File name: | 1.zip |
Full analysis: | https://app.any.run/tasks/e8150f58-e95a-47db-adb0-a1e6f1812b4a |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | March 31, 2020, 08:09:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | E3F9C417C058B15D963D2400813554FA |
SHA1: | A8C7F3B51DAD387A110A07D9D046EF969AD81212 |
SHA256: | 2E95B77D0C6656423AD9B1C3FADFD37E8AB18098D8B6C34C3D5CF9081E65BDE4 |
SSDEEP: | 98304:EwFRR1hLEs974t5hJLNryG6bj3bCEHloKfPXgwXz1HvyzapAshWNIY7VUfc:Eqs7hf+G6bj39znXgwXVyqAX2YSc |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2015:06:13 02:48:09 |
ZipCRC: | 0xb1c54cbb |
ZipCompressedSize: | 653953 |
ZipUncompressedSize: | 1362432 |
ZipFileName: | libeay32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1832 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3548 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
2168 | "C:\Users\admin\Desktop\[NEW] Netflix Premium Account Generator (2020).exe" | C:\Users\admin\Desktop\[NEW] Netflix Premium Account Generator (2020).exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2804 | "C:\Users\admin\AppData\Local\Temp\Oski.exe" | C:\Users\admin\AppData\Local\Temp\Oski.exe | [NEW] Netflix Premium Account Generator (2020).exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3316 | "C:\Users\admin\AppData\Local\Temp\ThePhone(32bit).exe" | C:\Users\admin\AppData\Local\Temp\ThePhone(32bit).exe | [NEW] Netflix Premium Account Generator (2020).exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
680 | "C:\Users\admin\Desktop\[NEW] Netflix Premium Account Generator (2020).exe" | C:\Users\admin\Desktop\[NEW] Netflix Premium Account Generator (2020).exe | [NEW] Netflix Premium Account Generator (2020).exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3036 | --scrypt -o stratum+tcp://us.litecoinpool.org:3333 -u hackore55.4 -p 4 | C:\Users\admin\AppData\Roaming\MyPhone\MyPhone(32bit).exe | ThePhone(32bit).exe | |
User: admin Integrity Level: MEDIUM | ||||
3732 | --scrypt -o stratum+tcp://us.litecoinpool.org:3333 -u hackore55.4 -p 4 | C:\Users\admin\AppData\Roaming\MyPhone\MyPhone(32bit).exe | ThePhone(32bit).exe | |
User: admin Integrity Level: MEDIUM | ||||
3376 | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-time-tool.resources\mfc100fra.exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-time-tool.resources\mfc100fra.exe | — | [NEW] Netflix Premium Account Generator (2020).exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3760 | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-time-tool.resources\mfc100fra.exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-time-tool.resources\mfc100fra.exe | mfc100fra.exe | |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
1832 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1832.2115\[NEW] Netflix Premium Account Generator (2020).exe | executable | |
MD5:D4D6D5704BC81449CAFA1619351C8DA9 | SHA256:E6B3FB186D8C44BDBFE6F767900A7FDCAAD8AF1F6D2552AAAA1B0409A03F3203 | |||
2168 | [NEW] Netflix Premium Account Generator (2020).exe | C:\Users\admin\AppData\Local\Temp\Oski.exe | executable | |
MD5:5EA936F671D360BBE5F29472DDC99681 | SHA256:4229A147CEC8C2ED7C31E0A069086D0394A11F8F2C58C33A8BAD3F782161A028 | |||
2168 | [NEW] Netflix Premium Account Generator (2020).exe | C:\Users\admin\AppData\Local\Temp\ThePhone(32bit).exe | executable | |
MD5:B7E182E3E54F95F8AD87AAB4B9EE9EAA | SHA256:F6C0362A222C8F3572C10E1F5FBF8389AF734A0DFFC081EB45B12EB040754983 | |||
3316 | ThePhone(32bit).exe | C:\Users\admin\AppData\Roaming\MyPhone\libwinpthread-1.dll | executable | |
MD5:7A2008C80F306EED0B8152B584E8153C | SHA256:DD04524DD4220A868C6E35183F6284BBF7CD1FA9273D85636239E0FC3AC245E4 | |||
680 | [NEW] Netflix Premium Account Generator (2020).exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-time-tool.resources\ENU_6887FE9730D2535E9D41 | — | |
