Malware analysis /photo.zip Malicious activity | ANY.RUN

Add for printing

download:	/photo.zip
Full analysis:	https://app.any.run/tasks/9b636bf1-5752-4000-91dd-edc8c67334b8
Verdict:	Malicious activity
Threats:	Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 08, 2024, 11:08:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer stealc
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	B8B46BFDDBCC278FD97EBDA1780D9C92
SHA1:	36F7ADFBF1F0D76064C7A9A3A5C97BAC0975E0AF
SHA256:	2D427BC288585259AD26F06AF9F1106232EEB54706C16D32F86747DCCDEE1BE4
SSDEEP:	98304:Zsq4CaScknBGQK8Z7ggd9msCUDvOIQH37JjKeseTK6S1u265lj5Ae7Bt+uQiZQiK:+QSXDr+anf33dYKj9L5iDx/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 6528)
- Connects to the CnC server
  - BitLockerToGo.exe (PID: 6472)
- Stealers network behavior
  - BitLockerToGo.exe (PID: 6472)
- STEALC has been detected (SURICATA)
  - BitLockerToGo.exe (PID: 6472)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - BitLockerToGo.exe (PID: 6472)
  - WinRAR.exe (PID: 6528)
- Connects to the server without a host name
  - BitLockerToGo.exe (PID: 6472)
- Contacting a server suspected of hosting an CnC
  - BitLockerToGo.exe (PID: 6472)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 6528)
- Drops 7-zip archiver for unpacking
  - WinRAR.exe (PID: 6528)
- Starts a Microsoft application from unusual location
  - 0Photography.exe (PID: 3140)
- Windows Defender mutex has been found
  - BitLockerToGo.exe (PID: 6472)
INFO
- Checks supported languages
  - 0Photography.exe (PID: 3140)
  - BitLockerToGo.exe (PID: 6472)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6528)
- Reads the computer name
  - BitLockerToGo.exe (PID: 6472)
- Checks proxy server information
  - BitLockerToGo.exe (PID: 6472)
- Creates files or folders in the user directory
  - BitLockerToGo.exe (PID: 6472)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:08:06 15:51:34
ZipCRC:	0x49a6fa02
ZipCompressedSize:	6992185
ZipUncompressedSize:	18706432
ZipFileName:	0Photography.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

132

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3140

"C:\Users\admin\AppData\Local\Temp\Rar$EXa6528.16942\0Photography.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa6528.16942\0Photography.exe

—

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Store Installer

Exit code:

666

Version:

22406.625.4.0

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa6528.16942\0photography.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\powrprof.dll

6472

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

0Photography.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

BitLocker To Go Reader

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

6528

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\photo.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

7 092

Read events

6 818

Write events

274

Delete events

Modification events


(PID) Process:	(6528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\photo.zip
(PID) Process:	(6528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3140	0Photography.exe	C:\Users\Public\Libraries\ldbad.scif		—
		MD5:—	SHA256:—
3140	0Photography.exe	C:\Users\Public\Libraries\pbaoc.scif		—
		MD5:—	SHA256:—
6528	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6528.16942\7z.dll		executable
		MD5:4E35A902CA8ED1C3D4551B1A470C4655	SHA256:77222E81CB7004E8C3E077AADA02B555A3D38FB05B50C64AFD36CA230A8FD5B9
6528	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6528.16942\RarExt.dll		executable
		MD5:9EA95C0A09B40FDD8F51A892C4B6AA10	SHA256:94B0B503A87C0B9F4B4E14666C9771D939867634FD4832B041E5E0F54B080E1B
6528	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6528.16942\RarLng.dll		executable
		MD5:98BBEBE35280DD5E20AE4FE4DA3524E1	SHA256:A3666B7F714EB663374982837A117B44329A4861623F313272D825EF90257D23
6528	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6528.16942\VBoxHeadless.dll		executable
		MD5:9E165368876F944383F52C7D213563E6	SHA256:0AA2E1BC3221796328E6C83FC061A679FF266DB74A7FD79F5E87F8EC54AA1E23
6528	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6528.16942\VBoxHostChannel.dll		executable
		MD5:BF8CF948740F9DBEBED169AB8FA4CBE6	SHA256:B2723D1B22A498A7BD59A807A1B97E6B03C00FBDA53D3A9715C95B224A2BDB3F
6528	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6528.16942\UnityEngine.SubsystemsModule.dll		executable
		MD5:6AA4142D4F9D57D519898DD37535790D	SHA256:A56FE737306BE73AE70F96D6A560ECD7D77F9BA8C2168F1205AB1F4D22E10DFB
6528	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6528.16942\UnityEngine.SubstanceModule.dll		executable
		MD5:7E46D09EC1D86ED8063E8452BD53CEB3	SHA256:83BDE716CA0F4D93751913C7AD58A91B750B0A14D46D379FCEF91EEDE0EB5296
6528	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6528.16942\0Photography.exe		executable
		MD5:71A7FAD1908E4109FAFD551D4C840086	SHA256:5D53CBBEAA975A9EF41F8F2F5201A3F30ADF2120FA12495920940771395CDFB6

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5484	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5484	svchost.exe	GET	304	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6848	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6896	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6472	BitLockerToGo.exe	GET	200	193.176.153.234:80	http://193.176.153.234/	unknown	—	—	unknown
6472	BitLockerToGo.exe	POST	200	193.176.153.234:80	http://193.176.153.234/587ec30955d49a9c.php	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3028	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5244	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3028	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	92.123.104.56:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5484	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.142	whitelisted
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
www.bing.com	92.123.104.56 92.123.104.64 92.123.104.52 92.123.104.62 92.123.104.66 92.123.104.59 92.123.104.58 92.123.104.65 92.123.104.67	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.32.134 20.190.160.20 40.126.32.136 20.190.160.17 40.126.32.76 40.126.32.138 40.126.32.72 40.126.32.74	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
th.bing.com	92.123.104.26 92.123.104.38 92.123.104.34 92.123.104.35 92.123.104.36 92.123.104.30 92.123.104.33 92.123.104.32 92.123.104.28	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted

Threats

PID	Process	Class	Message
6472	BitLockerToGo.exe	Malware Command and Control Activity Detected	STEALER [ANY.RUN] Stealc HTTP POST Request
6472	BitLockerToGo.exe	Malware Command and Control Activity Detected	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Add for printing

No debug info

General Info

/photo.zip

B8B46BFDDBCC278FD97EBDA1780D9C92

36F7ADFBF1F0D76064C7A9A3A5C97BAC0975E0AF

2D427BC288585259AD26F06AF9F1106232EEB54706C16D32F86747DCCDEE1BE4

98304:Zsq4CaScknBGQK8Z7ggd9msCUDvOIQH37JjKeseTK6S1u265lj5Ae7Bt+uQiZQiK:+QSXDr+anf33dYKj9L5iDx/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Connects to the CnC server

Stealers network behavior

STEALC has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Connects to the server without a host name

Contacting a server suspected of hosting an CnC

Process drops legitimate windows executable

Drops 7-zip archiver for unpacking

Starts a Microsoft application from unusual location

Windows Defender mutex has been found

INFO

Checks supported languages

Executable content was dropped or overwritten

Reads the computer name

Checks proxy server information

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings