analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://winhost.xyz/update/update.rar

Full analysis: https://app.any.run/tasks/cdf7d65d-a79d-4fa9-ad0d-7a6b86aa1d19
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 29, 2021, 11:16:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
Indicators:
MD5:

BBD4CC33F3791A391CCC9290194E2B05

SHA1:

FA3AA902A97BC25677F4F283911121F5E67301D4

SHA256:

3AC59A8BDECE5EC9D4523F32C22039E2308866A9A7D22D5D67D7F4AA003EEB19

SSDEEP:

3:N1KJMPRyfNUma:CCPvb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 1248)

  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1976)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1976)

    • Changes internet zones settings

      • iexplore.exe (PID: 1976)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 1976)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1248)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1976)

    • Application launched itself

      • iexplore.exe (PID: 1976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1976"C:\Program Files\Internet Explorer\iexplore.exe" "http://winhost.xyz/update/update.rar"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1248"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1976 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
509
Read events
417
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
6
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
1976iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA14D33B158EFB0FF.TMP
MD5:
SHA256:
1976iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab9926.tmp
MD5:
SHA256:
1976iexplore.exeC:\Users\admin\AppData\Local\Temp\Tar9927.tmp
MD5:
SHA256:
1976iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verA35A.tmp
MD5:
SHA256:
1976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:B43455FB10E4B47033ED1211E5B8AEFD
SHA256:B536F11DBB641DB07C99DF0970660F57529ADD40C5F751F54BE88D280E67D4C7
1976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:2B368A2F357E385917820462BE80808E
SHA256:8CC928EA072B8AE568BE6D366AB81D9DDA972E999C4F0432875D6F6401F1FA0E
1976iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
1976iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{6A5FCF6C-A8DC-11EB-9017-1203334A04AF}.datbinary
MD5:F9E25F6DA9AF9F4D6557F86BB066D3A0
SHA256:F61115C91C43087C5504B0A757F2E60200659F3E722ADF82F304BBEF8B3AD97A
1976iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\favicon[1].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
1976iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\urlblockindex[1].binbinary
MD5:FA518E3DFAE8CA3A0E495460FD60C791
SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
9
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1976
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
1976
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
1976
iexplore.exe
GET
200
131.253.33.200:80
http://www.bing.com/favicon.ico
US
image
4.19 Kb
whitelisted
1248
iexplore.exe
GET
200
185.244.43.165:80
http://winhost.xyz/update/update.rar
unknown
executable
10.6 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1248
iexplore.exe
185.244.43.165:80
winhost.xyz
malicious
1976
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
185.244.43.165:80
winhost.xyz
malicious
1976
iexplore.exe
131.253.33.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1976
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
winhost.xyz
  • 185.244.43.165
malicious
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
1248
iexplore.exe
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
1248
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1248
iexplore.exe
A Network Trojan was detected
ET TROJAN Windows Executable Sent When Remote Host Claims to Send a RAR Archive
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://winhost.xyz/update/update.rar