analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

aaa.zip

Full analysis: https://app.any.run/tasks/74e7b8d1-793a-4dbc-a365-78063dc7531d
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 11:17:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
gozi
ursnif
dreambot
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

E16D9EB4995EBAE0373357102DE45A69

SHA1:

CB81BCC493B46EFAC240D4F668C9ED42AB144EB3

SHA256:

3545D7EABA3A27468B30ED1FB477E63EB634D9C8A29B972C4FCABEA1D6E4AEE5

SSDEEP:

6144:bS9AOLfJ30sS1hTYIYj1xb6RBdR14WKZHWEcAVEOFzM/EKlPlGqAQK6+Z:bSbJkJKFjz6fJFKZHDFEiAEQK6W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2916)
      • regsvr32.exe (PID: 2896)

    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 2312)

    • URSNIF was detected

      • iexplore.exe (PID: 1676)
      • iexplore.exe (PID: 2860)
      • iexplore.exe (PID: 2140)
      • explorer.exe (PID: 372)

    • DREAMBOT was detected

      • iexplore.exe (PID: 1676)
      • iexplore.exe (PID: 2860)
      • iexplore.exe (PID: 2140)

    • Connects to CnC server

      • iexplore.exe (PID: 1676)
      • iexplore.exe (PID: 2860)
      • iexplore.exe (PID: 2140)

    • URSNIF Shellcode was detected

      • explorer.exe (PID: 372)

    • Runs injected code in another process

      • regsvr32.exe (PID: 2896)

    • Application was injected by another process

      • explorer.exe (PID: 372)

  • SUSPICIOUS

    • Executed via COM

      • iexplore.exe (PID: 2756)
      • iexplore.exe (PID: 3716)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2192)

    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 372)

    • Checks for external IP

      • nslookup.exe (PID: 2092)

    • Creates files in the user directory

      • explorer.exe (PID: 372)

  • INFO

    • Manual execution by user

      • cmd.exe (PID: 2312)
      • notepad.exe (PID: 2644)

    • Changes internet zones settings

      • iexplore.exe (PID: 2756)
      • iexplore.exe (PID: 3716)

    • Application launched itself

      • iexplore.exe (PID: 2756)
      • iexplore.exe (PID: 3716)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2756)
      • iexplore.exe (PID: 1676)
      • iexplore.exe (PID: 3716)
      • iexplore.exe (PID: 2140)
      • iexplore.exe (PID: 2860)

    • Creates files in the user directory

      • iexplore.exe (PID: 1676)
      • iexplore.exe (PID: 2860)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1676)
      • iexplore.exe (PID: 2860)
      • iexplore.exe (PID: 2140)

    • Reads settings of System Certificates

      • explorer.exe (PID: 372)
      • iexplore.exe (PID: 2756)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2756)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:03:31 11:53:15
ZipCRC: 0x281a9a6e
ZipCompressedSize: 312342
ZipUncompressedSize: 566784
ZipFileName: aaa.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
15
Malicious processes
9
Suspicious processes
1

Behavior graph

Click at the process to see the details
start inject winrar.exe searchprotocolhost.exe no specs cmd.exe no specs regsvr32.exe no specs iexplore.exe #URSNIF iexplore.exe iexplore.exe #URSNIF iexplore.exe notepad.exe no specs #URSNIF iexplore.exe #URSNIF explorer.exe cmd.exe no specs nslookup.exe cmd.exe no specs makecab.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2192"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\aaa.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2916"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2312cmd /c ""C:\Users\admin\Desktop\run.bat" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2896regsvr32.exe /s aaa.dllC:\Windows\system32\regsvr32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2756"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1676"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2756 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3716"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2860"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3716 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2644"C:\Windows\system32\notepad.exe" C:\Windows\system32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2140"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3716 CREDAT:529680 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
9 803
Read events
2 800
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
28
Text files
20
Unknown types
11

Dropped files

PID
Process
Filename
Type
1676iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabC96E.tmp
MD5:
SHA256:
1676iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarC96F.tmp
MD5:
SHA256:
1676iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\SKPMAY2F.txt
MD5:
SHA256:
1676iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08binary
MD5:E781E5AF31D8DA6C1583C8BFD85E8C05
SHA256:078DD6C80BC614503F1FD70F58B94C55E858AD13F1DFEC120593D7349A410A28
1676iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A153659244D4657E2973A1765102781B_F942792C1D236B27396E9E96EF4F85EAbinary
MD5:7557E44070CA6FB7EE586C51502A3685
SHA256:9378707B995C1AB059A7273D786EA512512F4640AD82E04CCCBBE7370351BB85
2192WinRAR.exeC:\Users\admin\Desktop\aaa.dllexecutable
MD5:493AFAC86F493505AFA37C01DF227338
SHA256:FD192727AD4FB57B798C373216406FB28FFFD8926E3D6DC6163AD39B4E42CC25
1676iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9Bbinary
MD5:8D3D38673CD947651E9737F63D609A4E
SHA256:E251E6CA200D1CA49D9C4C16C586D55131F3099CC3E40492FDFE6CDD1CD244C7
1676iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_27F2F3EAE5ACF629E280F218628D1935binary
MD5:83C4675B7D978EF300B9892B058AE4A8
SHA256:0E9655B4C1D9E3C9F0D3C88ECDEA196D36B0B762456493BA92EE901217ADE0BB
1676iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08der
MD5:BA4F3F81467A3DC2332CC7BF45A0EAEF
SHA256:B4F18425C72D033A765C4780C426223318B19AFA3699EC7880302E7FD24B4230
2192WinRAR.exeC:\Users\admin\Desktop\run.battext
MD5:83F08BA9112B1F4A6396677D6E322B8D
SHA256:439BF821484643AF487E851086CD4411D6106544D90302693F7679E64D6CA65C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
37
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2756
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1676
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS83pEmglYTXfyF78OS%2BRiTRWadkgQULGn%2FgMmHkK404bTnTJOFmUDpp7ICEGuxHjxB572kYDXg9y%2BwKuk%3D
US
der
471 b
whitelisted
2860
iexplore.exe
GET
200
84.247.51.8:80
http://loadkaklokja.xyz/images/2joe4pX5NU/zHPXtO9JIa_2Bvx5e/E_2Fu9ahRgpF/bD6B9kxyDjd/MDXHWPNQPa0EIQ/dbU3mrU6ufk36WRS_2BUv/51UC58c5HU9ufZMZ/5tijp2hyR6_2F75/UocKfTvOSfckse_2Bn/teiv_2B7I/qNlF2QTwUk3Q65bSBUT_/2Fuo0QNIUv5LQ5U86COCL/G.avi
RO
text
218 Kb
malicious
1676
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEChOOcFLOG2InHKZ5YzQWlc%3D
US
der
727 b
whitelisted
1676
iexplore.exe
GET
200
72.247.178.16:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
2140
iexplore.exe
GET
84.247.51.8:80
http://loadkaklokja.xyz/images/TfqW7WXbz/oMpxWu3QceEgs_2FaleP/XFXGgCqnhftgJjZvPg9/l_2BKo65tHs6M_2FcGk9GP/WAHztrog9ZbMf/mBCmdJCX/bztjBagQ5gXB4k0_2BQaYQ8/YQBUyUDU7J/CkKKTWuGvCj40YjoY/Efh94MqT1BykuYxi/O.avi
RO
malicious
1676
iexplore.exe
GET
200
72.247.178.16:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
NL
der
1.37 Kb
whitelisted
372
explorer.exe
GET
200
151.139.128.14:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQh80WaEMqmyEvaHjlisSfVM4p8SAQUF9nWJSdn%2BTHCSUPZMDZEjGypT%2BsCEFoCVxk0swZM2V6uDa8DREM%3D
US
der
471 b
whitelisted
372
explorer.exe
GET
304
205.185.216.42:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.0 Kb
whitelisted
1052
svchost.exe
GET
200
23.55.110.211:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
US
der
781 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3716
iexplore.exe
84.247.51.8:80
loadkaklokja.xyz
Bestnet Service SRL
RO
malicious
1676
iexplore.exe
151.139.128.14:80
ocsp.usertrust.com
Highwinds Network Group, Inc.
US
suspicious
2860
iexplore.exe
84.247.51.8:80
loadkaklokja.xyz
Bestnet Service SRL
RO
malicious
1676
iexplore.exe
52.58.28.12:80
avira.com
Amazon.com, Inc.
DE
malicious
2756
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1676
iexplore.exe
52.58.28.12:443
avira.com
Amazon.com, Inc.
DE
malicious
2140
iexplore.exe
84.247.51.8:80
loadkaklokja.xyz
Bestnet Service SRL
RO
malicious
2756
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1676
iexplore.exe
72.247.178.16:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
NL
whitelisted
1676
iexplore.exe
95.101.27.5:443
www.avira.com
Akamai Technologies, Inc.
unknown

DNS requests

Domain
IP
Reputation
avira.com
  • 52.58.28.12
malicious
ocsp.usertrust.com
  • 151.139.128.14
whitelisted
ocsp.sectigo.com
  • 151.139.128.14
whitelisted
www.avira.com
  • 95.101.27.5
  • 95.101.27.10
whitelisted
isrg.trustid.ocsp.identrust.com
  • 72.247.178.16
  • 72.247.178.41
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
loadkaklokja.xyz
  • 84.247.51.8
malicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted

Threats

PID
Process
Class
Message
1676
iexplore.exe
A Network Trojan was detected
AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
1676
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2860
iexplore.exe
A Network Trojan was detected
AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
2860
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2860
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Ursnif
2860
iexplore.exe
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
3716
iexplore.exe
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
2140
iexplore.exe
A Network Trojan was detected
AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
2140
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2140
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Ursnif
6 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
aaa.zip