File name: читы танки онлайн by Владленка Маршал.zip (Russian: "cheats Tanki Online by Vladlenka Marshal")

Full analysis: https://app.any.run/tasks/02f68899-c56a-492e-8623-dc049635f8cb
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: May 30, 2020, 17:27:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, ramnit
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 39CC8B5C0CC1CCA2DDBE61382DD56DCC
SHA1: CA5712B2F527EDD2B9C757411CB1C76357DF8FBB
SHA256: 1AEA8C7E2C49CF21DE7E3F52BDA7EE8DB5DA5095753326AD74CFFDE3A01E35F0
SSDEEP: 393216:3MRZBAuYwIIYiIMJq1Q1pxGBNJi8880h7+IBxwx:3MRRTu2q+1pUB27lQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ChOrg'er v4.6.EXE (PID: 3404)
      • ChOrg'er v4.6.EXE (PID: 3964)
      • ChOrg'er v4.6.EXE (PID: 2412)
      • ChOrg'er v4.6.EXE (PID: 2724)
      • ibto-trainer-v-1.0.exe (PID: 2864)
      • ViRuS.exe (PID: 2352)
      • ibto-trainer-v-1.0.exe (PID: 2548)
      • ibto-trainer-v-1.0Srv.exe (PID: 2240)
      • RMS.exe (PID: 3300)
      • DesktopLayer.exe (PID: 3492)
      • RMS.exe (PID: 3208)
      • ibto-trainer-v-1.0.exe (PID: 3848)
      • ibto-trainer-v-1.0.exe (PID: 2404)
    • Loads dropped or rewritten executable

      • ChOrg'er v4.6.EXE (PID: 2724)
      • ibto-trainer-v-1.0.exe (PID: 2460)
    • Changes the login/logoff helper path in the registry

      • iexplore.exe (PID: 2284)
    • RAMNIT was detected

      • iexplore.exe (PID: 2284)
    • Connects to CnC server

      • iexplore.exe (PID: 2284)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2996)
      • ChOrg'er v4.6.EXE (PID: 3964)
      • ChOrg'er v4.6.EXE (PID: 2412)
      • ibto-trainer-v-1.0.exe (PID: 2864)
      • ibto-trainer-v-1.0.exe (PID: 3848)
      • ibto-trainer-v-1.0Srv.exe (PID: 2240)
      • cmd.exe (PID: 3512)
    • Executed via COM

      • iexplore.exe (PID: 3876)
      • iexplore.exe (PID: 3788)
    • Changes the started page of IE

      • ViRuS.exe (PID: 2352)
    • Creates files in the program directory

      • iexplore.exe (PID: 2284)
      • ibto-trainer-v-1.0Srv.exe (PID: 2240)
      • cmd.exe (PID: 3512)
    • Starts Internet Explorer

      • DesktopLayer.exe (PID: 3492)
    • Uses TASKKILL.EXE to kill process

      • ViRuS.exe (PID: 2352)
    • Starts CMD.EXE for commands execution

      • RMS.exe (PID: 3300)
    • Creates files in the Windows directory

      • cmd.exe (PID: 3512)
  • INFO

    • Manual execution by user

      • ChOrg'er v4.6.EXE (PID: 3404)
      • ChOrg'er v4.6.EXE (PID: 3964)
      • WinRAR.exe (PID: 2996)
      • ibto-trainer-v-1.0.exe (PID: 2864)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3876)
      • iexplore.exe (PID: 3660)
      • iexplore.exe (PID: 3788)
      • iexplore.exe (PID: 2912)
    • Changes internet zones settings

      • iexplore.exe (PID: 3876)
      • iexplore.exe (PID: 3788)
    • Creates files in the user directory

      • iexplore.exe (PID: 3660)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3660)
    • Application launched itself

      • iexplore.exe (PID: 3788)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3876)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3876)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2014:06:01 12:05:20
ZipCRC: 0x557c413c
ZipCompressedSize: 3563008
ZipUncompressedSize: 3563008
ZipFileName: ChOrg'er v4.6.EXE
No data.
All screenshots are available in the full report
Total processes: 73
Monitored processes: 26
Malicious processes: 5
Suspicious processes: 2

