File name: 393d0f74-db9c-4deb-ae03-2cd46e69df09.zip
Full analysis: https://app.any.run/tasks/e7d3898d-eb67-479f-9121-b389da050f6c
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: April 25, 2019, 20:00:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, adware, installcore, pup, addrop
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 7015FE14A18975F60D190E49E845650E
SHA1: B1483CFEC2EF42BFF74D1DBB41ABAF8900CA6BA5
SHA256: 24002EEA615E09078E281DFBC269FD28C1F298C4C78AB697279AF6DE893FCA35
SSDEEP: 24576:yx/aFskzgHuMzEnQvi5jdWEpFr2mfuInGwdiVSn6dSTmcbRiL8zAZipe0BOVr2Sm:ypQZnTVdWE3fdGOK9STfiiAiYsSm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • adobe_flash_setup_3366577055.exe (PID: 2284)
      • adobe_flash_setup_3366577055.exe (PID: 2784)
      • adobe_flash_setup_3366577055.exe (PID: 2888)
    • INSTALLCORE was detected
      • adobe_flash_setup_3366577055.exe (PID: 2784)
    • Connects to CnC server
      • adobe_flash_setup_3366577055.exe (PID: 2784)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2968)
    • Reads the machine GUID from the registry
      • adobe_flash_setup_3366577055.exe (PID: 2784)
    • Application launched itself
      • adobe_flash_setup_3366577055.exe (PID: 2284)
      • adobe_flash_setup_3366577055.exe (PID: 2784)
    • Reads Internet Explorer settings
      • adobe_flash_setup_3366577055.exe (PID: 2784)
    • Reads Windows Product ID
      • adobe_flash_setup_3366577055.exe (PID: 2784)
    • Reads environment values
      • adobe_flash_setup_3366577055.exe (PID: 2784)
    • Reads CPU info
      • adobe_flash_setup_3366577055.exe (PID: 2784)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP)
ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2017:10:14 22:51:10
ZipCRC: 0x91b98f3c
ZipCompressedSize: 1543528
ZipUncompressedSize: 1569483
ZipFileName: Users/legag/Desktop/adobe_flash_setup_3366577055.exe
No data.
Total processes: 38
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph (node labels only; the graph image is not reproduced here): start, winrar.exe, adobe_flash_setup_3366577055.exe (no specs), adobe_flash_setup_3366577055.exe (#INSTALLCORE), adobe_flash_setup_3366577055.exe (no specs)

Process information

PID: 2968
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\393d0f74-db9c-4deb-ae03-2cd46e69df09.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2284
CMD: "C:\Users\admin\Desktop\adobe_flash_setup_3366577055.exe"
Path: C:\Users\admin\Desktop\adobe_flash_setup_3366577055.exe
Parent process: explorer.exe
User: admin
Company: (not reported)
Integrity Level: MEDIUM
Description: Nonaranelu Setup
Exit code: 0
Version: (not reported)

PID: 2784
CMD: "C:\Users\admin\Desktop\adobe_flash_setup_3366577055.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl
Path: C:\Users\admin\Desktop\adobe_flash_setup_3366577055.exe
Parent process: adobe_flash_setup_3366577055.exe
User: admin
Company: (not reported)
Integrity Level: HIGH
Description: Nonaranelu Setup
Exit code: 4294967206
Version: (not reported)

PID: 2888
CMD: "C:\Users\admin\Desktop\adobe_flash_setup_3366577055.exe" /_ShowProgress /PrTxt:TG9hZGluZy4uLg== /mnl
Path: C:\Users\admin\Desktop\adobe_flash_setup_3366577055.exe
Parent process: adobe_flash_setup_3366577055.exe
User: admin
Company: (not reported)
Integrity Level: HIGH
Description: Nonaranelu Setup
Exit code: 259
Version: (not reported)
Total events: 622
Read events: 577
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 2
Text files: 97
Unknown types: 0

Dropped files ("-" marks a value the report does not give)

