analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Archive.zip.exe

Full analysis: https://app.any.run/tasks/cf74cd9e-6b0c-4937-9f1d-03351e560909
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 24, 2019, 13:01:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
evasion
loader
adware
pup
linkury
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

FD614D74219A9CBE43A0276EC3F70A1E

SHA1:

2607E78072CEDF2B420CB0B312567BC6983068C3

SHA256:

2A165697A6509BEDC9E9E9264FD01CA602266DE0B3A9A99C82A8B55C089DE9E7

SSDEEP:

6144:Xi3cXXfCPHXWrQnygJn467SHHHaCchptgVM8idyZRAOtjB4BRPyxUT:Xi3cXXfYHXWrQnygJn4603ktMRR7+RPr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Disables Windows Defender Real-time monitoring

      • Archive.zip.exe (PID: 3504)
    • Loads the Task Scheduler COM API

      • Archive.zip.exe (PID: 3504)
      • 479B.tmp.exe (PID: 2692)
    • Connects to CnC server

      • Archive.zip.exe (PID: 3504)
      • fish.exe (PID: 2784)
      • CloudPrinter.exe (PID: 2592)
      • Hotsonlex.exe (PID: 2460)
    • Application was dropped or rewritten from another process

      • 479B.tmp.exe (PID: 2692)
      • B078.tmp.exe (PID: 3600)
      • fish.exe (PID: 2784)
      • Hotsonlex.exe (PID: 2460)
      • CloudPrinter.exe (PID: 2592)
      • Apstrong.exe (PID: 3444)
    • Downloads executable files from the Internet

      • Archive.zip.exe (PID: 3504)
      • B078.tmp.exe (PID: 3600)
    • LINKURY was detected

      • fish.exe (PID: 2784)
      • Hotsonlex.exe (PID: 2460)
      • CloudPrinter.exe (PID: 2592)
    • Changes settings of System certificates

      • CloudPrinter.exe (PID: 2592)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Archive.zip.exe (PID: 3504)
      • 479B.tmp.exe (PID: 2692)
      • B078.tmp.exe (PID: 3600)
      • fish.exe (PID: 2784)
      • Hotsonlex.exe (PID: 2460)
    • Checks for external IP

      • Archive.zip.exe (PID: 3504)
    • Creates files in the user directory

      • Archive.zip.exe (PID: 3504)
      • 479B.tmp.exe (PID: 2692)
    • Starts Internet Explorer

      • 479B.tmp.exe (PID: 2692)
    • Starts itself from another location

      • fish.exe (PID: 2784)
    • Creates files in the program directory

      • Hotsonlex.exe (PID: 2460)
    • Starts SC.EXE for service management

      • Hotsonlex.exe (PID: 2460)
    • Executed as Windows Service

      • CloudPrinter.exe (PID: 2592)
    • Adds / modifies Windows certificates

      • CloudPrinter.exe (PID: 2592)
    • Creates files in the Windows directory

      • CloudPrinter.exe (PID: 2592)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2104)
    • Changes internet zones settings

      • iexplore.exe (PID: 2104)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3048)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3048)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3048)
    • Creates files in the user directory

      • iexplore.exe (PID: 3048)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:23 21:44:53+02:00
PEType: PE32
LinkerVersion: 14.16
CodeSize: 215040
InitializedDataSize: 112640
UninitializedDataSize: -
EntryPoint: 0x1a157
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 23-May-2019 19:44:53
Detected languages:
  • English - United States
Debug artifacts:
  • C:\Work\installer\Release\installer_.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 23-May-2019 19:44:53
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000347FC
0x00034800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.57685
.rdata
0x00036000
0x00016670
0x00016800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.11325
.data
0x0004D000
0x00001E78
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.47168
.rsrc
0x0004F000
0x000001E8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.76813
.reloc
0x00050000
0x00002DDC
0x00002E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.58706

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.89623
392
UNKNOWN
English - United States
RT_MANIFEST

Imports

ADVAPI32.dll
KERNEL32.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
WININET.dll
ole32.dll
urlmon.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
12
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start archive.zip.exe no specs archive.zip.exe 479b.tmp.exe iexplore.exe iexplore.exe no specs iexplore.exe b078.tmp.exe #LINKURY fish.exe #LINKURY hotsonlex.exe sc.exe no specs #LINKURY cloudprinter.exe apstrong.exe

