File name: | 34c9f32c54d87c42ba9c93881a7e5c5f.zip |
Full analysis: | https://app.any.run/tasks/966e83f6-b6ad-4ac7-8f33-42cbd3c85c90 |
Verdict: | Malicious activity |
Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
Analysis date: | May 20, 2019, 19:06:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 9EA05944984C004E276FB8973E67140F |
SHA1: | 30AFE087FBCA51A0C64CA22CC5A1B2CFB5118BDF |
SHA256: | 4053D2B6D2C553B091F42D90D6750BAD3265EA28824AAE523B4CC252EBBF334F |
SSDEEP: | 6144:rgaVIL797aZksoyKB1CygPu7ExmUULSr7jVEpa/IU+fzjcp4nIo:rgaVIL7t6ksoL1C3P8ExmUULk5EEknnJ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 34c9f32c54d87c42ba9c93881a7e5c5f |
---|---|
ZipUncompressedSize: | 317910 |
ZipCompressedSize: | 317807 |
ZipCRC: | 0xd2db937e |
ZipModifyDate: | 2019:05:20 21:03:11 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2796 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\34c9f32c54d87c42ba9c93881a7e5c5f.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3648 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\34c9f32c54d87c42ba9c93881a7e5c5f.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3292 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\Invoice_ref052019.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1480 | C:\Users\Public\wprgxyeqd79.exe | C:\Users\Public\wprgxyeqd79.exe | WINWORD.EXE | |
User: admin Company: AMS Software Integrity Level: MEDIUM Description: Hackers Reach Activestate Left | ||||
3492 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3024 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
964 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3396 | "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520 | C:\Windows\system32\SearchFilterHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Search Filter Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
2788 | C:\Users\Public\rher.exe | C:\Users\Public\rher.exe | WINWORD.EXE | |
User: admin Company: x264 project Integrity Level: MEDIUM Description: Nkcreatestaticmapping Aboriginal Year Version: 5.7.3.790 | ||||
3040 | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | — | services.exe |
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Office Software Protection Platform Service Version: 14.0.0370.400 (longhorn(wmbla).090811-1833) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3292 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA83E.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2788 | rher.exe | C:\Users\admin\AppData\Local\Temp\{B5DA22E1-24B2-46CC-A05B-7745B8B22357}\365187467.dll | — | |
MD5:— | SHA256:— | |||
2788 | rher.exe | C:\Users\admin\AppData\Local\Temp\{B5DA22E1-24B2-46CC-A05B-7745B8B22357}\CJIxD.exe | — | |
MD5:— | SHA256:— | |||
2796 | WinRAR.exe | C:\Users\admin\Desktop\34c9f32c54d87c42ba9c93881a7e5c5f | compressed | |
MD5:34C9F32C54D87C42BA9C93881A7E5C5F | SHA256:CF9F7BFA247D0F59DF5E130042EE9F613EBE46ADB48CEA1F32C8D46885290FC0 | |||
3292 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ananas[1].exe | executable | |
MD5:7E77BB853D227E06B635E6EB3E0B31F0 | SHA256:385F0A0CCAEC6272C8270F0D5228F2641CCA916E84825EBB35DBEBB036FA2165 | |||
2788 | rher.exe | C:\Users\admin\AppData\Local\Temp\{B5DA22E1-24B2-46CC-A05B-7745B8B22357}\log | text | |
MD5:C207C48CE0523756EDA06A5A0DF23830 | SHA256:844D64FC9E5BD606130C6A751F293DE2DEF0F0A4553F3BF814ED0818CD7221BF | |||
3292 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\pasmmm[1].exe | executable | |
MD5:A8C805792A954CA0664221ACDE199F48 | SHA256:2B5EEFC4BC2D34CBE5093332C47B5405CF5C32E8156767FC8BC9DDD9CDCF3018 | |||