Behavior graph

[Behavior graph image, available in the full report: start / drop-and-start chain among rundll32.exe, winrar.exe, chorg'er v4.6.exe, iexplore.exe, ibto-trainer-v-1.0.exe, virus.exe, rms.exe, ibto-trainer-v-1.0srv.exe, desktoplayer.exe, iexplore.exe (#RAMNIT), taskkill.exe, cmd.exe and msiexec.exe]

Process information

PID: 3952
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал.zip.xpi
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2996
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал.zip" "C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3404
CMD: "C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ChOrg'er v4.6.EXE"
Path: C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ChOrg'er v4.6.EXE
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID: 3964
CMD: "C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ChOrg'er v4.6.EXE"
Path: C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ChOrg'er v4.6.EXE
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2412
CMD: "C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\ChOrg'er v4.6.EXE" -ORIGIN:"C:\Users\admin\Desktop\???? ????? ?????? by ????????? ??????\"
Path: C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\ChOrg'er v4.6.EXE
Parent process: ChOrg'er v4.6.EXE
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2724
CMD: "C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\extracted\ChOrg'er v4.6.EXE" "C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\admin\Desktop\???? ????? ?????? by ????????? ??????\"
Path: C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\extracted\ChOrg'er v4.6.EXE
Parent process: ChOrg'er v4.6.EXE
User: admin
Company: Cheat Engine
Integrity Level: HIGH
Description: Cheat Engine
Exit code: 0
Version: 6.2.0.2635

