analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

balt_avia.rar

Full analysis: https://app.any.run/tasks/5f46b21b-a4be-4555-9682-d750c36539db
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 23, 2019, 11:25:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
ransomware
troldesh
shade
evasion
trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5:

BA68B3D981F0553D59FD4E03249ACD91

SHA1:

58649C8AE9F3F32271EAABFD21881E551D051293

SHA256:

6094BE9127D3A28CE5129B16D1205C3CAFAC252E60074D1A2B006CD7023C9AB6

SSDEEP:

24:HLbq8ESj7kiUUeAb/YNzR++9rJLcx3LTmA8JHGUHqA6ruoUS6kuspiLhkcTlrnrk:/BESj1bYN8+MpD8JHzHqp6oUjss1Td4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files with a strange extension

      • WScript.exe (PID: 3776)

    • TROLDESH was detected

      • radABA31.tmp (PID: 2416)

    • Application was dropped or rewritten from another process

      • radABA31.tmp (PID: 2416)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3776)

    • Changes the autorun value in the registry

      • radABA31.tmp (PID: 2416)

    • Deletes shadow copies

      • radABA31.tmp (PID: 2416)

    • Runs app for hidden code execution

      • radABA31.tmp (PID: 2416)

    • Dropped file may contain instructions of ransomware

      • radABA31.tmp (PID: 2416)

    • Actions looks like stealing of personal data

      • radABA31.tmp (PID: 2416)

    • Modifies files in Chrome extension folder

      • radABA31.tmp (PID: 2416)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3776)
      • radABA31.tmp (PID: 2416)

    • Creates files in the user directory

      • WScript.exe (PID: 3776)
      • radABA31.tmp (PID: 2416)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3804)
      • cmd.exe (PID: 3364)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3776)
      • radABA31.tmp (PID: 2416)

    • Creates files in the program directory

      • radABA31.tmp (PID: 2416)

    • Checks for external IP

      • radABA31.tmp (PID: 2416)

    • Creates files like Ransomware instruction

      • radABA31.tmp (PID: 2416)

  • INFO

    • Dropped object may contain URL to Tor Browser

      • radABA31.tmp (PID: 2416)

    • Dropped object may contain TOR URL's

      • radABA31.tmp (PID: 2416)

    • Dropped object may contain Bitcoin addresses

      • radABA31.tmp (PID: 2416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
10
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe cmd.exe no specs #TROLDESH radaba31.tmp winrar.exe no specs vssadmin.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
3036"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\balt_avia.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3776"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\ЗАО Авиакомпания Балтийские авиалинии информация о заказе - Copy.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3804"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radABA31.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2416C:\Users\admin\AppData\Local\Temp\radABA31.tmpC:\Users\admin\AppData\Local\Temp\radABA31.tmp
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Enhanced Storage Password Authentication Program
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3628"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\balt_avia.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3972C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exeradABA31.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2224"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exe
radABA31.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3376C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3364C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exeradABA31.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3868chcpC:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
883
Read events
800
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1 049
Text files
44
Unknown types
35

Dropped files

PID
Process
Filename
Type
3036WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3036.29957\ЗАО Авиакомпания Балтийские авиалинии информация о заказе.js
MD5:
SHA256:
2416radABA31.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
2416radABA31.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
2416radABA31.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
2416radABA31.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
2416radABA31.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensustext
MD5:DD3C33CF52D7BE9FB76DA6C72E43642B
SHA256:C6815663585073162B563AD6BF409888A3A1566F3EE35ED2DADF3A56BB79264A
3776WScript.exeC:\Users\admin\AppData\Local\Temp\radABA31.tmpexecutable
MD5:821DB42AED5076881F1CCF04FB9F3025
SHA256:C0D789259CF588B03A0B557BB2E012D5954D76C8757670B0DA23BADE68E0F5CC
2416radABA31.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:212D515C593E7E01D86210A2F320E646
SHA256:D99B3725E2412002FF3ABF297DBC060004805E43FAB4D85E3AC05C522E4B4F20
3776WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1[1].pdfexecutable
MD5:821DB42AED5076881F1CCF04FB9F3025
SHA256:C0D789259CF588B03A0B557BB2E012D5954D76C8757670B0DA23BADE68E0F5CC
2416radABA31.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
18
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2416
radABA31.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2416
radABA31.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2416
radABA31.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2416
radABA31.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2416
radABA31.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2416
radABA31.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3776
WScript.exe
GET
200
185.173.26.161:80
http://mischka.eu/modules/php/1.pdf
DE
executable
982 Kb
malicious
2416
radABA31.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2416
radABA31.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2416
radABA31.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2416
radABA31.tmp
131.188.40.189:443
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
malicious
2416
radABA31.tmp
208.83.223.34:80
Applied Operations, LLC
US
malicious
2416
radABA31.tmp
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
2416
radABA31.tmp
163.172.11.141:9100
Online S.a.s.
FR
suspicious
3776
WScript.exe
185.173.26.161:80
mischka.eu
Digital Energy Technologies Limited
DE
suspicious
2416
radABA31.tmp
144.202.91.112:443
Baltimore Technology Park, LLC
US
suspicious
2416
radABA31.tmp
185.244.193.141:9001
suspicious
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
2416
radABA31.tmp
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
mischka.eu
  • 185.173.26.161
malicious
whatismyipaddress.com
  • 104.16.155.36
  • 104.16.154.36
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
3776
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3776
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3776
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] JS/Agent.WL2!Eldorado Executable as PDF
3776
WScript.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
2416
radABA31.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 121
2416
radABA31.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2416
radABA31.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 185
2416
radABA31.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
2416
radABA31.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2416
radABA31.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 143
23 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
balt_avia.rar