analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

yf

Full analysis: https://app.any.run/tasks/361a7db0-ed1f-4fa3-b5eb-062a7e73f583
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 20:25:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
stealer
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines
MD5:

1C3553B215663EFCCA2C01CB23C3D516

SHA1:

717B00990A9DC3F1B086F673C8C8508AF1482FDF

SHA256:

3F535F0AA1187AA388C6DA77586A5AE8C80286659CFD6C98EC217731B77D21D9

SSDEEP:

96:DG/Jn9TntCg7Sgl1rNXKI8vHxRXrAtVuFVCgakbuzzn:DG/Jn9TnMaSgPVK9vHxRXrwVuFVCgakA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • psgold_31_2018[1].exe (PID: 2900)
      • psgold_31_2018[1].exe (PID: 3164)
      • proshow.exe (PID: 408)
      • proshow.exe (PID: 2856)
      • Adobe CS3 Design Premium Keygen.exe (PID: 2880)
      • psgold_31_2018[1].exe (PID: 3564)
      • Adobe Dreamweaver CS3 Keygen.exe (PID: 3076)
      • psgold_31_2018[1].exe (PID: 948)
      • psgold_31_2018.exe (PID: 2532)
      • proshow.exe (PID: 552)
      • psgold_31_2018.exe (PID: 3680)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3540)

    • Loads dropped or rewritten executable

      • proshow.exe (PID: 408)
      • proshow.exe (PID: 2856)
      • proshow.exe (PID: 552)

    • Stealing of credential data

      • proshow.exe (PID: 408)
      • proshow.exe (PID: 2856)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3540)
      • psgold_31_2018[1].exe (PID: 2900)
      • iexplore.exe (PID: 2716)
      • WinRAR.exe (PID: 3916)
      • psgold_31_2018[1].exe (PID: 948)
      • psgold_31_2018.exe (PID: 2532)
      • WinRAR.exe (PID: 1876)

    • Reads Internet Cache Settings

      • proshow.exe (PID: 408)
      • proshow.exe (PID: 2856)

    • Creates files in the user directory

      • proshow.exe (PID: 408)
      • proshow.exe (PID: 2856)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 2840)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2716)

    • Creates files in the user directory

      • iexplore.exe (PID: 3540)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2872)
      • iexplore.exe (PID: 3540)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2716)
      • iexplore.exe (PID: 3540)
      • iexplore.exe (PID: 2872)

    • Application launched itself

      • iexplore.exe (PID: 2716)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2716)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2716)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2716)

    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 1876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.htm/html | HyperText Markup Language with DOCTYPE (80.6)
.html | HyperText Markup Language (19.3)

EXIF

HTML

Title: Index of /yf
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
67
Monitored processes
19
Malicious processes
6
Suspicious processes
3

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe no specs iexplore.exe psgold_31_2018[1].exe no specs psgold_31_2018[1].exe winrar.exe no specs proshow.exe cmd.exe no specs notepad.exe no specs winrar.exe adobe cs3 design premium keygen.exe no specs adobe dreamweaver cs3 keygen.exe no specs psgold_31_2018[1].exe no specs psgold_31_2018[1].exe proshow.exe winrar.exe psgold_31_2018.exe no specs psgold_31_2018.exe proshow.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2716"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\yf.htmC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2872"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2716 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3540"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2716 CREDAT:203009C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3164"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\psgold_31_2018[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\psgold_31_2018[1].exeiexplore.exe
User:
admin
Company:
Photodex Corporation
Integrity Level:
MEDIUM
Description:
Photodex ProShow Setup
Exit code:
3221226540
2900"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\psgold_31_2018[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\psgold_31_2018[1].exe
iexplore.exe
User:
admin
Company:
Photodex Corporation
Integrity Level:
HIGH
Description:
Photodex ProShow Setup
2840"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\CS4 Crack Final.zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
408C:\Users\admin\AppData\Local\Temp\mvu17CC.tmp\proshow.exe -stub C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\psgold_31_2018[1].exe,""C:\Users\admin\AppData\Local\Temp\mvu17CC.tmp\proshow.exe
psgold_31_2018[1].exe
User:
admin
Company:
Photodex
Integrity Level:
HIGH
Description:
compupic
Version:
1, 0, 0, 1
3432cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa2840.49032\cs4 complete crack.bat" "C:\Windows\system32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1636"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2840.49351\res.txtC:\Windows\system32\NOTEPAD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3916"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\01BLM6RN\Adobe%20CS3%20Keygen%20Collection%20(All%20Porgrams)[1].zip"C:\Program Files\WinRAR\WinRAR.exe
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Total events
2 710
Read events
2 410
Write events
0
Delete events
0

Modification events

No data
Executable files
133
Suspicious files
20
Text files
1 337
Unknown types
18

Dropped files

PID
Process
Filename
Type
2716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2716iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3540iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K8XK8917\yf[1].txt
MD5:
SHA256:
2716iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFEC92A48EC8424B25.TMP
MD5:
SHA256:
2716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{63E609F8-7B3D-11E9-A370-5254004A04AF}.datbinary
MD5:141AC12D43E08BC0B73C722888D10C4A
SHA256:55EA02F61A050454B41FC9AE9099FC3FAB54D76F524E9DF6DECB1D2735ED3235
2872iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019052020190521\index.datdat
MD5:40DD641D7434133BAF2ABE2462AC2733
SHA256:3448D61910E67B39C9CDE9B9484C0BA85407F59566BF099DEF7912B8B4BE0BAA
3540iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\K8XK8917\yf[1].htmhtml
MD5:1C3553B215663EFCCA2C01CB23C3D516
SHA256:3F535F0AA1187AA388C6DA77586A5AE8C80286659CFD6C98EC217731B77D21D9
3540iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019052020190521\index.datdat
MD5:645362A244F28A9ADF9FE0DF1022109E
SHA256:7B0822A550212D5C9653DD7D20A1F8A8B5E42D3B35B3C5D0281A588F53586606
3540iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:C727F6423A6A6EBCBF5C951276F42EE7
SHA256:453C474DE405C2C589E419866779C976E14ADC8614C3CB46A33A10989A3029F6
2716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
13
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3540
iexplore.exe
GET
200
74.208.236.170:80
http://mywegsite.com/yf/psgold_31_2018.exe
US
executable
15.7 Mb
malicious
3540
iexplore.exe
GET
200
74.208.236.170:80
http://mywegsite.com/yf/
US
html
1.26 Kb
malicious
3540
iexplore.exe
GET
74.208.236.170:80
http://mywegsite.com/yf/ADBEPHSPCS3_WWE.exe
US
malicious
3540
iexplore.exe
GET
200
74.208.236.170:80
http://mywegsite.com/yf/CS4%20Crack%20Final.zip
US
compressed
1.19 Mb
malicious
3540
iexplore.exe
GET
200
74.208.236.170:80
http://mywegsite.com/yf/ProShow%20Gold%203.1.zip
US
compressed
15.6 Mb
malicious
2716
iexplore.exe
GET
404
74.208.236.170:80
http://mywegsite.com/favicon.ico
US
html
586 b
malicious
3540
iexplore.exe
GET
200
74.208.236.170:80
http://mywegsite.com/spicons/binary.gif
US
image
246 b
malicious
3540
iexplore.exe
GET
200
74.208.236.170:80
http://mywegsite.com/spicons/back.gif
US
image
216 b
malicious
2716
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3540
iexplore.exe
GET
200
74.208.236.170:80
http://mywegsite.com/spicons/compressed.gif
US
image
1.01 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2716
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2716
iexplore.exe
74.208.236.170:80
mywegsite.com
1&1 Internet SE
US
malicious
3540
iexplore.exe
74.208.236.170:80
mywegsite.com
1&1 Internet SE
US
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
mywegsite.com
  • 74.208.236.170
malicious

Threats

PID
Process
Class
Message
3540
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3540
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
yf