File name: | Best PC Software 2023.zip |
Full analysis: | https://app.any.run/tasks/29fdd1a8-8022-4539-a2cd-bd0a293313cb |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | April 01, 2023, 14:14:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 80751C2729541619281B6EBC3F4759D1 |
SHA1: | B9DCC1FEFB0E3498E2B9AFBB06498F51957A8823 |
SHA256: | 6C1BC4C2526FF9F627B778EF80637EA9D40F79A9AA8575371037089D9F11CD0D |
SSDEEP: | 196608:8s1+Ewp2to9nzctJTqH1ADxVS/7EZwNgOtW/FRXvjt67CxPo0eF8aa/I8:8KwpjzcXIqxVIYuNJApx6XTap |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | None |
ZipModifyDate: | 2023:04:01 08:44:18 |
ZipCRC: | 0x00000000 |
ZipCompressedSize: | - |
ZipUncompressedSize: | - |
ZipFileName: | Best PC Software 2023/ |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2588 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Best PC Software 2023.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
3480 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2588.46119\Best PC Software 2023\Sеtup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2588.46119\Best PC Software 2023\Sеtup.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2888 | "C:\Users\admin\AppData\Roaming\HN2v0SSo.exe" | C:\Users\admin\AppData\Roaming\HN2v0SSo.exe | — | Sеtup.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
|
(PID) Process: | (2588) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2588) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2588) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2588) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
(PID) Process: | (2588) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2588) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2588) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2588) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2588) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2588) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2588 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2588.46119\Best PC Software 2023\Sеtup.exe | — | |
MD5:— | SHA256:— | |||
3480 | Sеtup.exe | C:\Users\admin\AppData\Roaming\HN2v0SSo.exe | executable | |
MD5:29D3F4AA52D5E748585480880661348A | SHA256:A8DC9CF18FAA505F034C5E0BA42C132E73DA7411D5237EC036C792A09E2B6A71 | |||
3480 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\99XS1j1J66Su | sqlite | |
MD5:B8E63E7225C9F4E0A81371F29D6456D8 | SHA256:35A6919CE60EA8E0A44934F8B267BDE2C5A063C2E32F22D34724F168C43150C8 | |||
3480 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\VW7VkMW4MYvF | sqlite | |
MD5:D02907BE1C995E1E51571EEDB82FA281 | SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD | |||
3480 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\raLi6rN6ebmk | sqlite | |
MD5:23D08A78BC908C0B29E9800D3D5614E7 | SHA256:F6BD7DF5DFAE9FD88811A807DBA14085E00C1B5A6D7CC3D06CC68F6015363D59 | |||
3480 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\3vo0XMzEk122 | sqlite | |
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087 | SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B | |||
3480 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\LEGs0YtD7M3O | text | |
MD5:E7CE898AADD69F4E4280010B7808116E | SHA256:C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02 | |||
3480 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\raLi6rN6ebmk-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3480 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\softokn3.dll | executable | |
MD5:63A1FE06BE877497C4C2017CA0303537 | SHA256:44BE3153C15C2D18F49674A092C135D3482FB89B77A1B2063D01D02985555FE0 | |||
3480 | Sеtup.exe | C:\Users\admin\AppData\LocalLow\sqlite3.dll | executable | |
MD5:DBF4F8DCEFB8056DC6BAE4B67FF810CE | SHA256:47B64311719000FA8C432165A0FDCDFED735D5B54977B052DE915B1CBBBF9D68 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3480 | Sеtup.exe | GET | 200 | 37.220.87.61:80 | http://37.220.87.61/Clip1.exe | UZ | executable | 6.78 Mb | malicious |
3480 | Sеtup.exe | GET | 200 | 77.73.134.35:80 | http://77.73.134.35/bebra.exe | KZ | executable | 13.8 Mb | malicious |
3480 | Sеtup.exe | POST | 200 | 37.220.87.66:80 | http://37.220.87.66/ | UZ | text | 7.22 Kb | malicious |
3480 | Sеtup.exe | POST | 200 | 37.220.87.66:80 | http://37.220.87.66/bae082128e0e1333be4bf5447da6da4c | UZ | text | 8 b | malicious |
3480 | Sеtup.exe | POST | 200 | 37.220.87.66:80 | http://37.220.87.66/bae082128e0e1333be4bf5447da6da4c | UZ | text | 8 b | malicious |
3480 | Sеtup.exe | GET | 200 | 37.220.87.66:80 | http://37.220.87.66/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll | UZ | executable | 78.2 Kb | malicious |
3480 | Sеtup.exe | GET | 200 | 37.220.87.66:80 | http://37.220.87.66/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll | UZ | executable | 1.05 Mb | malicious |
3480 | Sеtup.exe | GET | 200 | 37.220.87.66:80 | http://37.220.87.66/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll | UZ | executable | 668 Kb | malicious |
3480 | Sеtup.exe | GET | 200 | 37.220.87.66:80 | http://37.220.87.66/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll | UZ | executable | 1.95 Mb | malicious |
3480 | Sеtup.exe | POST | 200 | 37.220.87.66:80 | http://37.220.87.66/bae082128e0e1333be4bf5447da6da4c | UZ | text | 8 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 37.220.87.61:80 | — | LLC Internet Tehnologii | UZ | malicious |
3480 | Sеtup.exe | 77.73.134.35:80 | — | Partner LLC | KZ | malicious |
3480 | Sеtup.exe | 37.220.87.66:80 | — | LLC Internet Tehnologii | UZ | malicious |
PID | Process | Class | Message |
---|---|---|---|
3480 | Sеtup.exe | A Network Trojan was detected | ET MALWARE Win32/RecordBreaker CnC Checkin M1 |
3480 | Sеtup.exe | A Network Trojan was detected | ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response |
3480 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3480 | Sеtup.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity |
3480 | Sеtup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3480 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3480 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3480 | Sеtup.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity |
3480 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3480 | Sеtup.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity |