File name:

SMS-Bomber [0.2.1] by Artem Zolotarevskiy.zip

Full analysis: https://app.any.run/tasks/7aafda70-a37c-4fff-8eb0-a22cf77840ce
Verdict: Malicious activity
Analysis date: May 13, 2019, 12:59:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

F79ED2C9885F4FA20787F1DDCE521926

SHA1:

2B5A508F49F440D9BBA606FDD95FECE07F10EF8D

SHA256:

2D06FFEABB34E54EECC8E41A119D6E543C8E7360FC9141C964DB45AC8158B5AC

SSDEEP:

49152:X/g9S3+SLpujL5Mn9AoceCDG1TwTr0MdXWdPM9/1Vgj6gHvvxU+D0KCVU:XxOSLwHaAeCDKw/gqZs6WxUhK8U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe (PID: 2248)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1944)
      • SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe (PID: 2248)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2832)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2004:01:11 23:00:00
ZipCRC: 0x35563170
ZipCompressedSize: 181126
ZipUncompressedSize: 348160
ZipFileName: msvcr71.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs sms-bomber [0.2.1] by artem zolotarevskiy.exe

Process information

PID
CMD
Path
Indicators
Parent process
1944"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2248"C:\Users\admin\Desktop\SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe" C:\Users\admin\Desktop\SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
explorer.exe
User:
admin
Company:
ScripTop Company
Integrity Level:
MEDIUM
Description:
SMS-Bomber [0.2.1] by Artem Zolotarevskiy
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\sms-bomber [0.2.1] by artem zolotarevskiy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2832"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SMS-Bomber [0.2.1] by Artem Zolotarevskiy.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
818
Read events
784
Write events
34
Delete events
0

Modification events

(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2832) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\SMS-Bomber [0.2.1] by Artem Zolotarevskiy.zip
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(2832) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
4
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2832WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2832.36935\libeay32.dllexecutable
MD5:177BDA0C92482DFA2C162A3750932B9C
SHA256:17A4B75EF43A4FDEEDAEF86C39BEAD6719144E3E368B55898B79ECB371012854
2832WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2832.36935\Skins\default.aszbinary
MD5:58D2975CCB969D5C8AC1D13103139159
SHA256:8968820FD2780710E90B861DAC7ED5870B46EED95E94011374679A659DC15BED
2832WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2832.36935\SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exeexecutable
MD5:83F6419032487A8D15DDDC566970A8BF
SHA256:CF2D9D354909FE3C4642C104B0F6E7566713BAF466BC4FDE1208A7202CF2417E
2832WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2832.36935\ssleay32.dllexecutable
MD5:5023F4C4AAAA1B6E9D992D6BBDCD340B
SHA256:59B1BE1072DD4ACA5DDCF9B66D5DF8BEC327B4891925BA2339FE6AC6A1BF6D19
2832WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2832.36935\msvcr71.dllexecutable
MD5:86F1895AE8C5E8B17D99ECE768A70732
SHA256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
23
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
POST
200
87.236.16.99:80
http://www.theyeru.ru/api/sms-bomber/method/description.get.php
RU
text
1.20 Kb
malicious
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
POST
104.25.105.23:80
http://www.777taxi.ru/swift-online/ValidateViaSms.php
US
suspicious
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
POST
104.25.105.23:80
http://www.777taxi.ru/swift-online/ValidateViaSms.php
US
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
87.236.16.99:80
www.theyeru.ru
Beget Ltd
RU
malicious
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
104.25.105.23:80
www.777taxi.ru
Cloudflare Inc
US
shared
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
185.71.188.52:443
beepcar.ru
Comuto SAS
FR
unknown
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
178.248.237.53:443
taximaxim.ru
HLL LLC
RU
unknown
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
81.19.78.87:443
id.rambler.ru
Rambler Internet Holding LLC
RU
unknown
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
104.20.29.45:443
ru.gett.com
Cloudflare Inc
US
shared
104.25.105.23:80
www.777taxi.ru
Cloudflare Inc
US
shared
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
213.180.204.24:443
passport.yandex.ru
YANDEX LLC
RU
whitelisted
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
5.45.217.7:443
m.taxi.yandex.ru
YANDEX LLC
RU
whitelisted
2248
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.exe
87.240.129.134:443
api.vk.com
VKontakte Ltd
RU
unknown

DNS requests

Domain
IP
Reputation
www.theyeru.ru
  • 87.236.16.99
malicious
www.777taxi.ru
  • 104.25.105.23
  • 104.25.104.23
suspicious
beepcar.ru
  • 185.71.188.52
  • 185.71.188.56
  • 185.71.188.54
  • 185.71.188.53
  • 185.71.188.55
  • 185.71.188.51
whitelisted
taximaxim.ru
  • 178.248.237.53
whitelisted
id.rambler.ru
  • 81.19.78.87
  • 81.19.78.88
  • 81.19.78.90
  • 81.19.78.89
whitelisted
ru.gett.com
  • 104.20.29.45
  • 104.20.28.45
suspicious
passport.yandex.ru
  • 213.180.204.24
whitelisted
api.vk.com
  • 87.240.129.134
  • 87.240.129.177
  • 87.240.129.178
  • 87.240.129.179
  • 95.213.11.163
  • 95.213.11.164
  • 93.186.225.192
  • 93.186.225.196
  • 87.240.129.130
  • 87.240.129.132
whitelisted
e.mail.ru
  • 217.69.139.215
  • 94.100.180.216
  • 217.69.139.216
  • 94.100.180.215
suspicious
m.taxi.yandex.ru
  • 5.45.217.7
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SMS-Bomber [0.2.1] by Artem Zolotarevskiy.zip