File name: | читы танки онлайн by Владленка Маршал.zip |
Full analysis: | https://app.any.run/tasks/02f68899-c56a-492e-8623-dc049635f8cb |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
Analysis date: | May 30, 2020, 17:27:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | 39CC8B5C0CC1CCA2DDBE61382DD56DCC |
SHA1: | CA5712B2F527EDD2B9C757411CB1C76357DF8FBB |
SHA256: | 1AEA8C7E2C49CF21DE7E3F52BDA7EE8DB5DA5095753326AD74CFFDE3A01E35F0 |
SSDEEP: | 393216:3MRZBAuYwIIYiIMJq1Q1pxGBNJi8880h7+IBxwx:3MRRTu2q+1pUB27lQ |
.xpi | | | Mozilla Firefox browser extension (66.6) |
---|---|---|
.zip | | | ZIP compressed archive (33.3) |
ZipRequiredVersion: | 10 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2014:06:01 12:05:20 |
ZipCRC: | 0x557c413c |
ZipCompressedSize: | 3563008 |
ZipUncompressedSize: | 3563008 |
ZipFileName: | ChOrg'er v4.6.EXE |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3952 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал.zip.xpi | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2996 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал.zip" "C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3404 | "C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ChOrg'er v4.6.EXE" | C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ChOrg'er v4.6.EXE | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
3964 | "C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ChOrg'er v4.6.EXE" | C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ChOrg'er v4.6.EXE | explorer.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2412 | "C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\ChOrg'er v4.6.EXE" -ORIGIN:"C:\Users\admin\Desktop\???? ????? ?????? by ????????? ??????\" | C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\ChOrg'er v4.6.EXE | ChOrg'er v4.6.EXE | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2724 | "C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\extracted\ChOrg'er v4.6.EXE" "C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\admin\Desktop\???? ????? ?????? by ????????? ??????\" | C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\extracted\ChOrg'er v4.6.EXE | ChOrg'er v4.6.EXE | |
User: admin Company: Cheat Engine Integrity Level: HIGH Description: Cheat Engine Exit code: 0 Version: 6.2.0.2635 | ||||
3876 | "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding | C:\Program Files\Internet Explorer\iexplore.exe | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3660 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3876 CREDAT:275457 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2864 | "C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ibto-trainer-v-1.0.exe" | C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ibto-trainer-v-1.0.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2352 | "C:\Users\admin\AppData\Local\Temp\ViRuS.exe" | C:\Users\admin\AppData\Local\Temp\ViRuS.exe | — | ibto-trainer-v-1.0.exe |
User: admin Integrity Level: MEDIUM Exit code: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3660 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\GUYAW6OX.txt | — | |
MD5:— | SHA256:— | |||
3876 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2412 | ChOrg'er v4.6.EXE | C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\extracted\CET_TRAINER.CETRAINER | binary | |
MD5:5618B877BF27A6FD1F4E61F20834F7AE | SHA256:3148051184300340A9F64592D6B61D11CB80B121D96737786175B68CE07FACFC | |||
2412 | ChOrg'er v4.6.EXE | C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\extracted\ChOrg'er v4.6.EXE | executable | |
MD5:566ABF9C4C139FD55957F83001C70DBE | SHA256:D62F9BB29214D7230DEB16F9E28095DA46F4C3588AB980FDBD11542ABA8BA693 | |||
3848 | ibto-trainer-v-1.0.exe | C:\Users\admin\AppData\Local\Temp\ibto-trainer-v-1.0Srv.exe | executable | |
MD5:17EFB7E40D4CADAF3A4369435A8772EC | SHA256:F515564B67EFD06FA42F57532FEAFC49D40B0FC36C5D4935300DD55416F0A386 | |||
