| Field | Value |
|---|---|
| URL: | https://drop.me/MRqYQb |
| Full analysis: | https://app.any.run/tasks/60d92ca6-42c0-4928-8535-aaa9240f932c |
| Verdict: | Malicious activity |
| Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim's machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
| Analysis date: | October 13, 2018, 11:53:52 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | A4540418292199D1490F9BDF2FFF1972 |
| SHA1: | 9433F8429102DC1AFE8D66F63BE245BBBCC15F31 |
| SHA256: | 25A4EB5D0FA5ED305CD165F8DFBD9CE2677FEFFB8B43FC27F505C02260079CA0 |
| SSDEEP: | 3:N8PKV+n:2jn |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 116 | "C:\Users\admin\Desktop\iView\iView Fur U v3!.exe" | C:\Users\admin\Desktop\iView\iView Fur U v3!.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0; Version: 3, 3, 0, 0 |
| 564 | "C:\Users\admin\Desktop\VideoBot\Video Bot.exe" | C:\Users\admin\Desktop\VideoBot\Video Bot.exe | — | explorer.exe | User: admin; Company: Microsoft; Integrity Level: MEDIUM; Description: Yotube Video Bot; Exit code: 0; Version: 1.0.0.0 |
| 940 | "C:\Users\admin\Desktop\Traffic Bot Full Edition\dengine.exe" | C:\Users\admin\Desktop\Traffic Bot Full Edition\dengine.exe | | explorer.exe | User: admin; Company: Diabolic Labs; Integrity Level: MEDIUM; Description: Diabolic Engine; Exit code: 0; Version: 45.01 |
| 1112 | C:\Windows\system32\WerFault.exe -u -p 3256 -s 708 | C:\Windows\system32\WerFault.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1480 | "C:\Users\admin\Desktop\YouBoosterPro\YouBooster PRO Edition cracked by DarkCoderz.exe" | C:\Users\admin\Desktop\YouBoosterPro\YouBooster PRO Edition cracked by DarkCoderz.exe | | explorer.exe | User: admin; Company: YouBooster.eu; Integrity Level: MEDIUM; Description: YouBooster PRO Edition; Exit code: 0; Version: 2.1.0.0 |
| 1616 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft Windows Search Protocol Host; Exit code: 0; Version: 7.00.7600.16385 (win7_rtm.090713-1255) |
| 2192 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Youtube_View_Bots_Pack_-_GrandeAriana.rar" | C:\Program Files\WinRAR\WinRAR.exe | | iexplore.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
| 2284 | "C:\Users\admin\Desktop\YouBot\YouBot 2.0.exe" | C:\Users\admin\Desktop\YouBot\YouBot 2.0.exe | | explorer.exe | User: admin; Company: Microsoft; Integrity Level: MEDIUM; Description: YouBot; Exit code: 0; Version: 1.0.0.0 |
| 2632 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3284 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
| 3000 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\YouBoosterPro\proxy.txt.txt | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3284 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0 |
| 3284 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| 3284 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
| 3284 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1 |
| 3284 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0 |
| 3284 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | |
| 3284 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {B3B22701-CEDE-11E8-BFAB-5254004AAD11} | 0 |
| 3284 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4 |
| 3284 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 3 |
| 3284 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E2070A0006000D000B0036000E000F00 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3284 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | — | — |
| 3284 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
| 2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\MRqYQb[1].txt | — | — | — |
| 2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\en[1].js | — | — | — |
| 2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\application.min[1].js | — | — | — |
| 2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\all[1].css | — | — | — |
| 2632 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@yadro[1].txt | — | — | — |
| 2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Youtube_View_Bots_Pack_-_GrandeAriana[1].rar | — | — | — |
| 3284 | iexplore.exe | C:\Users\admin\Downloads\Youtube_View_Bots_Pack_-_GrandeAriana.rar | — | — | — |
| 3284 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFF7ED33A8B1B30640.TMP | — | — | — |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3568 | RoyalViewer.exe | GET | 302 | 104.20.208.21:80 | http://pastebin.com/raw.php?i=SAGkspRZ | US | — | — | malicious |
