File name: | 5250255863349248.zip |
Full analysis: | https://app.any.run/tasks/0a7652e3-098c-496b-8615-d76753923b59 |
Verdict: | Malicious activity |
Threats: | TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. |
Analysis date: | August 25, 2019, 09:17:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | FD5946F2085CD379B53DE567E709E3D6 |
SHA1: | 4C029A72EEBEFF5FA97E682542E3AFD5AB4DD12D |
SHA256: | 18E07E4292B5A0FAAC0DC1CCE366F7744025BF91ADBA3BFDCA99EA770A2B704A |
SSDEEP: | 6144:pi0cK+SfJvrEv6iZip+Le9qkU2cl1X0nadpc9l7c4JZ08UUCgPz+:U0cFwvIvy9Yjl1kazc9hNJZn7+ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 11d59bad3177cbed5577816c93414343c0c745bdb226349b43ba5a9814007feb |
---|---|
ZipUncompressedSize: | 499712 |
ZipCompressedSize: | 291279 |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 1980:00:00 00:00:00 |
ZipCompression: | Unknown (99) |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3408 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\5250255863349248.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2840 | "C:\Users\admin\Desktop\123.exe" | C:\Users\admin\Desktop\123.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Win32 API DLL Exit code: 0 Version: 6.1.7601.17887 (win7sp1_gdr.120704-0720) | ||||
3852 | "C:\ProgramData\ПАКсЕыЦолИс.exe" | C:\ProgramData\ПАКсЕыЦолИс.exe | 123.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Win32 API DLL Exit code: 0 Version: 6.1.7601.17887 (win7sp1_gdr.120704-0720) | ||||
2772 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3796 | "C:\Users\admin\AppData\Roaming\speedlink\ПАКсЕыЦолИс.exe" | C:\Users\admin\AppData\Roaming\speedlink\ПАКсЕыЦолИс.exe | — | DllHost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Win32 API DLL Exit code: 0 Version: 6.1.7601.17887 (win7sp1_gdr.120704-0720) | ||||
184 | C:\Users\admin\AppData\Roaming\speedlink\ПАКсЕыЦолИс.exe | C:\Users\admin\AppData\Roaming\speedlink\ПАКсЕыЦолИс.exe | taskeng.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Net Win32 API DLL Version: 6.1.7601.17887 (win7sp1_gdr.120704-0720) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3408 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3408.19244\11d59bad3177cbed5577816c93414343c0c745bdb226349b43ba5a9814007feb | — | |
MD5:— | SHA256:— | |||
184 | ПАКсЕыЦолИс.exe | C:\Windows\TEMP\CabF075.tmp | — | |
MD5:— | SHA256:— | |||
184 | ПАКсЕыЦолИс.exe | C:\Windows\TEMP\TarF076.tmp | — | |
MD5:— | SHA256:— | |||
184 | ПАКсЕыЦолИс.exe | C:\Windows\TEMP\CabF097.tmp | — | |
MD5:— | SHA256:— | |||
184 | ПАКсЕыЦолИс.exe | C:\Windows\TEMP\TarF098.tmp | — | |
MD5:— | SHA256:— | |||
184 | ПАКсЕыЦолИс.exe | C:\Windows\TEMP\Cab569.tmp | — | |
MD5:— | SHA256:— | |||
184 | ПАКсЕыЦолИс.exe | C:\Windows\TEMP\Tar56A.tmp | — | |
MD5:— | SHA256:— | |||
184 | ПАКсЕыЦолИс.exe | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | compressed | |
MD5:58A3BADC25E15583224E2B922F370A4F | SHA256:7E0630E9C468031329CAD1A21BFB37C12153BDA0F4D6298EE1B8682DD0C35F8A | |||
184 | ПАКсЕыЦолИс.exe | C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:99CA3074A3E99F2E9DEA93F389BE9C3A | SHA256:990EDB7C2E21FB8FAE3E2C04DED5C31479442EB033499AED752995D8CAA45E5B | |||
3852 | ПАКсЕыЦолИс.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\0f5007522459c86e95ffcc62f32308f1_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:224A25EC632C7991C210657B8A63274F | SHA256:6E51E0D6940D1FC3A1047903631D75562BD332ABF8FF887BDE440C51B6A79596 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
184 | ПАКсЕыЦолИс.exe | GET | 200 | 23.23.243.154:80 | http://api.ipify.org/ | US | text | 12 b | shared |
184 | ПАКсЕыЦолИс.exe | GET | 200 | 13.107.4.50:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 56.6 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
184 | ПАКсЕыЦолИс.exe | 31.184.253.6:443 | — | — | RU | malicious |
184 | ПАКсЕыЦолИс.exe | 178.157.82.90:443 | — | Nav Communications Srl | RO | suspicious |
184 | ПАКсЕыЦолИс.exe | 13.107.4.50:80 | www.download.windowsupdate.com | Microsoft Corporation | US | whitelisted |
184 | ПАКсЕыЦолИс.exe | 23.23.243.154:80 | api.ipify.org | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.download.windowsupdate.com |
| whitelisted |
api.ipify.org |
| shared |
116.82.254.5.zen.spamhaus.org |
| unknown |
116.82.254.5.cbl.abuseat.org |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
184 | ПАКсЕыЦолИс.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot) |
184 | ПАКсЕыЦолИс.exe | A Network Trojan was detected | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) |
184 | ПАКсЕыЦолИс.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot) |
184 | ПАКсЕыЦолИс.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org |
184 | ПАКсЕыЦолИс.exe | A Network Trojan was detected | MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection |