File name: sample_72.zip
Full analysis: https://app.any.run/tasks/2a23e45b-ffac-4fee-8cd6-ef251504c7fd
Verdict: Malicious activity
Analysis date: June 12, 2019, 09:51:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: BA88ED3DBC3D47BF7A1C1F4C5DB60692
SHA1: 9BF477F8D8DD492B96FD0B35C90BA1E6F5CF54E0
SHA256: 70BBDF93F0103BC8202CEC82096F47D8731319343480F29951C20EB93CE04F06
SSDEEP: 12288:thFq4EUwKpQFJKzW10Ik9WNJiOBCC1AdlxFEAk:RLxpQrKzFIkk9gC1il/EAk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • sample_72.exe (PID: 2900)
      • sample_72.exe (PID: 3908)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3660)
      • sample_72.exe (PID: 3908)
    • Reads internet explorer settings
      • sample_72.exe (PID: 3908)
    • Application launched itself
      • sample_72.exe (PID: 2900)
  • INFO
    • Manual execution by user
      • sample_72.exe (PID: 2900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
  ZipFileName: sample_72/
  ZipUncompressedSize: -
  ZipCompressedSize: -
  ZipCRC: 0x00000000
  ZipModifyDate: 2018:05:01 18:48:23
  ZipCompression: None
  ZipBitFlag: -
  ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process chain; interactive view in the full report)

start → winrar.exe → sample_72.exe (no specs) → sample_72.exe

Process information

PID: 3660
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample_72.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2900
CMD: "C:\Users\admin\Desktop\sample_72\sample_72.exe"
Path: C:\Users\admin\Desktop\sample_72\sample_72.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3908
CMD: "C:\Users\admin\Desktop\sample_72\sample_72.exe" /RSF
Path: C:\Users\admin\Desktop\sample_72\sample_72.exe
Parent process: sample_72.exe
User: admin
Integrity Level: HIGH
Total events: 955
Read events: 907
Write events: 48
Delete events: 0

Modification events

(PID 3660) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID 3660) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID 3660) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID 3660) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\sample_72.zip
(PID 3660) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 3660) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 3660) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID 3660) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID 3660) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop
(PID 3660) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface | Operation: write | Name: ShowPassword | Value: 0

Executable files: 2
Suspicious files: 0
Text files: 57
Unknown types: 1

Dropped files (all written by PID 2900, sample_72.exe)

C:\Users\admin\AppData\Local\Temp\00126E91.log
  Type: -
  MD5: -
  SHA256: -
C:\Users\admin\AppData\Local\Temp\ish1207953\images\Close.png
  Type: image
  MD5: 13E974317ABAF08AA7AAD7DC164D8AC0
  SHA256: 9BDC0A4226491FFC64C7F23C384D04CA2403952519BF44478EA01184B4EECA8B
C:\Users\admin\AppData\Local\Temp\ish1207953\defaultOffer\offer_html.txt
  Type: html
  MD5: 8867335D0EB07D83FF205DDF127DD3C3
  SHA256: 663759DA214C10324EC30427E6E9A25D84A19954FB2F6F39D71BC0CECA1C4E19
C:\Users\admin\AppData\Local\Temp\ish1207953\images\Color_Button.png
  Type: image
  MD5: 233E3ECAF8B6F0A9F82CA79CCD1788A1
  SHA256: 8B0BF039E841739DA7555D8B2348B02111B9A00CCA8F654AE73953778155F638
C:\Users\admin\AppData\Local\Temp\ish1207953\css\main.css
  Type: text
  MD5: CEEC7EF9D2B2161421B843782577BA15
  SHA256: AA312EBAF436CB8A041A42C446E2B1509B97337A0968A2D7FEE22444B02BB906
C:\Users\admin\AppData\Local\Temp\ish1207953\css\ie6_main.css
  Type: text
  MD5: 94B29BB4559B10F46B6ABE3137D23847
  SHA256: 251340AEA1EAC86CB0D89DD0D3BD2F109C9FC8F194BAE4355102433C24BDC60B
C:\Users\admin\AppData\Local\Temp\ish1207953\images\Close_Hover.png
  Type: image
  MD5: 0294FE3135DDB5537282A6B7BBC2300C
  SHA256: C247C19DD3072264D855207E7CF5C727E2A84C075D9EC3F14F494F2ADFC314C3
C:\Users\admin\AppData\Local\Temp\ish1207953\images\BG.jpg
  Type: image
  MD5: DCF8583E3CBC79D7CBE4124B8239EDF6
  SHA256: 2F1051DE724651D5F7C80285172D7BA06C57AEE132A8B77B3831A7E4A5B9986C
C:\Users\admin\AppData\Local\Temp\ish1207953\defaultOffer\offer_code.txt
  Type: text
  MD5: 7B4144DBDE53AFEC68826F47E6C4E015
  SHA256: B538B2475B91E2E3F1DF6E7BDBEEAD8B1B791AF9658D1B3C63B5262854E369C0
C:\Users\admin\AppData\Local\Temp\ish1207953\images\Color_Button_Hover.png
  Type: image
  MD5: 9775ECCCBE3A96A4A6FF159C12C5C75A
  SHA256: B8F73314D652D0D572C3A63F7797DC04BC959F2DFC659905FE8AC2F9F2F6FF30
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 63
TCP/UDP connections: 23
DNS requests: 4
Threats: 0