3292 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Invoice_ref052019.doc.LNK | lnk | |
MD5:B2D2DED402401D75A3AF2561FAFDD9B3 | SHA256:95E4699392C46BADB49278E87475E23B5DD5C41BC23C81E80A763AF36C096E8D | |||
3292 | WINWORD.EXE | C:\Users\Public\wprgxyeqd79.exe | executable | |
MD5:A8C805792A954CA0664221ACDE199F48 | SHA256:2B5EEFC4BC2D34CBE5093332C47B5405CF5C32E8156767FC8BC9DDD9CDCF3018 | |||
3292 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:1C84C4307BE669F436E572698182E2BC | SHA256:0FFB6297143BA9575FE94976E209131C146055F17DBDA605ED328AE183262F8D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2788 | rher.exe | GET | — | 131.188.40.189:80 | http://131.188.40.189/tor/status-vote/current/consensus | DE | — | — | malicious |
2788 | rher.exe | GET | — | 180.150.226.99:80 | http://180.150.226.99/tor/server/fp/365f393040aa2979dc01d102f5052cad048f42f7 | KR | — | — | malicious |
2788 | rher.exe | GET | — | 185.100.85.147:80 | http://185.100.85.147/tor/server/fp/365f393040aa2979dc01d102f5052cad048f42f7 | RO | — | — | suspicious |
2788 | rher.exe | GET | — | 200.122.181.101:80 | http://200.122.181.101/tor/server/fp/f6f59b64b2494f29899e8072bcb0e6b3e070a917 | CR | — | — | suspicious |
2788 | rher.exe | GET | — | 93.115.86.8:80 | http://93.115.86.8/tor/server/fp/e61ca793fdc9dab0da69b6235c8498e0166dedf4 | RO | — | — | suspicious |
2788 | rher.exe | GET | — | 109.70.100.10:80 | http://109.70.100.10/tor/server/fp/592031cfdba17dd46e1e365e6c60ad1f81655033 | AT | — | — | suspicious |
2788 | rher.exe | GET | — | 171.25.193.78:80 | http://171.25.193.78/tor/server/fp/f98e806a87f0f7306f17199fd704782d3634d4af | SE | — | — | suspicious |
2788 | rher.exe | GET | — | 92.117.228.149:80 | http://92.117.228.149/tor/server/fp/2e969a9d0ed4a6699a229a06d6ff363f724d5549 | DE | — | — | suspicious |
2788 | rher.exe | GET | — | 77.55.212.215:80 | http://77.55.212.215/tor/server/fp/365f393040aa2979dc01d102f5052cad048f42f7 | PL | — | — | suspicious |
2788 | rher.exe | GET | — | 94.16.122.65:443 | http://94.16.122.65:443/tor/server/fp/51429a0f427a8dcb5b9de64e35ecbbb76dab0f7f | DE | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 77.55.212.215:80 | — | Nazwa.pl Sp.z.o.o. | PL | suspicious |
2788 | rher.exe | 185.100.85.147:80 | — | Flokinet Ltd | RO | suspicious |
2788 | rher.exe | 66.111.2.131:9030 | — | The New York Internet Company | US | suspicious |
— | — | 95.216.14.222:80 | — | Hetzner Online GmbH | DE | suspicious |
2788 | rher.exe | 180.150.226.99:80 | — | Korea Telecom | KR | malicious |
— | — | 131.188.40.189:80 | — | Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. | DE | malicious |
3292 | WINWORD.EXE | 47.245.58.124:443 | kentona.su | — | US | suspicious |
2788 | rher.exe | 185.163.45.212:443 | — | MivoCloud SRL | MD | suspicious |
— | — | 54.243.147.226:443 | api.ipify.org | Amazon.com, Inc. | US | malicious |
2788 | rher.exe | 179.48.248.17:80 | — | Racknation S.A. | CR | suspicious |
Domain | IP | Reputation |
---|---|---|
kentona.su |
| malicious |
api.ipify.org |
| shared |
time-a.nist.gov |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
2788 | rher.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 122 |
2788 | rher.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 550 |
2788 | rher.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2788 | rher.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2788 | rher.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2788 | rher.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2788 | rher.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |