Field | Value |
---|---|
File name | ZIP-Password-IS-951951______VmProtect.zip |
Full analysis | https://app.any.run/tasks/f8d41113-dd73-4d61-b68c-ee94b82967b6 |
Verdict | Malicious activity |
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date | January 15, 2022, 02:52:07 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | EFE9E1BFE8405AE27DFADA0D189F44CA |
SHA1 | EFD3770EDCEBC03E5437945B50C0D784576F29E9 |
SHA256 | 659FE37447FF0D6A6B470144E321829140D3B4AAB03488AAC75C6571CAD87CED |
SSDEEP | 98304:35W4nrEUX8K2qry24uzoTG04RPD9KRI0NBmDlWUKa+T4lmG+g8ILBVQaGKyHEsRw:35WW8QrFLJhKO0/0lxA4lm1acaykOwya |
Field | Value |
---|---|
File type (.zip) | ZIP compressed archive (100) |
ZipRequiredVersion | 20 |
ZipBitFlag | 0x0001 |
ZipCompression | Deflated |
ZipModifyDate | 2022:01:15 04:30:21 |
ZipCRC | 0x8f8191d0 |
ZipCompressedSize | 5835653 |
ZipUncompressedSize | 5847902 |
ZipFileName | 149_setupInstaller.exe |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2280 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ZIP-Password-IS-951951______VmProtect.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0 |
684 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2280.29416\149_setupInstaller.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2280.29416\149_setupInstaller.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 |
3628 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2280.29416\149_setupInstaller.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2280.29416\149_setupInstaller.exe | — | WinRAR.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
760 | "C:\Users\admin\AppData\Local\Temp\setup_installer.exe" | C:\Users\admin\AppData\Local\Temp\setup_installer.exe | — | 149_setupInstaller.exe | User: admin; Company: Igor Pavlov; Integrity Level: HIGH; Description: 7z Setup SFX; Exit code: 0; Version: 19.00 |
3324 | "C:\Users\admin\AppData\Local\Temp\7zS8F245514\setup_install.exe" | C:\Users\admin\AppData\Local\Temp\7zS8F245514\setup_install.exe | — | setup_installer.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
984 | C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable | C:\Windows\system32\cmd.exe | — | setup_install.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
4012 | C:\Windows\system32\cmd.exe /c 61e231ab47792_Sat02fb6439.exe | C:\Windows\system32\cmd.exe | — | setup_install.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3648 | C:\Windows\system32\cmd.exe /c 61e231ad0641a_Sat02817ac1e8.exe | C:\Windows\system32\cmd.exe | — | setup_install.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
2736 | powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows PowerShell; Exit code: 1; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) |
3012 | C:\Windows\system32\cmd.exe /c 61e231ae18706_Sat028e900d3.exe | C:\Windows\system32\cmd.exe | — | setup_install.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 3221225477; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3628 | 149_setupInstaller.exe | C:\Users\admin\AppData\Local\Temp\nsi1E93.tmp | — | — | — |
760 | setup_installer.exe | C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b2a394a_Sat02fc0e52.exe | executable | 996061FE21353BF63874579CC6C090CC | B9DAD89B3DE1D7F9A4B73A5D107C74F716A6E2E89D653C48AB47108B37AD699A |
760 | setup_installer.exe | C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b0801f9_Sat02dabcd2901f.exe | executable | 2D44954853F3E92224B63CF7F7167F94 | F751D17574983AE5F9A1B9E8F4385421B3742D63445358ED90C297713F9AE3E1 |
2280 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2280.29416\149_setupInstaller.exe | executable | 0A05D389853187296C0052984B606112 | D00D68B4427FE3317CA214B9BBA6E686005E52D0E5A2EB1B3BED8A8CE80D8CB9 |
760 | setup_installer.exe | C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231ae18706_Sat028e900d3.exe | executable | 32FB5C7255772327D5FBE5C608BAEFAD | 7D0345717D865C97BB0C46E47674F1FFD60979E6F11AAE25D544251C7FF2148F |
760 | setup_installer.exe | C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231ad0641a_Sat02817ac1e8.exe | executable | 243E257AB5A5DB0E1B249BDC2ABC4CFB | 3382B220421A7F7AFA30D6936DA856741C278167B1E67DB70A1B5BE4894D8F80 |
760 | setup_installer.exe | C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231af132e7_Sat020ee35cf.exe | executable | 29FA0D00300D275C04B2D0CC3B969C57 | 28314E224DCBAE977CBF7DEC0CDA849E4A56CEC90B3568A29B6BBD9234B895AA |
760 | setup_installer.exe | C:\Users\admin\AppData\Local\Temp\7zS8F245514\16422138324989.exe | text | F9497731DE40DEFDDFCB721C59671C8A | 5A0B9495F165A8E0B337C357895AA760BE82B4812ABE175CC43800B72D6E49E9 |
3628 | 149_setupInstaller.exe | C:\Users\admin\AppData\Local\Temp\setup_installer.exe | executable | 52AE12984522B8D30237BA4085835529 | 63B0460AB54AA4799B8FB9AE97E308B15D58FED495031B69431E6009DD95BD2C |
760 | setup_installer.exe | C:\Users\admin\AppData\Local\Temp\7zS8F245514\61e231b686514_Sat020f28d97695.exe | executable | 257B02D3E3B214638FFBBC3A97035701 | 5DCB3935AB6201AEF474AC8C43748F5DA13D48D068EBA604EE1F7FAC7E882F4D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1688 | 61e231b2a394a_Sat02fc0e52.tmp | HEAD | 200 | 93.189.42.32:80 | http://noplayboy.com/77.exe | RU | — | — | malicious |
2608 | 61e231c7536eb_Sat028b7251.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAWAJn8G8pVTNI4cGFpe7i4%3D | US | der | 471 b | whitelisted |
2608 | 61e231c7536eb_Sat028b7251.exe | GET | 200 | 93.184.220.29:80 | http://statuse.digitalcertvalidation.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJrF0xYA49jC3D83fgDGesaUkzIQQUf9OZ86BHDjEAVlYijrfMnt3KAYoCEAYJR5FkG19ljPHMaGsuvmc%3D | US | der | 471 b | whitelisted |
3520 | 61e231b18bfb5_Sat022d459aaa7.exe | GET | 400 | 212.193.30.45:80 | http://212.193.30.45/proxies.txt | RU | html | 301 b | malicious |
3520 | 61e231b18bfb5_Sat022d459aaa7.exe | GET | 400 | 2.56.59.42:80 | http://2.56.59.42/base/api/statistics.php | unknown | html | 326 b | malicious |
3436 | 61e231c2c70ca_Sat02e1a7ed.exe | GET | 200 | 13.107.4.50:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?516a7ec72d606910 | US | compressed | 59.9 Kb | whitelisted |
3520 | 61e231b18bfb5_Sat022d459aaa7.exe | GET | 400 | 45.144.225.57:80 | http://45.144.225.57/server.txt | unknown | html | 301 b | malicious |
3412 | 61e231b686514_Sat020f28d97695.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?43c1a155bc578b0f | US | compressed | 59.9 Kb | whitelisted |
3412 | 61e231b686514_Sat020f28d97695.exe | GET | 301 | 91.107.126.191:80 | http://web-stat.biz/connection | RU | html | 162 b | malicious |
2920 | 61e231ad0641a_Sat02817ac1e8.exe | GET | 200 | 92.123.224.113:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPRApfVsPmQefP8%2BOlu%2BSG2vQ%3D%3D | unknown | der | 503 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2920 | 61e231ad0641a_Sat02817ac1e8.exe | 148.251.234.83:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
3520 | 61e231b18bfb5_Sat022d459aaa7.exe | 212.193.30.45:80 | — | — | RU | malicious |
3520 | 61e231b18bfb5_Sat022d459aaa7.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
3324 | setup_install.exe | 172.67.164.34:80 | kelenxz.xyz | — | US | malicious |
2608 | 61e231c7536eb_Sat028b7251.exe | 149.28.253.196:443 | www.listincode.com | — | US | suspicious |
1324 | 61e231afbd0ff_Sat0275ca378161.exe | 172.67.188.70:443 | v.xyzgamev.com | — | US | suspicious |
3520 | 61e231b18bfb5_Sat022d459aaa7.exe | 45.144.225.57:80 | — | — | — | malicious |
2608 | 61e231c7536eb_Sat028b7251.exe | 13.107.4.50:80 | ctldl.windowsupdate.com | Microsoft Corporation | US | whitelisted |
3436 | 61e231c2c70ca_Sat02e1a7ed.exe | 104.21.88.113:443 | dpcapps.me | Cloudflare Inc | US | unknown |
3412 | 61e231b686514_Sat020f28d97695.exe | 91.107.126.191:443 | web-stat.biz | Domain names registrar REG.RU, Ltd | RU | malicious |
Domain | IP | Reputation |
---|---|---|
kelenxz.xyz | — | malicious |
www.listincode.com | — | whitelisted |
v.xyzgamev.com | — | suspicious |
iplogger.org | — | shared |
web-stat.biz | — | malicious |
pastebin.com | — | shared |
whatisart.top | — | suspicious |
noplayboy.com | — | malicious |
dpcapps.me | — | malicious |
ctldl.windowsupdate.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3324 | setup_install.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
3520 | 61e231b18bfb5_Sat022d459aaa7.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3520 | 61e231b18bfb5_Sat022d459aaa7.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
3520 | 61e231b18bfb5_Sat022d459aaa7.exe | A Network Trojan was detected | ET MALWARE User-Agent (???) |
3412 | 61e231b686514_Sat020f28d97695.exe | A Network Trojan was detected | ET TROJAN GCleaner Downloader Activity M5 |
2080 | 61e231c8a77c0_Sat021d76eef2.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2080 | 61e231c8a77c0_Sat021d76eef2.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |