File name: rfq.7z
Full analysis: https://app.any.run/tasks/a931b25e-dce2-4fff-9047-d2e74e691979
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: May 20, 2019, 11:34:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
keylogger
rat
remcos
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.3
MD5: E2566B05B171F1CA32398ABE724F5C36
SHA1: 1D7707E11A5985A02F624C3B22F57B22D5E6CB74
SHA256: 2D9305F547329A8EDDD60ADD6E4EC72B82C9E184FD33BFB584966CCF5AA48958
SSDEEP: 3072:DkDn+Xb/52+qo60+T1FCoJVT5r8e8hOwaiuNMGKIiPY/NigKZwMacupKAYYorwVT:DkL+Xb/g+qgozx8ThOx32FwFK3MGzC7B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • EXCEL.EXE (PID: 3332)
    • Executable content was dropped or overwritten
      • EXCEL.EXE (PID: 3332)
    • Application was dropped or rewritten from another process
      • KsScL.exe (PID: 2064)
      • KsScL.exe (PID: 2852)
      • server.exe (PID: 1876)
      • server.exe (PID: 3516)
    • Changes the autorun value in the registry
      • KsScL.exe (PID: 2064)
      • server.exe (PID: 1876)
    • Uses SVCHOST.EXE for hidden code execution
      • server.exe (PID: 1876)
    • REMCOS RAT was detected
      • server.exe (PID: 1876)
    • Detected logs from REMCOS RAT
      • server.exe (PID: 1876)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • EXCEL.EXE (PID: 3332)
    • Starts Microsoft Office Application
      • WinRAR.exe (PID: 3380)
    • Executes scripts
      • KsScL.exe (PID: 2064)
    • Application launched itself
      • KsScL.exe (PID: 2852)
      • server.exe (PID: 3516)
    • Executable content was dropped or overwritten
      • KsScL.exe (PID: 2064)
    • Creates files in the user directory
      • KsScL.exe (PID: 2064)
      • server.exe (PID: 1876)
    • Starts CMD.EXE for commands execution
      • WScript.exe (PID: 964)
    • Writes files like Keylogger logs
      • server.exe (PID: 1876)
  • INFO
    • Creates files in the user directory
      • EXCEL.EXE (PID: 3332)
    • Reads Microsoft Office registry keys
      • EXCEL.EXE (PID: 3332)
    • Application was crashed
      • svchost.exe (PID: 3504)
      • svchost.exe (PID: 896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (gen) (100)
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 10
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Process chain (start, drop and start): WinRAR.exe (3380, no specs) → EXCEL.EXE (3332) → KsScL.exe (2852, no specs) → KsScL.exe (2064) → WScript.exe (964, no specs) → cmd.exe (3180, no specs) → server.exe (3516, no specs) → server.exe (1876, #REMCOS) → svchost.exe (3504), svchost.exe (896)

Process information

PID 3380, parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\rfq.7z"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3332, parent process: WinRAR.exe
  CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Excel
  Version: 14.0.6024.1000

PID 2852, parent process: EXCEL.EXE
  CMD: C:\Users\admin\AppData\Local\Temp\KsScL.exe
  Path: C:\Users\admin\AppData\Local\Temp\KsScL.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2064, parent process: KsScL.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\KsScL.exe"
  Path: C:\Users\admin\AppData\Local\Temp\KsScL.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 964, parent process: KsScL.exe
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs"
  Path: C:\Windows\System32\WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 3180, parent process: WScript.exe
  CMD: "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Roaming\server\server.exe"
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3516, parent process: cmd.exe
  CMD: C:\Users\admin\AppData\Roaming\server\server.exe
  Path: C:\Users\admin\AppData\Roaming\server\server.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 1876, parent process: server.exe
  CMD: "C:\Users\admin\AppData\Roaming\server\server.exe"
  Path: C:\Users\admin\AppData\Roaming\server\server.exe
  User: admin
  Integrity Level: MEDIUM

PID 3504, parent process: server.exe
  CMD: C:\Windows\system32\svchost.exe
  Path: C:\Windows\system32\svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Host Process for Windows Services
  Exit code: 3221225725
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 896, parent process: server.exe
  CMD: C:\Windows\system32\svchost.exe
  Path: C:\Windows\system32\svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Host Process for Windows Services
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 509
Read events: 1 443
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 3
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID 3332, EXCEL.EXE: C:\Users\admin\AppData\Local\Temp\CVRA282.tmp.cvr
  MD5: (not recorded)
  SHA256: (not recorded)

PID 3380, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DIb3380.8858\Rfq.xlsm (document)
  MD5: D4A8B8C744B41948ECA6E2AF85B87B90
  SHA256: 26CBE2CACCAEADA07A66F2077B556359D94A404D643453400FC0AEED1CBA8510

PID 1876, server.exe: C:\Users\admin\AppData\Roaming\Screenshots\time_20190520_123506.png (image)
  MD5: 5D464792E681BA980286A3E1D0FEB273
  SHA256: 12625EECE7450190A3F94F66DCC8D70E1AFDB5C4FDC79E46D342F9E977EC8C7E

PID 2064, KsScL.exe: C:\Users\admin\AppData\Local\Temp\install.vbs (binary)
  MD5: 9EC6FEDFA7473C89F4BE85FA4FFC1B57
  SHA256: 0C70303B09A733232019EC43FAF1BBDF724105CC26BCB4646EC5157F5A60C25C

PID 1876, server.exe: C:\Users\admin\AppData\Roaming\remcos\logs.dat (text)
  MD5: 400320FD216BCFE14924CC7508ACB122
  SHA256: 1FF1E8EB52F61A8572BD3291C3BB7DB4059E0A548B449131EE0731F4E6C54453

PID 3332, EXCEL.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\RFFQ[1].exe (executable)
  MD5: F15E448B76331EC8D1C2CF3A7BD4289A
  SHA256: 197738FB685E9A5A083E17D70DD269BDCBC32956810A02220A10449E5EE83A57

PID 3332, EXCEL.EXE: C:\Users\admin\AppData\Local\Temp\KsScL.exe (executable)
  MD5: F15E448B76331EC8D1C2CF3A7BD4289A
  SHA256: 197738FB685E9A5A083E17D70DD269BDCBC32956810A02220A10449E5EE83A57

PID 2064, KsScL.exe: C:\Users\admin\AppData\Roaming\server\server.exe (executable)
  MD5: F15E448B76331EC8D1C2CF3A7BD4289A
  SHA256: 197738FB685E9A5A083E17D70DD269BDCBC32956810A02220A10449E5EE83A57
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 3332, EXCEL.EXE
  IP: 31.31.196.162:443
  Domain: master-peredelkino.ru
  ASN: Domain names registrar REG.RU, Ltd
  CN: RU
  Reputation: suspicious

PID 1876, server.exe
  IP: 160.116.15.144:1337
  Domain: dmurrray.warzonedns.com
  ASN: (not recorded)
  CN: ZA
  Reputation: malicious

DNS requests

  • master-peredelkino.ru → 31.31.196.162 (reputation: suspicious)
  • dmurrray.warzonedns.com → 160.116.15.144 (reputation: malicious)

Threats

Found threats are available for the paid subscriptions
1 ETPRO signature available at the full report
No debug info