File name: output.zip
Full analysis: https://app.any.run/tasks/898740f6-b992-491f-9fd4-a998ddab25d7
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: July 12, 2020, 17:55:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 4B4A6BDD5384285E2454AF09F0F294E1
SHA1: AAB7A56D388A11D616A807C9DF0AAE82AD209893
SHA256: 15877C129B2B0D7248AEF7CD634784A07549BE966151B2EA87D60F1818859382
SSDEEP: 196608:zRClh6oj5B6xMv/aO8mCCCCNgSQfR7riLIAKTV8acR7:zsb6sqevyO7CSiR7OL8T6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to CnC server
      • Avira.exe (PID: 3840)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2300)
    • Reads Environment values
      • Avira.exe (PID: 3840)
    • Reads Internet Cache Settings
      • Avira.exe (PID: 3840)
    • Creates files in the user directory
      • Avira.exe (PID: 3840)
  • INFO
    • Manual execution by user
      • explorer.exe (PID: 664)
      • explorer.exe (PID: 916)
      • WinRAR.exe (PID: 1716)
      • Avira.exe (PID: 3840)
    • Reads settings of System Certificates
      • Avira.exe (PID: 3840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:06:23 02:13:28
ZipCRC: 0x85ef640c
ZipCompressedSize: 8974218
ZipUncompressedSize: 616950192
ZipFileName: Avira.exe
No data.
All screenshots are available in the full report
Total processes: 51
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 2300
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\output.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 664
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 916
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1716
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\output.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3840
CMD: "C:\Users\admin\AppData\Local\Temp\output\Avira.exe"
Path: C:\Users\admin\AppData\Local\Temp\output\Avira.exe
Parent process: explorer.exe
User: admin
Company: Avira Operations GmbH & Co. KG
Integrity Level: MEDIUM
Description: Avira
Version: 1.2.144.30330
Total events: 1 287
Read events: 1 220
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 7
Text files: 9
Unknown types: 4

Dropped files

PID: 2300
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\output\Avira.exe
MD5:
SHA256:

PID: 3840
Process: Avira.exe
Filename: C:\Users\admin\AppData\Local\Temp\output\Avira.OE.NativeCore.dll.cfg
MD5:
SHA256:

PID: 3840
Process: Avira.exe
Filename: C:\Users\admin\AppData\Local\Temp\Cab5C98.tmp
MD5:
SHA256:

PID: 3840
Process: Avira.exe
Filename: C:\Users\admin\AppData\Local\Temp\Tar5C99.tmp
MD5:
SHA256:

PID: 3840
Process: Avira.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\1MNX6L4G.txt
MD5:
SHA256:

PID: 3840
Process: Avira.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
Type: binary
MD5: 516BCBA0E9F7BB9ACCC09EE3A7DCC774
SHA256: 0F18332F795D69BFBC1A6BF3DE8BF54B397E32FC61BB9380046C364F37CDC338

PID: 3840
Process: Avira.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\OETBX1M2.txt
Type: text
MD5: B7724FEE687E7466F174BF41414935B2
SHA256: 09654C54DC369742613E085FC5730D2B036D182F919362F128FFDAB102420E72

PID: 3840
Process: Avira.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_96CC490FC85792EAB20DD5F9AF554683
Type: binary
MD5: 0064A69C43AACEAE2C2BCC34795B4B4A
SHA256: DE5E4AA844F4720BB56217020B029DD841F97E08717D9D6A2348771B6A713BEC

PID: 3840
Process: Avira.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\XHRQFF2S.txt
Type: text
MD5: 728C13C2CE3C6D69A23F62FFB471CC3B
SHA256: C09F90F538C32AA3191CE94B271631E9F357240D7CA936585A9969CE9DDBC46E

PID: 3840
Process: Avira.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\P9K207BQ.txt
Type: text
MD5: F250661A20EB348BBB1400F7CD83842C
SHA256: BFA542356A4A79CB7C667C0FE6C380C5EFDBC838F15C4E9752ED7294B3BF11FC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 3
Threats: 0

HTTP requests

PID: 3840
Process: Avira.exe
Method: GET
HTTP Code: 200
IP: 172.217.18.3:80
URL: http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEH4Q2QH3rAPNCAAAAABH744%3D
CN: US
Type: der
Size: 471 b
Reputation: whitelisted

PID: 3840
Process: Avira.exe
Method: GET
HTTP Code: 200
IP: 172.217.18.3:80
URL: http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
CN: US
Type: der
Size: 468 b
Reputation: whitelisted

PID: 3840
Process: Avira.exe
Method: GET
HTTP Code: 200
IP: 52.149.212.203:80
URL: http://52.149.212.203/cont/index.php
CN: US
Reputation: malicious

PID: 3840
Process: Avira.exe
Method: GET
HTTP Code: 200
IP: 172.217.16.131:80
URL: http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
CN: US
Type: der
Size: 468 b
Reputation: whitelisted

PID: 3840
Process: Avira.exe
Method: GET
HTTP Code: 200
IP: 172.217.16.131:80
URL: http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEH4Q2QH3rAPNCAAAAABH744%3D
CN: US
Type: der
Size: 471 b
Reputation: whitelisted

Connections

PID: 3840
Process: Avira.exe
IP: 172.217.18.3:80
Domain: ocsp.pki.goog
ASN: Google Inc.
CN: US
Reputation: whitelisted

PID: 3840
Process: Avira.exe
IP: 172.217.16.206:443
Domain: docs.google.com
ASN: Google Inc.
CN: US
Reputation: whitelisted

PID: 3840
Process: Avira.exe
IP: 52.149.212.203:80
Domain:
ASN: Microsoft Corporation
CN: US
Reputation: malicious

PID: 3840
Process: Avira.exe
IP: 172.217.16.131:80
Domain: ocsp.pki.goog
ASN: Google Inc.
CN: US
Reputation: whitelisted

DNS requests

Domain: docs.google.com
IP: 172.217.16.206
Reputation: shared

Domain: ocsp.pki.goog
IP: 172.217.18.3, 172.217.16.131
Reputation: whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info