2996 | WinRAR.exe | C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ChOrg'er v4.6.EXE | executable | |
MD5:C5D4F0E7459AA34D00C7BDCFEC04A956 | SHA256:322A2556EC4663C396CEBB2A863824F06B785BBBCB0CFC65B11984C9A842B1FD | |||
2864 | ibto-trainer-v-1.0.exe | C:\Users\admin\AppData\Local\Temp\ViRuS.exe | executable | |
MD5:EE7DF801BE3F56CF3324544669D3E964 | SHA256:045FC696B0D201C381C881068D66BE008E9885AF713A1933B5F5260FAFB844FD | |||
2996 | WinRAR.exe | C:\Users\admin\Desktop\читы танки онлайн by Владленка Маршал\ibto-trainer-v-1.0.exe | executable | |
MD5:763D9BA8E601BC96BCEE6605DA9B7BC4 | SHA256:E519550F4EDA717679E111B383CB4905D5BC8C497A399D9BD3290F12DE9C3054 | |||
3660 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\reklama160-600[1].htm | html | |
MD5:7E16288E61098DED8C66D111D5B755F7 | SHA256:E8DA2C2334B65699B1BE89A39ACAA5F20681A5F44534C8567AC8AC83620704EA | |||
3964 | ChOrg'er v4.6.EXE | C:\Users\admin\AppData\Local\Temp\cetrainers\CET3A72.tmp\CET_Archive.dat | binary | |
MD5:E9BC7FB5E5F32E65D68966C9D1097E4E | SHA256:1EEC9FDD67876B931889F43C6B3E8F9C3FA5052F141655D84044E013AE03860D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3660 | iexplore.exe | GET | 200 | 91.196.136.5:80 | http://www.9steps.ru/reklama160-600.php?cewidth=160&ceheight=600&fn=ChOrg'er%20v4.6&counter=1 | GB | html | 1.04 Kb | unknown |
3660 | iexplore.exe | GET | 404 | 91.196.136.5:80 | http://www.9steps.ru/favicon.ico | GB | html | 313 b | unknown |
3660 | iexplore.exe | GET | 200 | 88.212.201.198:80 | http://counter.yadro.ru/hit?q;t45.1;r;s1280*720*24;uhttp%3A//www.9steps.ru/reklama160-600.php%3Fcewidth%3D160%26ceheight%3D600%26fn%3DChOrg%27er%20v4.6%26counter%3D1;0.40709800343969254 | RU | image | 112 b | whitelisted |
3876 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
2912 | iexplore.exe | GET | 301 | 87.240.190.67:80 | http://vk.com/id231958707 | RU | html | 159 b | whitelisted |
3660 | iexplore.exe | GET | 302 | 88.212.201.198:80 | http://counter.yadro.ru/hit?t45.1;r;s1280*720*24;uhttp%3A//www.9steps.ru/reklama160-600.php%3Fcewidth%3D160%26ceheight%3D600%26fn%3DChOrg%27er%20v4.6%26counter%3D1;0.40709800343969254 | RU | html | 32 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2284 | iexplore.exe | 172.217.23.174:80 | google.com | Google Inc. | US | whitelisted |
3876 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3660 | iexplore.exe | 91.196.136.5:80 | www.9steps.ru | Transit Telecom LLC | GB | unknown |
2912 | iexplore.exe | 87.240.190.67:80 | vk.com | VKontakte Ltd | RU | suspicious |
3876 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3660 | iexplore.exe | 88.212.201.198:80 | counter.yadro.ru | United Network LLC | RU | suspicious |
2912 | iexplore.exe | 87.240.190.67:443 | vk.com | VKontakte Ltd | RU | suspicious |
2284 | iexplore.exe | 35.224.11.86:443 | zahlung.name | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.9steps.ru |
| unknown |
counter.yadro.ru |
| whitelisted |
www.bing.com |
| whitelisted |
api.bing.com |
| whitelisted |
vk.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
zahlung.name |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2284 | iexplore.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2284 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin |
2284 | iexplore.exe | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
2284 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin |
Process | Message |
---|---|
ChOrg'er v4.6.EXE | Offset of LBR_Count=760 |
ChOrg'er v4.6.EXE | sizeof fxstate = 512 |
ibto-trainer-v-1.0.exe | Offset of LBR_Count=760 |
ibto-trainer-v-1.0.exe | sizeof fxstate = 512 |
ibto-trainer-v-1.0.exe | openProcessEpilogue called |
ibto-trainer-v-1.0.exe | Retrieved the module list |
ibto-trainer-v-1.0.exe | processhandle is 0, so disabling gui |
ibto-trainer-v-1.0.exe | processhandle is 0, so disabling gui |