin.zip
Full analysis | https://app.any.run/tasks/80061f0d-7c14-4579-a93c-882604caad14
Verdict | Malicious activity
Threats | Kraken is a trojan malware with infostealing capabilities that was first spotted in May of 2023. The malware can perform a wide range of malicious activities, including logging users’ keystrokes. The data then can be sent to the attacker using several protocols. The operators behind the Kraken stealer usually distribute it via phishing emails.
Analysis date | January 11, 2019, 13:03:41
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | 2A31FC84EBA675C8AA74673FD7EFFD9D
SHA1 | 40479BCBDB8D3791B7DFA38381923412BC988E20
SHA256 | 094922019198988CA8554CDD1D9C29D72E1DD5A4FBF3F665AEBC454B7F02ECA9
SSDEEP | 768:nfQfXA9MPEXvLFYcVBm7Lu166D1NR/aJYvmsBx/zn+y8pSyc+4enfLWu6whg4:nIfX0MPaBkLufDnAJur/8cA4nc
Field | Value
---|---
Extension | .zip
Description | ZIP compressed archive (100)
ZipFileName | 2018-10-04_19-37-40.bin
ZipUncompressedSize | 100864
ZipCompressedSize | 48561
ZipCRC | 0x03dca1fc
ZipModifyDate | 2018:10:04 13:36:26
ZipCompression | Deflated
ZipBitFlag | 0x0001
ZipRequiredVersion | 788
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2800 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Kraken.bin.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | — | 5.60.0
2832 | "C:\Users\admin\Desktop\2018-10-04_19-37-40.exe" | C:\Users\admin\Desktop\2018-10-04_19-37-40.exe | — | explorer.exe | admin | — | MEDIUM | UAC | 0 | 1.0.0.0
308 | dllhost.exe | — | — | svchost.exe | — | — | UNKNOWN | — | 0 | —
308 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | 2018-10-04_19-37-40.exe | admin | Microsoft Corporation | MEDIUM | Event Viewer Snapin Launcher | 3221226540 | 6.1.7600.16385 (win7_rtm.090713-1255)
3356 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | 2018-10-04_19-37-40.exe | admin | Microsoft Corporation | HIGH | Event Viewer Snapin Launcher | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2316 | "C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe" | C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe | — | eventvwr.exe | admin | — | HIGH | — | 0 | 1.1.7.9
2356 | "tasklist" /V /FO CSV | C:\Windows\system32\tasklist.exe | — | krakentemp0000.exe | admin | Microsoft Corporation | HIGH | Lists the current running tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3820 | "C:\Windows\System32\cmd.exe" /C cd C:\ProgramData\ && release.bat | C:\Windows\System32\cmd.exe | — | krakentemp0000.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | — | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4000 | "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S "C:\Users\admin\AppData\Local\Temp\krakentemp0000.exe" | C:\Windows\System32\cmd.exe | — | krakentemp0000.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3268 | ping 127.0.0.1 -n 3 | C:\Windows\system32\PING.EXE | — | cmd.exe | admin | Microsoft Corporation | HIGH | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2800 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2800.35988\2018-10-04_19-37-40.bin | — | — | —
2316 | krakentemp0000.exe | C:\Users\admin\Contacts\admin.contact | — | — | —
2316 | krakentemp0000.exe | C:\Users\admin\Desktop\becities.rtf | — | — | —
2316 | krakentemp0000.exe | C:\Users\admin\Desktop\capitalour.png | — | — | —
2316 | krakentemp0000.exe | C:\Users\admin\Desktop\entermedia.jpg | — | — | —
2316 | krakentemp0000.exe | C:\Users\admin\Desktop\financeny.rtf | — | — | —
2316 | krakentemp0000.exe | C:\Users\admin\Desktop\modifiedoct.png | — | — | —
2316 | krakentemp0000.exe | C:\Users\admin\Desktop\orobert.rtf | — | — | —
2316 | krakentemp0000.exe | C:\Users\admin\Desktop\placesboth.jpg | — | — | —
2316 | krakentemp0000.exe | C:\Users\admin\Desktop\sundayinsurance.jpg | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2316 | krakentemp0000.exe | GET | — | 104.28.13.103:80 | http://blasze.tk/CN18R3 | US | — | — | malicious |
2316 | krakentemp0000.exe | GET | 200 | 108.177.127.103:80 | http://www.google.com/ | US | html | 12.1 Kb | whitelisted |
2316 | krakentemp0000.exe | GET | 302 | 104.28.13.103:80 | http://blasze.tk/CN18R3 | US | text | 51 b | malicious |
2104 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
2316 | krakentemp0000.exe | GET | 301 | 172.217.22.46:80 | http://google.com/ | US | html | 219 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2316 | krakentemp0000.exe | 216.239.32.21:443 | ipinfo.io | Google Inc. | US | whitelisted |
2316 | krakentemp0000.exe | 152.199.19.160:443 | download.sysinternals.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2316 | krakentemp0000.exe | 172.217.22.46:80 | — | Google Inc. | US | whitelisted |
2104 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2316 | krakentemp0000.exe | 108.177.127.103:80 | www.google.com | Google Inc. | US | whitelisted |
2316 | krakentemp0000.exe | 104.28.13.103:80 | blasze.tk | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---
ipinfo.io | — | shared
blasze.tk | — | malicious
www.google.com | — | whitelisted
download.sysinternals.com | — | whitelisted
www.bing.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2316 | krakentemp0000.exe | A Network Trojan was detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
2316 | krakentemp0000.exe | Potential Corporate Privacy Violation | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) |
2316 | krakentemp0000.exe | A Network Trojan was detected | ET TROJAN [PTsecurity] Kraken Ransomware Start Activity 2 |
2316 | krakentemp0000.exe | A Network Trojan was detected | SC RANSOMWARE Ransomware Kraken Win32 |
2316 | krakentemp0000.exe | A Network Trojan was detected | MALWARE [PTsecurity] Kraken Cryptor |
2316 | krakentemp0000.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ransomware.Kraken_Cryptor UA |
2316 | krakentemp0000.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ransomware.Kraken_Cryptor URL |
2316 | krakentemp0000.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2316 | krakentemp0000.exe | A Network Trojan was detected | ET TROJAN Kraken Ransomware End Activity |
2316 | krakentemp0000.exe | A Network Trojan was detected | SC RANSOMWARE Ransomware Kraken Win32 |