File name: | 123456.rar |
Full analysis: | https://app.any.run/tasks/334c883f-6599-4b27-adda-181df8fc1beb |
Verdict: | Malicious activity |
Threats: | TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. |
Analysis date: | April 25, 2019, 18:21:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 1760DDE79193CBC3A8B3A152668AE006 |
SHA1: | BA470940C569695AB08AF0DFDE82E47FB8F31372 |
SHA256: | 630CA2C784D257B9A854A0956DB34ADFD918A5CDA62E6B767134E2B8E40F0D11 |
SSDEEP: | 12288:YZx6+ePHcXGDvg6xHw5188C9PbagirbZljOQriwIs:YZ8tRg6xQv8H9tEbHKQ4s |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
916 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\123456.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2324 | "C:\Users\admin\Desktop\7nwqnoqi8.exe" | C:\Users\admin\Desktop\7nwqnoqi8.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: RoundWindow MFC Application Exit code: 0 Version: 1, 0, 0, 1 | ||||
2800 | /c sc stop WinDefend | C:\Windows\system32\cmd.exe | — | 7nwqnoqi8.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1484 | sc stop WinDefend | C:\Windows\system32\sc.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: A tool to aid in developing services for WindowsNT Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3896 | /c sc delete WinDefend | C:\Windows\system32\cmd.exe | — | 7nwqnoqi8.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2596 | /c powershell Set-MpPreference -DisableRealtimeMonitoring $true | C:\Windows\system32\cmd.exe | — | 7nwqnoqi8.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2728 | sc delete WinDefend | C:\Windows\system32\sc.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: A tool to aid in developing services for WindowsNT Exit code: 5 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3068 | powershell Set-MpPreference -DisableRealtimeMonitoring $true | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2504 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1088 | "C:\Users\admin\AppData\Roaming\gpuDriver\9pwspqsi8.exe" | C:\Users\admin\AppData\Roaming\gpuDriver\9pwspqsi8.exe | — | DllHost.exe |
User: admin Integrity Level: HIGH Description: RoundWindow MFC Application Exit code: 0 Version: 1, 0, 0, 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
916 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb916.1059\7nwqnoqi8.exe | — | |
MD5:— | SHA256:— | |||
3068 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OJ5VUP0SU7YZAHBKOQT3.temp | — | |
MD5:— | SHA256:— | |||
1956 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9C9WXN7NL7LDF1ATX35R.temp | — | |
MD5:— | SHA256:— | |||
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\CabE77F.tmp | — | |
MD5:— | SHA256:— | |||
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\TarE780.tmp | — | |
MD5:— | SHA256:— | |||
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\CabE7AF.tmp | — | |
MD5:— | SHA256:— | |||
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\TarE7B0.tmp | — | |
MD5:— | SHA256:— | |||
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\CabE7D1.tmp | — | |
MD5:— | SHA256:— | |||
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\TarE7D2.tmp | — | |
MD5:— | SHA256:— | |||
2656 | 9pwspqsi8.exe | C:\Users\admin\AppData\Local\Temp\CabE86F.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2656 | 9pwspqsi8.exe | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.6 Kb | whitelisted |
2656 | 9pwspqsi8.exe | GET | 200 | 52.202.139.131:80 | http://checkip.amazonaws.com/ | US | text | 14 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2656 | 9pwspqsi8.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2656 | 9pwspqsi8.exe | 52.202.139.131:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared |
2656 | 9pwspqsi8.exe | 177.105.235.17:449 | — | Internet Pinheirense Ltda - ME | BR | malicious |
2656 | 9pwspqsi8.exe | 198.12.71.40:447 | — | ColoCrossing | US | suspicious |
2656 | 9pwspqsi8.exe | 200.122.209.78:449 | — | EPM Telecomunicaciones S.A. E.S.P. | CO | malicious |
Domain | IP | Reputation |
---|---|---|
www.download.windowsupdate.com |
| whitelisted |
checkip.amazonaws.com |
| shared |
22.69.192.185.zen.spamhaus.org |
| unknown |
22.69.192.185.cbl.abuseat.org |
| unknown |
22.69.192.185.b.barracudacentral.org |
| unknown |
22.69.192.185.dnsbl-1.uceprotect.net |
| unknown |
22.69.192.185.spam.dnsbl.sorbs.net |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2656 | 9pwspqsi8.exe | Misc activity | SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected |
2656 | 9pwspqsi8.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) |
2656 | 9pwspqsi8.exe | Misc activity | SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected |
2656 | 9pwspqsi8.exe | A Network Trojan was detected | MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection |
2656 | 9pwspqsi8.exe | Misc activity | SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected |
2656 | 9pwspqsi8.exe | Not Suspicious Traffic | ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) |
2656 | 9pwspqsi8.exe | Misc activity | SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected |
2656 | 9pwspqsi8.exe | A Network Trojan was detected | MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection |