analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Calculation-75741864-10162020.zip

Full analysis: https://app.any.run/tasks/7f717d5f-59f9-49cd-bfd8-4892e65bb8aa
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 01:14:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
qbot
maldoc-42
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

F2DFF05D5A8764DEAAD9FED4167430AD

SHA1:

1ED06C17A08F758A572E272C144E3006E5D019D6

SHA256:

58B2E6135A5BE16FC97B2773232182D6C702580B12D230F9346B16841A479EE7

SSDEEP:

384:Dcc3b2qHoRRI8LOxXWutyG6Qh6Kcoq6w0OAO1jnmF6FZuUL9EDWz1BsxOg:Amb2tR0xXgsh6Ky65OVjmF6FZuUqWzoH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ytfovlym.exe (PID: 2844)
      • nosto.exe (PID: 2580)
      • nosto.exe (PID: 2984)
      • ytfovlym.exe (PID: 2344)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2772)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2772)

    • Downloads executable files with a strange extension

      • EXCEL.EXE (PID: 2772)

    • QBOT was detected

      • nosto.exe (PID: 2984)

    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 2772)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3176)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • nosto.exe (PID: 2984)

    • Starts itself from another location

      • nosto.exe (PID: 2984)

    • Executable content was dropped or overwritten

      • nosto.exe (PID: 2984)
      • cmd.exe (PID: 3176)

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2944)

    • Application launched itself

      • nosto.exe (PID: 2984)
      • ytfovlym.exe (PID: 2844)

    • Creates files in the user directory

      • nosto.exe (PID: 2984)

  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2772)

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2772)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 3176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Calculation-75741864-10162020.xlsb
ZipUncompressedSize: 26689
ZipCompressedSize: 21421
ZipCRC: 0xb46147e0
ZipModifyDate: 2020:10:19 16:24:18
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs excel.exe #QBOT nosto.exe nosto.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2944"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-75741864-10162020.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2772"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2984"C:\Hromo\Nivadalo\nosto.exe" C:\Hromo\Nivadalo\nosto.exe
EXCEL.EXE
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2580C:\Hromo\Nivadalo\nosto.exe /CC:\Hromo\Nivadalo\nosto.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2844C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3176"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe"C:\Windows\System32\cmd.exe
nosto.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3132ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2344C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2920C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 155
Read events
1 089
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2772EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR6EAD.tmp.cvr
MD5:
SHA256:
2920explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:045F8679DDEA73496977EA214C89B18A
SHA256:8E932C676B08EDCA2E665CFA8E221BC68301DE681C4A44D455A0954CFC755181
2984nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:55EB03762CECEF738A51705E93314811
SHA256:570FE9CD3B8068C8F71AE13C4FE5F49ADCD7A71B68E63781D7EAD2DBCE116859
2772EXCEL.EXEC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:55EB03762CECEF738A51705E93314811
SHA256:570FE9CD3B8068C8F71AE13C4FE5F49ADCD7A71B68E63781D7EAD2DBCE116859
2772EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].pngexecutable
MD5:55EB03762CECEF738A51705E93314811
SHA256:570FE9CD3B8068C8F71AE13C4FE5F49ADCD7A71B68E63781D7EAD2DBCE116859
2984nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:CB52C7F1F832D4625128640FC46F588F
SHA256:0B5507EC1FACE2206548B8E8D1D400CF6A0C3670C2FBAFA7C6A5460EC9C88AB5
2944WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2944.32804\Calculation-75741864-10162020.xlsbdocument
MD5:F5530BF011735CED950A74AD23CACE20
SHA256:BF9BB5ABAF19E470FBAA8AE73868891BE01B5A886E6B794CCB3C8AEB8754EC1D
3176cmd.exeC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2772
EXCEL.EXE
GET
200
183.181.83.123:80
http://home-delivery-cleaning.net/ecbmuibsl/3415201.png
JP
executable
1.02 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2772
EXCEL.EXE
183.181.83.123:80
home-delivery-cleaning.net
SAKURA Internet Inc.
JP
malicious

DNS requests

Domain
IP
Reputation
home-delivery-cleaning.net
  • 183.181.83.123
malicious

Threats

PID
Process
Class
Message
2772
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2772
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2772
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2772
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
2772
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
2772
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Calculation-75741864-10162020.zip