| 2284 | YouBot 2.0.exe | GET | 301 | 172.217.17.46:80 | http://www.youtube.com/v?asd298jdn | US | — | — | whitelisted |
| 1480 | YouBooster PRO Edition cracked by DarkCoderz.exe | GET | 200 | 162.210.195.123:80 | http://survey-smiles.com/ | US | html | 295 b | whitelisted |
| 1480 | YouBooster PRO Edition cracked by DarkCoderz.exe | GET | 200 | 162.210.195.123:80 | http://survey-smiles.com/ | US | html | 295 b | whitelisted |
| 2284 | YouBot 2.0.exe | GET | 301 | 172.217.17.46:80 | http://www.youtube.com/v?asd298jdn | US | — | — | whitelisted |
| 1480 | YouBooster PRO Edition cracked by DarkCoderz.exe | GET | 200 | 188.165.238.79:80 | http://marro.nserwer.pl/ybpro/newsy.txt | FR | text | 84 b | malicious |
| 1480 | YouBooster PRO Edition cracked by DarkCoderz.exe | POST | 302 | 64.32.8.69:80 | http://api.elitevs.net/check2.php | US | text | 11 b | malicious |
| 1480 | YouBooster PRO Edition cracked by DarkCoderz.exe | GET | 302 | 162.210.195.123:80 | http://survey-smiles.com/ | US | text | 11 b | whitelisted |
| 1480 | YouBooster PRO Edition cracked by DarkCoderz.exe | GET | 200 | 188.165.238.79:80 | http://marro.nserwer.pl/ybpro/youboosterversion.txt | FR | text | 7 b | malicious |
| 2284 | YouBot 2.0.exe | POST | 200 | 216.58.211.110:80 | http://ocsp.pki.goog/gsr2 | US | der | 468 b | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3284 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 2632 | iexplore.exe | 62.76.114.200:443 | drop.me | Start LLC | RU | unknown |
| 2632 | iexplore.exe | 88.212.196.105:443 | counter.yadro.ru | United Network LLC | RU | unknown |
| 3284 | iexplore.exe | 62.76.114.200:443 | drop.me | Start LLC | RU | unknown |
| 2632 | iexplore.exe | 62.76.114.199:443 | dl.drop.me | Start LLC | RU | unknown |
| 1480 | YouBooster PRO Edition cracked by DarkCoderz.exe | 64.32.8.69:80 | api.elitevs.net | Sharktech | US | malicious |
| 1480 | YouBooster PRO Edition cracked by DarkCoderz.exe | 162.210.195.123:80 | survey-smiles.com | Leaseweb USA, Inc. | US | malicious |
| 1480 | YouBooster PRO Edition cracked by DarkCoderz.exe | 188.165.238.79:80 | marro.nserwer.pl | OVH SAS | FR | unknown |
| 2284 | YouBot 2.0.exe | 172.217.17.46:80 | www.youtube.com | Google Inc. | US | whitelisted |
| 2284 | YouBot 2.0.exe | 172.217.17.46:443 | www.youtube.com | Google Inc. | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| www.bing.com | | whitelisted |
| drop.me | | suspicious |
| counter.yadro.ru | | whitelisted |
| dl.drop.me | | unknown |
| api.elitevs.net | | malicious |
| survey-smiles.com | | whitelisted |
| marro.nserwer.pl | | malicious |
| www.youtube.com | | whitelisted |
| ocsp.pki.goog | | whitelisted |
| pastebin.com | | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 3568 | RoyalViewer.exe | Misc activity | SUSPICIOUS [PTsecurity] Minimal HTTP Header for Request to Pastebin |
| Process | Message |
|---|---|
| dengine.exe | Gecko.Xpcom.DirectoryServiceProvider.GetFile: not implemented: permissionDBPDir |
| dengine.exe | ****** Missing Dispose() call for Gecko.ChromeContext. ******* |
| Tube Traffic.exe | System.Transactions Critical: 0 : |

Tube Traffic.exe trace record (unhandled exception):

```xml
<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Critical"><TraceIdentifier>http://msdn.microsoft.com/TraceCodes/System/ActivityTracing/2004/07/Reliability/Exception/Unhandled</TraceIdentifier><Description>Unhandled exception</Description><AppDomain>Tube Traffic.exe</AppDomain><Exception><ExceptionType>System.ArgumentOutOfRangeException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>'minValue' cannot be greater than maxValue.
Parameter name: minValue</Message><StackTrace> at System.Random.Next(Int32 minValue, Int32 maxValue)
at (Task )
at TubeTraffic.Model.TaskManager.GetTaskWait(Task task)
at (Worker , Int32 )
at TubeTraffic.Work.Worker.DoTask(Int32 taskinde)
at (Worker )
at TubeTraffic.Work.Worker.DoTasks()
at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()</StackTrace><ExceptionString>System.ArgumentOutOfRangeException: 'minValue' cannot be greater than maxValue.
Parameter name: minValue
at System.Random.Next(Int32 minValue, Int32 maxValue)
at (Task )
at TubeTraffic.Model.TaskManager.GetTaskWait(Task task)
at (Worker , Int32 )
at TubeTraffic.Work.Worker.DoTask(Int32 taskinde)
at (Worker )
at TubeTraffic.Work.Worker.DoTasks()
at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()</ExceptionString></Exception></TraceRecord>
```