File name: | Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.rar |
Full analysis: | https://app.any.run/tasks/c038e9bd-a206-4e70-95c7-3e0f1e7ae357 |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | March 31, 2023, 23:11:24 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, flags: Locked EncryptedBlockHeader |
MD5: | FECE27B4884C071FCDBF66CCDFA52C2D |
SHA1: | 76DAE8C49CAE7E71FD9CA55D2AD22123F27B4F16 |
SHA256: | 55F9D1F7767797AA6C9EEF0C2FB01E88C3050006B496B2FDB02F4F2B3E419579 |
SSDEEP: | 24576:Ms58hBNs1DpSodGnaduQi9wEhKzmOu/8jCu/C4mSCpXP3vUqcmeFUVlAmzB2:Ms58KsxaEDiEhKzu/8uwmSCdfgFms |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1048 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
3864 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1048.29614\Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1048.29614\Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 4294967295 Modules
| |||||||||||||||
988 | "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\admin\AppData\Roaming\AppData.exe'" /f | C:\Windows\System32\cmd.exe | — | Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
1764 | "cmd" /c copy "C:\Users\admin\AppData\Local\Temp\Rar$EXb1048.29614\Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.exe" "C:\Users\admin\AppData\Roaming\AppData.exe" | C:\Windows\System32\cmd.exe | — | Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
1796 | schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\admin\AppData\Roaming\AppData.exe'" /f | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2700 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "'C:\Users\admin\AppData\Local\Temp\Rar$EXb1048.29614\Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3080 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
Remcos(PID) Process(3080) csc.exe Max_keylog_file100000 Keylog_dirremcos Copy_dirRemcos Connect_delay0 Audio_dirMicRecords Audio_path%ProgramFiles% Audio_record_time5 Delete_fileFalse Mouse_optionFalse Screenshot_cryptFalse Screenshot_fileScreenshots Screenshot_path%APPDATA% Take_ScreenshotFalse Screenshot_time5 Screenshot_flagFalse Hide_keylogFalse Keylog_cryptFalse Keylog_filelogs.dat Keylog_path%LOCALAPPDATA% Keylog_flag1 Mutex_nameRmc-KRVPQ3 Hide_fileFalse Startup_valueRemcos Copy_fileremcos.exe Setup_path%LOCALAPPDATA% Install_HKLM\Explorer\Run1 Install_HKLM\RunTrue Install_HKCU\RunTrue Install_flagFalse Connect_interval1 BotnetRemoteHost Hosts (2)127.0.0.1:8029 afgdsg.duckdns.org:8029 |
(PID) Process: | (1048) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (1048) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (1048) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (1048) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
(PID) Process: | (1048) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (1048) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (1048) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (1048) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (1048) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1048) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1048 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1048.29614\Factura y comprobante de pago detalle de transaccion -pdf-65478396473847389.exe | — | |
MD5:— | SHA256:— | |||
1764 | cmd.exe | C:\Users\admin\AppData\Roaming\AppData.exe | — | |
MD5:— | SHA256:— | |||
3080 | csc.exe | C:\ProgramData\remcos\logs.dat | binary | |
MD5:161252DADE8B424F5F4B82E59E08A2F7 | SHA256:DF47346480278B2D38EBE4C075B4BFF3A9D45BEB648BC5DEDE3164F38A34959E | |||
2700 | powershell.exe | C:\Users\admin\AppData\Local\Temp\pthz0zcp.ycg.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2700 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ybchbkja.hka.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
2700 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | dbf | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3080 | csc.exe | 177.255.88.17:8029 | afgdsg.duckdns.org | Colombia Movil | CO | malicious |
— | — | 177.255.88.17:8029 | afgdsg.duckdns.org | Colombia Movil | CO | malicious |
Domain | IP | Reputation |
---|---|---|
afgdsg.duckdns.org |
| malicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |