| File name: | zz.zip |
| Full analysis: | https://app.any.run/tasks/a5a1b393-7162-4406-96c0-f6974810630d |
| Verdict: | Malicious activity |
| Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
| Analysis date: | February 10, 2025, 05:02:54 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 8CB889389679A4FE04430E99DEF003FE |
| SHA1: | A0E1CB36A61CD6574F08BCCDE3FD60D91B283F1A |
| SHA256: | 5B90E64B275D76DC50A6B9C85F5EB89F0F1D2686EB93F997AECF6B74D4F84710 |
| SSDEEP: | 3072:kAc6tr045uPHNLb9F7qpONJ1dEY6WZjpXGISlQdQohW2f24gSivrg0IduQh:kB6tuFxNP1WY91pXGwQohW2e4/ivGdD |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 5720)
SNAKEKEYLOGGER has been detected (SURICATA)
- zz.exe (PID: 5616)
SNAKE has been detected (YARA)
- zz.exe (PID: 5616)
Steals credentials from Web Browsers
- zz.exe (PID: 5616)
Actions looks like stealing of personal data
- zz.exe (PID: 5616)
SUSPICIOUS
Checks for external IP
- svchost.exe (PID: 2192)
- zz.exe (PID: 5616)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 5720)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 5720)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 5720)
Possible usage of Discord/Telegram API has been detected (YARA)
- zz.exe (PID: 5616)
The process verifies whether the antivirus software is installed
- zz.exe (PID: 5616)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- zz.exe (PID: 5616)
INFO
Manual execution by a user
- zz.exe (PID: 5616)
Reads the computer name
- zz.exe (PID: 5616)
- MpCmdRun.exe (PID: 364)
- MpCmdRun.exe (PID: 5460)
Disables trace logs
- zz.exe (PID: 5616)
Reads the machine GUID from the registry
- zz.exe (PID: 5616)
Checks supported languages
- zz.exe (PID: 5616)
- MpCmdRun.exe (PID: 364)
- MpCmdRun.exe (PID: 5460)
Checks proxy server information
- zz.exe (PID: 5616)
Reads the software policy settings
- zz.exe (PID: 5616)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 5720)
Create files in a temporary directory
- MpCmdRun.exe (PID: 364)
.NET Reactor protector has been detected
- zz.exe (PID: 5616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
SnakeKeylogger
(PID) Process(5616) zz.exe
Keys
DES6fc98cd68a1aab8b
Options
Telegram Bot Token8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4
Telegram Chat ID6306771742
ims-api
(PID) Process(5616) zz.exe
Telegram-Tokens (1)8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4
Telegram-Info-Links
8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4
Get info about bothttps://api.telegram.org/bot8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4/getMe
Get incoming updateshttps://api.telegram.org/bot8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4/getUpdates
Get webhookhttps://api.telegram.org/bot8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4/deleteWebhook?drop_pending_updates=true
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2025:02:10 13:56:56 |
| ZipCRC: | 0x91e31c35 |
| ZipCompressedSize: | 164889 |
| ZipUncompressedSize: | 228352 |
| ZipFileName: | zz.exe |
Total processes
124
Monitored processes
9
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 364 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR5720.10310" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1344 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2160 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2800 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR5720.11874\Rar$Scan26231.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4684 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR5720.10310\Rar$Scan10617.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5460 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR5720.11874" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5616 | "C:\Users\admin\Desktop\zz.exe" | C:\Users\admin\Desktop\zz.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: YFGGCVyufgtwfyuTGFWTVFAUYVF Version: 1.0.0.0 Modules
SnakeKeylogger(PID) Process(5616) zz.exe Keys DES6fc98cd68a1aab8b Options Telegram Bot Token8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4 Telegram Chat ID6306771742 ims-api(PID) Process(5616) zz.exe Telegram-Tokens (1)8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4 Telegram-Info-Links 8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4 Get info about bothttps://api.telegram.org/bot8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4/getMe Get incoming updateshttps://api.telegram.org/bot8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4/getUpdates Get webhookhttps://api.telegram.org/bot8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4/getWebhookInfo Delete webhookhttps://api.telegram.org/bot8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4/deleteWebhook Drop incoming updateshttps://api.telegram.org/bot8146065464:AAFmO8RMLpJgd1BLjqm9MO8V-EzP0a6-JD4/deleteWebhook?drop_pending_updates=true | |||||||||||||||
| 5720 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\zz.zip | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
Total events
5 882
Read events
5 858
Write events
24
Delete events
0
Modification events
| (PID) Process: | (5720) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (5720) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (5720) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (5720) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\zz.zip | |||
| (PID) Process: | (5720) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (5720) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (5720) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (5720) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (5616) zz.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\zz_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (5616) zz.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\zz_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
Executable files
2
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5720 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5720.11874\Rar$Scan26231.bat | text | |
MD5:FBD522A24ABF33AD097DC6226AF716BA | SHA256:7467F2A75E0BC830C810EF0B3E712C54660C6275B8535E10B12681EB5E5D82DC | |||
| 364 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | binary | |
MD5:7C0BCFA32104DFAD430FEB387DBABFF5 | SHA256:5C060AB7EC9D8C2556D788D73DD52862D6EECD7A1C5F5733617D0BCF8564AB29 | |||
| 5720 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5720.10310\Rar$Scan10617.bat | text | |
MD5:B416998BFA90FC8FF03B33699CE87720 | SHA256:3E741D5BC047741455DFF3173E56E5531A1419EED0EE25C27E02A46466825D1D | |||
| 5720 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5720.10310\zz.zip\zz.exe | executable | |
MD5:4553428C99B70E4ACE08ECB833EE644F | SHA256:D95CE0D32F940B2178E218B9AF0AAE7BDAF25F8660DC2112E4CA22E10B5F7451 | |||
| 5720 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR5720.11874\zz.zip\zz.exe | executable | |
MD5:4553428C99B70E4ACE08ECB833EE644F | SHA256:D95CE0D32F940B2178E218B9AF0AAE7BDAF25F8660DC2112E4CA22E10B5F7451 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
22
DNS requests
8
Threats
19
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1356 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5616 | zz.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | whitelisted |
5616 | zz.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | whitelisted |
1356 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5616 | zz.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | whitelisted |
— | — | GET | 200 | 104.21.32.1:443 | https://reallyfreegeoip.org/xml/115.135.196.151 | unknown | — | — | — |
— | — | GET | 200 | 104.21.48.1:443 | https://reallyfreegeoip.org/xml/115.135.196.151 | unknown | — | — | — |
5616 | zz.exe | GET | 200 | 132.226.8.169:80 | http://checkip.dyndns.org/ | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1356 | svchost.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5616 | zz.exe | 132.226.8.169:80 | checkip.dyndns.org | ORACLE-BMC-31898 | JP | whitelisted |
1356 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1356 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
checkip.dyndns.org |
| whitelisted |
www.microsoft.com |
| whitelisted |
reallyfreegeoip.org |
| malicious |
settings-win.data.microsoft.com |
| whitelisted |
api.telegram.org |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2192 | svchost.exe | Device Retrieving External IP Address Detected | ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org) |
5616 | zz.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org |
5616 | zz.exe | Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check |
2192 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org) |
5616 | zz.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org |
2192 | svchost.exe | Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org) |
5616 | zz.exe | Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI |
5616 | zz.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org |
5616 | zz.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org |
5616 | zz.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org |