analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Calculation-930007207-10162020.zip

Full analysis: https://app.any.run/tasks/18449f8b-a3bb-4538-9a98-e4d5a4e568b0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 19, 2020, 23:58:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
qbot
maldoc-42
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

6378E6D8FE78F122BAA6302F44FF583B

SHA1:

2FABA93B6044BF37DD40C0EAA7BD9177DE37F2D9

SHA256:

234C737BC6F23E80282694F143B51D0343223E4F963A6CC2E8A6E95A1059D0A5

SSDEEP:

384:H2qHoRRI8LOxXWutyG6Qh6KdfaxvNagDEHrFlmfEhNMs0b+DlcU:H2tR0xXgsh6ufaV4syeS0iv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • nosto.exe (PID: 2596)
      • nosto.exe (PID: 3968)
      • ytfovlym.exe (PID: 3872)
      • ytfovlym.exe (PID: 2868)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 1652)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 1652)

    • Downloads executable files with a strange extension

      • EXCEL.EXE (PID: 1652)

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 1652)

    • QBOT was detected

      • nosto.exe (PID: 2596)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2284)

  • SUSPICIOUS

    • Application launched itself

      • nosto.exe (PID: 2596)
      • ytfovlym.exe (PID: 3872)

    • Creates files in the user directory

      • nosto.exe (PID: 2596)

    • Starts itself from another location

      • nosto.exe (PID: 2596)

    • Starts CMD.EXE for commands execution

      • nosto.exe (PID: 2596)

    • Executable content was dropped or overwritten

      • nosto.exe (PID: 2596)
      • cmd.exe (PID: 2284)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1652)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 1652)

    • Manual execution by user

      • EXCEL.EXE (PID: 1652)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 1652)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 2284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:10:19 16:24:20
ZipCRC: 0x93c05b81
ZipCompressedSize: 21408
ZipUncompressedSize: 26674
ZipFileName: Calculation-930007207-10162020.xlsb
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs excel.exe #QBOT nosto.exe nosto.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2452"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-930007207-10162020.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1652"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2596"C:\Hromo\Nivadalo\nosto.exe" C:\Hromo\Nivadalo\nosto.exe
EXCEL.EXE
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3968C:\Hromo\Nivadalo\nosto.exe /CC:\Hromo\Nivadalo\nosto.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3872C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2284"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe"C:\Windows\System32\cmd.exe
nosto.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1496ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2868C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2136C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 016
Read events
935
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
4
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
1652EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRC170.tmp.cvr
MD5:
SHA256:
1652EXCEL.EXEC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:253C95F2F4D29B2299BD42D0A5009B58
SHA256:82C81F37B79EE9A1B6F7A428F0E24DF2BF05ECA399E568E3174805D14782F8C1
1652EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].pngexecutable
MD5:253C95F2F4D29B2299BD42D0A5009B58
SHA256:82C81F37B79EE9A1B6F7A428F0E24DF2BF05ECA399E568E3174805D14782F8C1
2596nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:253C95F2F4D29B2299BD42D0A5009B58
SHA256:82C81F37B79EE9A1B6F7A428F0E24DF2BF05ECA399E568E3174805D14782F8C1
2452WinRAR.exeC:\Users\admin\Desktop\Calculation-930007207-10162020.xlsbdocument
MD5:8755107161DFEC54F589FA51B9A8CBE1
SHA256:0A3A27F792E14FF7425A162FEE95C53CBF61A2F4F8C2575B146E2D4C3E1A1A9E
2136explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:1BB3CD59D03AA14433F9D857085F2370
SHA256:BB918AD05620AF49C79E8E95232AB6283218D26F2FD68AAE465BA9F387E5FF05
1652EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:5C8108C06CBCEFE91EEE9CE8C164D8CD
SHA256:66E8906202C7CB3E1A2DC58040F9D670B4047F683E519FAD7F53C59DAFEF647A
2596nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:A3BD824784B75A08739797D429D97832
SHA256:19D9167185B0A67D4FE17C4DE057039FA2311E0BE08C7965FC950ED74A113CF7
1652EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Calculation-930007207-10162020.xlsb.LNKlnk
MD5:EA1AE2CB2FCF7DC9E60713C97DA90B73
SHA256:6FFA7EEBED723366B01F39A85DAC899EB003DC333DAA843CDAB5C092FEB765A9
2284cmd.exeC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1652
EXCEL.EXE
GET
200
162.241.75.141:80
http://mpsync.com.br/tcgicbzy/3415201.png
US
executable
1.02 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1652
EXCEL.EXE
162.241.75.141:80
mpsync.com.br
CyrusOne LLC
US
malicious

DNS requests

Domain
IP
Reputation
mpsync.com.br
  • 162.241.75.141
malicious

Threats

PID
Process
Class
Message
1652
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1652
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
1652
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
1652
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
1652
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
1652
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Calculation-930007207-10162020.zip