File name: | Doc_00998899.xls.z |
Full analysis: | https://app.any.run/tasks/76fe2eb4-74e0-4c77-82a6-6be197c64030 |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | February 19, 2019, 09:07:52 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | B5A5186FA2C6E1E59DA22EF323C7EEE7 |
SHA1: | E7A888A549B2F2E5C28021D5299A37134AE2F703 |
SHA256: | 3EC56E67DE6D46A9411DA9F3412CA56102D444C50E7B1A865499B3BFF57C17E9 |
SSDEEP: | 6144:A545OYcuXJ69BumsbMQtadg2F1Mr/kprkipuUqJoVGeJsEknu:7bcvaMQt0g2FE/QXVqJoVJJstu |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3068 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Doc_00998899.xls.z.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
764 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Description: INTERDICTING5 Exit code: 0 Version: 1.05.0009 | ||||
1684 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe | Doc_00998899.exe | |
User: admin Integrity Level: MEDIUM Description: INTERDICTING5 Version: 1.05.0009 | ||||
2444 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe /stext "C:\Users\admin\AppData\Local\Temp\owimiybvioqandcoseyvusseamfvgo" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe | Doc_00998899.exe | |
User: admin Integrity Level: MEDIUM Description: INTERDICTING5 Exit code: 0 Version: 1.05.0009 | ||||
3760 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe /stext "C:\Users\admin\AppData\Local\Temp\yqvxjqmpwwifxrysbpkwxfnnbaoezzksx" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe | — | Doc_00998899.exe |
User: admin Integrity Level: MEDIUM Description: INTERDICTING5 Exit code: 0 Version: 1.05.0009 | ||||
2652 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe /stext "C:\Users\admin\AppData\Local\Temp\isaqkj" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe | Doc_00998899.exe | |
User: admin Integrity Level: MEDIUM Description: INTERDICTING5 Exit code: 0 Version: 1.05.0009 | ||||
1204 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe /stext "C:\Users\admin\AppData\Local\Temp\jbvralpqwvnpsi" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe | Doc_00998899.exe | |
User: admin Integrity Level: MEDIUM Description: INTERDICTING5 Exit code: 0 Version: 1.05.0009 | ||||
3028 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe /stext "C:\Users\admin\AppData\Local\Temp\tvbkbdarkdfuuolpk" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe | — | Doc_00998899.exe |
User: admin Integrity Level: MEDIUM Description: INTERDICTING5 Exit code: 0 Version: 1.05.0009 | ||||
3200 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe /stext "C:\Users\admin\AppData\Local\Temp\eyoccwllglxhechttztd" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe | Doc_00998899.exe | |
User: admin Integrity Level: MEDIUM Description: INTERDICTING5 Exit code: 0 Version: 1.05.0009 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2444 | Doc_00998899.exe | C:\Users\admin\AppData\Local\Temp\owimiybvioqandcoseyvusseamfvgo | text | |
MD5:C48992AAE0E8FD5463A7B1617B2E0B88 | SHA256:04802C51A3EE5E9F7D48462C50B17ABC0E84D54F5525D70E4C904BCC0634C3CE | |||
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3068.30126\Doc_00998899.exe | executable | |
MD5:D14D76A39981618738B438F8E3403915 | SHA256:4AB8825BA6F545CE5136CF21674E69003009F6237963759D6F36B99EBB137FFC | |||
1204 | Doc_00998899.exe | C:\Users\admin\AppData\Local\Temp\jbvralpqwvnpsi | text | |
MD5:C48992AAE0E8FD5463A7B1617B2E0B88 | SHA256:04802C51A3EE5E9F7D48462C50B17ABC0E84D54F5525D70E4C904BCC0634C3CE | |||
764 | Doc_00998899.exe | C:\Users\admin\AppData\Local\Temp\~DFC62D9D79C09C3D68.TMP | binary | |
MD5:1C4FA97D7208445C73653F2F372083EC | SHA256:68D7B261CC7DA6211ADFAD45EE419155E6983158E666378E724D3148EBA5B9F2 | |||
1684 | Doc_00998899.exe | C:\Users\admin\AppData\Roaming\remcos\logs.dat | text | |
MD5:F615D8956B183ADFAE54400A655EF623 | SHA256:6486E0906B59DAE2B497A0131FC67A51961891188F2D4978415546FDCEE72504 | |||
2652 | Doc_00998899.exe | C:\Users\admin\AppData\Local\Temp\isaqkj | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 | |||
3200 | Doc_00998899.exe | C:\Users\admin\AppData\Local\Temp\eyoccwllglxhechttztd | text | |
MD5:7FB9A9AD0FD9B1E0108ED71FBB276048 | SHA256:7D63C301317E144B0133A72250AE2D8E09AF65A92E6A807EC58A71939FE530A9 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1684 | Doc_00998899.exe | 185.244.31.116:2409 | — | — | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
1684 | Doc_00998899.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
1684 | Doc_00998899.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
1684 | Doc_00998899.exe | A Network Trojan was detected | ET TROJAN Remcos RAT Checkin 23 |
1684 | Doc_00998899.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
1684 | Doc_00998899.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
1684 | Doc_00998899.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
1684 | Doc_00998899.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
1684 | Doc_00998899.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |
1684 | Doc_00998899.exe | A Network Trojan was detected | MALWARE [PTsecurity] Remcos RAT |
1684 | Doc_00998899.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Remcos RAT Checkin |