Process information

PID
CMD
Path
Indicators
Parent process
3960"C:\Users\admin\AppData\Local\Temp\Archive.zip.exe" C:\Users\admin\AppData\Local\Temp\Archive.zip.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
3504"C:\Users\admin\AppData\Local\Temp\Archive.zip.exe" C:\Users\admin\AppData\Local\Temp\Archive.zip.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
2692C:\Users\admin\AppData\Local\Temp\479B.tmp.exe 1C:\Users\admin\AppData\Local\Temp\479B.tmp.exe
Archive.zip.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2104"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
479B.tmp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
4294967295
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1932"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2104 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
4294967295
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3048"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2104 CREDAT:79874C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
4294967295
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3600C:\Users\admin\AppData\Local\Temp\B078.tmp.exeC:\Users\admin\AppData\Local\Temp\B078.tmp.exe
Archive.zip.exe
User:
admin
Integrity Level:
HIGH
2784C:\Users\admin\AppData\Local\Temp\fish.exe {"packer":{"DistributerName":"APSFPango","ChannelId":"3"},"Agent":{"SetAll":"true"}}C:\Users\admin\AppData\Local\Temp\fish.exe
B078.tmp.exe
User:
admin
Company:
TODO: <Company name>
Integrity Level:
HIGH
Description:
TODO: <File description>
Version:
1.0.0.1
2460"C:\Users\admin\AppData\Local\Hotsonlex.exe" shuz -f "lobby.dat" -l -a DeviceId=a6985883-ace4-b706-fafa-0ee4efb037e4 Distributer=APSFPango ChannelId=3 BarcodeId=54565003 ApName=PangocC:\Users\admin\AppData\Local\Hotsonlex.exe
fish.exe
User:
admin
Company:
TODO: <Company name>
Integrity Level:
HIGH
Description:
TODO: <File description>
Exit code:
0
Version:
1.0.0.1
272"C:\Windows\system32\sc.exe" create CloudPrinter binpath= "C:\ProgramData\\CloudPrinter\\CloudPrinter.exe shuz -f \"C:\ProgramData\\CloudPrinter\\CloudPrinter.dat\" -l -a" DisplayName= CloudPrinter start= autoC:\Windows\system32\sc.exeHotsonlex.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
740
Read events
546
Write events
0
Delete events
0

Modification events

No data
Executable files
11
Suspicious files
9
Text files
16
Unknown types
5

Dropped files

PID
Process
Filename
Type
2104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2104iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2104iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico
MD5:
SHA256:
3048iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\izrknsamlj[1].txt
MD5:
SHA256:
3048iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].gif
MD5:
SHA256:
3504Archive.zip.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\things[1].xmltext
MD5:759940CB70765E8F625819AB72D84B4B
SHA256:2C920CD57FB46B8C5D78EE629FF92E78F0D434D5E5F99FCA0B91E8C95ABBA0CD
2784fish.exeC:\Users\admin\AppData\Local\sha.dbsqlite
MD5:C95B351AB7B05D0B5FF82E1332688CF8
SHA256:7E7867E750DBB9DE1B642FDB104186FDCCCF2372943ED53B357C0583A332B87A
3504Archive.zip.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\4C384435-9E82-4011-ACF3-78489BB98229[1].exeexecutable
MD5:9DC487176719FC91813B56BADD0ECA2F
SHA256:97FDD9719283A3853F517A2DCD3C1858AD2BFAC0B1B5362F2C846018C6462181
3504Archive.zip.exeC:\Users\admin\AppData\Local\Temp\B078.tmp.exeexecutable
MD5:9DC487176719FC91813B56BADD0ECA2F
SHA256:97FDD9719283A3853F517A2DCD3C1858AD2BFAC0B1B5362F2C846018C6462181
3600B078.tmp.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\doggie[1].exeexecutable
MD5:BBF676E79C112B842BA1A32EE375B4B0
SHA256:A5F0C503E3ACF19C165CB155CAD3EE13671F2D05A77E0EA7338404DA74164521
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
69
TCP/UDP connections
23
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3504
Archive.zip.exe
GET
200
40.117.62.142:80
http://hostas.ml/click.php?cnv_id=d6652ghtlxrwje02
US
malicious
3048
iexplore.exe
GET
302
23.96.102.65:80
http://hostpp.ml/bb/tds.php
US
malicious
3504
Archive.zip.exe
GET
200
23.96.102.65:80
http://www.hostpp.ml/20190118/4C384435-9E82-4011-ACF3-78489BB98229.exe
US
executable
148 Kb
malicious
2784
fish.exe
GET
200
65.52.32.169:80
http://madmax.utyuytjn.com/MaxMind.asmx/GetGeoInfo
US
xml
173 b
whitelisted
3504
Archive.zip.exe
GET
200
23.96.102.65:80
http://hostpp.ml/20190118/things.xml
US
text
4.33 Kb
malicious
3504
Archive.zip.exe
GET
200
23.96.102.65:80
http://www.hostpp.ml/20190118/multishare.exe
US
executable
126 Kb
malicious
2784
fish.exe
GET
200
13.66.51.223:80
http://svc-stats.linkury.com/StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?distributorName=APSFPango
US
text
13 b
shared
3504
Archive.zip.exe
GET
200
185.194.141.58:80
http://ip-api.com/xml
DE
xml
599 b
shared
3048
iexplore.exe
GET
302
104.18.56.101:80
http://minimal.beneficiary.shop/gor?param1=c&param2=2&visitor_id=3
US
html
132 b
shared
2784
fish.exe
GET
200
52.174.148.190:80
http://updates.utyuytjn.com/Update/CheckInstallConfig?deviceid=a6985883-ace4-b706-fafa-0ee4efb037e4&distributer=APSFPango&channelid=3&barcodeid=54565003&country=IT&encrypt=True
NL
text
498 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3504
Archive.zip.exe
23.96.102.65:80
hostpp.ml
Microsoft Corporation
US
malicious
3504
Archive.zip.exe
185.194.141.58:80
ip-api.com
netcup GmbH
DE
unknown
3504
Archive.zip.exe
40.117.62.142:80
hostas.ml
Microsoft Corporation
US
suspicious
3048
iexplore.exe
23.96.102.65:80
hostpp.ml
Microsoft Corporation
US
malicious
3504
Archive.zip.exe
172.217.21.228:80
google-analytics.com
Google Inc.
US
whitelisted
2784
fish.exe
65.52.32.169:80
madmax.utyuytjn.com
Microsoft Corporation
US
whitelisted
3048
iexplore.exe
138.68.113.179:443
click.dailynews.support
Digital Ocean, Inc.
DE
unknown
13.66.51.223:80
svc-stats.linkury.com
Microsoft Corporation
US
whitelisted
2784
fish.exe
13.66.51.223:80
svc-stats.linkury.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
hostas.ml
  • 40.117.62.142
malicious
ip-api.com
  • 185.194.141.58
shared
google-analytics.com
  • 172.217.21.228
whitelisted
hostpp.ml
  • 23.96.102.65
malicious
www.hostpp.ml
  • 23.96.102.65
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
minimal.beneficiary.shop
  • 104.18.56.101
  • 104.18.57.101
unknown
click.dailynews.support
  • 138.68.113.179
unknown
install.portmdfmoon.com
  • 52.174.148.190
unknown
cds.g6f3t2z8.hwcdn.net
  • 69.16.175.10
  • 69.16.175.42
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ml Domain
3504
Archive.zip.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504
Archive.zip.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
3504
Archive.zip.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504
Archive.zip.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504
Archive.zip.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504
Archive.zip.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504
Archive.zip.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
3504
Archive.zip.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3504
Archive.zip.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/QwertMiner CoinMiner UA
99 ETPRO signatures available at the full report
Process
Message
Archive.zip.exe
[24/05/2019 13:01:39:0521] 3.0
Archive.zip.exe
[24/05/2019 13:01:39:0521] CommandLine: i
Archive.zip.exe
[24/05/2019 13:01:39:0943] Country: IT
Archive.zip.exe
[24/05/2019 13:01:39:0943] Start count: 0
Archive.zip.exe
[24/05/2019 13:01:39:0943] Start count: 0
Archive.zip.exe
[24/05/2019 13:01:39:0943] Date: 2017/10/5
Archive.zip.exe
[24/05/2019 13:01:40:0006] AV:
Archive.zip.exe
[24/05/2019 13:01:40:0037] Browser:
Archive.zip.exe
[24/05/2019 13:01:40:0287]
Archive.zip.exe
[24/05/2019 13:01:40:0287] multishare