File name: | svchost.zip |
Full analysis: | https://app.any.run/tasks/761d2b1a-5144-4c49-b5a3-7a23c3533d86 |
Verdict: | Malicious activity |
Threats: | Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud. |
Analysis date: | January 11, 2020, 07:24:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | EF1E4C04BF60CACA1DFE0386A4F11D97 |
SHA1: | C6C044EAFC184F275BF1A55DBDD85355C188D9E3 |
SHA256: | 1FF04ED2CADB8BDA5A42EA75052F5346348CC75F14B4B22A841915D881BA1F7A |
SSDEEP: | 1536:muaDO+nKjYRotV3nsPFG+5ODTb7MX6DgDTj:PwEYutj+5O7oH |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:01:11 15:11:07 |
ZipCRC: | 0x40c57347 |
ZipCompressedSize: | 54755 |
ZipUncompressedSize: | 56320 |
ZipFileName: | svchost.exe |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1908 | "C:\Program Files\Internet Explorer\iexplore.exe" | C:\Program Files\Internet Explorer\iexplore.exe | DesktopLayer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2456 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\svchost.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
2572 | "C:\Users\admin\Desktop\svchost.exe" | C:\Users\admin\Desktop\svchost.exe | explorer.exe | ||||||||||||
User: admin Company: SOFTWIN S.R.L. Integrity Level: HIGH Description: BitDefender Management Console Exit code: 0 Version: 106.42.73.61 Modules
| |||||||||||||||
3388 | "C:\Program Files\Microsoft\DesktopLayer.exe" | C:\Program Files\Microsoft\DesktopLayer.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
|
(PID) Process: | (2456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2456) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\svchost.zip | |||
(PID) Process: | (2456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop | |||
(PID) Process: | (1908) iexplore.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
Operation: | write | Name: | Userinit |
Value: c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe |
PID | Process | Filename | Type | |
---|---|---|---|---|
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Leame.htm | html | |
MD5:5079AFA6A352AFE6D89C9CF78EAF3644 | SHA256:34F530DC85BE9889F4ACC3CD32B7038542EDA595EC82829A32AA1EA4171BB63A | |||
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Lisezmoi.htm | html | |
MD5:785EDFA144F16A7F0FC2933A97919641 | SHA256:D6811444120985ACDBFDC5943183733D8CA3C800B1C6009753A81C2E5EF3253B | |||
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Berime.htm | html | |
MD5:CBADF7509F16BF3620AC5A483E4CBB1C | SHA256:1F58F6F2330711369236A596E37B19F695C2677BB363C9A59E3A70AC220E95FB | |||
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\LueMinut.htm | html | |
MD5:06EE95A60459E8B22EA76F1BE1A619E3 | SHA256:8A17F941DBD591C215422998F8D098742D1BF7D736C927F3E37217F545420416 | |||
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\DAN\license.html | xml | |
MD5:4A7294F5F2EF29591C7ADA018783985B | SHA256:9DB7360661300BA7CD9547950860B7D8CD634A655E475A28BBC0EEEB29848333 | |||
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CZE\license.html | xml | |
MD5:68F8164FE10187CF5E5A59231473CEB9 | SHA256:49872CD2B3CD7300D7D321B1EDCB840D5531133FC78984C5AD27CEDD6B5FF933 | |||
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\DEU\license.html | xml | |
MD5:88D23EB81230CF2953891BCDAACF971B | SHA256:0D9765527047FBB6BB515CD10ADD7473999F23A6D3F37E7352CB0A4E5F4039C3 | |||
1908 | iexplore.exe | C:\Program Files\Internet Explorer\dmlconf.dat | binary | |
MD5:702B30E090FDADB0D624B7D27879303D | SHA256:87CF81595B02EED7727F06F1E07129F5225D9D08A74461266154CA51C24CCBEE | |||
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Benioku.htm | html | |
MD5:A491201AB7305E2C71D90CB6CBBEEAA1 | SHA256:826444C3D91CB3694A2256B0D5470553FAAB1B70D0008A3294554875015BF0BC | |||
1908 | iexplore.exe | C:\Program Files\Adobe\Acrobat Reader DC\Reader\Legal\CAT\license.html | xml | |
MD5:EFF1C69346C2497A5AE6EC7FCC2C4477 | SHA256:0605C364DEA456FF09F7F6CEEA18C1FFBE805D2747943D8AA6C94927BD2D8DE8 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1908 | iexplore.exe | 72.26.218.70:443 | fget-career.com | Voxel Dot Net, Inc. | NL | malicious |
1908 | iexplore.exe | 172.217.16.78:80 | google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
google.com |
| malicious |
fget-career.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin |
— | — | A Network Trojan was detected | ET TROJAN Win32/Ramnit Checkin |
— | — | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Ramnit Checkin |