analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://medicalcorp.ro/royal1/helper/gd/zt/fola.exe

Full analysis: https://app.any.run/tasks/736980dc-344d-49a9-aac1-84e55a98d97a
Verdict: No threats detected
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 01, 2020, 14:58:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
Indicators:
MD5:

F06F547C62310B8823E741C00BAE8F78

SHA1:

948A5BEE2D4CD24E83BBDE1E5FBC52E171362E36

SHA256:

38732EDA75F5E45DC589F33A783B43BC98F7D653059A592188B91420EFC07AE6

SSDEEP:

3:N1KTF8MVS2JUWJE0Cn:CpguUr0Cn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • fola.exe (PID: 2744)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 948)
      • iexplore.exe (PID: 1764)

    • Drops a file with too old compile date

      • iexplore.exe (PID: 1764)
      • iexplore.exe (PID: 948)

  • INFO

    • Changes settings of System certificates

      • iexplore.exe (PID: 948)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 948)

    • Application launched itself

      • iexplore.exe (PID: 948)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 948)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 948)

    • Changes internet zones settings

      • iexplore.exe (PID: 948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe fola.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
948"C:\Program Files\Internet Explorer\iexplore.exe" http://medicalcorp.ro/royal1/helper/gd/zt/fola.exeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1764"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:948 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2744"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\fola.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\fola.exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 032
Read events
962
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
8
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
1764iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\fola.exe.aqkjsu5.partial
MD5:
SHA256:
948iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF90F0E98E8289D62F.TMP
MD5:
SHA256:
948iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\fola.exe.aqkjsu5.partial:Zone.Identifier
MD5:
SHA256:
948iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab4D4B.tmp
MD5:
SHA256:
948iexplore.exeC:\Users\admin\AppData\Local\Temp\Tar4D4C.tmp
MD5:
SHA256:
948iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4DF9.tmp
MD5:
SHA256:
948iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203der
MD5:B0C7467FE33F3B602ADA20C9A6BBAD69
SHA256:4509F73A9FAD9BF73937B4DAB869E0A795ECE76F051C99B1784647430CBD582E
948iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B9D41649-33E5-11EB-A645-12A9866C77DE}.datbinary
MD5:BE946CBE8263A6B03C3DF34EDA126860
SHA256:E0E101528721FEB0D17ED8AC12FE844487FF1AC033AF2516ECF46E2D3DD8D287
1764iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\fola[1].exeexecutable
MD5:E18EA0CF45D53D61E52EA83246BFBC55
SHA256:B7823B23E2EF21045E77A01F2F34F86F387A607F4C1D949571C01C1FCDFD7FA1
948iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\fola.exeexecutable
MD5:E18EA0CF45D53D61E52EA83246BFBC55
SHA256:B7823B23E2EF21045E77A01F2F34F86F387A607F4C1D949571C01C1FCDFD7FA1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
948
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
948
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1764
iexplore.exe
GET
200
176.126.200.6:80
http://medicalcorp.ro/royal1/helper/gd/zt/fola.exe
RO
executable
4.65 Mb
suspicious
948
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
948
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1764
iexplore.exe
176.126.200.6:80
medicalcorp.ro
CHML Web Services SRL
RO
suspicious
948
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
medicalcorp.ro
  • 176.126.200.6
suspicious
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
1764
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://medicalcorp.ro/royal1/helper/gd/zt/fola.exe