File name: CobraInjector (1).zip
Full analysis: https://app.any.run/tasks/a87e80f6-8610-4923-9762-4c1b168d6060
Verdict: Malicious activity
Analysis date: November 16, 2019, 22:09:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 07EE8184F4ABF47CDEB138831CDAB293
SHA1: D585E934AD0EBB079DBBFB79A02961318A2326B6
SHA256: 34FD553448DFDF8DA971E9B2BBCAEE65CFEEA09054AB3B927EEC37AA9FC2947B
SSDEEP: 24576:v9cJaAwTbYL+7Y0MR2DWOepbmhSXuZpI6FgfZz7GNeLX0HjmIoY7lzJ:FjArPwaOepbmhrZpI3fZ3G9hXD
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • CobraInjector.exe (PID: 2776)
      • CobraInjector.exe (PID: 4092)
      • SearchProtocolHost.exe (PID: 3476)
      • CobraInjector.exe (PID: 2956)
    • Application was dropped or rewritten from another process
      • CobraInjector.exe (PID: 2776)
      • CobraInjector.exe (PID: 776)
      • CobraInjector.exe (PID: 3364)
      • CobraInjector.exe (PID: 4092)
      • CobraInjector.exe (PID: 3704)
      • CobraInjector.exe (PID: 2956)
    • Changes settings of System certificates
      • CobraInjector.exe (PID: 2776)
  • SUSPICIOUS
    • Adds / modifies Windows certificates
      • CobraInjector.exe (PID: 2776)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2524)
  • INFO
    • Manual execution by user
      • CobraInjector.exe (PID: 3704)
      • CobraInjector.exe (PID: 2956)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
  ZipRequiredVersion: 20
  ZipBitFlag: -
  ZipCompression: Deflated
  ZipModifyDate: 2018:01:15 06:48:19
  ZipCRC: 0x82b6b6d7
  ZipCompressedSize: 64821
  ZipUncompressedSize: 139456
  ZipFileName: symsrv.dll

Screenshots are available in the full report.
Total processes: 50
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 1

Behavior graph (interactive view available in the full report): nodes winrar.exe, cobrainjector.exe (six instances, several marked "no specs") and searchprotocolhost.exe (marked "no specs"); edges labelled "drop and start" (four) and "start" (one).

Process information

PID 2524 (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CobraInjector (1).zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0 | Exit code: 0

PID 776 (parent: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.19336\CobraInjector.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.19336\CobraInjector.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)

PID 2776 (parent: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.19336\CobraInjector.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.19336\CobraInjector.exe
  User: admin | Integrity Level: HIGH | Exit code: 1

PID 3364 (parent: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.21804\CobraInjector.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.21804\CobraInjector.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)

PID 4092 (parent: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.21804\CobraInjector.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.21804\CobraInjector.exe
  User: admin | Integrity Level: HIGH | Exit code: 1

PID 3476 (parent: SearchIndexer.exe)
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM | Description: Microsoft Windows Search Protocol Host | Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 3704 (parent: explorer.exe)
  CMD: "C:\Users\admin\Desktop\CobraInjector.exe"
  Path: C:\Users\admin\Desktop\CobraInjector.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)

PID 2956 (parent: explorer.exe)
  CMD: "C:\Users\admin\Desktop\CobraInjector.exe"
  Path: C:\Users\admin\Desktop\CobraInjector.exe
  User: admin | Integrity Level: HIGH | Exit code: 1

Every MEDIUM-integrity CobraInjector.exe instance exits with STATUS_ELEVATION_REQUIRED and is paired with a HIGH-integrity instance started from the same path, a pattern consistent with the binary requesting UAC elevation and the prompt being accepted in the sandbox.
Total events: 540
Read events: 484
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 9
Suspicious files: 0
Text files: 0
Unknown types: 1

Dropped files

PID 2776, CobraInjector.exe (type: unknown)
  C:\Users\admin\AppData\Local\Temp\Symbols\ntdll.pdb\120028FA453F4CD5A6A404EC37396A582\download.error
  MD5: (empty) | SHA256: (empty)

