analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

JK9VEvkA098t.zip

Full analysis: https://app.any.run/tasks/654cb04c-db6b-436c-bb0c-939a55082b01
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 06:04:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
gozi
ursnif
dreambot
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

F934E4C737BF1B966E6E33290B61C161

SHA1:

30F01B73EE5B9C0683A1360DFFD6C510F9C082D9

SHA256:

134F9A38F0976A3372529020D4A22DF2BF2DC1AB3062006A5583A6A0D9C3CE71

SSDEEP:

12288:aYLp/e/4VoMronj4REkCSXEBMDJJaImw3TRkp+UoDfo4yiwN:aQ/e/K8jGElSXlDJJaImw3TRhDwL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2456)
      • rundll32.exe (PID: 1988)

    • URSNIF was detected

      • iexplore.exe (PID: 2840)

    • Connects to CnC server

      • iexplore.exe (PID: 2840)

  • SUSPICIOUS

    • Executed via WMI

      • rundll32.exe (PID: 1988)
      • rundll32.exe (PID: 2456)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2976)

    • Executed via COM

      • iexplore.exe (PID: 3384)

    • Executes scripts

      • WinRAR.exe (PID: 2148)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3384)
      • iexplore.exe (PID: 2840)

    • Application launched itself

      • iexplore.exe (PID: 3384)

    • Changes internet zones settings

      • iexplore.exe (PID: 3384)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3384)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3384)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2840)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: JK9VEvkA098t.vbs
ZipUncompressedSize: 1392613
ZipCompressedSize: 612392
ZipCRC: 0x031b2f48
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe rundll32.exe no specs wscript.exe no specs rundll32.exe no specs iexplore.exe #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2148"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\JK9VEvkA098t.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2976"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2148.24135\JK9VEvkA098t.vbs" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1988rundll32 C:\Users\admin\AppData\Local\Temp\future.pl,DllRegisterServerC:\Windows\system32\rundll32.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
440"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2148.27828\JK9VEvkA098t.vbs" C:\Windows\System32\WScript.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2456rundll32 C:\Users\admin\AppData\Local\Temp\future.pl,DllRegisterServerC:\Windows\system32\rundll32.exewmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3384"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2840"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3384 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
2 131
Read events
2 024
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
9
Text files
20
Unknown types
4

Dropped files

PID
Process
Filename
Type
2976WScript.exeC:\Users\admin\AppData\Local\Temp\bryophyta.ttftext
MD5:1B902A4991B0F55104A10C9D14D5C5A4
SHA256:D1D9BFA0BEBE39872FF8DB4CD0C87D935279A46E6253CBDC0CEC74CB41A344AB
440WScript.exeC:\Users\admin\AppData\Local\Temp\ant (2).s3mtext
MD5:79FB5F7B74147C0246C5F2C3E2C335CB
SHA256:A9733A8BB247302DCA90E6DBCFDF6A9F8CA21C593BD2152E3F0BDB2C37CAAA46
440WScript.exeC:\Users\admin\AppData\Local\Temp\bryophyta (2).ttftext
MD5:1B902A4991B0F55104A10C9D14D5C5A4
SHA256:D1D9BFA0BEBE39872FF8DB4CD0C87D935279A46E6253CBDC0CEC74CB41A344AB
2976WScript.exeC:\Users\admin\AppData\Local\Temp\arcsine.zipcompressed
MD5:1815748998B3271408DD8FF486EF87C7
SHA256:CB6296149F904BCCEC4D3F2667C74C9887068241D1035CE935EF4D00ACF9073D
3384iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF4E2B6E3B357A3A86.TMP
MD5:
SHA256:
2976WScript.exeC:\Users\admin\AppData\Local\Temp\enormity.dxftext
MD5:3EF5123CF1AF5E334CF8CFF07AF8C4A9
SHA256:E3C056A0F311975A956A5DD2299F8A6E1DDA7637C27987064404A26A6AB724EE
2840iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\errorPageStrings[2]text
MD5:E3E4A98353F119B80B323302F26B78FA
SHA256:9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66
2976WScript.exeC:\Users\admin\AppData\Local\Temp\culpable.artext
MD5:CC9797EAF901EF6BF5D4955F5B6B6D84
SHA256:979E910C898FD93A46D78FD604450E39FFF893624BC81EC55BE9E2E5082F41E5
2976WScript.exeC:\Users\admin\AppData\Local\Temp\adobe.urltext
MD5:685EC51875CADACC2B845A289C5E8D6D
SHA256:B29099A54F1D5071DD700C24A448F4C16479AADF4CCA72E0D6CBF391A847894B
440WScript.exeC:\Users\admin\AppData\Local\Temp\arcsine.zipcompressed
MD5:1815748998B3271408DD8FF486EF87C7
SHA256:CB6296149F904BCCEC4D3F2667C74C9887068241D1035CE935EF4D00ACF9073D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
8
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3384
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3384
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3384
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2840
iexplore.exe
GET
404
8.208.101.13:80
http://api10.laptok.at/api1/dilL7ICuXr/T0fw17aXDmPwcSvtM/Lda2DD_2BIcT/aiFC585s618/hw67ol4zt_2FJo/yhkZBVsl7q_2FcFneoFQ4/3QbHbcY2x2VYUXEd/GWioxOkEDLJEw_2/F0_2BFRo1VRN3bZqol/5vIgdigQ8/Lue3fAOjjikNpviqfp4I/2J9dfo0IiyOgLRIQ48Y/3RhQ4GJL1pLXLlr0ExSOvH/3mvi08GVbohHO/4PXv1XXd/K69VI_2F88GuwEOaVrQFsHw/wMpPkkNJKR/chIPhd_0A_0DYIVk_/2FLHXSqq4Y5g/aJQMYCm_2B9/zvBVKQpCvijFAH4uovZJRC/1
US
html
106 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3384
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2840
iexplore.exe
8.208.101.13:80
api10.laptok.at
Level 3 Communications, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
api10.laptok.at
  • 8.208.101.13
malicious
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
2840
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Ursnif
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
JK9VEvkA098t.zip