| Field | Value |
|---|---|
| File name | G9996757243586095_5678.zip |
| Full analysis | https://app.any.run/tasks/dc6f942a-b3b8-48e0-84d9-dc038ae09084 |
| Verdict | Malicious activity |
| Threats | Hancitor was created in 2014 to drop other malware on infected machines. It is also known as Tordal and Chanitor. It is available as a service, which makes it an accessible tool for criminals and contributes to its popularity. |
| Analysis date | December 02, 2019, 20:08:05 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | AB8C2A1C3CEB5D3674C055CF7D644B8F |
| SHA1 | 909AB631E9303D805C5F28C19BA0BBBF77F6880B |
| SHA256 | 0A87EB9834F49DE095DF87CE3BE314772D34C95C7DA1A1846A313D58B430FB71 |
| SSDEEP | 3072:hbqGgI895rrRpgCpRSWeOp2wLw5B6+Rsb/UekJxCZ6Eeby7vI:hbqi8/rrRpvTeOp2w6B6c0/UdJxCgtUQ |
File type: .zip, ZIP compressed archive (100)

| Field | Value |
|---|---|
| ZipFileName | GAM_9996757243586095.vbs |
| ZipUncompressedSize | 696209 |
| ZipCompressedSize | 180747 |
| ZipCRC | 0x9750ebde |
| ZipModifyDate | 2019:12:02 22:09:28 |
| ZipCompression | Deflated |
| ZipBitFlag | — |
| ZipRequiredVersion | 20 |
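The archive section above is exactly what a mail-gateway or SOC triage step should record before anyone opens the attachment: one member, a .vbs, deflated, requiring ZIP 2.0. An archive whose only member is a script is the lure layout of this campaign and can be blocked on structure alone, without extracting anything. The block below is an added example, not part of the ANY.RUN report: it lists members from the central directory, reproduces the fields in the table (sizes, CRC, compression, required version), hashes the archive and each member for IOC sharing, and flags script-type members. build_sample_zip() constructs a stand-in archive that reuses only the member name from the report; its contents are placeholder text, so its sizes, CRC and hashes do not match the report's values.

```python
"""Static triage of a ZIP lure, reproducing the fields in the archive section.

Added example, not part of the ANY.RUN report. build_sample_zip() constructs a
stand-in archive that reuses only the member name from the report
(GAM_9996757243586095.vbs); its contents are placeholder text, so its sizes,
CRC and hashes do not match the report's. Nothing is extracted to disk.
"""
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Member types that execute directly (script hosts, loaders, shortcuts) and
# have no business being the sole payload of an e-mailed archive.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".exe", ".scr", ".lnk", ".dll"}
COMPRESSION = {zipfile.ZIP_STORED: "Stored", zipfile.ZIP_DEFLATED: "Deflated"}


def build_sample_zip() -> bytes:
    """Constructed stand-in: one deflated .vbs member, like the report's archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("GAM_9996757243586095.vbs",
                    "' placeholder text standing in for the real script\r\n" * 200)
    return buf.getvalue()


def triage_zip(data: bytes) -> dict:
    """List members without extracting, record the same metadata the report
    shows, hash each member's bytes for IOC sharing, and flag script members."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            members.append({
                "name": info.filename,
                "uncompressed": info.file_size,
                "compressed": info.compress_size,
                "crc": f"0x{info.CRC:08x}",
                "compression": COMPRESSION.get(info.compress_type, str(info.compress_type)),
                "required_version": info.extract_version,   # 20 == ZIP 2.0
                "sha256": hashlib.sha256(zf.read(info)).hexdigest(),
                "is_script": ext in SCRIPT_EXTENSIONS,
            })
    scripts = [m["name"] for m in members if m["is_script"]]
    # The lure layout on this page: every member of the archive is a script.
    if scripts and len(scripts) == len(members):
        verdict = "block"
    elif scripts:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "archive_sha256": hashlib.sha256(data).hexdigest(),
        "members": members,
        "script_members": scripts,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_zip(build_sample_zip()), indent=2))
```

Run it against the real archive and archive_sha256 should equal the SHA256 in the header table, while the member's CRC, sizes and required version should match the ZipCRC, ZipUncompressedSize, ZipCompressedSize and ZipRequiredVersion fields above. The member SHA256 fills the gap in the files table below, which recorded no hash for the extracted .vbs.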
Processes. All of them ran as user admin.

| PID | Command line | Image path | Parent | Integrity | Exit code | Description (company, version) |
|---|---|---|---|---|---|---|
| 2104 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\G9996757243586095_5678.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | MEDIUM | 0 | WinRAR archiver (Alexander Roshal, 5.60.0) |
| 1860 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\GAM_9996757243586095.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | MEDIUM | 0 | Microsoft ® Windows Based Script Host (Microsoft Corporation, 5.8.7600.16385) |
| 2412 | regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txt | C:\Windows\system32\regsvr32.exe | wmiprvse.exe | MEDIUM | 4 | Microsoft(C) Register Server (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 988 | -s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txt | C:\Windows\SysWOW64\regsvr32.exe | regsvr32.exe | MEDIUM | 4 | Microsoft(C) Register Server (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 2304 | C:\Windows\System32\svchost.exe | C:\Windows\SysWOW64\svchost.exe | regsvr32.exe | MEDIUM | — | Host Process for Windows Services (Microsoft Corporation, 6.1.7600.16385 (win7_rtm.090713-1255)) |
| 2376 | C:\Users\admin\AppData\Local\Temp\BNBA83.tmp | C:\Users\admin\AppData\Local\Temp\BNBA83.tmp | svchost.exe | MEDIUM | — | — |
| 328 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | svchost.exe | MEDIUM | 1 | Internet Explorer (Microsoft Corporation, 11.00.9600.16428 (winblue_gdr.131013-1700)) |
| 2924 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:328 CREDAT:267521 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | iexplore.exe | LOW | 0 | Internet Explorer (Microsoft Corporation, 11.00.9600.16428 (winblue_gdr.131013-1700)) |
| 1928 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | svchost.exe | MEDIUM | 1 | Internet Explorer (Microsoft Corporation, 11.00.9600.16428 (winblue_gdr.131013-1700)) |
| 1084 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:267521 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | iexplore.exe | LOW | 0 | Internet Explorer (Microsoft Corporation, 11.00.9600.16428 (winblue_gdr.131013-1700)) |
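The parent column is what makes this table readable as one chain. WinRAR (2104) opens the archive and explorer.exe runs WScript.exe on the .vbs from the Desktop (1860). regsvr32.exe (2412) is then created by wmiprvse.exe, not by WScript.exe, which is consistent with the script starting it through WMI (Win32_Process) so that the script host never appears as its parent. The module it loads silently (-s) is a DLL with a .txt extension in %TEMP%; the 64-bit regsvr32 hands it to the SysWOW64 copy (988), which is what regsvr32 does when given a 32-bit module, and both exit with code 4 (entry point not found). That code says nothing about the DLL's DllMain, which runs when the module is loaded, before regsvr32 looks for DllRegisterServer. The 32-bit regsvr32 starts svchost.exe (2304): the command line names System32 but the image on disk is SysWOW64, because WOW64 file-system redirection applies to a 32-bit creator. This svchost is not a child of services.exe, and it is the process behind the three check-in connections and every IDS alert in the tables below. It drops and runs BNBA83.tmp (2376) and starts Internet Explorer as a COM server (-Embedding, 328 and 1928), whose tab processes (2924, 1084) make the /webstore/ requests to fulldin.at. The block below is an added example, not part of the ANY.RUN report: it encodes that chain as detection rules and runs them over events constructed from the table; the rule names, the user-writable path pattern and the parent allow-list are my choices, not ANY.RUN indicators.

```python
"""Process-tree detections for the execution chain in this report.

Added example, not part of the ANY.RUN report. EVENTS is constructed by hand
from the process table above (PID, image path, command line, parent image
name; the report does not record parent PIDs). The rule names, USER_WRITABLE
pattern and parent allow-list are my own and need tuning per environment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str     # image path as recorded on disk
    cmdline: str   # command line as recorded
    parent: str    # parent process image name


EVENTS = [
    ProcEvent(2104, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\G9996757243586095_5678.zip"',
              "explorer.exe"),
    ProcEvent(1860, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\GAM_9996757243586095.vbs"',
              "explorer.exe"),
    ProcEvent(2412, r"C:\Windows\system32\regsvr32.exe",
              r"regsvr32.exe -s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txt", "wmiprvse.exe"),
    ProcEvent(988, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"-s C:\Users\admin\AppData\Local\Temp\PbzVeQP.txt", "regsvr32.exe"),
    ProcEvent(2304, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\System32\svchost.exe", "regsvr32.exe"),
    ProcEvent(2376, r"C:\Users\admin\AppData\Local\Temp\BNBA83.tmp",
              r"C:\Users\admin\AppData\Local\Temp\BNBA83.tmp", "svchost.exe"),
    ProcEvent(328, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding', "svchost.exe"),
    ProcEvent(2924, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:328 CREDAT:267521 /prefetch:2',
              "iexplore.exe"),
    ProcEvent(1928, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding', "svchost.exe"),
    ProcEvent(1084, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:267521 /prefetch:2',
              "iexplore.exe"),
]

# Folders an unprivileged user can write to; extend for redirected profiles.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\", re.I)
SCRIPT_FILE = re.compile(r'\.(vbs|vbe|js|jse|wsf)"?$', re.I)
REGSVR_MODULE = re.compile(r"(?:^|\s)-s\s+(\S+)", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Return (pid, rule) pairs; one event may trip several rules."""
    hits = []
    for e in events:
        name, parent = image_name(e.image), e.parent.lower()
        # R1: script host running a script out of a user-writable folder (the lure, PID 1860)
        if name in ("wscript.exe", "cscript.exe") and SCRIPT_FILE.search(e.cmdline) \
                and USER_WRITABLE.search(e.cmdline):
            hits.append((e.pid, "script_host_user_dir"))
        if name == "regsvr32.exe":
            # R2: regsvr32 created by the WMI provider host, i.e. launched via WMI
            # so that the requesting script is not its parent (PID 2412)
            if parent == "wmiprvse.exe":
                hits.append((e.pid, "regsvr32_from_wmi"))
            # R3: silent (-s) load of a module that is not .dll/.ocx and sits in a
            # user-writable folder (PIDs 2412 and 988, PbzVeQP.txt)
            m = REGSVR_MODULE.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)) \
                    and not m.group(1).lower().endswith((".dll", ".ocx")):
                hits.append((e.pid, "regsvr32_nondll_module"))
        # R4: svchost.exe not started by services.exe: a hollowing/injection host (PID 2304)
        if name == "svchost.exe" and parent != "services.exe":
            hits.append((e.pid, "svchost_unexpected_parent"))
        # R5: a .tmp file in a user-writable folder executed as a process (PID 2376)
        if USER_WRITABLE.search(e.image) and e.image.lower().endswith(".tmp"):
            hits.append((e.pid, "temp_tmp_executed"))
        # R6: Internet Explorer started as a COM server by svchost.exe (PIDs 328, 1928)
        if name == "iexplore.exe" and "-embedding" in e.cmdline.lower() and parent == "svchost.exe":
            hits.append((e.pid, "ie_embedding_from_svchost"))
    return hits


def chain_summary(events) -> dict:
    """Group rule hits by PID so the whole chain is visible in one view."""
    out = {}
    for pid, rule in detect(events):
        out.setdefault(pid, []).append(rule)
    return out


if __name__ == "__main__":
    for pid, rules in chain_summary(EVENTS).items():
        print(pid, ", ".join(rules))
```

R2 and R3 are the high-confidence signals here; R4 assumes svchost.exe is always a child of services.exe, so allow-list any other legitimate parents your telemetry shows before deploying it, and R6 also fires for some legitimate COM activations of Internet Explorer, so weigh it together with the others rather than alone.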
Files. The report recorded no type and no MD5/SHA256 for any of these files.

| PID | Process | Filename |
|---|---|---|
| 2104 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2104.31507\GAM_9996757243586095.vbs |
| 1860 | WScript.exe | C:\Users\admin\AppData\Local\Temp\FEN.txt |
| 328 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF1B3CEA71E2E7D8B5.TMP |
| 328 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFCF39638071B2824C.TMP |
| 328 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{97CAF642-153F-11EA-9C27-5254004AAD21}.dat |
| 1928 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF5490426F5ABB25B4.TMP |
| 1928 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B13EF116-153F-11EA-9C27-5254004AAD21}.dat |
| 1928 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF05657AA6B6FED584.TMP |
| 1928 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B13EF114-153F-11EA-9C27-5254004AAD21}.dat |
| 2936 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF2B8850A5B23021AF.TMP |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1928 | iexplore.exe | GET | — | 8.208.24.139:80 | http://8.208.24.139/favicon.ico | US | — | — | malicious |
1084 | IEXPLORE.EXE | GET | — | 8.208.24.139:80 | http://foo.fulldin.at/webstore/qpd_2B_2FnCiKEaRvUhB/FY_2BWrXmeb_2Fn5xa4/zKrPjkIcReyLfgsux99_2B/C1hv5MAs6sLjf/SKz7aLdl/s4DMW65KDd8OCpA2l9uEOHi/AGHKY6qxtK/Yckn0w9TiRAu4cPqD/CM1Pqe_2BU_2/FLw2dTI8ZEd/ZXOT0unmJCYzHJ/kV59Z23NzpbCRpz4E7WeS/PZHRzjGzmFcT88y0/TwFp2ERv0nM8ziX/1VFkEtdtmpkInuOIZJ/tfvlzq9Rd/scDgeT9EBKIMfApdYX_0/A_0DshcSOA9DQrvAK6n/Gw4TeGSC3V/y | US | — | — | malicious |
328 | iexplore.exe | GET | — | 8.208.24.139:80 | http://8.208.24.139/favicon.ico | US | — | — | malicious |
2924 | IEXPLORE.EXE | GET | — | 8.208.24.139:80 | http://foo.fulldin.at/webstore/67nNBcPTc3bXzbkl_2Boi/7UmI4I4aidZLNNv3/yb2dMm0PgnuOCVy/3wmE0PLjh_2FhZ29_2/B8i58Stfx/5fHhoaxu_2FqvLK_2Fm3/7K6KB3HIh_2Faf01_2B/i3Uie511957PeWM_2FFr6v/5uvyyLKXyW4tf/pA2asl5n/Y0qz9o_2BkDYCNHD6IhHDiA/AyIZou7al_/2F_2ByCEiUY78_2Bo/FjRcMEFYN_2F/cSXbU9fs2yQ/wVuxmJy9aW76UU/_2BFrh0gzr7q01fLfsOza/VJhMwxTnd5U_0A_0/DAcMyoD_2BKgDIr/J_2FnjipUn/yKT_2F_2B/a | US | — | — | malicious |
2844 | IEXPLORE.EXE | GET | — | 8.208.24.139:80 | http://foo.fulldin.at/webstore/keABF0EMOyLxt/EunGnqhC/bOJQ_2BSuuzEM3_2BFuH9e3/4cQp26j4tj/d3sYAW8HPL2_2FXJa/lymxZ2v74_2B/q_2BuEdi0p7/rZrBUnyifTox_2/FGYCuJN6BBz7WMeLJGr9k/kv36W8DS2PBUGK3Q/h1eawE_2F78jj9l/etKZXHHVQhtbDibGMw/c1urIJBnL/6xw5cFg_2B9Y8QX3_2Fl/WcHRrq1427bFqxv12KR/o_2BniX5mOLB2YjZSVtE23/7CID4xGjGvIWh/dqx8UD9a/gLn_0A_0DWBG1oYhRwy7Lhp/xnvzsbFei6/Xu | US | — | — | malicious |
2448 | IEXPLORE.EXE | GET | — | 8.208.24.139:80 | http://foo.fulldin.at/webstore/O8Q2OaQY1peh_2Bufy0/yJGkXQg_2FR6TR7mk9cF08/rCL_2F6I8vr_2/FS_2FNHs/bvDLtOXEGdcRJas9dwjE_2F/ttd_2BTMOr/W3v1EPm8tatLGBuYB/2lBRct9vZjp9/AF6vuakrO_2/BeA8b8iAw_2F_2/BN81iBg0RgdhmV2Xct_2B/uds5rSGQjgsMCNRy/JEp_2BcNuEj0pyY/Y1tExxE2BQNYbtqOXg/_2Fs6rgoR/CKorw7J_2FblJehEFnVz/xRuzi2zKj7zaueC1wDF/bYVJZ_2F29XVl11_0A_0Dl/biNGu3dL2EnTX/RhfM6b9c/jp4c | US | — | — | malicious |
2584 | IEXPLORE.EXE | GET | — | 8.208.24.139:80 | http://foo.fulldin.at/webstore/ZwTUp3FmAgu6uT/XvU0qAlV_2Ff9ERgYTjxZ/hYIUY145wUzLk0s9/bhzOUkYtmgxYDUQ/wVaw6ev8RTzZM_2FWj/IKP2kLJT6/UPOs0FmgyD5vwBSsz1mY/j0x8naGBPQmj1eayfDe/3lTZn6MPJcFknpfpYKDioW/IellS4rCAkZZn/uYPRroJX/6R53gT_2BYKtNq7rO0IHIu1/jKjx_2F8Mi/4WbSUCSM8YxjK898S/Rwei7i73PJot/20zlEc5X8lL/runRrzcdm5Bz_0/A_0DeUUZGKMDaqbJlnq8g/6QfG_2BD/TVe | US | — | — | malicious |
3064 | IEXPLORE.EXE | GET | — | 8.208.24.139:80 | http://bat.fulldin.at/webstore/079daTeWWh3UPB/l5a_2FD6WKtx4f8cPUcXn/WG9xWEtVctefS9Vi/iwvjQ1R5ohiHM_2/Fxbjxov8lMepP_2FuW/k9PdVmmpi/syzod_2BTK7OR4SuENvN/mFiqgtF1MYkr_2FPvLb/ky8zvi0eCpNF0vfiXaWm0Z/H_2FI72Q0FLsD/ovHNuRwr/GWjQ9snx0H5xOCNYNxsdN2K/cCJ74gRWgg/f8Rx8BZCvwo3IURR4/m4XYSY6WzKTP/mUSTucXTFnS/_2FphIfjMTiDYk/_2BBAE_0A_0DHpUB5F5g6/bu0niu1ubF4/iIt0To | US | — | — | malicious |
1748 | IEXPLORE.EXE | GET | — | 8.208.24.139:80 | http://bat.fulldin.at/webstore/PEOn_2Bbpe/bye5ImGoRVobd7S1D/MoKmNdEf_2Fx/jxmmqVWTlPt/hX15ugakog2pCP/OjVZ6dEpC6Y1O9PEWzNrU/K5buxYZN7q5TPhmF/oph1PH4oaVb0ktt/IIc5o0CD1j1CotcCWr/g9j4gddtp/9zzpOt_2Bbf4oFqr44Ms/uCEgR_2Bvb2mm6_2Bei/w9E03_2FrMqKrKXohC_2B1/kc3EXLy81rOfz/zAAJ9QVF/sUfe2jj_2Fw1FwuQs8EgA_2/FhE5FYwBL4/tYUWg71bo_2FH4_0A/_0DST6sw0RML/3o9LDxBLYbZIxAzT/h | US | — | — | malicious |
592 | IEXPLORE.EXE | GET | — | 8.208.24.139:80 | http://bat.fulldin.at/webstore/sOX8yawm1J_2FVZ3/2VS2i9yTVsEOylX/dp8ayZ_2FwiO_2BYQc/_2FUqRL2h/D8wN5Tdm_2Fy6Z0BvlgQ/GkRsGgEVh_2BL2nYvET/x_2B6eYILEoRIKg_2Fvrsl/AePypvQcsQuhZ/893Vbhed/ao9c6C_2F57HtDvCkRFpNAb/6L2wZXn8Z4/MiWewpsZ8lk_2BUQI/sr5D8X6kL9jD/Q0Ns0TuhW2D/RZMk7T_2BELHP0/VNeWnAszzc0e8NbYCD52S/_2BLdMzEvz9IYjls/hyi3KrRz_2FV7w_/0A_0DE4Y4dWi01p128/sxaFUgoBD/bnfD | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2304 | svchost.exe | 23.23.83.153:80 | api.ipify.org | Amazon.com, Inc. | US | malicious |
2304 | svchost.exe | 178.170.248.82:80 | laticivue.com | Electrics Ltd | RU | malicious |
2304 | svchost.exe | 2.57.89.115:80 | www.laadlifashionworld.com | — | — | malicious |
— | — | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
328 | iexplore.exe | 8.208.24.139:80 | foo.fulldin.at | Level 3 Communications, Inc. | US | malicious |
2924 | IEXPLORE.EXE | 8.208.24.139:80 | foo.fulldin.at | Level 3 Communications, Inc. | US | malicious |
2376 | BNBA83.tmp | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
1084 | IEXPLORE.EXE | 8.208.24.139:80 | foo.fulldin.at | Level 3 Communications, Inc. | US | malicious |
1748 | IEXPLORE.EXE | 8.208.24.139:80 | foo.fulldin.at | Level 3 Communications, Inc. | US | malicious |
328 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
DNS requests.

| Domain | IP (as recorded in the connection and HTTP tables above) | Reputation |
|---|---|---|
| api.ipify.org | 23.23.83.153 | shared |
| laticivue.com | 178.170.248.82 | malicious |
| www.laadlifashionworld.com | 2.57.89.115 | malicious |
| foo.fulldin.at | 8.208.24.139 | malicious |
| bat.fulldin.at | 8.208.24.139 | malicious |
| iecvlist.microsoft.com | 152.199.19.161 | whitelisted |
| r20swj13mr.microsoft.com | — | whitelisted |
| ctldl.windowsupdate.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2304 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |
2304 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
2304 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Fareit/Pony/Hancitor Payload (Zeus) |
2304 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
2304 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
2304 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
2304 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
2304 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
2304 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
2304 | svchost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Hancitor POST Data send |
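The two network tables and the alert list read as one sequence from the hollowed svchost.exe (2304): it first asks api.ipify.org for the host's public address (the ET POLICY alert; the domain itself is rated "shared", not malicious), then POSTs to laticivue.com and www.laadlifashionworld.com (the Hancitor POST alerts), after which Internet Explorer fetches long /webstore/ paths from foo.fulldin.at and bat.fulldin.at, both on 8.208.24.139. Those paths consist of random-looking segments carrying _2B and _2F, the hex escapes of '+' and '/', and end without a file name. The block below is an added example, not part of the ANY.RUN report: it turns the tables into an IOC set and a correlation rule (external-IP lookup followed by a POST from the same source) and runs them over a constructed proxy log. The timestamps, internal hosts, the benign host, most paths and the 120-second window are invented; the one /webstore/ path is a shortened prefix of a URL from the HTTP table.

```python
"""Network-side correlation for the traffic in this report.

Added example, not part of the ANY.RUN report. IOC_DOMAINS and IOC_IPS are
copied from the tables above. LOG is a constructed proxy log (timestamps,
source hosts, the benign host and most paths are invented) that mirrors the
report's order of events; the rule names and the 120 s window are my own.
"""
import re
from datetime import datetime, timedelta

IOC_DOMAINS = {"laticivue.com", "www.laadlifashionworld.com", "foo.fulldin.at", "bat.fulldin.at"}
IOC_IPS = {"178.170.248.82", "2.57.89.115", "8.208.24.139"}
# Not malicious by itself (rated "shared" on this page), but on this page the
# lookup immediately precedes the first Hancitor POST.
EXTERNAL_IP_SERVICES = {"api.ipify.org"}
WINDOW = timedelta(seconds=120)

# Constructed log, one request per line: "<timestamp> <src> <method> <host> <dst-ip> <path>"
LOG = """\
2019-12-02T20:09:01Z 10.0.0.15 GET api.ipify.org 23.23.83.153 /
2019-12-02T20:09:02Z 10.0.0.15 POST laticivue.com 178.170.248.82 /
2019-12-02T20:09:05Z 10.0.0.15 POST www.laadlifashionworld.com 2.57.89.115 /
2019-12-02T20:09:40Z 10.0.0.15 GET foo.fulldin.at 8.208.24.139 /webstore/qpd_2B_2FnCiKEaRvUhB/FY_2BWrXmeb_2Fn5xa4/zKrPjkIcReyLfgsux99_2B/C1hv5MAs6sLjf/SKz7aLdl/y
2019-12-02T20:09:41Z 10.0.0.15 GET 8.208.24.139 8.208.24.139 /favicon.ico
2019-12-02T20:15:00Z 10.0.0.22 GET api.ipify.org 23.23.83.153 /
2019-12-02T20:15:30Z 10.0.0.22 GET intranet.example 203.0.113.10 /index.html
"""


def looks_encoded(path: str) -> bool:
    """Heuristic for the /webstore/ URLs above: a fixed first segment followed by
    many segments of random alphanumerics carrying _2B/_2F and no file name."""
    segs = path.strip("/").split("/")
    return len(segs) >= 6 and bool(re.search(r"_2[BF]", path)) and segs[0].isalpha()


def analyze(log: str) -> list:
    """Return (src, rule, indicator) findings in log order."""
    findings, last_lookup = [], {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts_s, src, method, host, dst_ip, path = line.split(maxsplit=5)
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        if host in EXTERNAL_IP_SERVICES:
            # Policy-level signal on its own; remembered so a following POST can be escalated.
            findings.append((src, "external_ip_lookup", host))
            last_lookup[src] = ts
            continue
        if host in IOC_DOMAINS:
            findings.append((src, "ioc_domain", host))
        if dst_ip in IOC_IPS:
            findings.append((src, "ioc_ip", dst_ip))
        # The check-in pattern this page shows: public-IP lookup, then a POST elsewhere.
        if method == "POST" and src in last_lookup and ts - last_lookup[src] <= WINDOW:
            findings.append((src, "post_after_external_ip_lookup", host))
        if looks_encoded(path):
            findings.append((src, "encoded_path", host))
    return findings


if __name__ == "__main__":
    for src, rule, indicator in analyze(LOG):
        print(f"{src:<10} {rule:<32} {indicator}")
```

The encoded_path heuristic is deliberately loose and will match some CDN cache-busting URLs; treat it as a pivot, not a verdict, and read it together with the IOC hits. The external-IP lookup alone is policy noise (host 10.0.0.22 above produces nothing else); it earns attention when a POST to a host outside your allow-list follows it from the same source, which is the order this report shows.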