analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://forestandseaclub.racevmarketing.com/wp-content/cache/et/26/1.pdf

Full analysis: https://app.any.run/tasks/2f888f6c-890b-40e6-adb3-2797717ed549
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 24, 2019, 16:03:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
Indicators:
MD5:

B79BB44496171A78810A506FC9BBD524

SHA1:

DDD2A34E80C232BB19D4DCEF10A9F78C5AA9A003

SHA256:

0B41C64A418EB8A10634E60D2D5E105541F4A5F16982387AD4C23185095DE5B2

SSDEEP:

3:N1KYdLBPmnEfwCyFVOlAQTLKzDK2Dn:CYd1PmGCFVOlAILAK2Dn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3072)
      • iexplore.exe (PID: 3628)

    • Downloads executable files with a strange extension

      • iexplore.exe (PID: 3072)
      • iexplore.exe (PID: 3628)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3072)
      • iexplore.exe (PID: 3628)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3072)
      • iexplore.exe (PID: 3676)

    • Creates files in the user directory

      • iexplore.exe (PID: 3072)

    • Application launched itself

      • iexplore.exe (PID: 3676)
      • AcroRd32.exe (PID: 2772)

    • Manual execution by user

      • explorer.exe (PID: 3868)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3628)

    • Changes internet zones settings

      • iexplore.exe (PID: 3676)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
9
Malicious processes
0
Suspicious processes
3

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe acrord32.exe no specs acrord32.exe no specs acrord32.exe no specs explorer.exe no specs iexplore.exe acrord32.exe no specs acrord32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3676"C:\Program Files\Internet Explorer\iexplore.exe" http://forestandseaclub.racevmarketing.com/wp-content/cache/et/26/1.pdfC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3072"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3676 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
900"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3072C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeiexplore.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
0
Version:
15.23.20070.215641
2904"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3072C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeiexplore.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
3228"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 3072C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
1
Version:
15.23.20070.215641
3868"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3628"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3676 CREDAT:14337C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2772"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3628C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeiexplore.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
4056"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 3628C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
Total events
945
Read events
580
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
2
Text files
9
Unknown types
4

Dropped files

PID
Process
Filename
Type
3676iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3676iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3228AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R141833s_v5zc1j_2ho.tmp
MD5:
SHA256:
3228AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1jrjbil_v5zc1k_2ho.tmp
MD5:
SHA256:
3228AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rvqlotr_v5zc1l_2ho.tmp
MD5:
SHA256:
3676iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA24B651BE8A260A2.TMP
MD5:
SHA256:
4056AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R10wd8hd_1mongdv_34o.tmp
MD5:
SHA256:
3072iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:A09941B03F8CD3B479D9481B46EF8BDC
SHA256:1249A42C143DF0773A758A0F50CCE974BB64E5CD0C21ECBCB0574069F318F30C
3072iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019052420190525\index.datdat
MD5:0720DD928018EF5EC433E10A843F5F7B
SHA256:7620407A3C9EC79C7E8D5D2467BFFA63A5383B855FA198A31698C09B9D2E128A
3072iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:51D2B9567703ACE5437B9EF6F9D03C68
SHA256:F654A8A9C7C7E536AED42E9D24ABC2305372B61428BA70AFA7417217F9A15C4A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3628
iexplore.exe
GET
200
91.215.216.26:80
http://forestandseaclub.racevmarketing.com/wp-content/cache/et/26/1.pdf
BG
executable
982 Kb
malicious
3072
iexplore.exe
GET
200
91.215.216.26:80
http://forestandseaclub.racevmarketing.com/wp-content/cache/et/26/1.pdf
BG
executable
982 Kb
malicious
3676
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3676
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3628
iexplore.exe
91.215.216.26:80
forestandseaclub.racevmarketing.com
Internet Corporated Networks Ltd.
BG
suspicious
3072
iexplore.exe
91.215.216.26:80
forestandseaclub.racevmarketing.com
Internet Corporated Networks Ltd.
BG
suspicious

DNS requests

Domain
IP
Reputation
forestandseaclub.racevmarketing.com
  • 91.215.216.26
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

PID
Process
Class
Message
3072
iexplore.exe
Misc activity
ET INFO Packed Executable Download
3072
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3072
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] JS/Agent.WL2!Eldorado Executable as PDF
3628
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3628
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] JS/Agent.WL2!Eldorado Executable as PDF
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://forestandseaclub.racevmarketing.com/wp-content/cache/et/26/1.pdf