analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Fedex.com Brute by Plyshka.zip

Full analysis: https://app.any.run/tasks/2c116153-4e02-47a2-abf1-d7225bbdce76
Verdict: Malicious activity
Analysis date: September 19, 2019, 08:24:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

9F874EFC402D835BE7D29BCD2A7262C2

SHA1:

2D61EA82BBC757AEF9968BF6BE9E8BF9DD14718D

SHA256:

0CBD55FAE3822CF80720C4CA65F6AE9CA9C05F50443B3B8F795DA962A8811748

SSDEEP:

98304:n8yTBsUqZ784itxYu9h2hKwbI2oG/i4eqiE01Oms97:TGPS4i7b3yKK5i4epE0ls97

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Fedex.com Brute by Plyshka.exe (PID: 3096)
      • SearchProtocolHost.exe (PID: 1728)
    • Application was dropped or rewritten from another process

      • Fedex.com Brute by Plyshka.exe (PID: 3096)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3052)
  • INFO

    • Manual execution by user

      • Fedex.com Brute by Plyshka.exe (PID: 3096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Fedex.com Brute by Plyshka/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2019:09:19 11:23:25
ZipCompression: None
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs fedex.com brute by plyshka.exe

Process information

PID
CMD
Path
Indicators
Parent process
3052"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Fedex.com Brute by Plyshka.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1728"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3096"C:\Users\admin\Desktop\Fedex.com Brute by Plyshka\Fedex.com Brute by Plyshka.exe" C:\Users\admin\Desktop\Fedex.com Brute by Plyshka\Fedex.com Brute by Plyshka.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.0.0.0
Total events
1 279
Read events
1 191
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3052WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3052.48854\Fedex.com Brute by Plyshka\10000.txtbinary
MD5:17386329C8ECC7C0FAB3B318C7A67BF3
SHA256:31CAA6F1512FED254C4583D37662CF2268C2D5D022AD625E189E5E3FB14E6FFD
3096Fedex.com Brute by Plyshka.exeC:\Users\admin\Desktop\Fedex.com Brute by Plyshka\Rezult\Rezult(9.25.15 AM)\Remains Accounts.txttext
MD5:B3DDE0065E2D8D7CA76C061081639EC3
SHA256:EA7CF7E80C687909B888E9EF3B9E01140FBC747826A343AC2A2D5229177C981F
3052WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3052.48854\Fedex.com Brute by Plyshka\Fedex.com Brute by Plyshka.exeexecutable
MD5:C63A30854A88D6F1CF3F18795221C79E
SHA256:35765E370F93BC0750EA8E0EA024FAB21C35DA10FAFCACEBE50EC21050837010
3052WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3052.48854\Fedex.com Brute by Plyshka\p.txttext
MD5:1AB58AC0D5FB38EF3120475CDC4D2C26
SHA256:20D28E8394F0346AA7F30BAB45AA73AF69AE387435EC90E0240C9047D624B683
3052WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3052.48854\Fedex.com Brute by Plyshka\ssleay32.dllexecutable
MD5:9B3921B65E656FCD9D27423F8283033C
SHA256:89DCCAC92BC457B9180C0389B824AACEBF4A934EE2F0B37F4A6E3865799ECC6A
3052WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3052.48854\Fedex.com Brute by Plyshka\libeay32.dllexecutable
MD5:ABEF7052E350DB0C7882CFED969066E1
SHA256:5B4E6E7FF551A2A48F1BAB0AC27421930A6215A9F5E52E95297C8BA31484D1F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
594
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3096
Fedex.com Brute by Plyshka.exe
202.137.10.179:57338
Linknet ASN
ID
suspicious
3096
Fedex.com Brute by Plyshka.exe
193.117.138.126:46875
Telstra Europe Ltd
GB
suspicious
3096
Fedex.com Brute by Plyshka.exe
31.193.124.70:53281
Elitel Ltd.
RU
unknown
3096
Fedex.com Brute by Plyshka.exe
131.196.192.31:36213
GUARANICARD S.A.
PY
unknown
3096
Fedex.com Brute by Plyshka.exe
103.212.93.241:48818
SOFT CALL CUST-O-CARE PRIVATE LIMITED
IN
unknown
3096
Fedex.com Brute by Plyshka.exe
43.228.222.114:59804
Gigantic Internet Services Pvt. Ltd.
IN
suspicious
3096
Fedex.com Brute by Plyshka.exe
43.231.76.129:4145
Gateway Online Access Limited
BD
suspicious
3096
Fedex.com Brute by Plyshka.exe
103.86.192.238:4145
SPEED LINK
BD
unknown
3096
Fedex.com Brute by Plyshka.exe
144.76.163.25:29812
Hetzner Online GmbH
DE
unknown
3096
Fedex.com Brute by Plyshka.exe
187.102.16.70:51327
Guanhaes Internet LTDA-ME
BR
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
3096
Fedex.com Brute by Plyshka.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3096
Fedex.com Brute by Plyshka.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3096
Fedex.com Brute by Plyshka.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3096
Fedex.com Brute by Plyshka.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
No debug info