File name: Adobe-Photoshop-CS6-Crack---Serial-Key-2021-Latest_5fc390fbac0e9.zip
Full analysis: https://app.any.run/tasks/7560af47-bb09-4ce8-8004-207463b5c468
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 29, 2020, 12:23:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
stealer
trojan
loader
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 397B13C495DA1404721B5138F0569D16
SHA1: 45B2C2A80D1FE478E1282C83974496139444E075
SHA256: 4AB8916FD108B0BC29F3CCAD5150F32CFA543ECF26A001AB6762E26FACAE6448
SSDEEP: 24576:iqMy4h2tsXzYByyzVSTbjx8+6C9PcuUWImJ8SoIh8SkctQg:7N4hu/IIYjaZC9O6mIawQg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • setup_install.exe (PID: 3040)
      • SearchIndexer.com (PID: 3000)
      • SearchIndexer.com (PID: 3680)
      • File.exe (PID: 2700)
      • File.exe (PID: 2380)
      • SmartClock.exe (PID: 932)
      • 6las.exe (PID: 3396)
      • 4fra.exe (PID: 2332)
      • lvbop.exe (PID: 1868)
      • startjo.exe (PID: 3688)
      • CL_Debug_Log.txt (PID: 1408)
      • Helper.exe (PID: 3944)
      • Helper.exe (PID: 3756)
      • Helper.exe (PID: 3860)
      • tor.exe (PID: 2152)
      • Helper.exe (PID: 1396)
      • Helper.exe (PID: 1884)
    • Runs app for hidden code execution

      • cmd.exe (PID: 3184)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3012)
    • Stealing of credential data

      • ipconfig.exe (PID: 2720)
    • Actions look like stealing of personal data

      • ipconfig.exe (PID: 2720)
    • Loads the Task Scheduler COM API

      • 4fra.exe (PID: 2332)
      • schtasks.exe (PID: 3568)
    • Writes to a start menu file

      • 4fra.exe (PID: 2332)
    • Loads dropped or rewritten executable

      • File.exe (PID: 2700)
      • tor.exe (PID: 2152)
    • Changes settings of System certificates

      • startjo.exe (PID: 3688)
      • WScript.exe (PID: 2736)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 576)
  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 2256)
      • cmd.exe (PID: 3184)
      • SearchIndexer.com (PID: 3000)
      • Helper.exe (PID: 3756)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1880)
      • cmd.exe (PID: 3012)
      • ipconfig.exe (PID: 2720)
      • 4fra.exe (PID: 2332)
      • File.exe (PID: 2700)
      • CL_Debug_Log.txt (PID: 1408)
      • startjo.exe (PID: 3688)
      • Helper.exe (PID: 3944)
      • Helper.exe (PID: 3756)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 1880)
      • Helper.exe (PID: 3944)
    • Starts CMD.EXE for command execution

      • setup_install.exe (PID: 3040)
      • cmd.exe (PID: 3184)
      • ipconfig.exe (PID: 2720)
      • 6las.exe (PID: 3396)
      • startjo.exe (PID: 3688)
      • lvbop.exe (PID: 1868)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 1880)
      • Helper.exe (PID: 3756)
      • Helper.exe (PID: 3944)
    • Starts CertUtil to decode files

      • cmd.exe (PID: 3184)
      • cmd.exe (PID: 3012)
    • Drops AutoIt3 executable file

      • cmd.exe (PID: 3012)
    • Starts application with an unusual extension

      • SearchIndexer.com (PID: 3000)
      • cmd.exe (PID: 3012)
      • startjo.exe (PID: 3688)
    • Reads the cookies of Google Chrome

      • ipconfig.exe (PID: 2720)
    • Reads the cookies of Mozilla Firefox

      • ipconfig.exe (PID: 2720)
    • Uses IPCONFIG.EXE to discover IP address

      • SearchIndexer.com (PID: 3680)
    • Drops a file with a compile date too recent

      • File.exe (PID: 2700)
      • CL_Debug_Log.txt (PID: 1408)
      • startjo.exe (PID: 3688)
    • Starts CMD.EXE for self-deleting

      • ipconfig.exe (PID: 2720)
      • 6las.exe (PID: 3396)
    • Creates a directory in Program Files

      • File.exe (PID: 2700)
    • Creates files in the program directory

      • File.exe (PID: 2700)
      • 6las.exe (PID: 3396)
    • Creates files in the user directory

      • 4fra.exe (PID: 2332)
      • startjo.exe (PID: 3688)
      • Helper.exe (PID: 3944)
      • Helper.exe (PID: 3756)
      • tor.exe (PID: 2152)
    • Starts itself from another location

      • 4fra.exe (PID: 2332)
    • Checks for external IP

      • 6las.exe (PID: 3396)
      • lvbop.exe (PID: 1868)
    • Adds / modifies Windows certificates

      • startjo.exe (PID: 3688)
      • WScript.exe (PID: 2736)
    • Searches for installed software

      • ipconfig.exe (PID: 2720)
    • Executes scripts

      • cmd.exe (PID: 1776)
    • Executed via Task Scheduler

      • Helper.exe (PID: 3756)
      • Helper.exe (PID: 3860)
      • Helper.exe (PID: 1396)
      • Helper.exe (PID: 1884)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • tor.exe (PID: 2152)
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:11:29 12:15:27
ZipCRC: 0x1ea06776
ZipCompressedSize: 242
ZipUncompressedSize: 349
ZipFileName: Adobe-Photoshop-CS6-Crack---Serial-Key-2021-Latest/5fc390fb374a05fc390f-files/5fc390fb374a05fc390f-ReadMe-First.txt
No data.
Total processes: 86
Monitored processes: 39
Malicious processes: 14
Suspicious processes: 8

Behavior graph

(Interactive graph available in the full report. Edge labels: "start", "drop and start". Process nodes, in the order shown: winrar.exe, winrar.exe, notepad.exe, winrar.exe, setup_install.exe, cmd.exe, cmd.exe, certutil.exe, cmd.exe, ping.exe, certutil.exe, searchindexer.com, ping.exe, searchindexer.com, ipconfig.exe, file.exe, file.exe, cmd.exe, timeout.exe, lvbop.exe, 6las.exe, 4fra.exe, startjo.exe, smartclock.exe, cmd.exe, timeout.exe, cmd.exe, timeout.exe, cl_debug_log.txt, cmd.exe, schtasks.exe, cmd.exe, wscript.exe, helper.exe, helper.exe, helper.exe, tor.exe, helper.exe, helper.exe.)

Process information

PID: 2256
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Adobe-Photoshop-CS6-Crack---Serial-Key-2021-Latest_5fc390fbac0e9.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2788
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2256.44993\5fc390fb9dd89_setup_files.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2212
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2256.49916\5fc390fb374a05fc390f-PASSWORD.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1880
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2256.619\5fc390fb9dd89_setup_files.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3040
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1880.1166\setup_install.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1880.1166\setup_install.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Awx00 Yuzsogv Zuaiooptxq
Exit code: 0
Version: 2.5.0374.27586 (mclyssq_vrh.461130-5544)

PID: 3716
CMD: cmd /c FoRnSZca
Path: C:\Windows\system32\cmd.exe
Parent process: setup_install.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3184
CMD: cmd /c certutil -decode 4-25 8-68 & cmd < 8-68
Path: C:\Windows\system32\cmd.exe
Parent process: setup_install.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 572
CMD: certutil -decode 4-25 8-68
Path: C:\Windows\system32\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CertUtil.exe
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3012
CMD: cmd
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3916
CMD: ping -n 1 DJrui.DJrui
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 4 070
Read events: 3 916
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 28
Suspicious files: 14
Text files: 375
Unknown types: 18

Dropped files

PID 3208, certutil.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\I
Type:
MD5:
SHA256:

PID 3040, setup_install.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1-23
Type: text
MD5: 5467C8CD3057AAAB2EFE65E31BFF9A6E
SHA256: 41248BB83F95B452653FB79F5CE3A62ADA04DBF0DCD015BDFC2F68808FD993A7

PID 3040, setup_install.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\4-25
Type: text
MD5: A92BD4AA7A7B22B258AF90AF39DAF414
SHA256: 1258D4C3ED24AE26C2522FFBA2033566821B1DEBB7FFCEA16228664C2A2A2303

PID 1880, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb1880.1166\setup_install.exe
Type: executable
MD5: 38BD6C0B26A0CE922D7AA12EF263A89A
SHA256: 75258043FC90BE9E9DE1FBADD8A3B9D66E57F3B603BA2D340D4830175C2328EE

PID 2720, ipconfig.exe
Filename: C:\Users\admin\AppData\Local\Temp\Y5OWyUHzAa\J7vet.tmp
Type: sqlite
MD5: 00847124B209184DA7C908E603C1EDA7
SHA256: 19E37C4F202A0EF7645AD8525676C405A7F66EBB5EE22ACCD93EDECB95F8854E

PID 2256, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa2256.619\5fc390fb9dd89_setup_files.zip
Type: compressed
MD5: C2C9D2FDD3E75C09F17A4009A088F46D
SHA256: EC30D6C8BA92E04309447C6069EDA5CB64CF89E9742A9D94BA9AF622E2C43A54

PID 3040, setup_install.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1-0
Type: image
MD5: 6BA8E5615AB5CA00BDBEC5125D88EECC
SHA256: 46B8249FFDE2291F97487AC961E3F274AF76505841D2F4B8269E2A3960C7614F

PID 3040, setup_install.exe
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\56-50
Type: binary
MD5: F27ED8B512A51A4DE0E58A8A92949DEF
SHA256: 9B79D372AFFBB485743297B5915EC824C0D4135DC4B517E39D1EF271D9D850F3

PID 2720, ipconfig.exe
Filename: C:\Users\admin\AppData\Local\Temp\Y5OWyUHzAa\_Files\_Cookies\google_chrome.txt
Type: text
MD5: 32E45ECC52E9506E30A8851DCA3E9E1E
SHA256: 8E6AF3CEF325FFE08C889FADC4AB6474FAE5DFF73796E45A5FC9DE9F62DFC0E6

PID 2720, ipconfig.exe
Filename: C:\Users\admin\AppData\Local\Temp\Y5OWyUHzAa\_Files\_AllPasswords_list.txt
Type: text
MD5: 456BA549B52FAE21D4D51A9F9A0456C5
SHA256: F992BA2F96C67BC7BF726F950F6111984E0C657CA8A9403453706BBC2611C38A
HTTP(S) requests: 9
TCP/UDP connections: 16
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2720 | ipconfig.exe | GET | 302 | 45.8.124.132:80 | http://shhhes02.top/download.php?file=lv.exe | unknown | - | - | malicious
2720 | ipconfig.exe | GET | 200 | 45.8.124.132:80 | http://shhhes02.top/downfiles/lv.exe | unknown | executable | 20.5 Mb | malicious
3396 | 6las.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line | unknown | text | 135 b | shared
1868 | lvbop.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json | unknown | text | 276 b | shared
2720 | ipconfig.exe | POST | 200 | 185.238.1.60:80 | http://humusser25.top/index.php | unknown | text | 2 b | malicious
2736 | WScript.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
2720 | ipconfig.exe | POST | 200 | 185.238.1.60:80 | http://moraffdd03.top/index.php | unknown | text | 3 b | malicious
2736 | WScript.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
2736 | WScript.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEGmjTouN%2FW5s3CDseaiw7qE%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2736 | WScript.exe | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious
2736 | WScript.exe | 88.99.66.31:443 | 2no.co | Hetzner Online GmbH | DE | malicious
3396 | 6las.exe | 208.95.112.1:80 | ip-api.com | IBURST | - | malicious
2720 | ipconfig.exe | 185.238.1.60:80 | humusser25.top | - | - | malicious
2720 | ipconfig.exe | 45.8.124.132:80 | shhhes02.top | - | - | malicious
3688 | startjo.exe | 88.99.66.31:443 | 2no.co | Hetzner Online GmbH | DE | malicious
1868 | lvbop.exe | 208.95.112.1:80 | ip-api.com | IBURST | - | malicious
2152 | tor.exe | 45.79.108.130:9001 | - | Linode, LLC | US | suspicious
2152 | tor.exe | 96.253.78.108:443 | - | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2152 | tor.exe | 163.172.184.32:443 | - | Online S.a.s. | FR | suspicious

DNS requests

Domain | IP | Reputation
DJrui.DJrui | - | unknown
heExvnEUQmrowxbOmY.heExvnEUQmrowxbOmY | - | unknown
humusser25.top | 185.238.1.60, 193.106.175.29 | malicious
moraffdd03.top | 185.238.1.60, 193.106.175.29 | malicious
shhhes02.top | 45.8.124.132, 188.120.239.57 | malicious
ip-api.com | 208.95.112.1 | shared
2no.co | 88.99.66.31 | whitelisted
iplogger.org | 88.99.66.31 | shared
ocsp.comodoca.com | 151.139.128.14 | whitelisted
ocsp.usertrust.com | 151.139.128.14 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
2720 | ipconfig.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
2720 | ipconfig.exe | A Network Trojan was detected | STEALER [PTsecurity] Possible Exfiltration Action (POST Zip Archive)
2720 | ipconfig.exe | A Network Trojan was detected | STEALER [PTsecurity] Possible Exfiltration Action (POST Zip Archive)
2720 | ipconfig.exe | A Network Trojan was detected | ET TROJAN Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
2720 | ipconfig.exe | A Network Trojan was detected | STEALER [PTsecurity] Possible Exfiltration Action (POST Zip Archive)
2720 | ipconfig.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2720 | ipconfig.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2720 | ipconfig.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2720 | ipconfig.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
12 ETPRO signatures available at the full report
Process | Message
lvbop.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
6las.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
4fra.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
startjo.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
SmartClock.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------