Field | Value
---|---|
File name | NetExternal glow july 4.2020.rar
Full analysis | https://app.any.run/tasks/f1c1129a-2030-48b3-bda0-72531e921772
Verdict | Malicious activity
Analysis date | July 12, 2020, 22:52:13
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | 06C2868FE31F7EBC4F6E38D77A075CB4
SHA1 | EE6A6E75BA0B889611EAA6A878295A50FC9A3D27
SHA256 | 5CD510487BBFB6B806DAF41DD128E8556CD619B6D8F06B49738E6277DB89595E
SSDEEP | 12288:7vQMRgSW2QOQlM3+1SONNs9BFGQV9k7n+pytvuLF:rLLjQlO+1SOHD+pyIp

Extension | File type | Match (%)
---|---|---|
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---|
1952 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NetExternal glow july 4.2020.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
3892 | "C:\Users\admin\Desktop\NET-EXTERNAL.exe" | C:\Users\admin\Desktop\NET-EXTERNAL.exe | — | explorer.exe
1384 | "C:\Program Files\Internet Explorer\iexplore.exe" https://gofile.io/d/ToBZY6 | C:\Program Files\Internet Explorer\iexplore.exe | — | NET-EXTERNAL.exe
1472 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1384 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe

PID | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|
1952 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0
3892 | admin | — | MEDIUM | NET | 4294967295 (0xFFFFFFFF, i.e. -1) | 2.7.3.2
1384 | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 1 | 11.00.9600.16428 (winblue_gdr.131013-1700)
1472 | admin | Microsoft Corporation | LOW | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700)

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab9472.tmp | — | — | —
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar9473.tmp | — | — | —
1952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1952.18688\NET-EXTERNAL.exe | executable | 2CC37A90D871FF08FE8BB7BE8241794F | 4C53DE30D57630EBBB63C05D0B7E8CC03E1091D0AB85017EB8C6559DD92363A3
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab981D.tmp | — | — | —
1952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1952.18688\Chams.ini | text | 19353894E67CEFECA2DDD8D81071B1C7 | 2418FCBA2F3E6F4B024FF184293F5815DC44212606FAB019628D40608660027F
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab984E.tmp | — | — | —
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar982E.tmp | — | — | —
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar984F.tmp | — | — | —
3892 | NET-EXTERNAL.exe | C:\Users\admin\Documents\offsets.ini | text | F826C7DDC7C9F786AAD3ACC9F509502E | 88EE7519D9CF5DF33776124FAE570B9CD909A3DF72668085B39D57B41F2EB896
1472 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B63B2070F62BD5F36E309FAED531189 | der | 90BA58990B46BFFD3A686E883B9AF4BF | B0FA5937EDB874F7CF52B8F9F9F91668CAB1DCEB4D1F5949422EA743EB022FAE

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 471 b | whitelisted |
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 471 b | whitelisted |
1472 | iexplore.exe | GET | 200 | 2.16.107.73:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 471 b | whitelisted |
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
1472 | iexplore.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkbwjNvPLFRm7zMB3V80 | US | der | 1.49 Kb | whitelisted |
1472 | iexplore.exe | GET | 200 | 2.16.107.114:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgRONazAeVbvveojcZVjfG8wZg%3D%3D | unknown | der | 527 b | whitelisted |
1472 | iexplore.exe | GET | 200 | 2.16.107.114:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgRONazAeVbvveojcZVjfG8wZg%3D%3D | unknown | der | 527 b | whitelisted |
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3892 | NET-EXTERNAL.exe | 104.23.99.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
3892 | NET-EXTERNAL.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
3892 | NET-EXTERNAL.exe | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious |
1472 | iexplore.exe | 2.16.107.80:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | suspicious |
1472 | iexplore.exe | 213.32.73.239:443 | gofile.io | OVH SAS | FR | unknown |
1472 | iexplore.exe | 2.16.107.73:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | suspicious |
1472 | iexplore.exe | 2.16.107.114:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | — | suspicious |
1472 | iexplore.exe | 172.217.22.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
1472 | iexplore.exe | 151.101.2.109:443 | cdn.jsdelivr.net | Fastly | US | suspicious |
1472 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation
---|---|---|
raw.githubusercontent.com | — | shared
pastebin.com | — | shared
gofile.io | — | whitelisted
isrg.trustid.ocsp.identrust.com | — | whitelisted
ocsp.int-x3.letsencrypt.org | — | whitelisted
fonts.googleapis.com | — | whitelisted
cdn.jsdelivr.net | — | whitelisted
cdn.buymeacoffee.com | — | whitelisted
cdn.datatables.net | — | whitelisted
cdn.rawgit.com | — | whitelisted
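As an added example (not part of the ANY.RUN report and not code from the sample), the following Python turns the behaviour recorded in the process-tree and connection tables into detection rules and runs them over constructed Sysmon-style events modelled on those tables: the extracted NET-EXTERNAL.exe hash, the payload launching iexplore.exe with the gofile.io link, and the payload process itself (not the browser) talking to pastebin.com and raw.githubusercontent.com. The event schema, the browser allow-list and the assumption that the Desktop copy of NET-EXTERNAL.exe carries the hash of the file WinRAR extracted are all assumptions made here; only the names, hashes, hosts and URL come from the report.

```python
"""Added example, not from the ANY.RUN report: detection rules derived from the
report's process tree and connections, run over constructed Sysmon-style events."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Indicators from the report (SHA256 of the file WinRAR extracted, lowercased).
EXTRACTED_PAYLOAD_SHA256 = "4c53de30d57630ebbb63c05d0b7e8cc03e1091d0ab85017eb8c6559dd92363a3"
PAYLOAD_IMAGE = "net-external.exe"
PAYLOAD_HOSTS = {"pastebin.com", "raw.githubusercontent.com"}  # contacted by the payload itself
DROP_URL_HOST = "gofile.io"  # opened through a spawned Internet Explorer
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}  # assumed allow-list


@dataclass
class ProcEvent:
    """Process-creation event (Sysmon event 1 style; schema constructed here)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str
    sha256: Optional[str] = None


@dataclass
class NetEvent:
    """Network-connection event (Sysmon event 3 style; schema constructed here)."""
    pid: int
    image: str
    dest_host: str
    dest_port: int


Finding = Tuple[str, int, str]  # (rule name, pid, detail)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def detect(procs: List[ProcEvent], nets: List[NetEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for p in procs:
        name = image_name(p.image)
        if p.sha256 and p.sha256.lower() == EXTRACTED_PAYLOAD_SHA256:
            findings.append(("known_payload_hash", p.pid, p.sha256.lower()))
        if name == PAYLOAD_IMAGE:
            findings.append(("payload_image_name", p.pid, name))
        # Report: NET-EXTERNAL.exe launched iexplore.exe with a gofile.io link.
        # Flag a browser whose parent is the payload and whose command line
        # carries that host, and record the URL token as the detail.
        if name in BROWSERS and image_name(p.parent_image) == PAYLOAD_IMAGE:
            url = next((t for t in p.cmdline.split() if DROP_URL_HOST in t.lower()), None)
            if url:
                findings.append(("payload_spawned_browser_to_gofile", p.pid, url))
    for n in nets:
        # Paste/raw-content hosts are unremarkable for a browser but not for a
        # freshly extracted executable (the report attributes them to PID 3892).
        if n.dest_host.lower() in PAYLOAD_HOSTS and image_name(n.image) not in BROWSERS:
            findings.append(("non_browser_to_paste_host", n.pid, n.dest_host.lower()))
    return findings


def run_report_sample() -> List[Finding]:
    """Constructed events mirroring the report's process tree and connections."""
    ie = r"C:\Program Files\Internet Explorer\iexplore.exe"
    payload = r"C:\Users\admin\Desktop\NET-EXTERNAL.exe"
    procs = [
        ProcEvent(1952, r"C:\Program Files\WinRAR\WinRAR.exe",
                  r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NetExternal glow july 4.2020.rar"',
                  r"C:\Windows\explorer.exe"),
        # Assumption: the Desktop copy is the file WinRAR extracted, so it carries that hash.
        ProcEvent(3892, payload, f'"{payload}"', r"C:\Windows\explorer.exe",
                  sha256=EXTRACTED_PAYLOAD_SHA256.upper()),
        ProcEvent(1384, ie, f'"{ie}" https://gofile.io/d/ToBZY6', payload),
        ProcEvent(1472, ie, f'"{ie}" SCODEF:1384 CREDAT:267521 /prefetch:2', ie),
    ]
    nets = [
        NetEvent(3892, payload, "pastebin.com", 443),
        NetEvent(3892, payload, "raw.githubusercontent.com", 443),
        NetEvent(1472, ie, "gofile.io", 443),
        NetEvent(1472, ie, "ocsp.digicert.com", 80),  # benign OCSP traffic from the browser
    ]
    return detect(procs, nets)


if __name__ == "__main__":
    for rule, pid, detail in run_report_sample():
        print(f"{rule:36} pid={pid} {detail}")
```

Run against the sample events this produces five findings, all on PIDs 3892 and 1384; the browser's own gofile.io and OCSP connections produce none, which is the point of keying the network rule on the initiating image rather than on the destination alone. The hash rule is the brittle one (a rebuilt binary changes it); the parent-child and non-browser-to-paste-host rules survive that.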