HTTP requests (all from PID 3908, sample_72.exe; "-" means no response was recorded)

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | - | 192.96.201.161:80 | http://cdnus.kitaracdn.com/ofr/BabylonToolbarV5.cis | US | - | - | malicious
GET | - | 192.96.201.161:80 | http://cdnus.kitaracdn.com/ofr/BabylonToolbarV5.cis | US | - | - | malicious
GET | 403 | 192.96.201.161:80 | http://cdnus.kitaracdn.com/ofr/BabylonToolbarV5.cis | US | xml | 243 b | malicious
GET | 403 | 95.211.184.67:80 | http://cdneu.kitaracdn.com/ofr/BabylonToolbarV5.cis | NL | xml | 243 b | malicious
GET | 403 | 192.96.201.161:80 | http://cdnus.kitaracdn.com/ofr/BabylonToolbarV5.cis | US | xml | 243 b | malicious
GET | 403 | 192.96.201.161:80 | http://cdnus.kitaracdn.com/ofr/BabylonToolbarV5.cis | US | xml | 243 b | malicious
GET | 403 | 95.211.184.67:80 | http://cdneu.kitaracdn.com/ofr/BabylonToolbarV5.cis | NL | xml | 243 b | malicious
GET | 403 | 95.211.184.67:80 | http://cdneu.kitaracdn.com/ofr/BabylonToolbarV5.cis | NL | xml | 243 b | malicious
GET | 403 | 95.211.184.67:80 | http://cdneu.kitaracdn.com/ofr/BabylonToolbarV5.cis | NL | xml | 243 b | malicious
GET | - | 192.96.201.161:80 | http://cdnus.kitaracdn.com/ofr/BabylonToolbarV5.cis | US | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3908 | sample_72.exe | 192.96.201.161:80 | cdnus.kitaracdn.com | Leaseweb USA, Inc. | US | malicious
3908 | sample_72.exe | 52.214.73.247:80 | rp.kitaracdn.com | Amazon.com, Inc. | IE | malicious
3908 | sample_72.exe | 95.211.184.67:80 | cdneu.kitaracdn.com | LeaseWeb Netherlands B.V. | NL | malicious
- | - | 95.211.184.67:80 | cdneu.kitaracdn.com | LeaseWeb Netherlands B.V. | NL | malicious
- | - | 192.96.201.161:80 | cdnus.kitaracdn.com | Leaseweb USA, Inc. | US | malicious


DNS requests

Domain | IP | Reputation
os.kitaracdn.com | - | unknown
cdnus.kitaracdn.com | 192.96.201.161 | malicious
cdneu.kitaracdn.com | 95.211.184.67 | malicious
rp.kitaracdn.com | 52.214.73.247, 54.194.149.175 | malicious

Threats

No threats detected
No debug info