File name: | Пакет документов для оплаты апрель.z |
Full analysis: | https://app.any.run/tasks/24e44d4a-0e7c-4be6-93c6-cc03b71e6bfa |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | September 11, 2019, 09:59:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | B0A534D8DF50CE1A28954939F4114736 |
SHA1: | 95F0849C328A06657E776EF89446CF6386E02690 |
SHA256: | 451772D30AD63731C379D8EE2872543C2E0463EB13B1D1F9E3DE82EE5721D78E |
SSDEEP: | 6144:x1k1VohWwiPJXi3lHrUuZ7PUsNIoSP6ja42di:x1y+hePJSVLUuKgIDSZh |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3108 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Пакет документов для оплаты апрель.z.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2484 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Пакет документов для оплаты апрель.z.rar" C:\Users\admin\Desktop\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3884 | "C:\Users\admin\Desktop\Пакет документов для оплаты апрель.exe" | C:\Users\admin\Desktop\Пакет документов для оплаты апрель.exe | explorer.exe | |
User: admin Company: Корпорация Майкрософт Integrity Level: HIGH Description: Самоизвлечение CAB-файлов Win32 Exit code: 0 Version: 6.00.2900.5512 (xpsp.080413-2105) | ||||
2904 | rundll32.exe load.dll,DllGetClassObject root 000000000000 Post Install program: <None> | C:\Windows\system32\rundll32.exe | Пакет документов для оплаты апрель.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3488 | rundll32.exe "C:\ProgramData\2401bf603c90\2702bc633f93.dat",DllGetClassObject root | C:\Windows\system32\rundll32.exe | taskeng.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
276 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3712 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3332 | "C:\Users\admin\Desktop\Пакет документов для оплаты апрель.exe" | C:\Users\admin\Desktop\Пакет документов для оплаты апрель.exe | explorer.exe | |
User: admin Company: Корпорация Майкрософт Integrity Level: HIGH Description: Самоизвлечение CAB-файлов Win32 Exit code: 0 Version: 6.00.2900.5512 (xpsp.080413-2105) | ||||
2156 | rundll32.exe load.dll,DllGetClassObject root 000000000000 Post Install program: <None> | C:\Windows\system32\rundll32.exe | — | Пакет документов для оплаты апрель.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3280 | C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3332 | Пакет документов для оплаты апрель.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\load.dll | — | |
MD5:— | SHA256:— | |||
276 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Пакет документов для оплаты апрель.z.rar.lnk | lnk | |
MD5:0240934712603E102095F738AE29954C | SHA256:89EFC8DE26F0E67C3CD9B2943D6CBB2727D34D3F8BFD2A631EBB934F8A767E8A | |||
2904 | rundll32.exe | C:\ProgramData\2401bf603c90\2702bc633f93.dat | executable | |
MD5:C5E98FC58BB099D9736B75BA76BBDEAD | SHA256:F153BF240E6987C447FA45A69135AD9F41CD90F885F88BF40FF1328FE8C0F085 | |||
2484 | WinRAR.exe | C:\Users\admin\Desktop\Пакет документов для оплаты апрель.exe | executable | |
MD5:1C7EBD1FA0F4260E0C9E5335A177AF39 | SHA256:72C7A800848E5929AD850A39E50271310133D1B067286D7B8948335903C4F541 | |||
276 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | automaticdestinations-ms | |
MD5:C8801139D551987A79EE08D5F5F2F9C1 | SHA256:38B799EC3E1B24596698CB6F8991450400FA3C4E0E401E1362204C463E6DB9AA | |||
3884 | Пакет документов для оплаты апрель.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\load.dll | executable | |
MD5:C5E98FC58BB099D9736B75BA76BBDEAD | SHA256:F153BF240E6987C447FA45A69135AD9F41CD90F885F88BF40FF1328FE8C0F085 | |||
276 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:5C178B5F0C1F2FEFC4409CE763F1BE56 | SHA256:F25729EDE23FFD95818CE4C7869B2746D9679DD7D4BF3CC29C47035C7BB05279 | |||
276 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019091120190912\index.dat | dat | |
MD5:EE07656E89AE50E544846C97D2692BD8 | SHA256:A857D582B3F8E06B1E91EB2B9BE9C1802A8BB0C63CAD942815432819BDD007BB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3488 | rundll32.exe | POST | — | 185.205.210.233:80 | http://185.205.210.233/index.php | BG | — | — | malicious |
3488 | rundll32.exe | POST | — | 185.203.116.89:80 | http://185.203.116.89/index.php | BG | — | — | malicious |
3488 | rundll32.exe | POST | — | 185.205.210.233:80 | http://185.205.210.233/index.php | BG | — | — | malicious |
3488 | rundll32.exe | POST | — | 185.203.116.89:80 | http://185.203.116.89/index.php | BG | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3488 | rundll32.exe | 162.243.211.124:443 | namecoin.cyphrs.com | Digital Ocean, Inc. | US | unknown |
3488 | rundll32.exe | 217.12.210.54:53 | — | ITL Company | UA | malicious |
3488 | rundll32.exe | 185.203.116.89:80 | — | BelCloud Hosting Corporation | BG | malicious |
— | — | 188.165.200.156:53 | — | OVH SAS | FR | malicious |
3488 | rundll32.exe | 91.217.137.37:53 | — | Meganet-2003 LLC | RU | malicious |
3488 | rundll32.exe | 185.205.210.233:80 | — | BelCloud Hosting Corporation | BG | malicious |
3488 | rundll32.exe | 188.165.200.156:53 | — | OVH SAS | FR | malicious |
Domain | IP | Reputation |
---|---|---|
namecoin.cyphrs.com |
| unknown |
stat-counter-7.bit |
| unknown |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3488 | rundll32.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3488 | rundll32.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
— | — | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3488 | rundll32.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3488 | rundll32.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3488 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman) |
3488 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman) |
3488 | rundll32.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3488 | rundll32.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |
3488 | rundll32.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit |