File name:

Public.zip

Full analysis: https://app.any.run/tasks/6cfe26b0-3647-499b-8e3d-0f64e38d769a
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: June 05, 2024, 20:09:52
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
apt
backdoor
toneshell
mustangpanda
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

BE56464FF1C0B25A7614DBD7EAE2A0D6

SHA1:

A7DE58A79B099BED8069DA81631AD7953526A92D

SHA256:

63F0DB814407BA78D6357C41BA1AB72CC202E0C1FBE1E5FFDE04449454BBD37F

SSDEEP:

98304:e4Vz5GyTL/KDvwcaTAgwWsiart3A2PeQCyQveE6QwmktpvMRJhhP7R3JAuHAV2Mu:XZOEM9xbYcuhp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 5356)
    • Connects to the CnC server

      • GSW32.EXE (PID: 1500)
    • TONESHELL has been detected (SURICATA)

      • GSW32.EXE (PID: 1500)
  • SUSPICIOUS

    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 2040)
    • Contacting a server suspected of hosting a CnC

      • GSW32.EXE (PID: 1500)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5356)
    • Reads the computer name

      • GSW32.EXE (PID: 1500)
    • Manual execution by a user

      • cmd.exe (PID: 2040)
    • Checks supported languages

      • GSW32.EXE (PID: 1500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:06:06 05:08:06
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Public/
All screenshots are available in the full report
Total processes: 97
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start
  winrar.exe
  cmd.exe (no specs)
    conhost.exe (no specs)
    gsw32.exe  #TONESHELL

Process information

PID 1500  GSW32.EXE
  CMD: GSW32.EXE newgame
  Path: C:\Users\admin\Desktop\Public\GSW32.EXE
  Parent process: cmd.exe
  User: admin
  Company: Bits Per Second Ltd
  Integrity Level: MEDIUM
  Description: Graphics Server
  Version: 5.10.0000
  Modules (images):
    c:\users\admin\desktop\public\gsw32.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64base.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64con.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll

PID 2040  cmd.exe
  CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\Public\1.bat" "
  Path: C:\Windows\System32\cmd.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Version: 10.0.22000.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\cmd.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\cmdext.dll
    c:\windows\system32\advapi32.dll

PID 3420  conhost.exe
  CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Console Window Host
  Version: 10.0.22000.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll

PID 5356  WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Public.zip
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.91.0
  Modules (images):
    c:\program files\winrar\winrar.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll
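The chain in the table above is explorer.exe -> cmd.exe /c 1.bat -> GSW32.EXE newgame, where GSW32.EXE is a Bits Per Second Ltd "Graphics Server" binary running from the user's Desktop as a 32-bit process under WOW64 (the syswow64 and wow64*.dll images in its module list). That pattern is what the "Likely accesses (executes) a file from the Public directory" signature keys on. The Python below is an added triage example, not ANY.RUN code: it rebuilds the four process records from the table (constructed from the report's own fields) and flags a cmd.exe /c that runs a batch file from a user-writable directory and any non-Microsoft binary executing from such a directory, linking the two when the batch file and the binary share a folder. The list of user-writable paths and the record field names are this example's assumptions.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str     # full path of the executable
    cmdline: str
    parent: str    # parent image name, as the report lists it
    company: str   # CompanyName from the version resource


# Constructed from the report's Process information table (explorer.exe itself is not monitored).
PROCS = [
    Proc(5356, r"C:\Program Files\WinRAR\WinRAR.exe",
         r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Public.zip',
         "explorer.exe", "Alexander Roshal"),
    Proc(2040, r"C:\Windows\System32\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\Public\1.bat" "',
         "explorer.exe", "Microsoft Corporation"),
    Proc(3420, r"C:\Windows\System32\conhost.exe",
         r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
         "cmd.exe", "Microsoft Corporation"),
    Proc(1500, r"C:\Users\admin\Desktop\Public\GSW32.EXE",
         "GSW32.EXE newgame", "cmd.exe", "Bits Per Second Ltd"),
]

# Assumption: these profile locations are what we treat as user-writable staging directories.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(desktop|downloads|documents|public|appdata\\local\\temp)\\", re.I)
# First drive-letter path ending in .bat/.cmd inside a command line.
BATCH_FILE = re.compile(r'[a-z]:\\[^"]+?\.(?:bat|cmd)\b', re.I)


def batch_run_by(proc):
    """Path of the .bat/.cmd a 'cmd.exe /c' invocation runs, or None for anything else."""
    if proc is None or ntpath.basename(proc.image).lower() != "cmd.exe":
        return None
    if "/c" not in proc.cmdline.lower():
        return None
    m = BATCH_FILE.search(proc.cmdline)
    return m.group(0) if m else None


def triage(procs):
    """Return (pid, reason) findings for batch-launched execution out of user-writable paths."""
    by_name = {ntpath.basename(p.image).lower(): p for p in procs}
    findings = []
    for p in procs:
        bat = batch_run_by(p)
        if bat and USER_WRITABLE.match(bat):
            findings.append((p.pid, f"cmd.exe /c runs a batch file from a user-writable path: {bat}"))
        if USER_WRITABLE.match(p.image) and "microsoft" not in p.company.lower():
            reason = f"non-Microsoft binary ({p.company}) executing from user-writable path {p.image}"
            parent_bat = batch_run_by(by_name.get(p.parent.lower()))
            # Strongest form of the signal: the batch file sits next to the binary it launched.
            if parent_bat and ntpath.dirname(parent_bat).lower() == ntpath.dirname(p.image).lower():
                reason += f"; launched by batch file {ntpath.basename(parent_bat)} in the same directory"
            findings.append((p.pid, reason))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(PROCS):
        print(f"PID {pid}: {reason}")
```

Run against the report's records it yields exactly two findings, for PID 2040 and PID 1500; WinRAR.exe is not flagged because only its argument, not its image, lives under the profile.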
Total events: 5 962
Read events: 5 953
Write events: 9
Delete events: 0

Modification events (all by PID 5356, WinRAR.exe)

Key: HKEY_CURRENT_USER\Software\WinRAR\General
  Operation: write   Name: VerInfo
  Value: 005B050027BFCC5D84B7DA01
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  Operation: write   Name: ShellExtBMP
  Value: (empty)
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
  Operation: write   Name: ShellExtIcon
  Value: (empty)
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
  Operation: write   Name: 0
  Value: C:\Users\admin\AppData\Local\Temp\Public.zip
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write   Name: name
  Value: 120
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write   Name: size
  Value: 80
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write   Name: type
  Value: 120
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
  Operation: write   Name: mtime
  Value: 100
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
  Operation: write   Name: 0
  Value: C:\Users\admin\Desktop
Executable files: 9
Suspicious files: 5
Text files: 1
Unknown types: 9

Dropped files (all written by PID 5356, WinRAR.exe)

C:\USERS\ADMIN\APPDATA\ROAMING\WINRAR\VERSION.DAT  [binary]
  MD5: 2D56B1A454DA2B0C68A591B3EF7621EE
  SHA256: AD46782BB27D3AA69953CF090E2A5C8942F4B9135CA4318F0C996171EC50F225
C:\Users\admin\Desktop\__MACOSX\._Public  [ad]
  MD5: 4F532927C338FF83BFA90548F1E9F9C0
  SHA256: 271125E8CD1BFB42AFD04A66740212048B81254F3788ADB6F8B2688580C50746
C:\Users\admin\Desktop\__MACOSX\Public\GBPPKVJOT\._RBGUIFramework.dll  [ad]
  MD5: 5EFFCFC0B60D7A5A8AE49904587A84F5
  SHA256: 94F966ADC0AF1F866E01E8C3790DED9690700E001CDDF2FFEE1F64B14998295C
C:\Users\admin\Desktop\Public\GBPPKVJOT\drivespan.dll  [executable]
  MD5: 4A44A85791C006E05DD13B9FEF62A288
  SHA256: 5503F926631AEC5BC21E4E2B698A698B243521A2F62F5FF24DDA6B6F9C9F2D76
C:\Users\admin\Desktop\__MACOSX\Public\GBPPKVJOT\._KTEPerUserOptions.exe  [ad]
  MD5: 5EFFCFC0B60D7A5A8AE49904587A84F5
  SHA256: 94F966ADC0AF1F866E01E8C3790DED9690700E001CDDF2FFEE1F64B14998295C
C:\Users\admin\Desktop\__MACOSX\Public\._GSW32.EXE  [ad]
  MD5: 5EFFCFC0B60D7A5A8AE49904587A84F5
  SHA256: 94F966ADC0AF1F866E01E8C3790DED9690700E001CDDF2FFEE1F64B14998295C
C:\Users\admin\Desktop\Public\GBPPKVJOT\Transfer.exe  [executable]
  MD5: 5C5B7B316BF8DE96E811E4C0443D9664
  SHA256: A10C24C6F02363CAFF783FE2ADCA9FE7D2826F25BF302AC343914CD971E904BD
C:\Users\admin\Desktop\__MACOSX\Public\GBPPKVJOT\._DAQDeviceControl.exe  [ad]
  MD5: 5EFFCFC0B60D7A5A8AE49904587A84F5
  SHA256: 94F966ADC0AF1F866E01E8C3790DED9690700E001CDDF2FFEE1F64B14998295C
C:\Users\admin\Desktop\Public\GBPPKVJOT\KTEMain32.dll  [executable]
  MD5: D9E43FDCB1848C89F06F4BD9EA389F27
  SHA256: 995D22EDE53BA9243EA82AB6E166DF240880759CC9160ACC6A1EE9EFB8DB591C
C:\Users\admin\Desktop\__MACOSX\Public\._GBPPKVJOT  [ad]
  MD5: 4F532927C338FF83BFA90548F1E9F9C0
  SHA256: 271125E8CD1BFB42AFD04A66740212048B81254F3788ADB6F8B2688580C50746
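Two details of the dropped-file list are worth checking mechanically before an archive like this is opened. The __MACOSX/._* entries are AppleDouble metadata files that the macOS Archive Utility adds, so Public.zip was packed on a Mac; four of them here share one SHA256 and the other two share another, which is typical for near-empty AppleDouble headers. The PE files (drivespan.dll, KTEMain32.dll, Transfer.exe next to GSW32.EXE) are stored uncompressed, which the ZipCompression: None field in the EXIF section already hinted at, and the file counts (9 executables) show the list above is only part of the archive. The script below is an added example, not part of the ANY.RUN report: it builds an in-memory stand-in for Public.zip with the same layout (the entry contents are constructed placeholders, since the real 1.bat and PE bodies are not in the report) and classifies each entry by magic bytes rather than by extension, so a PE renamed to a harmless extension still surfaces.

```python
import collections
import hashlib
import io
import zipfile

PE_MAGIC = b"MZ"
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"          # AppleDouble header, what macOS writes into __MACOSX/._*
PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv")
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk", ".hta")


def classify(name: str, head: bytes) -> str:
    """Classify a ZIP entry from its name and first bytes; content wins over extension."""
    if name.endswith("/"):
        return "directory"
    base = name.rsplit("/", 1)[-1]
    if base.startswith("._") and head.startswith(APPLEDOUBLE_MAGIC):
        return "appledouble"
    if head.startswith(PE_MAGIC):
        return "pe"
    if base.lower().endswith(SCRIPT_EXTENSIONS):
        return "script"
    return "other"


def triage_zip(data: bytes) -> dict:
    """Per-entry classification plus an archive-level summary for an in-memory ZIP."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            blob = b"" if info.is_dir() else zf.read(info)
            kind = classify(info.filename, blob[:4])
            rows.append({
                "name": info.filename,
                "kind": kind,
                "stored": info.compress_type == zipfile.ZIP_STORED,
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                # A PE whose name does not end in a PE extension is hiding something.
                "ext_mismatch": kind == "pe" and not info.filename.lower().endswith(PE_EXTENSIONS),
            })
    hashes = collections.Counter(r["sha256"] for r in rows if r["size"])
    summary = {
        "pe_count": sum(r["kind"] == "pe" for r in rows),
        "script_count": sum(r["kind"] == "script" for r in rows),
        "appledouble_count": sum(r["kind"] == "appledouble" for r in rows),
        "built_on_macos": any(r["name"].startswith("__MACOSX/") for r in rows),
        "all_stored": all(r["stored"] for r in rows),
        "pe_with_odd_extension": [r["name"] for r in rows if r["ext_mismatch"]],
        "duplicate_content": sorted(h for h, n in hashes.items() if n > 1),
    }
    return {"entries": rows, "summary": summary}


def build_sample_zip() -> bytes:
    """Constructed stand-in for Public.zip: same layout as the report, placeholder contents."""
    appledouble = APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 24   # AppleDouble v2 header stub
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("Public/", b"")
        zf.writestr("Public/1.bat", b"@echo off\r\nrem placeholder: the real 1.bat is not shown in the report\r\n")
        zf.writestr("Public/GSW32.EXE", PE_MAGIC + b"\x90" * 62)
        zf.writestr("Public/GBPPKVJOT/drivespan.dll", PE_MAGIC + b"\x00" * 62)
        zf.writestr("Public/GBPPKVJOT/KTEMain32.dll", PE_MAGIC + b"\x01" * 62)
        zf.writestr("Public/GBPPKVJOT/Transfer.exe", PE_MAGIC + b"\x02" * 62)
        for name in ("__MACOSX/._Public", "__MACOSX/Public/._GSW32.EXE",
                     "__MACOSX/Public/GBPPKVJOT/._RBGUIFramework.dll"):
            zf.writestr(name, appledouble)   # identical bodies, so identical hashes, as in the report
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    for r in report["entries"]:
        print(f'{r["kind"]:<12} {"stored" if r["stored"] else "packed":<7} {r["sha256"][:16]}  {r["name"]}')
    print(report["summary"])
```

On a real sample, replace build_sample_zip() with the bytes of the archive itself; the summary fields are the ones to gate on: a non-zero pe_count together with a script next to it, or any pe_with_odd_extension, is a reason to detonate rather than extract.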
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 27
DNS requests: 11
Threats: 18

HTTP requests

PID   Process               Method  HTTP Code  IP                  URL
2868  OfficeClickToRun.exe  GET     200        192.229.221.95:80   http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
2828  svchost.exe           GET     200        23.219.78.213:80    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?59087454e37d4481
2828  svchost.exe           GET     200        23.219.78.213:80    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?c5ad0c81702e938e
2828  svchost.exe           GET     200        23.219.78.213:80    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?ba6f1cb668fab3fd
1088  svchost.exe           GET     200        192.229.221.95:80   http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D

CN and reputation are "unknown" for all five; type and size were not recorded. None of these requests comes from the sample: they are OCSP and certificate-trust-list fetches by Office and Windows service processes. GSW32.EXE (PID 1500) issues no plain HTTP; its traffic is the TCP/443 connections listed below.

Connections

PID   Process               IP:port               Domain                          ASN                          CN  Reputation
4552  svchost.exe           239.255.255.250:1900  -                               -                            -   unknown
3112  svchost.exe           2.20.72.213:443       fs.microsoft.com                AKAMAI-AS                    AT  unknown
4     System                192.168.100.255:137   -                               -                            -   whitelisted
2868  OfficeClickToRun.exe  20.42.65.90:443       self.events.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  unknown
2868  OfficeClickToRun.exe  192.229.221.95:80     -                               EDGECAST                     US  whitelisted
1500  GSW32.EXE             103.159.132.80:443    -                               Gigabit Hosting Sdn Bhd      MY  unknown
2828  svchost.exe           23.219.78.213:80      ctldl.windowsupdate.com         CLARO S.A.                   BR  unknown
1500  GSW32.EXE             37.120.222.19:443     -                               M247 Ltd                     DE  unknown
1500  GSW32.EXE             172.66.43.185:443     www.domains4bitcoins.com        CLOUDFLARENET                US  unknown
2844  svchost.exe           20.189.173.8:443      v20.events.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  US  unknown

DNS requests

Domain                          Resolved IPs                                                                                               Reputation
fs.microsoft.com                2.20.72.213                                                                                                whitelisted
self.events.data.microsoft.com  20.42.65.90                                                                                                whitelisted
www.domains4bitcoins.com        172.66.43.185, 172.66.40.71                                                                                unknown
ctldl.windowsupdate.com         23.219.78.213, 23.219.78.199                                                                               whitelisted
dns.msftncsi.com                131.107.255.255                                                                                            shared
v20.events.data.microsoft.com   20.189.173.8                                                                                               whitelisted
login.live.com                  40.126.31.73, 20.190.159.68, 20.190.159.0, 20.190.159.73, 20.190.159.64, 20.190.159.71, 20.190.159.4, 40.126.31.67  whitelisted

Threats

PID   Process    Class                                          Message
-     -          Misc activity                                  ET INFO Microsoft Connection Test
1500  GSW32.EXE  Malware Command and Control Activity Detected  BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta)  (8 alerts)
1500  GSW32.EXE  Generic Protocol Command Decode                SURICATA HTTP request header invalid
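The Suricata signature that fires eight times names the ToneShell check-in "FakeTLS": all three GSW32.EXE connections go to TCP/443 (103.159.132.80, 37.120.222.19 and 172.66.43.185, the last resolved from www.domains4bitcoins.com), so a port-based view would file them under ordinary HTTPS, and the rule has to key on the stream content instead. The report does not describe ToneShell's wire format, so the checker below is an added, generic example and not the ANY.RUN rule's logic: it validates the first client-to-server bytes of a 443 stream against TLS record framing and reports streams that carry TLS-shaped record headers but never send a ClientHello, as well as streams that are not TLS at all. The flow list is constructed around the report's endpoints; the payload bytes attributed to the GSW32.EXE flows are invented for illustration, and the ClientHello builder is minimal (TLS 1.2, no extensions, single record), which is also the limit of the check: a ClientHello fragmented across records would be reported as malformed.

```python
import struct

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
MAX_RECORD = 16384 + 2048   # upper bound on a TLSCiphertext fragment (RFC 5246 6.2.3)


def make_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello, no extensions, standing in for a genuine client. Constructed."""
    body = (b"\x03\x03"            # client_version TLS 1.2
            + b"\x11" * 32         # random (placeholder)
            + b"\x00"              # session_id length 0
            + b"\x00\x02\xc0\x2f"  # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00")         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify_first_record(payload: bytes) -> str:
    """Judge the first client->server bytes of a TCP/443 stream by TLS record framing."""
    if len(payload) < 5:
        return "too_short"
    ctype, major, minor = payload[0], payload[1], payload[2]
    rlen = struct.unpack("!H", payload[3:5])[0]
    # Record header must be a known content type, version 3.x, and a sane length.
    if ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4 or rlen == 0 or rlen > MAX_RECORD:
        return "not_tls"
    # A real client opens with a handshake record; application_data first is the FakeTLS shape.
    if ctype != 0x16:
        return "tls_record_without_handshake"
    if len(payload) < 9 or payload[5] != 0x01:
        return "handshake_not_client_hello"
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_len + 4 != rlen:   # assumption: a single-record ClientHello fills its record exactly
        return "malformed_client_hello"
    return "client_hello"


# (process, destination, first client payload). Endpoints are from the report; bytes are constructed.
FLOWS = [
    ("svchost.exe", "2.20.72.213:443", make_client_hello()),
    ("GSW32.EXE", "103.159.132.80:443", b"\x17\x03\x03\x00\x20" + bytes(range(32))),
    ("GSW32.EXE", "37.120.222.19:443", b"\x17\x03\x03\x00\x10" + b"\xaa" * 16),
    ("GSW32.EXE", "172.66.43.185:443", b"\x16\x03\x01\x00\x05\x01\x00\x00\x10\x03"),
]


def triage_flows(flows):
    """Return (process, destination, verdict) for every flow that is not a proper ClientHello."""
    flagged = []
    for proc, dst, payload in flows:
        verdict = classify_first_record(payload)
        if verdict != "client_hello":
            flagged.append((proc, dst, verdict))
    return flagged


if __name__ == "__main__":
    for proc, dst, verdict in triage_flows(FLOWS):
        print(f"{proc:<12} {dst:<22} {verdict}")
```

Fed the PCAP that the full report offers for download, the same function can be applied to the first data segment of each client-side stream to 443; whatever the real ToneShell bytes look like, anything on that port that is not a ClientHello deserves the same "unknown reputation" scrutiny the Connections table gives these three hosts.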