File name: 123456.rar
Full analysis: https://app.any.run/tasks/334c883f-6599-4b27-adda-181df8fc1beb
Verdict: Malicious activity
Threats:

TrickBot is an advanced banking trojan that attackers use to steal payment credentials from victims. It can redirect the victim to a fake online banking page and capture the credentials typed into it.

Analysis date: April 25, 2019, 18:21:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, trickbot
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 1760DDE79193CBC3A8B3A152668AE006
SHA1: BA470940C569695AB08AF0DFDE82E47FB8F31372
SHA256: 630CA2C784D257B9A854A0956DB34ADFD918A5CDA62E6B767134E2B8E40F0D11
SSDEEP: 12288:YZx6+ePHcXGDvg6xHw5188C9PbagirbZljOQriwIs:YZ8tRg6xQv8H9tEbHKQ4s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 7nwqnoqi8.exe (PID: 2324)
      • 9pwspqsi8.exe (PID: 1088)
      • 7nwqnoqi8.exe (PID: 3828)
      • 9pwspqsi8.exe (PID: 2656)
    • Known privilege escalation attack

      • DllHost.exe (PID: 2504)
    • Stops/Deletes Windows Defender service

      • cmd.exe (PID: 1684)
      • cmd.exe (PID: 2800)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1140)
    • Loads the Task Scheduler COM API

      • 9pwspqsi8.exe (PID: 1088)
      • 9pwspqsi8.exe (PID: 2656)
    • Changes settings of System certificates

      • 9pwspqsi8.exe (PID: 2656)
    • TRICKBOT was detected

      • 9pwspqsi8.exe (PID: 2656)
  • SUSPICIOUS

    • Creates files in the user directory

      • 7nwqnoqi8.exe (PID: 2324)
      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 1956)
      • 9pwspqsi8.exe (PID: 2656)
    • Executable content was dropped or overwritten

      • 7nwqnoqi8.exe (PID: 2324)
      • 7nwqnoqi8.exe (PID: 3828)
    • Starts CMD.EXE for commands execution

      • 7nwqnoqi8.exe (PID: 2324)
      • 9pwspqsi8.exe (PID: 1088)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2596)
      • cmd.exe (PID: 2328)
    • Starts itself from another location

      • 7nwqnoqi8.exe (PID: 3828)
    • Adds / modifies Windows certificates

      • 9pwspqsi8.exe (PID: 2656)
    • Checks for external IP

      • 9pwspqsi8.exe (PID: 2656)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 60
Monitored processes: 18
Malicious processes: 5
Suspicious processes: 4

Behavior graph

Edge types shown in the graph: start, drop and start.
Process nodes, in the order listed: winrar.exe (no specs), 7nwqnoqi8.exe, cmd.exe (no specs), sc.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), sc.exe (no specs), powershell.exe (no specs), CMSTPLUA (no specs), 9pwspqsi8.exe (no specs), cmd.exe (no specs), sc.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), sc.exe (no specs), powershell.exe (no specs), 7nwqnoqi8.exe, 9pwspqsi8.exe (#TRICKBOT)

Process information

PID 916 (parent process: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\123456.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2324 (parent process: explorer.exe)
  CMD: "C:\Users\admin\Desktop\7nwqnoqi8.exe"
  Path: C:\Users\admin\Desktop\7nwqnoqi8.exe
  User: admin
  Integrity Level: MEDIUM
  Description: RoundWindow MFC Application
  Exit code: 0
  Version: 1, 0, 0, 1

PID 2800 (parent process: 7nwqnoqi8.exe)
  CMD: /c sc stop WinDefend
  Path: C:\Windows\system32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 5
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1484 (parent process: cmd.exe)
  CMD: sc stop WinDefend
  Path: C:\Windows\system32\sc.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: A tool to aid in developing services for WindowsNT
  Exit code: 5
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3896 (parent process: 7nwqnoqi8.exe)
  CMD: /c sc delete WinDefend
  Path: C:\Windows\system32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 5
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2596 (parent process: 7nwqnoqi8.exe)
  CMD: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  Path: C:\Windows\system32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 1
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2728 (parent process: cmd.exe)
  CMD: sc delete WinDefend
  Path: C:\Windows\system32\sc.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: A tool to aid in developing services for WindowsNT
  Exit code: 5
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3068 (parent process: cmd.exe)
  CMD: powershell Set-MpPreference -DisableRealtimeMonitoring $true
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2504 (parent process: svchost.exe)
  CMD: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  Path: C:\Windows\system32\DllHost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1088 (parent process: DllHost.exe)
  CMD: "C:\Users\admin\AppData\Roaming\gpuDriver\9pwspqsi8.exe"
  Path: C:\Users\admin\AppData\Roaming\gpuDriver\9pwspqsi8.exe
  User: admin
  Integrity Level: HIGH
  Description: RoundWindow MFC Application
  Exit code: 0
  Version: 1, 0, 0, 1
Total events: 1 202
Read events: 1 065
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 12
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | MD5 | SHA256
916 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb916.1059\7nwqnoqi8.exe | |
3068 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OJ5VUP0SU7YZAHBKOQT3.temp | |
1956 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9C9WXN7NL7LDF1ATX35R.temp | |
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\CabE77F.tmp | |
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\TarE780.tmp | |
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\CabE7AF.tmp | |
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\TarE7B0.tmp | |
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\CabE7D1.tmp | |
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\TarE7D2.tmp | |
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\CabE86F.tmp | |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 5
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2656 | 9pwspqsi8.exe | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.6 Kb | whitelisted
2656 | 9pwspqsi8.exe | GET | 200 | 52.202.139.131:80 | http://checkip.amazonaws.com/ | US | text | 14 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2656 | 9pwspqsi8.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
2656 | 9pwspqsi8.exe | 52.202.139.131:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared
2656 | 9pwspqsi8.exe | 177.105.235.17:449 | | Internet Pinheirense Ltda - ME | BR | malicious
2656 | 9pwspqsi8.exe | 198.12.71.40:447 | | ColoCrossing | US | suspicious
2656 | 9pwspqsi8.exe | 200.122.209.78:449 | | EPM Telecomunicaciones S.A. E.S.P. | CO | malicious

DNS requests

Domain | IP | Reputation
www.download.windowsupdate.com | 205.185.216.10, 205.185.216.42, 205.185.216.10, 205.185.216.10 | whitelisted
checkip.amazonaws.com | 52.202.139.131, 34.233.102.38, 52.206.161.133, 18.211.215.84, 52.6.79.229, 52.200.125.74 | shared
22.69.192.185.zen.spamhaus.org | | unknown
22.69.192.185.cbl.abuseat.org | | unknown
22.69.192.185.b.barracudacentral.org | | unknown
22.69.192.185.dnsbl-1.uceprotect.net | | unknown
22.69.192.185.spam.dnsbl.sorbs.net | | unknown

Threats

PID | Process | Class | Message
2656 | 9pwspqsi8.exe | Misc activity | SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected
2656 | 9pwspqsi8.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
2656 | 9pwspqsi8.exe | Misc activity | SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected
2656 | 9pwspqsi8.exe | A Network Trojan was detected | MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection
2656 | 9pwspqsi8.exe | Misc activity | SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected
2656 | 9pwspqsi8.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
2656 | 9pwspqsi8.exe | Misc activity | SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected
2656 | 9pwspqsi8.exe | A Network Trojan was detected | MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection
1 ETPRO signatures available at the full report
No debug info