File name: | Новая папка (2).rar |
Full analysis: | https://app.any.run/tasks/d0b0721a-dc6b-4bf1-8e39-7300da504da5 |
Verdict: | Malicious activity |
Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
Analysis date: | September 30, 2020, 11:36:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | F00C29A5C1831EB7EF758549AD62E4A9 |
SHA1: | E3F89E543C4CDD4371C161093036DB4CE19398A5 |
SHA256: | 585BE9405B325B3639602A9377211B4CA5608C50F165AD990659EE7894834CC3 |
SSDEEP: | 196608:iBfuWALAqFhiO4ngPNbFXZfSUSn/kQECeiENtH6LJLKP:vWuyOOYjXZfSrudnNtao |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2708 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Новая папка (2).rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3832 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
948 | "C:\Users\admin\Desktop\1Macro.exe" | C:\Users\admin\Desktop\1Macro.exe | — | explorer.exe |
User: admin Company: MacroEngine Integrity Level: MEDIUM Description: Macro Exit code: 3221226540 Version: 5.1.1.0 | ||||
2704 | "C:\Users\admin\Desktop\1Macro.exe" | C:\Users\admin\Desktop\1Macro.exe | explorer.exe | |
User: admin Company: MacroEngine Integrity Level: HIGH Description: Macro Exit code: 0 Version: 5.1.1.0 | ||||
2116 | "C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe" | C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe | 1Macro.exe | |
User: admin Integrity Level: HIGH Description: OneMacro Exit code: 0 Version: 1.3.3.7 | ||||
3748 | "C:\Users\admin\AppData\Roaming\spoofer.exe" | C:\Users\admin\AppData\Roaming\spoofer.exe | 1Macro.exe | |
User: admin Company: Intel plugin Integrity Level: HIGH Description: Intel plugin Exit code: 0 Version: 2.0.0.0 | ||||
2492 | "C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe" | C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe | FY0GPLT3JZKTSG8.exe | |
User: admin Integrity Level: HIGH Description: OneMacro Exit code: 0 Version: 1.3.3.7 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2704 | 1Macro.exe | C:\Users\admin\AppData\Local\Temp\nsv1644.tmp | — | |
MD5:— | SHA256:— | |||
2704 | 1Macro.exe | C:\Users\admin\AppData\Roaming\CrackServer.dll | executable | |
MD5:F15068868AC7EBF82EEF6D79768019EC | SHA256:1742EBB7FE6760CD62EA777434439F688B147E8C426D7EFFCE4FCF8D1138027A | |||
3748 | spoofer.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-09-30T12_37_22.0368750+01_001414 | sqlite | |
MD5:0B3C43342CE2A99318AA0FE9E531C57B | SHA256:0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8 | |||
3748 | spoofer.exe | C:\Users\admin\AppData\Roaming\DVLRNDZuL1F8BFBFF000506E3C4BA364742\421F8BFBFF000506E3C4BA3647DVLRNDZuL\Browsers\Cookies\Cookies_Mozilla.txt | text | |
MD5:B9265145B0724A8CFF164F93B06B83FC | SHA256:D1B92521C343B4ACFD01E0EE9CEAE183BD385DD6F6C065430E32E46705271F8D | |||
2708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2708.15515\1Macro.exe | executable | |
MD5:FE937A6C7019622541FDB8105F88BFF6 | SHA256:D14E69553ECD0DCAE0CAD61BAA01AE3C86D83D7A1B27B9345102769B3DA0351A | |||
2704 | 1Macro.exe | C:\Users\admin\AppData\Roaming\JTextBox.dll | executable | |
MD5:B0297443F4FF499DA015CB94744C6495 | SHA256:F29BEC38BF0DEF7C6B3E69D927E28260CC605C5306DD93D8AE16958BBF10D902 | |||
3748 | spoofer.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-09-30T12_37_21.8337500+01_001414 | sqlite | |
MD5:7C426E0FC19063A433349CE713DA84A0 | SHA256:9925B2D80F8A85132EF4927979B25E0B9525E8317A71FFD844980B794B04234C | |||
2708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2708.15515\CrackServer.dll | executable | |
MD5:F15068868AC7EBF82EEF6D79768019EC | SHA256:1742EBB7FE6760CD62EA777434439F688B147E8C426D7EFFCE4FCF8D1138027A | |||
2708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2708.15515\JTextBox.dll | executable | |
MD5:B0297443F4FF499DA015CB94744C6495 | SHA256:F29BEC38BF0DEF7C6B3E69D927E28260CC605C5306DD93D8AE16958BBF10D902 | |||
2116 | FY0GPLT3JZKTSG8.exe | C:\Users\admin\AppData\Local\Temp\font.ttf | ttf | |
MD5:22DD36F616C2ECE8A4B1CC2217095003 | SHA256:E94D1A99BE4ECF5BCC9DFDA953F56EA936CBDB191CAF29701D16604E87BBBBC4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2116 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/Simplifica.ttf | RU | ttf | 55.5 Kb | malicious |
3748 | spoofer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 433 b | shared |
2492 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/auth1.php?hwid=1F8BFBFF000506E300371461220350285564 | RU | text | 32 b | malicious |
3748 | spoofer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 433 b | shared |
3748 | spoofer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 433 b | shared |
3748 | spoofer.exe | POST | 200 | 94.24.36.14:80 | http://gfs262n304.userstorage.mega.co.nz/ul/-wzQKLTtVo-7-gJ_24g07IN_rxUuQqGv9zdMMMQeUdsXnW6ju5C8ovgcj0t0m9lCRcRwoLNe5F8_kea8rdk4nA/0 | RO | text | 36 b | suspicious |
2492 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/version.txt | RU | text | 3 b | malicious |
2492 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/server1.php | RU | text | 6 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3748 | spoofer.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
2492 | FY0GPLT3JZKTSG8.exe | 46.174.50.8:80 | 1macro.ru | RS-Media LLC | RU | malicious |
3748 | spoofer.exe | 54.204.14.42:443 | api.ipify.org | Amazon.com, Inc. | US | suspicious |
2116 | FY0GPLT3JZKTSG8.exe | 46.174.50.8:80 | 1macro.ru | RS-Media LLC | RU | malicious |
3748 | spoofer.exe | 94.24.36.14:80 | gfs262n304.userstorage.mega.co.nz | — | RO | suspicious |
3748 | spoofer.exe | 66.203.125.15:443 | g.api.mega.co.nz | RealNetworks, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
1macro.ru |
| malicious |
api.ipify.org |
| shared |
ip-api.com |
| shared |
g.api.mega.co.nz |
| shared |
gfs262n304.userstorage.mega.co.nz |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3748 | spoofer.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
3748 | spoofer.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3748 | spoofer.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3748 | spoofer.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3748 | spoofer.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY HTTP POST to MEGA Userstorage |
3748 | spoofer.exe | A Network Trojan was detected | STEALER [PTsecurity] Agensla.gen |
Process | Message |
---|---|
spoofer.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|