File name: صور حبيبتي.zip (Arabic: "my sweetheart's photos")

Full analysis: https://app.any.run/tasks/02422d40-0e7c-48d4-b595-7caff899b04d
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on the family, a trojan's capabilities range from full remote control of the victim's machine to stealing data and files and dropping other malware, so the core functionality differs significantly from one family to the next. The most common trojan infection chain starts with a phishing email.

Analysis date: February 18, 2019, 20:20:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: E90EEB6E5F0F44C3B35ADBBC3EE606A6
SHA1: FE7DCC379A60D91DE063BE6121D887EF609E73B2
SHA256: 207C629D09AED659BA05D5A1D51180CBA08760859D29F78BB5B6251C3F564695
SSDEEP: 3072:RLHOU5dZ3hjguj3MHh6o6h+fcZV+2Rzl/A:lRXKe3MHko6hdZV+cx/A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • TaskManiger.exe (PID: 2700)
      • صور حبيبتي.exe (PID: 2768)
    • Writes to a start menu file
      • صور حبيبتي.exe (PID: 2768)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2996)
      • صور حبيبتي.exe (PID: 2768)
    • Starts itself from another location
      • صور حبيبتي.exe (PID: 2768)
    • Creates files in the user directory
      • صور حبيبتي.exe (PID: 2768)
  • INFO
    No info indicators.
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)
All screenshots are available in the full report
Total processes: 33
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 1

Behavior graph

explorer.exe --(start)--> WinRAR.exe --(drop and start)--> صور حبيبتي.exe --(drop and start)--> TaskManiger.exe

Process information

PID: 2996
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\صور حبيبتي.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2768
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2996.24992\صور حبيبتي.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2996.24992\صور حبيبتي.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Description: folder
Exit code: 0
Version: 1.0.0.0

PID: 2700
CMD: "C:\Users\admin\AppData\Local\TaskManiger.exe"
Path: C:\Users\admin\AppData\Local\TaskManiger.exe
Parent process: صور حبيبتي.exe
User: admin
Integrity Level: MEDIUM
Description: folder
Version: 1.0.0.0
Total events: 882
Read events: 854
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 0
Text files: 17
Unknown types: 1

Dropped files

PID 2700, TaskManiger.exe
  Filename: C:\Users\admin\AppData\Local\Framework.txt
  MD5:
  SHA256:

PID 2700, TaskManiger.exe
  Filename: C:\Users\admin\AppData\Local\vrd.temp
  Type: text
  MD5: E6BC56E2DB260CE748A30B7E2F82421F
  SHA256: 28C13AE60195BABAB6193C52AB9017430442551411FED9A1AA855CBFFABEF9E0

PID 2996, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2996.24992\صور حبيبتي.exe
  Type: executable
  MD5: 69130BFB29C02674886370AB62328C42
  SHA256: 130F037CD6493822832EB13AF66D8C796380054391F900E6C3C4EDB62B07FE53

PID 2768, صور حبيبتي.exe
  Filename: C:\Users\admin\AppData\Local\file.ico
  Type: image
  MD5: D56468B29575D9CCE7ED51C9A6D95DDF
  SHA256: 9C294335FB20A3C280AD169A4E08862041391C4806ECA41B7C87E885E6A8ED21

PID 2768, صور حبيبتي.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Manger Folder.lnk
  Type: lnk
  MD5: BBEABA6046A89EE66D3B9CF9F945868B
  SHA256: A5DF6F466EFBA9F7A0ADECB456BF4DD93392DE2E2A6093DBF015FC1CCDE76BB2

PID 2700, TaskManiger.exe
  Filename: C:\Users\admin\AppData\Local\vfe.temp
  Type: text
  MD5: E1E3377176E46A741A47099A8A991BCE
  SHA256: EABE4A21F9B19DDD04570354128F243768C57449332FC18F082B1AABD98050BD

PID 2768, صور حبيبتي.exe
  Filename: C:\Users\admin\AppData\Local\TaskManiger.exe
  Type: executable
  MD5: 69130BFB29C02674886370AB62328C42
  SHA256: 130F037CD6493822832EB13AF66D8C796380054391F900E6C3C4EDB62B07FE53
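The MALICIOUS and SUSPICIOUS indicators above (dropped or rewritten from another process, starts itself from another location, writes to a start menu file) can be derived from the process and dropped-file tables alone: the file that صور حبيبتي.exe writes to AppData\Local\TaskManiger.exe has the same SHA256 as the executable WinRAR extracted, and that path is then executed as PID 2700. The Python below is an added example, not code from the report or from ANY.RUN. It transcribes the three processes and seven dropped files from the tables as constructed input and applies three rules of its own; the rule names, the archiver-parent set, the 7-Zip temp-directory pattern and the ATT&CK labels are this example's assumptions, not something the report states.

```python
"""Turn sandbox process and dropped-file records into behaviour findings.

Added example, not code from the ANY.RUN report. PROCESSES and DROPPED are
transcribed from the report's tables as constructed input; the rule names,
ARCHIVERS, the 7-Zip temp pattern and the ATTACK labels are this example's
own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    image: str      # full path of the executable image
    parent: str     # parent image name as the sandbox reports it


@dataclass(frozen=True)
class Dropped:
    pid: int        # PID of the process that wrote the file
    path: str
    sha256: str     # "" where the report lists no hash


PROCESSES = [
    Process(2996, r"C:\Program Files\WinRAR\WinRAR.exe", "explorer.exe"),
    Process(2768, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2996.24992\صور حبيبتي.exe", "WinRAR.exe"),
    Process(2700, r"C:\Users\admin\AppData\Local\TaskManiger.exe", "صور حبيبتي.exe"),
]

DROPPED = [
    Dropped(2700, r"C:\Users\admin\AppData\Local\Framework.txt", ""),
    Dropped(2700, r"C:\Users\admin\AppData\Local\vrd.temp",
            "28C13AE60195BABAB6193C52AB9017430442551411FED9A1AA855CBFFABEF9E0"),
    Dropped(2996, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2996.24992\صور حبيبتي.exe",
            "130F037CD6493822832EB13AF66D8C796380054391F900E6C3C4EDB62B07FE53"),
    Dropped(2768, r"C:\Users\admin\AppData\Local\file.ico",
            "9C294335FB20A3C280AD169A4E08862041391C4806ECA41B7C87E885E6A8ED21"),
    Dropped(2768, r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Manger Folder.lnk",
            "A5DF6F466EFBA9F7A0ADECB456BF4DD93392DE2E2A6093DBF015FC1CCDE76BB2"),
    Dropped(2700, r"C:\Users\admin\AppData\Local\vfe.temp",
            "EABE4A21F9B19DDD04570354128F243768C57449332FC18F082B1AABD98050BD"),
    Dropped(2768, r"C:\Users\admin\AppData\Local\TaskManiger.exe",
            "130F037CD6493822832EB13AF66D8C796380054391F900E6C3C4EDB62B07FE53"),
]

# WinRAR extracts members opened from the archive window under %TEMP%\Rar$EX...
# (seen in the report); the 7-Zip %TEMP%\7z... pattern is an added assumption.
ARCHIVE_TEMP = re.compile(r"\\Temp\\(Rar\$[^\\]+|7z[^\\]+)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}      # assumed archiver parents

ATTACK = {                                              # this example's mapping
    "archive_launched": "T1204.002 User Execution: Malicious File",
    "startup_persistence": "T1547.001 Boot or Logon Autostart Execution: Startup Folder",
    "self_copy": "writes a byte-identical copy of its own image elsewhere",
    "self_copy_started": "writes a byte-identical copy of its own image and runs it",
}


def image_hashes(dropped):
    """Path -> SHA256 for every file the sandbox hashed. The report hashes files
    as they are written, so a process's own image hash is known exactly when
    another process wrote that image (WinRAR extracting the payload here)."""
    return {d.path.lower(): d.sha256 for d in dropped if d.sha256}


def findings(processes, dropped):
    """Return (pid, rule, path) triples in processing order."""
    by_pid = {p.pid: p for p in processes}
    hashes = image_hashes(dropped)
    images = {p.image.lower() for p in processes}
    out = []
    for p in processes:
        # Rule 1: executable run straight out of an archiver's temp dir.
        if ARCHIVE_TEMP.search(p.image) and p.parent.lower() in ARCHIVERS:
            out.append((p.pid, "archive_launched", p.image))
    for d in dropped:
        writer = by_pid.get(d.pid)
        if writer is None:
            continue
        # Rule 2: anything written to the per-user Startup folder.
        if STARTUP_DIR.search(d.path):
            out.append((d.pid, "startup_persistence", d.path))
        # Rule 3: the written file hashes identically to the writer's own image.
        own = hashes.get(writer.image.lower())
        if own and d.sha256 == own and d.path.lower() != writer.image.lower():
            rule = "self_copy_started" if d.path.lower() in images else "self_copy"
            out.append((d.pid, rule, d.path))
    return out


def report(processes=PROCESSES, dropped=DROPPED):
    return [f"PID {pid}: {rule} ({ATTACK[rule]}) -> {path}"
            for pid, rule, path in findings(processes, dropped)]


if __name__ == "__main__":
    print("\n".join(report()))
```

Run on the transcribed records it yields three findings, all against PID 2768: archive_launched (image under Rar$EX with WinRAR.exe as parent), startup_persistence (Manger Folder.lnk) and self_copy_started (TaskManiger.exe, same SHA256 as the extracted image, later running as PID 2700). WinRAR's own extraction is not flagged because its image was never hashed by the sandbox, which is the intended behaviour of rule 3.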
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

PID  | Process         | Method | HTTP Code | IP                 | URL                                        | CN      | Type | Size | Reputation
2700 | TaskManiger.exe | POST   | 200       | 185.244.129.237:80 | http://ballgames.website/cache_update.php  | unknown | text | 3 b  | malicious
2700 | TaskManiger.exe | POST   | 200       | 185.244.129.237:80 | http://ballgames.website/submit_ticket.php | unknown | text | 12 b | malicious
2700 | TaskManiger.exe | POST   | 200       | 185.244.129.237:80 | http://ballgames.website/cache_update.php  | unknown | text | 3 b  | malicious
2700 | TaskManiger.exe | POST   | 200       | 185.244.129.237:80 | http://ballgames.website/cache_update.php  | unknown | text | 3 b  | malicious
2700 | TaskManiger.exe | POST   | 200       | 185.244.129.237:80 | http://ballgames.website/cache_update.php  | unknown | text | 3 b  | malicious
2700 | TaskManiger.exe | POST   | 200       | 185.244.129.237:80 | http://ballgames.website/cache_update.php  | unknown | text | 3 b  | malicious
2700 | TaskManiger.exe | POST   | 200       | 185.244.129.237:80 | http://ballgames.website/cache_update.php  | unknown | text | 3 b  | malicious
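The HTTP table shows the pattern a network defender would want to alert on: the dropped TaskManiger.exe POSTs six times to the same cache_update.php endpoint and gets a 3-byte body back each time, with a single POST to submit_ticket.php returning 12 bytes. The Python below is an added example, not part of the report or of ANY.RUN. It parses constructed log lines that mirror the seven requests in the table (the timestamps are invented for the example, since the summary table does not show request times) and flags a (process, host, path) group as a check-in beacon when it repeats with tiny, identical responses at a regular interval. The thresholds and the log format are this example's choices.

```python
"""Flag HTTP check-in beaconing in sandbox or proxy logs.

Added example, not code from the ANY.RUN report. LOG mirrors the seven
requests in the report's HTTP table (process, method, status, IP, URL,
response size); the timestamps are constructed because the table has none.
"""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log lines: time pid process method status ip:port url response_bytes
LOG = """\
20:20:41 2700 TaskManiger.exe POST 200 185.244.129.237:80 http://ballgames.website/cache_update.php 3
20:20:43 2700 TaskManiger.exe POST 200 185.244.129.237:80 http://ballgames.website/submit_ticket.php 12
20:21:11 2700 TaskManiger.exe POST 200 185.244.129.237:80 http://ballgames.website/cache_update.php 3
20:21:41 2700 TaskManiger.exe POST 200 185.244.129.237:80 http://ballgames.website/cache_update.php 3
20:22:11 2700 TaskManiger.exe POST 200 185.244.129.237:80 http://ballgames.website/cache_update.php 3
20:22:41 2700 TaskManiger.exe POST 200 185.244.129.237:80 http://ballgames.website/cache_update.php 3
20:23:11 2700 TaskManiger.exe POST 200 185.244.129.237:80 http://ballgames.website/cache_update.php 3
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\d+) (\S+) (\S+) (\d{3}) (\S+) (\S+) (\d+)$")


def parse(log: str):
    """Parse the constructed format into dicts; unparseable lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s, pid, proc, method, status, ip, url, size = m.groups()
        u = urlsplit(url)
        rows.append({
            "t": int(h) * 3600 + int(mi) * 60 + int(s),
            "pid": int(pid), "process": proc, "method": method,
            "status": int(status), "ip": ip, "host": u.hostname, "path": u.path,
            "size": int(size),
        })
    return rows


def beacon_candidates(rows, min_requests=3, max_resp_bytes=16, max_jitter=0.25):
    """Group by (pid, host, path) and flag groups that look like check-ins:
    repeated requests, one tiny response size, near-constant spacing.
    jitter = stdev/mean of the inter-request gaps (0 means a fixed sleep)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["pid"], r["host"], r["path"])].append(r)
    out = []
    for (pid, host, path), reqs in groups.items():
        if len(reqs) < max(min_requests, 2):
            continue
        reqs.sort(key=lambda r: r["t"])
        gaps = [b["t"] - a["t"] for a, b in zip(reqs, reqs[1:])]
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        sizes = {r["size"] for r in reqs}
        if len(sizes) == 1 and max(sizes) <= max_resp_bytes and jitter <= max_jitter:
            out.append({"pid": pid, "host": host, "path": path, "count": len(reqs),
                        "interval_s": round(mean, 1), "jitter": round(jitter, 3),
                        "methods": sorted({r["method"] for r in reqs})})
    return out


def host_endpoints(rows, host):
    """Every path seen on a host with the largest response observed, so the
    check-in endpoint and any tasking endpoint on the same server stand out."""
    biggest = {}
    for r in rows:
        if r["host"] == host:
            biggest[r["path"]] = max(biggest.get(r["path"], 0), r["size"])
    return sorted(biggest.items())


if __name__ == "__main__":
    rows = parse(LOG)
    for hit in beacon_candidates(rows):
        print("beacon:", hit)
        print("endpoints on host:", host_endpoints(rows, hit["host"]))
```

With the constructed 30-second spacing only /cache_update.php is flagged (six requests, jitter 0); the lone submit_ticket.php request is not a beacon but shows up in host_endpoints as the endpoint on the same server that returned a larger body. On real proxy logs raise min_requests and loosen max_jitter, since command-and-control sleeps are often randomised, and treat the (host, path) pair, not the IP, as the pivot because the report's own reputation verdict is attached to the domain.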

Connections

PID  | Process         | IP                 | Domain            | ASN | CN | Reputation
2700 | TaskManiger.exe | 185.244.129.237:80 | ballgames.website |     |    | malicious

DNS requests

Domain            | IP              | Reputation
ballgames.website | 185.244.129.237 | malicious

Threats

Found threats are available for paid subscriptions
1 ETPRO signature is available in the full report
No debug info