analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

2.eml

Full analysis: https://app.any.run/tasks/8e8b09f9-cb2a-4752-bba3-c21e141f90c2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 11, 2019, 08:25:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
ransomware
troldesh
shade
Indicators:
MIME: text/plain
File info: MIME entity, ASCII text, with CRLF line terminators
MD5:

775E007F92588EF8B46D7593F53939F4

SHA1:

463348698939EC89EE5CFD0955DB99461081F656

SHA256:

30AE463054321F7C17C27B215A34A1F030953730EACE640AC959B98955A4D771

SSDEEP:

384:yKMekURwoIpLad4VorwljkwIeRhZc2ZW+L0z2fW5qvrz5cQq:yKPkURwooad4uwpphZE+L/bVnq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rad2FEFC.tmp (PID: 3008)
      • rad2FEFC.tmp (PID: 3268)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 4048)
    • Changes the autorun value in the registry

      • rad2FEFC.tmp (PID: 3268)
    • TROLDESH was detected

      • rad2FEFC.tmp (PID: 3268)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3412)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 4048)
      • rad2FEFC.tmp (PID: 3268)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2188)
      • rad2FEFC.tmp (PID: 3008)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 4048)
    • Executes scripts

      • WinRAR.exe (PID: 3608)
    • Creates files in the user directory

      • WScript.exe (PID: 4048)
      • OUTLOOK.EXE (PID: 3412)
    • Creates files in the program directory

      • rad2FEFC.tmp (PID: 3268)
    • Application launched itself

      • rad2FEFC.tmp (PID: 3008)
  • INFO

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
7
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start outlook.exe winrar.exe no specs winrar.exe no specs wscript.exe cmd.exe no specs rad2fefc.tmp no specs #TROLDESH rad2fefc.tmp

Process information

PID
CMD
Path
Indicators
Parent process
3412"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\2.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
3388"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3KMEQOAZ\Колобов.rar"C:\Program Files\WinRAR\WinRAR.exeOUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3608"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3KMEQOAZ\Колобов.rar"C:\Program Files\WinRAR\WinRAR.exeOUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
4048"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3608.37691\Информация о заказе.2019-09.10.docx.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2188"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad2FEFC.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3008C:\Users\admin\AppData\Local\Temp\rad2FEFC.tmpC:\Users\admin\AppData\Local\Temp\rad2FEFC.tmpcmd.exe
User:
admin
Company:
forest
Integrity Level:
MEDIUM
Description:
Iis Factory Unreal Interactivity
Exit code:
0
3268C:\Users\admin\AppData\Local\Temp\rad2FEFC.tmpC:\Users\admin\AppData\Local\Temp\rad2FEFC.tmp
rad2FEFC.tmp
User:
admin
Company:
forest
Integrity Level:
MEDIUM
Description:
Iis Factory Unreal Interactivity
Total events
2 963
Read events
2 490
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
2
Text files
27
Unknown types
2

Dropped files

PID
Process
Filename
Type
3412OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR9BB8.tmp.cvr
MD5:
SHA256:
3412OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3KMEQOAZ\Колобов (2).rar\:Zone.Identifier:$DATA
MD5:
SHA256:
3268rad2FEFC.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
3412OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:254F7DAD0DE5AF0F0F1DCBEF33D3CB96
SHA256:AB9E0AA7511C21071C88D7E9A9E41557F5CE183ADD3E0A6BCC06FDF2E1C81686
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb3608.37691\Информация о заказе.2019-09.10.docx.jstext
MD5:5A3953903E90332613C6F99EAFE6812F
SHA256:BA7C1D99D1AC5EF9F1D928FE862FA7E412A27EEF8F9A0A4F2DFCDC67701A6D1C
3412OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3KMEQOAZ\Колобов.rarcompressed
MD5:5377C445EB451CA1A7702495A260D487
SHA256:4DBA410FC2E854CD36F4CFA003F64905E7B9483D7937247BD7ACD090BDB3EE01
3268rad2FEFC.tmpC:\ProgramData\Windows\csrss.exeexecutable
MD5:F148900C917E058CBAF155E4AB61BF67
SHA256:F48824D00A5E0D8E4A45D007997B7F2B6B6665990FB0BD71B275A9765C73FD12
3008rad2FEFC.tmpC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cliptext
MD5:5A56715E780164D29CD74E79CB4C326C
SHA256:CD0B438B27CCD4136445DD655AB8BDEC9BC27D727A8A55691528140EEA70DE2E
4048WScript.exeC:\Users\admin\AppData\Local\Temp\rad2FEFC.tmpexecutable
MD5:F148900C917E058CBAF155E4AB61BF67
SHA256:F48824D00A5E0D8E4A45D007997B7F2B6B6665990FB0BD71B275A9765C73FD12
3412OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\3KMEQOAZ\Колобов (2).rarcompressed
MD5:5377C445EB451CA1A7702495A260D487
SHA256:4DBA410FC2E854CD36F4CFA003F64905E7B9483D7937247BD7ACD090BDB3EE01
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
4
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4048
WScript.exe
GET
200
81.169.145.148:80
http://mtbplus.de/wp-content/themes/treville/languages/1c.jpg
DE
executable
1.88 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3412
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3268
rad2FEFC.tmp
76.73.17.194:9090
Cogent Communications
US
malicious
3268
rad2FEFC.tmp
208.83.223.34:80
Applied Operations, LLC
US
malicious
4048
WScript.exe
81.169.145.148:80
mtbplus.de
Strato AG
DE
malicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
mtbplus.de
  • 81.169.145.148
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
4048
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
4048
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
4048
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2 ETPRO signatures available at the full report
No debug info