File name:

USBStealer-3.zip

Full analysis: https://app.any.run/tasks/62056621-8b6a-4351-887f-fa3ce2bdb7d0
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: July 11, 2019, 10:23:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 0CE53A50C6A7B911A314753060A7CE29
SHA1: B476CEDA68211E8A2D5D40658E7FF58FBB5A4FE4
SHA256: 27CED3753F3BD95D84E020337DF4025AB681BA94B4531D9A2A60F77B57CA4B76
SSDEEP: 196608:vCYQAyppQ5MgQO9Df+U2IZOA4/rCXqkPgANInPMSJIDZJLvSnExrzc9Og21sD3uV:HQAQQ5KAdZHQCoASPWJLvG2D1onr2g8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • lasagna.exe (PID: 2820)
      • bitch.exe (PID: 2592)
      • lasagna.exe (PID: 2528)
      • lasagna.exe (PID: 2816)
      • bitch_lasagna.exe (PID: 2828)
      • bitch.exe (PID: 2040)
      • lasagna.exe (PID: 2588)
    • Loads dropped or rewritten executable

      • lasagna.exe (PID: 2820)
      • lasagna.exe (PID: 2816)
    • Stealing of credential data

      • cmd.exe (PID: 1704)
      • cmd.exe (PID: 2452)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2744)
      • lasagna.exe (PID: 2528)
      • lasagna.exe (PID: 2588)
      • bitch_lasagna.exe (PID: 2828)
    • Reads Environment values

      • lasagna.exe (PID: 2820)
      • lasagna.exe (PID: 2816)
    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2744)
      • powershell.exe (PID: 2652)
      • powershell.exe (PID: 1056)
    • Executes PowerShell scripts

      • lasagna.exe (PID: 2820)
      • lasagna.exe (PID: 2816)
    • Starts CMD.EXE for commands execution

      • bitch.exe (PID: 2592)
      • bitch.exe (PID: 2040)
    • Loads Python modules

      • lasagna.exe (PID: 2820)
      • lasagna.exe (PID: 2816)
    • Creates files in the user directory

      • lasagna.exe (PID: 2820)
      • powershell.exe (PID: 2652)
      • powershell.exe (PID: 1056)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 2328)
      • cmd.exe (PID: 2452)
      • cmd.exe (PID: 1704)
  • INFO

    • Manual execution by user

      • cmd.exe (PID: 1704)
      • NOTEPAD.EXE (PID: 2656)
      • bitch_lasagna.exe (PID: 2828)
      • bitch.exe (PID: 2592)
      • NOTEPAD.EXE (PID: 1448)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:01:03 06:31:22
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: USBStealer-3/
No data.
All screenshots are available in the full report
Total processes: 60
Monitored processes: 18
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Process nodes (in graph order): winrar.exe, notepad.exe (no specs), cmd.exe, attrib.exe (no specs), lasagna.exe, lasagna.exe (no specs), powershell.exe (no specs), bitch.exe (no specs), cmd.exe (no specs), attrib.exe (no specs), bitch_lasagna.exe, bitch.exe (no specs), cmd.exe, attrib.exe (no specs), lasagna.exe, lasagna.exe (no specs), powershell.exe (no specs), notepad.exe (no specs)

Process information

PID: 620
CMD: attrib +h loot
Path: C:\Windows\system32\attrib.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1056
CMD: powershell.exe /c " function get-iehistory { [CmdletBinding()] param () $shell = New-Object -ComObject Shell.Application $hist = $shell.NameSpace(34) $folder = $hist.Self $hist.Items() | foreach { if ($_.IsFolder) { $siteFolder = $_.GetFolder $siteFolder.Items() | foreach { $site = $_ if ($site.IsFolder) { $pageFolder = $site.GetFolder $pageFolder.Items() | foreach { $visit = New-Object -TypeName PSObject -Property @{ URL = $($pageFolder.GetDetailsOf($_,0)) } $visit } } } } } } get-iehistory "
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: lasagna.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1448
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\USBStealer-3\loot\admin\logs.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1704
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\USBStealer-3\bitch.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2040
CMD: "C:\Users\admin\Desktop\USBStealer-3\bitch.exe"
Path: C:\Users\admin\Desktop\USBStealer-3\bitch.exe
Parent process: bitch_lasagna.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\usbstealer-3\bitch.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2172
CMD: attrib +h loot
Path: C:\Windows\system32\attrib.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2328
CMD: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\6000.tmp\6001.tmp\6002.bat C:\Users\admin\Desktop\USBStealer-3\bitch.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: bitch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2452
CMD: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\7732.tmp\7733.tmp\7734.bat C:\Users\admin\Desktop\USBStealer-3\bitch.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: bitch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2528
CMD: lasagna.exe all -vvv
Path: C:\Users\admin\Desktop\USBStealer-3\lasagna.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\usbstealer-3\lasagna.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll
PID: 2588
CMD: lasagna.exe all -vvv
Path: C:\Users\admin\Desktop\USBStealer-3\lasagna.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\usbstealer-3\lasagna.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll
Total events: 1 174
Read events: 1 009
Write events: 165
Delete events: 0

Modification events

(PID) Process: (2744) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: -

(PID) Process: (2744) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: -

(PID) Process: (2744) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\71\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2744) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\71\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network

(PID) Process: (2744) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\USBStealer-3.zip

(PID) Process: (2744) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2744) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2744) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2744) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2744) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
Executable files: 39
Suspicious files: 6
Text files: 9
Unknown types: 0

Dropped files

PID: 2528
Process: lasagna.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI25282\laZagne.exe.manifest
Type: xml
MD5: -
SHA256: -

PID: 2744
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2744.13260\USBStealer-3\LICENSE
Type: text
MD5: 911690F51AF322440237A253D695D19F
SHA256: 88D9B4EB60579C191EC391CA04C16130572D7EEDC4A86DAA58BF28C6E14C9BCD

PID: 2528
Process: lasagna.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI25282\Microsoft.VC90.CRT.manifest
Type: xml
MD5: 1F28C9322A8F582C85268D6F025EFB95
SHA256: 1391BD476EA603AA58860904F1AAF1A6F5EF196488D5A5AC8BA307333AC6E217

PID: 2744
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2744.13260\USBStealer-3\bitch.bat
Type: text
MD5: 15C383D5080EB1643BECC229FFE9FE94
SHA256: DC327493D684E5682851013923FEF8A37C5AC7A6ACA79162DB390289D6290BCF

PID: 2528
Process: lasagna.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI25282\_elementtree.pyd
Type: executable
MD5: 979EB7F2744B6E91F1F8E0785559C28E
SHA256: FDC1AA67BEAC479A81ADD79336B1D674FB43C5FA53603033E62D05D2978AAE17

PID: 2528
Process: lasagna.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI25282\_hashlib.pyd
Type: executable
MD5: D256D9116EAEDE4DBF39A90CC90D594B
SHA256: 456376DA077B6ABF0A7533607EF31B658D02AFFF2F7BCC25A3E454966B6FFA51

PID: 2820
Process: lasagna.exe
Filename: C:\users\admin\appdata\local\temp\irmtmx
Type: -
MD5: -
SHA256: -

PID: 2820
Process: lasagna.exe
Filename: C:\users\admin\appdata\local\temp\kivquposr
Type: -
MD5: -
SHA256: -

PID: 2652
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ITZJ1LOWTSFC0UVSI8QJ.temp
Type: -
MD5: -
SHA256: -

PID: 2744
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2744.13260\USBStealer-3\bitch_lasagna.exe
Type: executable
MD5: 8E29093353B59E20BD83BC36152CD6AB
SHA256: 45EE6DD206DFE435F21336A8107E5B17D2DB9605FDC83FB03E89D7ECCE8C2BAF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info