analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Calculation-1615967001-10162020.zip

Full analysis: https://app.any.run/tasks/56966e54-35d8-4b23-ad96-ee70b817b176
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 01:45:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
qbot
maldoc-42
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

ADF7F5690D2910654EEC68232494EF55

SHA1:

F92D1CD098017791B60D5AA2A01958FDA87DC288

SHA256:

0D8C2587AC3C7D3F9DAF48ABCE05229CF17DE620C07D22BFFEADE71E3EA0A330

SSDEEP:

384:lSli/1oWSGmjtyxVptN7KU0eJQXPyGYhKsrNwX:lhOCPxVDFFkltX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • nosto.exe (PID: 772)
      • nosto.exe (PID: 4032)
      • ytfovlym.exe (PID: 4008)
      • ytfovlym.exe (PID: 1784)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 980)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 980)

    • Downloads executable files with a strange extension

      • EXCEL.EXE (PID: 980)

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 980)

    • QBOT was detected

      • nosto.exe (PID: 772)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 4060)

  • SUSPICIOUS

    • Application launched itself

      • nosto.exe (PID: 772)
      • ytfovlym.exe (PID: 4008)

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2244)

    • Starts itself from another location

      • nosto.exe (PID: 772)

    • Executable content was dropped or overwritten

      • nosto.exe (PID: 772)
      • cmd.exe (PID: 4060)

    • Creates files in the user directory

      • nosto.exe (PID: 772)

    • Starts CMD.EXE for commands execution

      • nosto.exe (PID: 772)

  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 980)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 980)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 980)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 4060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Calculation-1615967001-10162020.xlsb
ZipUncompressedSize: 26682
ZipCompressedSize: 21412
ZipCRC: 0xcf3fa181
ZipModifyDate: 2020:10:19 16:21:23
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs excel.exe #QBOT nosto.exe nosto.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2244"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-1615967001-10162020.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
980"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
772"C:\Hromo\Nivadalo\nosto.exe" C:\Hromo\Nivadalo\nosto.exe
EXCEL.EXE
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
4032C:\Hromo\Nivadalo\nosto.exe /CC:\Hromo\Nivadalo\nosto.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
4008C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
4060"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe"C:\Windows\System32\cmd.exe
nosto.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3540ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1784C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2812C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 161
Read events
1 094
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
4
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
980EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR7AA6.tmp.cvr
MD5:
SHA256:
980EXCEL.EXEC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:7FE68EA4B9A560B0A75DEC16F88E15C6
SHA256:1EA355CDD4574702623527AC4D86E8F9DEF61A13AA8945521FF509453CC3DCE1
980EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\RLXITSGZ.txttext
MD5:7369DD77FDE8E9C32E4BE8ED92D98366
SHA256:368C9A22F18C71CC2E03312D874AE9A85EA45DC2D62F84E06F5AF3E579F5C840
2244WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2244.18959\Calculation-1615967001-10162020.xlsbdocument
MD5:B36DCD5C4A0AA9FF913DA45545D61150
SHA256:1FC855C9FE30C63A94DC58EE45D58B0B4A24D8777B06DAEDC7E4B975156E7AA7
980EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].pngexecutable
MD5:7FE68EA4B9A560B0A75DEC16F88E15C6
SHA256:1EA355CDD4574702623527AC4D86E8F9DEF61A13AA8945521FF509453CC3DCE1
772nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:36C06D6FD4497F8D73907040E6CF703C
SHA256:6611D4510FCEF298EE7C83C1AF55A43CD2CEDD7E3EB4E1EEA1B1985556C61BEE
772nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:7FE68EA4B9A560B0A75DEC16F88E15C6
SHA256:1EA355CDD4574702623527AC4D86E8F9DEF61A13AA8945521FF509453CC3DCE1
2812explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:E0343E107C74D622BCE9153A024209E3
SHA256:1CF24EF1F18A9A0055FAE164C5A5E8AF40035EC62BE711B34DF2FA95B39F7334
4060cmd.exeC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
980
EXCEL.EXE
GET
200
172.67.182.215:80
http://cinefreak.info/dzvkbppmkym/3415201.png
US
executable
1.02 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
980
EXCEL.EXE
104.27.183.167:80
cinefreak.info
Cloudflare Inc
US
shared
980
EXCEL.EXE
172.67.182.215:80
cinefreak.info
US
malicious

DNS requests

Domain
IP
Reputation
cinefreak.info
  • 104.27.183.167
  • 172.67.182.215
  • 104.27.182.167
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
980
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
980
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
980
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
980
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
980
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
980
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Calculation-1615967001-10162020.zip