PID | Process | Filename | Type | MD5 | SHA256
2284 | adobe_flash_setup_3366577055.exe | C:\Users\admin\AppData\Local\Temp\0013B24C.log | - | - | -
2968 | WinRAR.exe | C:\Users\admin\Desktop\adobe_flash_setup_3366577055.exe | executable | E9C02D7E635CA05B3F698B20239355EC | CC973A058030F30DC8F555F4367757C05A8167A4378169518D9B20BA0408581A
2284 | adobe_flash_setup_3366577055.exe | C:\Users\admin\AppData\Local\Temp\inH129082857122\css\sdk-ui\browse.css | text | 6009D6E864F60AEA980A9DF94C1F7E1C | 5EF48A8C8C3771B4F233314D50DD3B5AFDCD99DD4B74A9745C8FE7B22207056D
2284 | adobe_flash_setup_3366577055.exe | C:\Users\admin\AppData\Local\Temp\inH129082857122\css\sdk-ui\images\button-bg.png | image | 98B1DE48DFA64DC2AA1E52FACFBEE3B0 | 2693930C474FE640E2FE8D6EF98ABE2ECD303D2392C3D8B2E006E8942BA8F534
2284 | adobe_flash_setup_3366577055.exe | C:\Users\admin\AppData\Local\Temp\inH129082857122\css\sdk-ui\images\progress-bg2.png | image | B582D9A67BFE77D523BA825FD0B9DAE3 | AB4EEB3EA1EEF4E84CB61ECCB0BA0998B32108D70B3902DF3619F4D9393F74C3
2284 | adobe_flash_setup_3366577055.exe | C:\Users\admin\AppData\Local\Temp\inH129082857122\css\sdk-ui\checkbox.css | text | 64773C6B0E3413C81AEBC46CCE8C9318 | B09504C1BF0486D3EC46500592B178A3A6C39284672AF8815C3687CC3D29560D
2284 | adobe_flash_setup_3366577055.exe | C:\Users\admin\AppData\Local\Temp\inH129082857122\css\sdk-ui\progress-bar.css | text | 5335F1C12201B5F7CF5F8B4F5692E3D1 | 974CD89E64BDAA85BF36ED2A50AF266D245D781A8139F5B45D7C55A0B0841DDA
2284 | adobe_flash_setup_3366577055.exe | C:\Users\admin\AppData\Local\Temp\inH129082857122\css\sdk-ui\images\progress-bg-corner.png | image | 608F1F20CD6CA9936EAA7E8C14F366BE | 86B6E6826BCDE2955D64D4600A4E01693522C1FDDF156CE31C4BA45B3653A7BD
2284 | adobe_flash_setup_3366577055.exe | C:\Users\admin\AppData\Local\Temp\inH129082857122\csshover3.htc | html | 52FA0DA50BF4B27EE625C80D36C67941 | E37E99DDFC73AC7BA774E23736B2EF429D9A0CB8C906453C75B14C029BDD5493
2284 | adobe_flash_setup_3366577055.exe | C:\Users\admin\AppData\Local\Temp\inH129082857122\css\sdk-ui\button.css | text | 37E1FF96E084EC201F0D95FEEF4D5E94 | 8E806F5B94FC294E918503C8053EF1284E4F4B1E02C7DA4F4635E33EC33E0534
HTTP(S) requests: 7
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests ("-" marks a value the report does not give)

PID | Process | Method | HTTP Code | IP | URL | Country | Type | Size | Reputation
2784 | adobe_flash_setup_3366577055.exe | POST | 200 | 54.194.149.175:80 | http://rp.notatolol2.com/ | IE | - | - | malicious
2784 | adobe_flash_setup_3366577055.exe | POST | 200 | 54.194.149.175:80 | http://rp.notatolol2.com/ | IE | - | - | malicious
2784 | adobe_flash_setup_3366577055.exe | POST | 200 | 54.194.149.175:80 | http://rp.notatolol2.com/ | IE | - | - | malicious
2784 | adobe_flash_setup_3366577055.exe | POST | 200 | 54.194.149.175:80 | http://rp.notatolol2.com/ | IE | - | - | malicious
2784 | adobe_flash_setup_3366577055.exe | POST | 500 | 18.203.190.76:80 | http://info.notatolol2.com/?wewudeh=2 | US | text | 21 b | malicious
2784 | adobe_flash_setup_3366577055.exe | POST | 500 | 18.203.190.76:80 | http://info.notatolol2.com/?quepeg=1 | US | text | 21 b | malicious
2784 | adobe_flash_setup_3366577055.exe | POST | 500 | 18.203.190.76:80 | http://info.notatolol2.com/?vuv=0 | US | text | 21 b | malicious

Connections ("-" marks a value the report does not give)

PID | Process | IP | Domain | ASN | Country | Reputation
2784 | adobe_flash_setup_3366577055.exe | 18.203.190.76:80 | info.notatolol2.com | - | US | malicious
2784 | adobe_flash_setup_3366577055.exe | 54.194.149.175:80 | rp.notatolol2.com | Amazon.com, Inc. | IE | malicious

DNS requests

Domain | Resolved IPs | Reputation
rp.notatolol2.com | 54.194.149.175, 52.214.73.247 | malicious
info.notatolol2.com | 18.203.190.76, 52.209.116.64, 52.212.157.66 | malicious

Threats

PID | Process | Class | Message
2784 | adobe_flash_setup_3366577055.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
2784 | adobe_flash_setup_3366577055.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
2784 | adobe_flash_setup_3366577055.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
2784 | adobe_flash_setup_3366577055.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
2784 | adobe_flash_setup_3366577055.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
2784 | adobe_flash_setup_3366577055.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
6 ETPRO signatures available at the full report
No debug info