PID 2524, WinRAR.exe (type: executable)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.22551\symsrv.dll
  MD5: 54559270B6E12274E07FB547AA415FD4 | SHA256: CC36F89B0FD793F1CD189C68F6F430F934AE9C9E23871739DE09C84F67035183

PID 2524, WinRAR.exe (type: executable)
  C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.19336\msdia140.dll
  MD5: DDF227CCEE5FCE7D770F6ED94C39A4F0 | SHA256: 91BAE9E8E55A95C69DD9300A9DB103EDE5CB37A3659AEE4F22D9418EA61D0062

PID 2524, WinRAR.exe (type: executable)
  C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.21804\CobraInjector.exe
  MD5: 072C8893ABF9477B67FD1ADBDEFF2DD3 | SHA256: 7A80C7E87F97E288FB7DD90C5DE1928AB45B1AD35B6943A8CFE6B3925D26379F

PID 2524, WinRAR.exe (type: executable)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.22551\CobraInjector.exe
  MD5: 072C8893ABF9477B67FD1ADBDEFF2DD3 | SHA256: 7A80C7E87F97E288FB7DD90C5DE1928AB45B1AD35B6943A8CFE6B3925D26379F

PID 2524, WinRAR.exe (type: executable)
  C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.21804\msdia140.dll
  MD5: DDF227CCEE5FCE7D770F6ED94C39A4F0 | SHA256: 91BAE9E8E55A95C69DD9300A9DB103EDE5CB37A3659AEE4F22D9418EA61D0062

PID 2524, WinRAR.exe (type: executable)
  C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.22551\msdia140.dll
  MD5: DDF227CCEE5FCE7D770F6ED94C39A4F0 | SHA256: 91BAE9E8E55A95C69DD9300A9DB103EDE5CB37A3659AEE4F22D9418EA61D0062

PID 2524, WinRAR.exe (type: executable)
  C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.19336\symsrv.dll
  MD5: 54559270B6E12274E07FB547AA415FD4 | SHA256: CC36F89B0FD793F1CD189C68F6F430F934AE9C9E23871739DE09C84F67035183

PID 2776, CobraInjector.exe (type: pdb)
  C:\Users\admin\AppData\Local\Temp\Symbols\ntdll.pdb\120028FA453F4CD5A6A404EC37396A582\ntdll.pdb
  MD5: 7FC56E5C620B88B4F88B144F6D04BFDC | SHA256: 6A8E7A9893682420766BA21D1FB351CA7F78DB3EBAD51AC962582A1D97F0972B

PID 2524, WinRAR.exe (type: executable)
  C:\Users\admin\AppData\Local\Temp\Rar$EXa2524.21804\symsrv.dll
  MD5: 54559270B6E12274E07FB547AA415FD4 | SHA256: CC36F89B0FD793F1CD189C68F6F430F934AE9C9E23871739DE09C84F67035183

The PCAP, network streams and HTTP content can be downloaded from the full report.
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2776 | CobraInjector.exe | GET | 302 | 204.79.197.219:80 | http://msdl.microsoft.com/download/symbols/ntdll.pdb/120028FA453F4CD5A6A404EC37396A582/ntdll.pdb | US | - | - | whitelisted
2776 | CobraInjector.exe | GET | 400 | 204.79.197.219:80 | http://msdl.microsoft.com/download/symbols/index2.txt | US | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2776 | CobraInjector.exe | 204.79.197.219:80 | msdl.microsoft.com | Microsoft Corporation | US | whitelisted
2776 | CobraInjector.exe | 104.214.40.16:443 | vsblobprodscussu5shard71.blob.core.windows.net | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
msdl.microsoft.com | 204.79.197.219 | whitelisted
vsblobprodscussu5shard71.blob.core.windows.net | 104.214.40.16 | unknown

Threats: no threats detected

Debug info: none