MD5:— | SHA256:— | |||
3316 | ThePhone(32bit).exe | C:\Users\admin\AppData\Roaming\MyPhone\OpenCL.dll | executable | |
MD5:C4F271897205DB916F46CE88F910EB5B | SHA256:9AE4BE443B4C1BCA28F3F5722756EF12A8C480C73D55020B253264DCE801B772 | |||
3316 | ThePhone(32bit).exe | C:\Users\admin\AppData\Roaming\MyPhone\ssleay32.dll | executable | |
MD5:5935940918FA77C777FCD0475149A217 | SHA256:ED0B0F0D40C902703E212279F99C6DCF403EB75EBA4ABB058CB39129D09A6467 | |||
1832 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1832.2115\ssleay32.dll | executable | |
MD5:CF2C57DDA3766C204C398430DA23693D | SHA256:492F045643354C8B9FA11673B6C32CDBB33779826A729CE55DE5901279C1F6D5 | |||
3316 | ThePhone(32bit).exe | C:\Users\admin\AppData\Roaming\MyPhone\libssh2.dll | executable | |
MD5:8F0FC353DC7716A75272C002F17E367B | SHA256:7714F81F04FDBACC8CD226C70A0F7E0A903B12E163A05B1AB1D3C6BC6B9AE466 | |||
3316 | ThePhone(32bit).exe | C:\Users\admin\AppData\Roaming\MyPhone\diakgcn121016.cl | text | |
MD5:E316C3C6069AEC5DAF069CAB14D44F1C | SHA256:D1BC7A702C3D0A5D7A1FC34C2432F6E16C67A006F9BF9899BA063098CD533B55 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2804 | Oski.exe | POST | 200 | 194.87.238.60:80 | http://194.87.238.60/ | RU | — | — | malicious |
2804 | Oski.exe | POST | 200 | 194.87.238.60:80 | http://194.87.238.60/vcruntime140.dll | RU | executable | 81.8 Kb | malicious |
2804 | Oski.exe | POST | — | 194.87.238.60:80 | http://194.87.238.60/main.php | RU | — | — | malicious |
2804 | Oski.exe | POST | 200 | 194.87.238.60:80 | http://194.87.238.60/sqlite3.dll | RU | executable | 630 Kb | malicious |
2804 | Oski.exe | POST | 200 | 194.87.238.60:80 | http://194.87.238.60/mozglue.dll | RU | executable | 133 Kb | malicious |
2804 | Oski.exe | POST | 200 | 194.87.238.60:80 | http://194.87.238.60/main.php | RU | — | — | malicious |
2804 | Oski.exe | POST | 200 | 194.87.238.60:80 | http://194.87.238.60/softokn3.dll | RU | executable | 141 Kb | malicious |
2804 | Oski.exe | POST | 200 | 194.87.238.60:80 | http://194.87.238.60/nss3.dll | RU | executable | 1.19 Mb | malicious |
2804 | Oski.exe | POST | 200 | 194.87.238.60:80 | http://194.87.238.60/freebl3.dll | RU | executable | 326 Kb | malicious |
2804 | Oski.exe | POST | 200 | 194.87.238.60:80 | http://194.87.238.60/msvcp140.dll | RU | executable | 429 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3732 | MyPhone(32bit).exe | 158.69.196.61:3333 | us.litecoinpool.org | OVH SAS | CA | malicious |
3036 | MyPhone(32bit).exe | 104.236.57.24:3333 | us.litecoinpool.org | Digital Ocean, Inc. | US | malicious |
3760 | mfc100fra.exe | 104.26.9.44:443 | ipapi.co | Cloudflare Inc | US | malicious |
2804 | Oski.exe | 194.87.238.60:80 | — | JSC Mediasoft ekspert | RU | malicious |
3760 | mfc100fra.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger LLP | GB | malicious |
Domain | IP | Reputation |
---|---|---|
us.litecoinpool.org |
| malicious |
api.telegram.org |
| shared |
ipapi.co |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2804 | Oski.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
2804 | Oski.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary |
2804 | Oski.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2804 | Oski.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
2804 | Oski.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary |
2804 | Oski.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
2804 | Oski.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary |
2804 | Oski.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
2804 | Oski.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary |
2804 | Oski.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |