analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://neonprime.co.uk/wp-content/plugins/Z6nAB/0000765693-202010195.jar

Full analysis: https://app.any.run/tasks/7a4abf25-be50-4f82-a10f-8b60bf250ead
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: October 20, 2020, 09:56:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
qealler
Indicators:
MD5:

EAD5F4E11EA85692E8427F7C69A5FB49

SHA1:

7DDB468FE80EBB7B998584450FC4543591BB45D8

SHA256:

5307AEC2835E9B833E07BBC51728D9416082CB3E014C15C627B7C908BEA38D2D

SSDEEP:

3:N89V5Ay+VIGEAQjcLtTLYcTIi:2JhfAscBv/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Stealing of credential data

      • javaw.exe (PID: 272)
    • Actions looks like stealing of personal data

      • javaw.exe (PID: 272)
    • QEALLER was detected

      • javaw.exe (PID: 272)
    • Loads dropped or rewritten executable

      • javaw.exe (PID: 272)
    • Executes PowerShell scripts

      • cmd.exe (PID: 804)
    • Connects to CnC server

      • javaw.exe (PID: 272)
  • SUSPICIOUS

    • Executes JAVA applets

      • iexplore.exe (PID: 2508)
    • Creates files in the user directory

      • javaw.exe (PID: 272)
      • powershell.exe (PID: 2676)
    • Executable content was dropped or overwritten

      • javaw.exe (PID: 272)
    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 272)
    • Starts application with an unusual extension

      • cmd.exe (PID: 804)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2508)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2508)
      • iexplore.exe (PID: 1628)
    • Application launched itself

      • iexplore.exe (PID: 2508)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2508)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2508)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2508)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2508)
    • Creates files in the user directory

      • iexplore.exe (PID: 2508)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe #QEALLER javaw.exe cmd.exe no specs chcp.com no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2508"C:\Program Files\Internet Explorer\iexplore.exe" https://neonprime.co.uk/wp-content/plugins/Z6nAB/0000765693-202010195.jarC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1628"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2508 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
272"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\0000765693-202010195.jar" C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
iexplore.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
804cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -C:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3192chcp 1252 C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2676powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 035
Read events
909
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
12
Text files
4
Unknown types
5

Dropped files

PID
Process
Filename
Type
1628iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab42EA.tmp
MD5:
SHA256:
1628iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar42EB.tmp
MD5:
SHA256:
2508iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA90B82B4C41CDA86.TMP
MD5:
SHA256:
2508iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\0000765693-202010195.jar.t9x08t9.partial:Zone.Identifier
MD5:
SHA256:
2676powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q8NPD4K9X4GUOZERA2BP.temp
MD5:
SHA256:
2508iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab2A1D.tmp
MD5:
SHA256:
2508iexplore.exeC:\Users\admin\AppData\Local\Temp\Tar2A1E.tmp
MD5:
SHA256:
2508iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2A4E.tmp
MD5:
SHA256:
272javaw.exeC:\Users\admin\AppData\Local\Temp\tmp405870955493\4058709705676115892583218711724.tmpsqlite
MD5:00847124B209184DA7C908E603C1EDA7
SHA256:19E37C4F202A0EF7645AD8525676C405A7F66EBB5EE22ACCD93EDECB95F8854E
2508iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{9A7B7013-12BA-11EB-85AF-12A9866C77DE}.datbinary
MD5:3C5BAA72570948290A93B457AE3746F5
SHA256:CBC942AAE0181BFD0FAA45E9728209C7487EA9F178AD02B560BEC530A714DF07
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
21
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2508
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1628
iexplore.exe
GET
200
192.124.249.36:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
2508
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2508
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2508
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2508
iexplore.exe
204.79.197.200:443
ieonline.microsoft.com
Microsoft Corporation
US
whitelisted
272
javaw.exe
179.43.141.91:80
Private Layer INC
CH
malicious
1628
iexplore.exe
160.153.133.195:443
neonprime.co.uk
GoDaddy.com, LLC
US
malicious
1628
iexplore.exe
192.124.249.36:80
ocsp.godaddy.com
Sucuri
US
suspicious

DNS requests

Domain
IP
Reputation
neonprime.co.uk
  • 160.153.133.195
malicious
ocsp.godaddy.com
  • 192.124.249.36
  • 192.124.249.22
  • 192.124.249.41
  • 192.124.249.23
  • 192.124.249.24
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted

Threats

PID
Process
Class
Message
272
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
272
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
272
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
272
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
272
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
272
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
272
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
272
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
272
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
272
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
11 ETPRO signatures available at the full report
No debug info