File name: malware.zip
Full analysis: https://app.any.run/tasks/c2d9a629-9567-4ed0-9add-b5b623908421
Verdict: Malicious activity
Threats:

Trojans are malicious programs that masquerade as benign software. Their capabilities vary widely from one family to the next, ranging from full remote control of the victim's machine to stealing data and files and dropping other malware. The most common trojan infection chain starts with a phishing email.

Analysis date: November 15, 2018, 11:08:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, betabot
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: FF6FB247E60FCEDFB7B5B79E69B3AE3E
SHA1: 609BB7D0899AFC7090B426BFEBEB3BBA0805F95C
SHA256: 0B2784E2C1E373B6ADA7F0C74C76238F4E0371EEB291C869B6534C94A69C4783
SSDEEP: 6144:+JeR6xLNIQOVyAFTFPs6FyzoZ/BR8Iw+ABFOszWpBxCUsa3:ehIZDtFPseyzq8IgOsoCY3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts CMD.EXE for commands execution
      • WINWORD.EXE (PID: 3788)
    • Runs app for hidden code execution
      • cmd.exe (PID: 3028)
      • cmd.exe (PID: 3756)
    • Unusual execution from Microsoft Office
      • WINWORD.EXE (PID: 3788)
    • Application was dropped or rewritten from another process
      • saver.scr (PID: 3148)
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • WinRAR.exe (PID: 3228)
    • Starts CMD.EXE for commands execution
      • cmd.exe (PID: 3028)
      • cmd.exe (PID: 3756)
      • cmd.exe (PID: 3472)
      • cmd.exe (PID: 3720)
    • Executes scripts
      • cmd.exe (PID: 3720)
    • Uses REG.EXE to modify Windows registry
      • cmd.exe (PID: 3720)
      • cmd.exe (PID: 4024)
      • cmd.exe (PID: 3308)
      • cmd.exe (PID: 2888)
      • cmd.exe (PID: 3080)
      • cmd.exe (PID: 2436)
      • cmd.exe (PID: 3880)
    • Uses TASKKILL.EXE to kill Office Apps
      • cmd.exe (PID: 3720)
    • Application launched itself
      • cmd.exe (PID: 3720)
    • Executable content was dropped or overwritten
      • cscript.exe (PID: 2968)
      • saver.scr (PID: 3148)
    • Starts application with an unusual extension
      • cmd.exe (PID: 3720)
  • INFO
    • Creates files in the user directory
      • WINWORD.EXE (PID: 3788)
    • Reads Microsoft Office registry keys
      • WINWORD.EXE (PID: 3788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2018:11:12 13:17:17
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: malware/
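The EXIF block above describes only the archive's first entry, the malware/ directory (CRC 0, no sizes), and the MD5/SHA1/SHA256 in the Indicators section are of the outer ZIP, so re-hashing the extracted document will not match them. The script below, an added example and not ANY.RUN's tooling, hashes the archive and every member in memory without extracting to disk and reports the same header fields (required version, compression, modification time, CRC, sizes) plus a couple of triage flags. The archive it builds is constructed: the member names and the directory timestamp are taken from this report, the document bytes are a placeholder.

```python
"""Triage a ZIP sample without extracting it to disk: hash the archive, then hash and
describe every member. Added example, not ANY.RUN code. The archive built below is
constructed; only the member names and the directory timestamp come from the report."""
import hashlib
import io
import zipfile

COMPRESSION = {zipfile.ZIP_STORED: "None", zipfile.ZIP_DEFLATED: "Deflate",
               zipfile.ZIP_BZIP2: "BZip2", zipfile.ZIP_LZMA: "LZMA"}
RISKY = (".doc", ".docm", ".rtf", ".scr", ".exe", ".vbs", ".js", ".cmd", ".bat",
         ".lnk", ".hta", ".sct")
PLACEHOLDER = b"constructed placeholder bytes, not the real document"  # assumption


def hash_stream(fh, chunk=1 << 16):
    """MD5/SHA1/SHA256 of a readable stream, upper-case hex like the report."""
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    while True:
        block = fh.read(chunk)
        if not block:
            break
        for d in digests.values():
            d.update(block)
    return {n: d.hexdigest().upper() for n, d in digests.items()}


def sha256_of(data):
    return hash_stream(io.BytesIO(data))["sha256"]


def member_flags(info):
    flags = []
    parts = info.filename.replace("\\", "/").split("/")
    if info.filename.startswith(("/", "\\")) or ".." in parts or ":" in info.filename:
        flags.append("absolute_or_traversal_path")   # zip-slip style names
    if not info.is_dir() and info.filename.lower().endswith(RISKY):
        flags.append("risky_extension")
    if info.flag_bits & 0x1:
        flags.append("encrypted")                     # password-protected member
    return flags


def triage_zip(data):
    """Return hashes of the archive and a per-member description (hashed in memory)."""
    report = {"archive": {"size": len(data), **hash_stream(io.BytesIO(data))}, "members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entry = {
                "name": info.filename, "is_dir": info.is_dir(),
                "extract_version": info.extract_version,
                "compression": COMPRESSION.get(info.compress_type, str(info.compress_type)),
                "date_time": info.date_time,          # DOS time: 2-second resolution
                "crc": info.CRC, "compressed_size": info.compress_size, "size": info.file_size,
                "flags": member_flags(info),
            }
            if not info.is_dir():
                with zf.open(info) as fh:              # streamed, never written to disk
                    entry["sha256"] = hash_stream(fh)["sha256"]
            report["members"].append(entry)
    return report


def build_sample_zip():
    """Constructed stand-in for malware.zip: a stored 'malware/' directory entry with the
    report's timestamp, then the document name from the report with placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        d = zipfile.ZipInfo("malware/", date_time=(2018, 11, 12, 13, 17, 17))
        d.external_attr = 0o40775 << 16 | 0x10         # directory bits
        zf.writestr(d, b"")                            # ZipInfo default is ZIP_STORED
        zf.writestr("malware/CCMA Case NC985-18.doc", PLACEHOLDER)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    print(result["archive"])
    for m in result["members"]:
        print(m)
```

Hash every member and record those hashes alongside the archive's; the report's own hashes only identify the container, and the same document shipped in a re-zipped archive gets a different outer hash.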
All screenshots are available in the full report
Total processes: 64 | Monitored processes: 30 | Malicious processes: 5 | Suspicious processes: 1

Behavior graph

Processes in the graph, in the order shown (30, matching the monitored-process count; "no specs" marks a process with no specific indicators of its own, and the two entries without it, cscript.exe and saver.scr, are the ones the signature list attributes dropped executable content to): winrar.exe, winword.exe, cmd.exe, cmd.exe, cmd.exe, timeout.exe, cscript.exe, cmd.exe, cmd.exe, taskkill.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, saver.scr, cscript.exe.

Process information

PID 3228 (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\malware.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0

PID 3788 (parent: WinRAR.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb3228.11200\CCMA Case NC985-18.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Microsoft Word | Exit code: 1 | Version: 14.0.6024.1000

PID 3028 (parent: WINWORD.EXE)
  CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3472 (parent: cmd.exe)
  CMD: CmD
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3720 (parent: cmd.exe)
  CMD: C:\Windows\system32\cmd.exe /K itnqknf5.CMD
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 348 (parent: cmd.exe)
  CMD: TIMEOUT /T 1
  Path: C:\Windows\system32\timeout.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: timeout - pauses command processing | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2968 (parent: cmd.exe)
  CMD: cscript //nologo "C:\Users\admin\AppData\Local\Temp\_.vbs"
  Path: C:\Windows\system32\cscript.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Microsoft ® Console Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

PID 3756 (parent: WINWORD.EXE)
  CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"
  Path: C:\Windows\System32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2696 (parent: cmd.exe)
  CMD: CmD
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3640 (parent: cmd.exe)
  CMD: TASkKILL /F /IM winword.exe
  Path: C:\Windows\system32\taskkill.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Terminates Processes | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
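The chain the signature list and the process table describe (Word spawning cmd.exe with its command input redirected from a .cMD file, cmd.exe running a second .CMD via /K, cscript.exe executing a .vbs from the user's Temp folder, taskkill closing Word, and a dropped .scr running from Temp) reduces to a handful of process-creation rules. The following is an added example and not ANY.RUN's signature logic. Its records are constructed from the PIDs, parent names and command lines in the table above; the saver.scr record is an assumption, since the page lists that process only as a dropped file and an indicator hit and shows neither its command line nor its parent.

```python
"""Process-creation triage rules for the Office -> cmd.exe -> cscript.exe -> .scr chain.
Added example, not ANY.RUN's signature engine. RECORDS is constructed from the report's
process table; the saver.scr entry is an assumption (its command line and parent are not
listed on the page) and is marked as such below."""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
ODD_EXTENSIONS = (".scr", ".pif", ".com")

# Every pattern is case-insensitive: the sample mixes case (CmD, TASkKILL, .cMD), which
# defeats naive string matching.
RE_STDIN_SCRIPT = re.compile(r'<\s*"?[^"<>]*\.(?:cmd|bat)"?', re.I)   # cmd < file.cmd
RE_RUN_SCRIPT = re.compile(r'/[kc]\s+"?[^"\s]*\.(?:cmd|bat)\b', re.I)  # cmd /K file.cmd
RE_USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.I)
RE_KILL_OFFICE = re.compile(r'/IM\s+(?:winword|excel|powerpnt|outlook)\.exe', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(rec):
    """Names of every rule the record trips, in rule order."""
    image, parent, cmd = basename(rec["image"]), rec["parent"].lower(), rec["cmdline"]
    hits = []
    if parent in OFFICE and image in SHELLS:
        hits.append("office_spawns_shell")
    if image == "cmd.exe" and RE_STDIN_SCRIPT.search(cmd):
        hits.append("cmd_stdin_redirect")        # commands fed through stdin redirection
    if image == "cmd.exe" and RE_RUN_SCRIPT.search(cmd):
        hits.append("cmd_runs_script_file")
    if image in SCRIPT_HOSTS and RE_USER_TEMP.search(cmd):
        hits.append("script_host_from_temp")
    if image == "taskkill.exe" and RE_KILL_OFFICE.search(cmd):
        hits.append("taskkill_office")           # hides the lure document's window
    if image.endswith(ODD_EXTENSIONS) and RE_USER_TEMP.search(rec["image"]):
        hits.append("unusual_extension_from_temp")
    return hits


def triage(records):
    """Map pid -> rule hits for every record that trips at least one rule."""
    return {r["pid"]: h for r in records if (h := rules_for(r))}


# Constructed from the report's process table (PID, parent name, path, command line).
RECORDS = [
    dict(pid=3228, parent="explorer.exe", image=r"C:\Program Files\WinRAR\WinRAR.exe",
         cmdline=r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\malware.zip"'),
    dict(pid=3788, parent="WinRAR.exe", image=r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
         cmdline=r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb3228.11200\CCMA Case NC985-18.doc"'),
    dict(pid=3028, parent="WINWORD.EXE", image=r"C:\Windows\System32\cmd.exe",
         cmdline=r'"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"'),
    dict(pid=3472, parent="cmd.exe", image=r"C:\Windows\system32\cmd.exe", cmdline="CmD "),
    dict(pid=3720, parent="cmd.exe", image=r"C:\Windows\system32\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /K itnqknf5.CMD"),
    dict(pid=348, parent="cmd.exe", image=r"C:\Windows\system32\timeout.exe", cmdline="TIMEOUT /T 1"),
    dict(pid=2968, parent="cmd.exe", image=r"C:\Windows\system32\cscript.exe",
         cmdline=r'cscript //nologo "C:\Users\admin\AppData\Local\Temp\_.vbs"'),
    dict(pid=3756, parent="WINWORD.EXE", image=r"C:\Windows\System32\cmd.exe",
         cmdline=r'"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"'),
    dict(pid=2696, parent="cmd.exe", image=r"C:\Windows\system32\cmd.exe", cmdline="CmD "),
    dict(pid=3640, parent="cmd.exe", image=r"C:\Windows\system32\taskkill.exe",
         cmdline="TASkKILL /F /IM winword.exe"),
    # Assumption: the page shows saver.scr (PID 3148) only as a dropped file and an indicator
    # hit; its command line and parent are not listed, so both are assumed here.
    dict(pid=3148, parent="unknown", image=r"C:\Users\admin\AppData\Local\Temp\saver.scr",
         cmdline=r"C:\Users\admin\AppData\Local\Temp\saver.scr"),
]

if __name__ == "__main__":
    for pid, hits in triage(RECORDS).items():
        print(pid, ", ".join(hits))
```

The parent-name check is deliberately loose (names, not PIDs) because the page lists only parent names; on a real endpoint, key the rule on the parent PID from the process-creation event so a benign cmd.exe launched from Explorer is not confused with one launched by Word.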
Total events: 1 895 | Read events: 1 854 | Write events: 0 | Delete events: 0

Modification events: No data

Executable files: 3 | Suspicious files: 5 | Text files: 10 | Unknown types: 3

Dropped files

PID 3788 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\CVRD268.tmp.cvr
  Type: (not recorded) | MD5: (not recorded) | SHA256: (not recorded)
PID 3788 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\itnqknf5.cmd
  Type: text | MD5: A3B2EC295AD5A65C83A52892A2ABE0FE | SHA256: 5A8956E665402C41F00377A5F5F2900B1A3DBC8B04099D8293207D3C65CAA238
PID 3788 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\Rar$DIb3228.11200\~$MA Case NC985-18.doc
  Type: pgc | MD5: E8497F53A754C0163E735793BA6FE66D | SHA256: F7AE292F6AD46F7F0019E612B1C109F1B9F7E29F998A148F135690261E25ECFB
PID 3788 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\a.ScT
  Type: xml | MD5: 93522467EA6A1B96B85DDC1AEC79DA43 | SHA256: FAB6F1444B9550EF2EF06B651EFAE615C358F5DA51F267C94B78DD115240E9A1
PID 2968 (cscript.exe): C:\Users\admin\AppData\Local\Temp\gondi.doc
  Type: document | MD5: 9B5662F43ADBAE343CBCFE9C8C9A12DB | SHA256: 280F431FB3050075956D5CBD5C691B35EBDB3C95245A21F1A63209BC71943885
PID 3228 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DIb3228.11200\CCMA Case NC985-18.doc
  Type: text | MD5: 358E8926C0B29A0DAC271E1042E0C814 | SHA256: 66CB0EA87448DE3BE1E257D557137A97E076D240D8E3BEA0A5096EE151D96C0A
PID 3720 (cmd.exe): C:\Users\admin\AppData\Local\Temp\_.vbs
  Type: text | MD5: C528053C4B7CCAAEC518BF6C9E4639C9 | SHA256: F4972539FBC83EF1768EA8390B0411726D8D116818D9B3C9D964EADBE80B33D0
PID 3148 (saver.scr): C:\Users\admin\AppData\Local\Temp\Marabou
  Type: binary | MD5: 851AED89C5F86565FAEA4A2547B8BC9E | SHA256: 3D8FF51B61ED9C26958E90A93BD9A9AA4BE3FB65ED3F8989641BFB501402C0C1
PID 3788 (WINWORD.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc | MD5: 7E3DAFA25F7A05789528EB0A3FDE9043 | SHA256: 655238AF5855A2856412FEEA4337457F56A9E5D4CD01894E506F82A575E7E24F
PID 2968 (cscript.exe): C:\Users\admin\AppData\Local\Temp\saver.scr
  Type: executable | MD5: 7723283807A9C8176E741F489CD3CFCF | SHA256: 78B095CB056A5A8F91FDA1062B62E08C8575416D3F79321F9C1A287738447E80
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1 | TCP/UDP connections: 2 | DNS requests: 3 | Threats: 0

HTTP requests

Method: POST | IP: 91.243.80.52:80 | URL: http://radburgsoft.com/bet/nite/logout.php | CN: NL | Reputation: malicious
(PID, process, HTTP code, content type and size are not shown in this summary.)

Connections

IP: 40.76.4.15:80 | Domain: microsoft.com | ASN: Microsoft Corporation | CN: US | Reputation: whitelisted
IP: 91.243.80.52:80 | Domain: radburgsoft.com | ASN: Sinarohost LTD | CN: NL | Reputation: malicious
(PID and process are not shown in this summary.)

DNS requests

microsoft.com: 40.76.4.15, 40.112.72.205, 40.113.200.201, 104.215.148.63, 13.77.161.179 (whitelisted)
radburgsoft.com: 91.243.80.52 (malicious)

Threats

Class: A Network Trojan was detected | Message: ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 (PID and process are not shown in this summary)
1 ETPRO signatures available at the full report