File name: | SQLi Dumper v9.2_pass_hacknho.zip |
Full analysis: | https://app.any.run/tasks/3a46137e-7569-4277-94c5-150d34f2a39d |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
Analysis date: | November 14, 2018, 19:18:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 8766B53BED4C1D747087A6DDAE1A9B1D |
SHA1: | 5C1E64E1B3AB2CF4EC0AF4242CE3797B71EA3918 |
SHA256: | 412B184A18DE1B07E5567BCE7C1796FBF587C500DD29B38AC9B1F53FA700AAE9 |
SSDEEP: | 49152:sKd4BwSemV1TU7STpRV1jVnIK+IZVXgYYq9tqBOM9S+PhkoffQpknKQ:sKatemV1TU7STpRXVHZZgCWOX+JxffQy |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Settings |
---|---|
ZipUncompressedSize: | 22733 |
ZipCompressedSize: | 3757 |
ZipCRC: | 0x638a9849 |
ZipModifyDate: | 2016:03:03 21:54:02 |
ZipCompression: | Unknown (99) |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3756 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SQLi Dumper v9.2_pass_hacknho.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3900 | "C:\Users\admin\AppData\Local\Temp\SQLi Dumper v9.2_pass_hacknho\SQLi v.9.2.exe" | C:\Users\admin\AppData\Local\Temp\SQLi Dumper v9.2_pass_hacknho\SQLi v.9.2.exe | explorer.exe | |
User: admin Company: SQLi Trush Corp Integrity Level: MEDIUM Description: SQLi Dumper v.9.2 Version: 9.2.0.0 | ||||
2376 | "C:\Users\admin\AppData\Local\TempSetup.exe" | C:\Users\admin\AppData\Local\TempSetup.exe | SQLi v.9.2.exe | |
User: admin Company: Intel Corporation Integrity Level: MEDIUM Description: hkcmd Module Exit code: 0 Version: 8.1.1.7800 | ||||
2972 | "C:\Users\admin\AppData\Local\Temp\SQLi Dumper v9.2_pass_hacknho\~SQLi_v_9_2.exe" | C:\Users\admin\AppData\Local\Temp\SQLi Dumper v9.2_pass_hacknho\~SQLi_v_9_2.exe | SQLi v.9.2.exe | |
User: admin Company: SQLi Trush Corp Integrity Level: MEDIUM Description: SQLi Dumper v.9.2 Exit code: 0 Version: 9.2.0.0 | ||||
2980 | "C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe" | C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe | TempSetup.exe | |
User: admin Company: Intel Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3812 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe | svchost.exe | |
User: admin Company: Intel Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 8.1.1.7900 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2980 | svchost.exe | C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp | — | |
MD5:— | SHA256:— | |||
2980 | svchost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe | executable | |
MD5:D9FF6DFC7DD658DA99565B5C0F2FAA0E | SHA256:D757ECD4B4C1DFD494C73724705CDA63F3E011CDDB74D9B1C11386759B12D3D2 | |||
3756 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\SQLi Dumper v9.2_pass_hacknho\SQLi v.9.2.exe | executable | |
MD5:4090822C06F51605ACC0F87F519D2CC0 | SHA256:7D080F8D7E88030E626C0FA7F0FB0CC8FDCE3EABBEAE6AAFC8E2470EA5472FF1 | |||
3900 | SQLi v.9.2.exe | C:\Users\admin\AppData\Local\Temp\SQLi Dumper v9.2_pass_hacknho\~SQLi_v_9_2.exe | executable | |
MD5:02A89F085C851E92F93994C1BDAC7990 | SHA256:C650C12AB69F9D1B790A82D9C2BBB8891B49F1FCB34E3A26F3DD691F3EDB582C | |||
2376 | TempSetup.exe | C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\server.zip | compressed | |
MD5:B8D7B81375FA1519B427494412693A12 | SHA256:3C51F4C04034B7EF1F6F2846BA15F646170F6EE1EC8F85BBF0EEA9B25744CF51 | |||
3900 | SQLi v.9.2.exe | C:\Users\admin\AppData\Local\TempSetup.exe | executable | |
MD5:A1E1FEFE84706DCE00436F2F5A0D30B1 | SHA256:3A82DE818D3D0DD40F7A1137ABF4050A5EB829F6A39B33BB12D3EA9D5F085406 | |||
2376 | TempSetup.exe | C:\Users\admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe | executable | |
MD5:D35EA1C030C33F375BEA4553DC5F5D45 | SHA256:3CD3CCE38A26DB752F3CF775960187305D259007064EF16A6FE2E182220B0442 | |||
3756 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\SQLi Dumper v9.2_pass_hacknho\Settings.xml | xml | |
MD5:6E7770D5E46F5E171F40C4E517985DBD | SHA256:617187E4FF623B004BDA88C4F77571A6726E44BD22C6945900B075A288F63CAA | |||
3756 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\SQLi Dumper v9.2_pass_hacknho\DIC\dic_admin.txt | text | |
MD5:F4675FA366AAE47396F8CFB2F3EB1B9A | SHA256:826FBBAA5DE45C1238FC7B9F4436C1B87444F8103F4F65180F8547E3F271A413 | |||
2980 | svchost.exe | C:\Users\admin\AppData\Local\Temp\$inst\2.tmp | compressed | |
MD5:8708699D2C73BED30A0A08D80F96D6D7 | SHA256:A32E0A83001D2C5D41649063217923DAC167809CAB50EC5784078E41C9EC0F0F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2972 | ~SQLi_v_9_2.exe | GET | 302 | 104.20.209.21:80 | http://pastebin.com/raw/3vsJLpWu | US | — | — | shared |
2972 | ~SQLi_v_9_2.exe | GET | 301 | 104.20.209.21:80 | http://pastebin.com/3vsJLpWu | US | — | — | shared |
3812 | svchost.exe | GET | 403 | 198.143.149.5:80 | http://goldenshoponline.us/1/explorer.txt | US | html | 13.5 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3812 | svchost.exe | 198.143.149.5:80 | goldenshoponline.us | SingleHop, Inc. | US | suspicious |
2972 | ~SQLi_v_9_2.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2972 | ~SQLi_v_9_2.exe | 104.20.209.21:80 | pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
goldenshoponline.us |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2972 | ~SQLi_v_9_2.exe | Misc activity | SUSPICIOUS [PTsecurity] Minimal HTTP Header for Request to Pastebin |
2972 | ~SQLi_v_9_2.exe | Misc activity | SUSPICIOUS [PTsecurity] Minimal HTTP Header for Request to Pastebin |