URL:	https://raw.githubusercontent.com/bowker-bulger/Vruntes/master/masksim.exe
Full analysis:	https://app.any.run/tasks/e4015721-f94b-4517-90c4-e8bb842b86d9
Verdict:	Malicious activity
Threats:	Predator, the Thief, is an information stealer, meaning that malware steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	November 13, 2019, 07:01:22
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	trojan stealer predator
Indicators:
MD5:	1833D0E6F5F3A4A88294DE370EA6427B
SHA1:	39983CE45EED15FF6B442BC1407BB8D5341541D6
SHA256:	32EE469666385E371BBA292B0C0763DC4BCE7598BCFD9764C11B827335D26110
SSDEEP:	3:N8SGfALtGTJbHzyKqT+D62N:2FMGlbHzyKO+bN


(PID) Process:	(2132) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(2132) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2132) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2132) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:	write	Name:	SecuritySafe
Value: 1
(PID) Process:	(2132) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2132) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:	(2132) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:	write	Name:	{6F33F4D7-05E3-11EA-AB41-5254004A04AF}
Value: 0
(PID) Process:	(2132) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Type
Value: 4
(PID) Process:	(2132) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Count
Value: 2
(PID) Process:	(2132) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Time
Value: E3070B0003000D00070001002600C300

PID	Process	Filename		Type
2132	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico		—
		MD5:—	SHA256:—
2132	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
2132	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF19E77856DCCBC5DA.TMP		—
		MD5:—	SHA256:—
2132	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DFCD54511AFF5EE17A.TMP		—
		MD5:—	SHA256:—
2132	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{6F33F4D7-05E3-11EA-AB41-5254004A04AF}.dat		—
		MD5:—	SHA256:—
3376	masksim[1].exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\masksim.ocx		—
		MD5:—	SHA256:—
3268	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:FD16548062266DBBE9D65F57AB1B6919	SHA256:3D5D6AB2F01C01425660E49FC6880AC9E005FDFEA99043A9A1A87AEB7AF90ACE
3268	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\F5HKWCE2\masksim[1].exe		executable
		MD5:D72BC8620563590F8C4B9A62529560C1	SHA256:EB08B2267061CDC576D9364014D6106C8C4E8780989EB8175051E7152164981E
3268	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019111320191114\index.dat		dat
		MD5:D0AECAD0B683D2CF858130E1DEB04DD3	SHA256:F61D36B1FB1C86631083F4BDF8F75610809EBBABAC7CDD624C8F16B9375CA71C
3268	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat		dat
		MD5:A8E3F8C0428ACA370DDA1ED76F9173F2	SHA256:C1E0686F5550D5570D667D30253EB85E5359582E88E8CA9DD69A54391448BD51

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1044	TapiUnattend.exe	POST	200	92.63.197.238:80	http://color34.site/api/check.get	RU	text	132 b	malicious
1044	TapiUnattend.exe	POST	200	92.63.197.238:80	http://color34.site/api/gate.get?p1=2&p2=5&p3=0&p4=2&p5=0&p6=0&p7=0&p8=0&p9=0&p10=m43nG8oW/3bnJ00YMs5hJU4fg9WX2jb7vjC0	RU	text	132 b	malicious
2132	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
3268	iexplore.exe	151.101.0.133:443	raw.githubusercontent.com	Fastly	US	malicious
2132	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
1044	TapiUnattend.exe	92.63.197.238:80	color34.site	—	RU	malicious

Domain	IP	Reputation
raw.githubusercontent.com	151.101.0.133 151.101.64.133 151.101.128.133 151.101.192.133	shared
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
color34.site	92.63.197.238	malicious

General Info

https://raw.githubusercontent.com/bowker-bulger/Vruntes/master/masksim.exe

1833D0E6F5F3A4A88294DE370EA6427B

39983CE45EED15FF6B442BC1407BB8D5341541D6

32EE469666385E371BBA292B0C0763DC4BCE7598BCFD9764C11B827335D26110

3:N8SGfALtGTJbHzyKqT+D62N:2FMGlbHzyKO+bN

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

PREDATOR was detected

Connects to CnC server

SUSPICIOUS

Creates files in the user directory

Executable content was dropped or overwritten

Starts CMD.EXE for self-deleting

Reads the cookies of Google Chrome

Starts CMD.EXE for commands execution

Reads the cookies of Mozilla Firefox

INFO

Application launched itself

Changes internet zones settings

Reads Internet Cache Settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings