analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.sibatamasamitsu.me

Full analysis: https://app.any.run/tasks/69ba2dd8-af55-4226-acfd-e317afe5c795
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: March 14, 2019, 14:30:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
Indicators:
MD5:

CE0C2F05337A5082E96B6B7D47A90471

SHA1:

4A5708D31845BF545BD27415F828C1268FF04751

SHA256:

442A1E85230C6CD870B573FD634A5A3F25CF90BBB5322BEFBE3ED218871C24BB

SSDEEP:

3:N1KJS4oiI/hQb9:Cc4oWh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3328)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3660)
      • iexplore.exe (PID: 3328)

    • Changes internet zones settings

      • iexplore.exe (PID: 3328)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3660)

    • Creates files in the user directory

      • iexplore.exe (PID: 3328)
      • iexplore.exe (PID: 3660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3328"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3660"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3328 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
443
Read events
352
Write events
88
Delete events
3

Modification events

(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{C7CE8EFB-4665-11E9-BAD8-5254004A04AF}
Value:
0
(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(3328) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E307030004000E000E001E003A001102
Executable files
0
Suspicious files
0
Text files
44
Unknown types
12

Dropped files

PID
Process
Filename
Type
3328iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
3328iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3660iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txttext
MD5:0619710F0DEF20DAEC0286F7D18419E2
SHA256:7C0EB8CA5A16109DE964C2F7C7911750871A1B58C947E062EE2797C0D60E9EC3
3660iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\error_icons[1].pngimage
MD5:6547C5FB2D63FCB74CD2467030071C18
SHA256:09B4776A08D6DF046909A3A3F54A9B58C858D55C0ABBFEADE9BBDEABC025118F
3328iexplore.exeC:\Users\admin\AppData\Local\Temp\StructuredQuery.logtext
MD5:BE28DA3BC863828CE411E3712849535D
SHA256:8F00319D6B68382F179C3B4E2D5160B25D7BB22371825AAE09E238824AFBCCAB
3660iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\opensans-300i[1].eoteot
MD5:FC2CB1A0BBF3294CD276FDC34538D0F2
SHA256:B5B38B2FC120908C86F73A14A6B18E98F230A4B4E4BE0566EDC5799BE289DF0B
3660iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\httpErrorPagesScripts[1]text
MD5:E7CA76A3C9EE0564471671D500E3F0F3
SHA256:58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C
3660iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@valenciagenthner[1].txttext
MD5:C9F394E5BB8D7CAD2CCD328D99D1F506
SHA256:1B307A848E270AF708516EB6354EA9E6E84FEB89DADE251837B55DCFC735F729
3660iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\background_gradient[1]image
MD5:20F0110ED5E4E0D5384A496E4880139B
SHA256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
3660iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\cf.errors[1].csstext
MD5:3D041BD798B1C6A68C1CB4F3A1FD6B8A
SHA256:E2DBA22A9EE028E3AA09BAA7C36E14C86EFFBA2516862AAD01019C06E757B375
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
40
TCP/UDP connections
18
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3660
iexplore.exe
GET
200
104.27.145.40:80
http://www.valenciagenthner.club/cdn-cgi/styles/fonts/opensans-600.eot
US
eot
18.8 Kb
suspicious
3660
iexplore.exe
GET
301
104.27.145.101:80
http://www.asasas.club/
US
malicious
3660
iexplore.exe
GET
104.27.145.101:80
http://asasas.club/
US
malicious
3660
iexplore.exe
GET
200
104.27.145.40:80
http://www.valenciagenthner.club/cdn-cgi/images/error_icons.png
US
image
16.3 Kb
suspicious
3328
iexplore.exe
GET
521
104.27.145.40:80
http://www.valenciagenthner.club/favicon.ico
US
html
4.46 Kb
suspicious
3660
iexplore.exe
GET
200
104.27.145.40:80
http://www.valenciagenthner.club/cdn-cgi/styles/fonts/opensans-300.eot
US
eot
18.1 Kb
suspicious
3660
iexplore.exe
GET
200
104.27.145.40:80
http://www.valenciagenthner.club/cdn-cgi/styles/fonts/opensans-700.eot
US
eot
19.3 Kb
suspicious
3328
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3660
iexplore.exe
GET
200
104.27.145.40:80
http://www.valenciagenthner.club/cdn-cgi/styles/fonts/opensans-400.eot
US
eot
18.3 Kb
suspicious
3660
iexplore.exe
GET
200
104.27.145.40:80
http://www.valenciagenthner.club/cdn-cgi/styles/fonts/opensans-400i.eot
US
eot
20.7 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3328
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3660
iexplore.exe
172.217.22.10:80
fonts.googleapis.com
Google Inc.
US
whitelisted
3328
iexplore.exe
104.27.145.40:80
www.valenciagenthner.club
Cloudflare Inc
US
shared
3660
iexplore.exe
104.27.145.40:80
www.valenciagenthner.club
Cloudflare Inc
US
shared
3660
iexplore.exe
104.27.145.101:80
www.asasas.club
Cloudflare Inc
US
shared
3660
iexplore.exe
172.217.16.131:80
fonts.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.sibatamasamitsu.me
unknown
www.valenciagenthner.club
  • 104.27.145.40
  • 104.27.144.40
suspicious
www.asasas.club
  • 104.27.145.101
  • 104.27.144.101
malicious
asasas.club
  • 104.27.145.101
  • 104.27.144.101
malicious
fonts.googleapis.com
  • 172.217.22.10
whitelisted
fonts.gstatic.com
  • 172.217.16.131
whitelisted

Threats

PID
Process
Class
Message
3660
iexplore.exe
A Network Trojan was detected
ET TROJAN XLS.Unk DDE rar Drop Attempt (.club)
3660
iexplore.exe
A Network Trojan was detected
ET TROJAN XLS.Unk DDE rar Drop Attempt (.club)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.sibatamasamitsu.me