Malware analysis File_pass1234.7z Malicious activity | ANY.RUN

Add for printing

download:	File_pass1234.7z
Full analysis:	https://app.any.run/tasks/bfbfd744-5e63-4aab-b337-f1834d648281
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. Malware Trends Tracker >>>
Analysis date:	June 19, 2023, 08:31:42
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	privateloader opendir loader g0njxa
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	228119EE4C65CB1007F6A059D9B9EA04
SHA1:	FFF65D55391A3AABD4262886CBABF87F6F2600FD
SHA256:	540B52866F994DC6C92ED34BB9E3D7F9ED6183CE5AD09DAA9C0704DA733AE060
SSDEEP:	98304:O3vnS3jwpt1B1ODe16f/dqDlvgYCrBBkTRuRs4hI5z:OKMnODe16f/dqZvawRuRjqz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
Mozilla Maintenance Service (67.0.4)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Creates a writable file the system directory
  - File.exe (PID: 2496)
- PRIVATELOADER was detected
  - File.exe (PID: 2496)
- Connects to the CnC server
  - File.exe (PID: 2496)
- Actions looks like stealing of personal data
  - File.exe (PID: 2496)
SUSPICIOUS
- Connects to the server without a host name
  - File.exe (PID: 2496)
- Adds/modifies Windows certificates
  - WinRAR.exe (PID: 2448)
- Executes as Windows Service
  - raserver.exe (PID: 2508)
  - raserver.exe (PID: 1440)
- Reads settings of System Certificates
  - File.exe (PID: 2496)
- Reads the Internet Settings
  - File.exe (PID: 2496)
- Reads security settings of Internet Explorer
  - File.exe (PID: 2496)
- Checks Windows Trust Settings
  - File.exe (PID: 2496)
- Executable content was dropped or overwritten
  - File.exe (PID: 2496)
- Process requests binary or script from the Internet
  - File.exe (PID: 2496)
- Connects to unusual port
  - File.exe (PID: 2496)
INFO
- The process checks LSA protection
  - File.exe (PID: 2496)
  - File.exe (PID: 2740)
- Checks supported languages
  - File.exe (PID: 2740)
  - File.exe (PID: 2496)
- Reads the computer name
  - File.exe (PID: 2496)
  - File.exe (PID: 2740)
- Checks proxy server information
  - File.exe (PID: 2496)
- Reads the machine GUID from the registry
  - File.exe (PID: 2496)
- Manual execution by a user
  - File.exe (PID: 2740)
- Process checks computer location settings
  - File.exe (PID: 2496)
- Creates files or folders in the user directory
  - File.exe (PID: 2496)
- Create files in a temporary directory
  - File.exe (PID: 2496)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1440

C:\Windows\system32\RAServer.exe /offerraupdate

C:\Windows\System32\raserver.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Remote Assistance COM Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\raserver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2448

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\File_pass1234.7z"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll

2496

"C:\Users\admin\AppData\Local\Temp\Rar$EXb2448.551\File.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb2448.551\File.exe

WinRAR.exe

User:

admin

Company:

MPC-HC Team

Integrity Level:

HIGH

Description:

MPC-HC (x64)

Exit code:

Version:

1.9.23 (a8e9113b5)

Modules

Images
c:\users\admin\appdata\local\temp\rar$exb2448.551\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll

2508

C:\Windows\system32\RAServer.exe /offerraupdate

C:\Windows\System32\raserver.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Remote Assistance COM Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\raserver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll

2740

"C:\Users\admin\Desktop\File.exe"

C:\Users\admin\Desktop\File.exe

explorer.exe

User:

admin

Company:

MPC-HC Team

Integrity Level:

HIGH

Description:

MPC-HC (x64)

Exit code:

Version:

1.9.23 (a8e9113b5)

Modules

Images
c:\users\admin\desktop\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2972

"C:\Users\admin\AppData\Local\Temp\Rar$EXb2448.551\File.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXb2448.551\File.exe

—

WinRAR.exe

User:

admin

Company:

MPC-HC Team

Integrity Level:

MEDIUM

Description:

MPC-HC (x64)

Exit code:

3221226540

Version:

1.9.23 (a8e9113b5)

Modules

Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\rar$exb2448.551\file.exe

Add for printing

Total events

2 388

Read events

2 299

Write events

Delete events

Modification events


(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\Win7AndW2K8R2-KB3191566-x64.zip
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2448	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb2448.551\File.exe		—
		MD5:—	SHA256:—
2448	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb2448.1491\File.exe		—
		MD5:—	SHA256:—
2496	File.exe	C:\Windows\System32\GroupPolicy\gpt.ini		text
		MD5:39DFFC602ED934569F26BE44EC645814	SHA256:B57A88E5B1ACF3A784BE88B87FA3EE1F0991CB7C1C66DA423F3595FFC6E0C5C2
2496	File.exe	C:\Windows\System32\GroupPolicy\Machine\Registry.pol		binary
		MD5:CDFD60E717A44C2349B553E011958B85	SHA256:0EE08DA4DA3E4133E1809099FC646468E7156644C9A772F704B80E338015211F
2496	File.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\0FJG430T.txt		text
		MD5:1F53143555FF466F69C98B6ED18CE414	SHA256:0F2C1F86DD11D68BA6C96534732AE8F57323124EAC967ECFD0CC1F626C908B87
2496	File.exe	C:\Users\admin\Pictures\Minor Policy\7GYslHBw3ezh2EIVbi5ZRi2E.exe		executable
		MD5:A80A71FA1BB88E7708609F4D287FD266	SHA256:365CBD4B53AD81CD83207C6E760DF0BA183DECCB997C88EA9E46DA2F827C2056
2496	File.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\photo221[1].exe		executable
		MD5:8BC0F9A464D40D9DF7D79790A414A0E0	SHA256:BA78E7BD378AC34115266A5AB0543D6944723FCAD4C596DBA9A8BAB5968E9BB5
2496	File.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:8AE33739D4BFFE20CBD2D8EB10A92406	SHA256:1935F47FAC25B080267A029CFB3B7C99863D56E23D1E2463F7273DEDAB5F22AC
2496	File.exe	C:\Users\admin\Pictures\Minor Policy\DMztWI8DpbTKYm92dxw0rv89.exe		executable
		MD5:EE0516A44D6E7CC5E2BEF2CA0E5CF461	SHA256:8DC7D4261B9EA7463AE129A04C13BEB905D7A5722B03C90EA57E0A81C04F0880
2496	File.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\BXR0X7MX.txt		text
		MD5:E6249403B037D3941C71BB4140497313	SHA256:9B9D05D7468FBD9B64A08E6F6D6909F63218664F47A3B126AD88CDC9892BA3EA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

740

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2496	File.exe	HEAD	—	194.169.175.124:80	http://194.169.175.124:3002/	US	—	—	malicious
2496	File.exe	GET	—	45.12.253.74:80	http://45.12.253.74/pineapple.php?pub=mixinte	BG	—	—	malicious
2496	File.exe	HEAD	200	83.97.73.131:80	http://83.97.73.131/gallery/photo221.exe	unknown	—	—	malicious
2496	File.exe	GET	—	83.97.73.131:80	http://83.97.73.131/gallery/photo221.exe	unknown	—	—	malicious
2496	File.exe	HEAD	200	188.114.97.3:80	http://ji.jahhaega2qq.com/m/p0aw25.exe	US	—	—	malicious
2496	File.exe	GET	200	188.114.97.3:80	http://ji.jahhaega2qq.com/m/p0aw25.exe	US	executable	417 Kb	malicious
2496	File.exe	POST	200	208.67.104.60:80	http://208.67.104.60/api/firegate.php	US	text	108 b	malicious
2496	File.exe	POST	200	208.67.104.60:80	http://208.67.104.60/api/firegate.php	US	text	108 b	malicious
2496	File.exe	GET	200	163.123.143.4:80	http://163.123.143.4/download/Service32.exe	unknown	executable	5.11 Mb	malicious
2496	File.exe	GET	200	45.9.74.80:80	http://45.9.74.80/undoo.exe	SC	executable	772 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
328	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2496	File.exe	208.67.104.60:80	—	Delis LLC	US	malicious
2496	File.exe	104.26.8.59:443	api.myip.com	CLOUDFLARENET	US	suspicious
2740	File.exe	94.142.138.113:80	—	Network Management Ltd	RU	malicious
2496	File.exe	172.67.75.163:443	api.myip.com	CLOUDFLARENET	US	suspicious
2496	File.exe	87.240.132.78:80	vk.com	VKontakte Ltd	RU	suspicious
2496	File.exe	87.240.129.133:80	vk.com	VKontakte Ltd	RU	malicious
2496	File.exe	87.240.132.67:80	vk.com	VKontakte Ltd	RU	suspicious
2496	File.exe	93.186.225.194:80	vk.com	VKontakte Ltd	RU	suspicious

DNS requests

Domain	IP	Reputation
api.myip.com	104.26.8.59 172.67.75.163 104.26.9.59	suspicious
teredo.ipv6.microsoft.com	—	whitelisted
ipinfo.io	34.117.59.81	shared
vk.com	87.240.132.78 87.240.129.133 87.240.132.67 87.240.132.72 93.186.225.194 87.240.137.164	whitelisted
dns.msftncsi.com	131.107.255.255	shared
hugersi.com	91.215.85.147	suspicious
ji.jahhaega2qq.com	188.114.96.3 188.114.97.3	malicious
bitbucket.org	104.192.141.1	shared
bbuseruploads.s3.amazonaws.com	3.5.28.106 52.216.209.105 52.217.164.105 3.5.29.240 52.216.108.123 54.231.161.169 52.217.167.225 52.217.43.100	shared
x.ss2.us	143.204.214.29 143.204.214.104 143.204.214.191 143.204.214.125	whitelisted

Threats

PID	Process	Class	Message
2496	File.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 39
2496	File.exe	Malware Command and Control Activity Detected	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
2496	File.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
2496	File.exe	Generic Protocol Command Decode	SURICATA Applayer Mismatch protocol both directions
2496	File.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body
2496	File.exe	Generic Protocol Command Decode	SURICATA Applayer Detect protocol only one direction
2496	File.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2496	File.exe	Generic Protocol Command Decode	SURICATA Applayer Mismatch protocol both directions
2496	File.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2496	File.exe	Generic Protocol Command Decode	SURICATA HTTP Unexpected Request body

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

File_pass1234.7z

228119EE4C65CB1007F6A059D9B9EA04

FFF65D55391A3AABD4262886CBABF87F6F2600FD

540B52866F994DC6C92ED34BB9E3D7F9ED6183CE5AD09DAA9C0704DA733AE060

98304:O3vnS3jwpt1B1ODe16f/dqDlvgYCrBBkTRuRs4hI5z:OKMnODe16f/dqZvawRuRjqz

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Creates a writable file the system directory

PRIVATELOADER was detected

Connects to the CnC server

Actions looks like stealing of personal data

SUSPICIOUS

Connects to the server without a host name

Adds/modifies Windows certificates

Executes as Windows Service

Reads settings of System Certificates

Reads the Internet Settings

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Executable content was dropped or overwritten

Process requests binary or script from the Internet

Connects to unusual port

INFO

The process checks LSA protection

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the machine GUID from the registry

Manual execution by a user

Process checks computer location settings

Creates files or folders in the user directory

Create files in a temporary directory

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings