analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Presupuesto-A.zip

Full analysis: https://app.any.run/tasks/48829b4b-89df-43b5-9a02-23fbdfe1c2fb
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 03, 2019, 01:53:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
trojan
opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

43A4FE82846B7619E84CA001CA85739C

SHA1:

95D6BD6268D2296C73C7AA91182CDD2635B766AB

SHA256:

41186A9A605EEA91256F20173A2EE8A4E8DA43922356017A54A4AFB8BA907E3E

SSDEEP:

6144:az3D46AIg1Qj12GQMiej7BpGov3EO8iAZhKc/q8SHEhH1TvuoF8hD2xos1B4xH:Ca+BxQc7B46vA3Kc/q8IEvud12xosY5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Presupuesto-comercial.com (PID: 3892)
      • Presupuesto-comercial.com (PID: 2112)

    • Stealing of credential data

      • Presupuesto-comercial.com (PID: 3892)
      • Presupuesto-comercial.com (PID: 2112)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 896)

    • Application launched itself

      • WinRAR.exe (PID: 1648)

    • Starts application with an unusual extension

      • WinRAR.exe (PID: 896)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2772)
      • OUTLOOK.EXE (PID: 3816)

    • Executed via COM

      • OUTLOOK.EXE (PID: 2772)
      • OUTLOOK.EXE (PID: 3816)

    • Starts CMD.EXE for commands execution

      • Presupuesto-comercial.com (PID: 3892)
      • Presupuesto-comercial.com (PID: 2112)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 896)

    • Manual execution by user

      • Presupuesto-comercial.com (PID: 2112)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2772)
      • OUTLOOK.EXE (PID: 3816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Presupuesto-A/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2019:12:02 07:35:00
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
10
Malicious processes
1
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs winrar.exe presupuesto-comercial.com outlook.exe cmd.exe no specs cmd.exe no specs presupuesto-comercial.com outlook.exe cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1648"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Presupuesto-A.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
896"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa1648.6319\Presupuesto-comercial.zipC:\Program Files\WinRAR\WinRAR.exe
WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3892"C:\Users\admin\AppData\Local\Temp\Rar$DIa896.7154\Presupuesto-comercial.com" C:\Users\admin\AppData\Local\Temp\Rar$DIa896.7154\Presupuesto-comercial.com
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2772"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
504cmd /c ""C:\Users\admin\AppData\Local\Temp\Rar$DIa896.7154\Presupuesto-comercial.bat" "C:\Windows\system32\cmd.exePresupuesto-comercial.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1520cmd /c C:\Users\admin\AppData\Local\Temp\Rar$DIa896.7154\Presupuesto-comercial.batC:\Windows\system32\cmd.exePresupuesto-comercial.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2112"C:\Users\admin\Desktop\Presupuesto-comercial.com" C:\Users\admin\Desktop\Presupuesto-comercial.com
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3816"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
2840cmd /c ""C:\Users\admin\Desktop\Presupuesto-comercial.bat" "C:\Windows\system32\cmd.exePresupuesto-comercial.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3308cmd /c C:\Users\admin\Desktop\Presupuesto-comercial.batC:\Windows\system32\cmd.exePresupuesto-comercial.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
2 615
Read events
2 370
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
49
Unknown types
0

Dropped files

PID
Process
Filename
Type
2772OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVRF15F.tmp.cvr
MD5:
SHA256:
896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa896.9661\Presupuesto-comercial.com
MD5:
SHA256:
3816OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR6278.tmp.cvr
MD5:
SHA256:
896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa896.7154\Presupuesto-comercial.comexecutable
MD5:C68536824D8AF3904747E4B0E29BC994
SHA256:99739165AC2C14ADAB012CAEF073FD6F342BBC6571BF761C13D79634567BF51C
2772OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:42583618EFD677791FAE05C8A476E00D
SHA256:806CE04B56F8FAE1FDC111EE5F432ED8A1CD46D18F4D533BB56721A80C09FD01
1648WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa1648.6319\Presupuesto-comercial.zipcompressed
MD5:59C01CFC76BC6C88AF1FE8BD9ADFE720
SHA256:394E8B097ADF527674139CD85D19041663F8156BB43A4F74074208E08C5012BC
3816OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.logtext
MD5:5316518C6CA7DB4AF850A33AD35CC0C9
SHA256:6AA490150B040E67B61FF8E3BE11346D2BB8A9F6847EAC1478C3C6DE714C22EA
2772OUTLOOK.EXEC:\Users\admin\Documents\Outlook Files\~Outlook Data File - NoMail.pst.tmpbinary
MD5:754D3BA90D1B23F4BDD767BFF4962750
SHA256:139226B6402B03DACB2ADB646DEB0829C10D8B3B9AFE20A4AAC17AFA1EB7E9BC
3892Presupuesto-comercial.comC:\Users\admin\AppData\Local\Temp\smtps_9B8312F9660B44249E80D4CCC931B60320191203015433.txttext
MD5:63A1CADA930CD11A9CE6B8CEAD05C149
SHA256:EB08F70A4C691A963A259A55100FDA3C1CA19D304A37B1EC062266F9A89FC7D1
3892Presupuesto-comercial.comC:\Users\admin\AppData\Local\Temp\Rar$DIa896.7154\Presupuesto-comercial.battext
MD5:FE70A5BA37A7E3B0DBD5C9E4B50356ED
SHA256:84EF4E4BFBF886DEE989CA575CFD486A79688B63349BEE0876A29A4E68BE1959
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2772
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3816
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3892
Presupuesto-comercial.com
POST
200
195.231.0.41:80
http://atacadaocomercial.com.br/Bllack/executa_upload.php
DK
html
322 b
malicious
2112
Presupuesto-comercial.com
POST
200
195.231.0.41:80
http://atacadaocomercial.com.br/Bllack/executa_upload.php
DK
html
322 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3816
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
195.231.0.41:80
atacadaocomercial.com.br
DK
malicious
2112
Presupuesto-comercial.com
195.231.0.41:80
atacadaocomercial.com.br
DK
malicious

DNS requests

Domain
IP
Reputation
atacadaocomercial.com.br
  • 195.231.0.41
malicious
config.messenger.msn.com
  • 64.4.26.155
whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Presupuesto-A.zip