File name: 123321.zip
Full analysis: https://app.any.run/tasks/1fc67c9e-8fe0-45ec-bbe8-ffe069258bca
Verdict: Malicious activity
Analysis date: February 19, 2019, 02:17:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: BF6D4D944A5F82EA6D93F6340F2A7E2E
SHA1: 09DC25FA2309C553C0420AD6539F6FD2778A80FE
SHA256: 37C4D575931B89F43E388765DC5FC1554E9D8C8A03E1EA07A0A574973D5F900E
SSDEEP: 3072:6dUxGMwiXfvgk8EJ2tsJWj5uwVxQXC7xFiXBguj+S7PVeKsVJ+j/jZ7y:LfYHEf4jxxQXOzEBhf7VexJ+TNm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • regsvr32.exe (PID: 4004)
      • rundll32.exe (PID: 3300)
    • Registers / Runs the DLL via REGSVR32.EXE
      • WScript.exe (PID: 2512)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library
      • regsvr32.exe (PID: 4004)
    • Executes scripts
      • WinRAR.exe (PID: 2824)
    • Executable content was dropped or overwritten
      • WScript.exe (PID: 2512)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:02:11 21:08:07
ZipCRC: 0x6dada621
ZipCompressedSize: 205330
ZipUncompressedSize: 1189967
ZipFileName: 123321.js
No data.
Total processes: 32
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 1

Behavior graph (process chain): winrar.exe -> wscript.exe -> regsvr32.exe -> rundll32.exe

Process information

PID: 2824
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\123321.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2512
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2824.18497\123321.js"
Path: C:\Windows\System32\WScript.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 4004
CMD: "C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\\IdkVEIfkVWId.dll
Path: C:\Windows\System32\regsvr32.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 4
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3300
CMD: C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\IdkVEIfkVWId.dll,f0
Path: C:\Windows\system32\rundll32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 526
Read events: 508
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2512 | WScript.exe | C:\Users\admin\AppData\Local\Temp\IdkVEIfkVWId.dll | executable
  MD5: 7F73B06D9A8810E735BAFAAB1C5CC7A5
  SHA256: 7A218D6EA68CAEE18AD95C861D057BAF0B44D593FE59E2231ED1F0916DF5F1D6
2824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2824.18497\123321.js | text
  MD5: FE9946E628607B7D1F5B975BDD863000
  SHA256: 95ABEE4D159F541D81C84F6EB33A9BBA7B5D1D7293E89857390B15498E138E51
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3300 | rundll32.exe | 89.144.25.104:443 | - | GHOSTnet GmbH | DE | malicious
3300 | rundll32.exe | 37.96.21.198:443 | - | Telenor A/S | DK | malicious
3300 | rundll32.exe | 91.121.17.109:443 | - | OVH SAS | FR | malicious
3300 | rundll32.exe | 106.9.214.152:443 | - | No.31,Jin-rong Street | CN | malicious

DNS requests: No data

Threats

PID | Process | Class | Message
3300 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I
3300 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I
3300 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I
3300 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I
No debug info