analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://andrewka6.pythonanywhere.com/ret.txt

Full analysis: https://app.any.run/tasks/7385e783-16e7-47f6-a62a-81e2a0b30f77
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: October 20, 2020, 10:40:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MD5:

8A27372BA5C51FFA45F6B560BFC48CA5

SHA1:

7FE194D7EBC9B5A9B42B2F2048D71C374F301B0D

SHA256:

514AE2CD6333495149E8A8E22884A47DE045E97485FD74919D0949B7887A7E9F

SSDEEP:

3:N1Kf1QkKru/eKMCT:C9Z/e8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2484)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2484)
      • iexplore.exe (PID: 1864)
    • Application launched itself

      • iexplore.exe (PID: 2484)
    • Changes internet zones settings

      • iexplore.exe (PID: 2484)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1864)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2484)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2484)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2484)
    • Creates files in the user directory

      • iexplore.exe (PID: 2484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2484"C:\Program Files\Internet Explorer\iexplore.exe" http://andrewka6.pythonanywhere.com/ret.txtC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1864"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2484 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
696
Read events
616
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
14
Text files
4
Unknown types
6

Dropped files

PID
Process
Filename
Type
1864iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab4DF6.tmp
MD5:
SHA256:
1864iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar4DF7.tmp
MD5:
SHA256:
2484iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2484iexplore.exeC:\Users\admin\AppData\Local\Temp\CabC8A4.tmp
MD5:
SHA256:
2484iexplore.exeC:\Users\admin\AppData\Local\Temp\TarC8A5.tmp
MD5:
SHA256:
2484iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC8D5.tmp
MD5:
SHA256:
2484iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\KJ2B7VPU.txt
MD5:
SHA256:
2484iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\4CSNBWTG.txt
MD5:
SHA256:
1864iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874der
MD5:374C5AE0009A2CE310557DCBA05AB7DA
SHA256:23D6B891E5AD12CE805C2A3AC186136F35C965D62F7F58F2D662BB2F902AC28D
1864iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E698CCB2C296D265AC1A253974E09FD_F5B19EEC46B3A283B42FC10E36B8EC76binary
MD5:314880FB825DC35F696E380498956A55
SHA256:BA84BF2783658CA8C93C73AC681E2F1B44F23145571D755B18C3B43EEE4088A7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
16
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1864
iexplore.exe
GET
404
35.173.69.207:80
http://andrewka6.pythonanywhere.com/ret.txt
US
html
1.12 Kb
malicious
1864
iexplore.exe
GET
404
35.173.69.207:80
http://andrewka6.pythonanywhere.com/ret.txt
US
html
1.12 Kb
malicious
2484
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1864
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuqL92L3tjkN67RNFF%2FEdvT6NEzAQUwBKyKHRoRmfpcCV0GgBFWwZ9XEQCEA1kUGtF8wzjWmwt3ywYtDc%3D
US
der
471 b
whitelisted
2484
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
2484
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1864
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAGC%2BAmOouYmuRo7J4Qfua8%3D
US
der
1.47 Kb
whitelisted
2484
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1864
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2484
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2484
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2484
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2484
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1864
iexplore.exe
52.216.236.213:443
s3.amazonaws.com
Amazon.com, Inc.
US
unknown
1864
iexplore.exe
35.173.69.207:80
andrewka6.pythonanywhere.com
Amazon.com, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
andrewka6.pythonanywhere.com
  • 35.173.69.207
malicious
s3.amazonaws.com
  • 52.216.236.213
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
api.bing.com
  • 13.107.47.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET TROJAN ThiefQuest CnC Domain in DNS Lookup
2 ETPRO signatures available at the full report
No debug info