PID: 3876
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3660
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3876 CREDAT:275457 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2864
CMD: "C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ibto-trainer-v-1.0.exe"
Path: C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ibto-trainer-v-1.0.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2352
CMD: "C:\Users\admin\AppData\Local\Temp\ViRuS.exe"
Path: C:\Users\admin\AppData\Local\Temp\ViRuS.exe
Parent process: ibto-trainer-v-1.0.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Total events: 1 624
Read events: 1 146
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 14
Suspicious files: 4
Text files: 8
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3660 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\GUYAW6OX.txt | -
MD5:
SHA256:
3876 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | -
MD5:
SHA256:
2412 | ChOrg'er v4.6.EXE | C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\extracted\CET_TRAINER.CETRAINER | binary
MD5:5618B877BF27A6FD1F4E61F20834F7AE
SHA256:3148051184300340A9F64592D6B61D11CB80B121D96737786175B68CE07FACFC
2412 | ChOrg'er v4.6.EXE | C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\extracted\ChOrg'er v4.6.EXE | executable
MD5:566ABF9C4C139FD55957F83001C70DBE
SHA256:D62F9BB29214D7230DEB16F9E28095DA46F4C3588AB980FDBD11542ABA8BA693
3848 | ibto-trainer-v-1.0.exe | C:\Users\admin\AppData\Local\Temp\ibto-trainer-v-1.0Srv.exe | executable
MD5:17EFB7E40D4CADAF3A4369435A8772EC
SHA256:F515564B67EFD06FA42F57532FEAFC49D40B0FC36C5D4935300DD55416F0A386
2996 | WinRAR.exe | C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ChOrg'er v4.6.EXE | executable
MD5:C5D4F0E7459AA34D00C7BDCFEC04A956
SHA256:322A2556EC4663C396CEBB2A863824F06B785BBBCB0CFC65B11984C9A842B1FD
2864 | ibto-trainer-v-1.0.exe | C:\Users\admin\AppData\Local\Temp\ViRuS.exe | executable
MD5:EE7DF801BE3F56CF3324544669D3E964
SHA256:045FC696B0D201C381C881068D66BE008E9885AF713A1933B5F5260FAFB844FD
2996 | WinRAR.exe | C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ibto-trainer-v-1.0.exe | executable
MD5:763D9BA8E601BC96BCEE6605DA9B7BC4
SHA256:E519550F4EDA717679E111B383CB4905D5BC8C497A399D9BD3290F12DE9C3054
3660 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\reklama160-600[1].htm | html
MD5:7E16288E61098DED8C66D111D5B755F7
SHA256:E8DA2C2334B65699B1BE89A39ACAA5F20681A5F44534C8567AC8AC83620704EA
3964 | ChOrg'er v4.6.EXE | C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\CET_Archive.dat | binary
MD5:E9BC7FB5E5F32E65D68966C9D1097E4E
SHA256:1EEC9FDD67876B931889F43C6B3E8F9C3FA5052F141655D84044E013AE03860D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 13
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3660 | iexplore.exe | GET | 200 | 91.196.136.5:80 | http://www.9steps.ru/reklama160-600.php?cewidth=160&ceheight=600&fn=ChOrg'er%20v4.6&counter=1 | GB | html | 1.04 Kb | unknown
3660 | iexplore.exe | GET | 404 | 91.196.136.5:80 | http://www.9steps.ru/favicon.ico | GB | html | 313 b | unknown
3660 | iexplore.exe | GET | 200 | 88.212.201.198:80 | http://counter.yadro.ru/hit?q;t45.1;r;s1280*720*24;uhttp%3A//www.9steps.ru/reklama160-600.php%3Fcewidth%3D160%26ceheight%3D600%26fn%3DChOrg%27er%20v4.6%26counter%3D1;0.40709800343969254 | RU | image | 112 b | whitelisted
3876 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
2912 | iexplore.exe | GET | 301 | 87.240.190.67:80 | http://vk.com/id231958707 | RU | html | 159 b | whitelisted
3660 | iexplore.exe | GET | 302 | 88.212.201.198:80 | http://counter.yadro.ru/hit?t45.1;r;s1280*720*24;uhttp%3A//www.9steps.ru/reklama160-600.php%3Fcewidth%3D160%26ceheight%3D600%26fn%3DChOrg%27er%20v4.6%26counter%3D1;0.40709800343969254 | RU | html | 32 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2284 | iexplore.exe | 172.217.23.174:80 | google.com | Google Inc. | US | whitelisted
3876 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3660 | iexplore.exe | 91.196.136.5:80 | www.9steps.ru | Transit Telecom LLC | GB | unknown
2912 | iexplore.exe | 87.240.190.67:80 | vk.com | VKontakte Ltd | RU | suspicious
3876 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3660 | iexplore.exe | 88.212.201.198:80 | counter.yadro.ru | United Network LLC | RU | suspicious
2912 | iexplore.exe | 87.240.190.67:443 | vk.com | VKontakte Ltd | RU | suspicious
2284 | iexplore.exe | 35.224.11.86:443 | zahlung.name | - | US | malicious

DNS requests

Domain | IP | Reputation
www.9steps.ru | 91.196.136.5 | unknown
counter.yadro.ru | 88.212.201.198, 88.212.201.216, 88.212.201.204, 88.212.201.210 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
vk.com | 87.240.190.67, 87.240.190.72, 87.240.190.78, 93.186.225.208, 87.240.139.194, 87.240.137.158 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
google.com | 172.217.23.174 | whitelisted
zahlung.name | 35.224.11.86 | malicious

Threats

PID | Process | Class | Message
2284 | iexplore.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin
2284 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin
2284 | iexplore.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin
2284 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin
Process | Message
ChOrg'er v4.6.EXE | Offset of LBR_Count=760
ChOrg'er v4.6.EXE | sizeof fxstate = 512
ibto-trainer-v-1.0.exe | Offset of LBR_Count=760
ibto-trainer-v-1.0.exe | sizeof fxstate = 512
ibto-trainer-v-1.0.exe | openProcessEpilogue called
ibto-trainer-v-1.0.exe | Retrieved the module list
ibto-trainer-v-1.0.exe | processhandle is 0, so disabling gui
ibto-trainer-v-1.0.exe | processhandle is 0, so disabling gui