File name: Archive.zip
Full analysis: https://app.any.run/tasks/9c3da80c-951b-490e-972f-e5918c4b4a9b
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: January 31, 2024, 12:49:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
apt
mustangpanda
earthpreta
backdoor
toneshell
pubload
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B50E0E40F3F2330CF908D13237E689D6
SHA1: 54465C9934D774FE0C1242DDE4EF344DBB08551F
SHA256: 736036BC0069EAEC6C489E95553111CD235ADB07BC19DDBDD2C63EC41A90D0DD
SSDEEP: 12288:hwhDKAzYZsbe9117sfwwCEyMAeOQenwePoISd:hwhuAzYmbe9T7sfwwC8jenweAjd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 752)
      • Talking Points for China.exe (PID: 2448)
    • Actions look like stealing of personal data
      • Talking Points for China.exe (PID: 2448)
    • TONESHELL has been detected (SURICATA)
      • Talking Points for China.exe (PID: 2448)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Talking Points for China.exe (PID: 2448)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 752)
    • Checks supported languages
      • Talking Points for China.exe (PID: 2448)
    • Manual execution by a user
      • Talking Points for China.exe (PID: 2448)
      • explorer.exe (PID: 3472)
    • Creates files or folders in the user directory
      • Talking Points for China.exe (PID: 2448)
    • Reads the machine GUID from the registry
      • Talking Points for China.exe (PID: 2448)
    • Reads the computer name
      • Talking Points for China.exe (PID: 2448)
    • Creates files in the program directory
      • Talking Points for China.exe (PID: 2448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0008
ZipCompression: Deflated
ZipModifyDate: 2023:12:12 09:49:42
ZipCRC: 0x92363964
ZipCompressedSize: 78644
ZipUncompressedSize: 178320
ZipFileName: KeyScramblerIE.DLL
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0


Process information

PID: 752
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Archive.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 2448
CMD: "C:\Users\admin\Desktop\Talking Points for China.exe"
Path: C:\Users\admin\Desktop\Talking Points for China.exe
Parent process: explorer.exe
User: admin
Company: QFX Software Corporation
Integrity Level: MEDIUM
Description: KeyScrambler
Exit code: 0
Version: 3,17,0,4
Modules (images):
c:\users\admin\desktop\talking points for china.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\keyscramblerie.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 3472
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 1 174
Read events: 1 154
Write events: 20
Delete events: 0

Modification events

(PID) Process: (752) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 4
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 2448
Process: Talking Points for China.exe
Filename: C:\ProgramData\QFXSoftwarePubKey\Talking Points for China.exe
Type: executable
MD5: C790EBFCB6A34953A371E32C9174FE46
SHA256: FA7AD2F45128120BCCC33F996F87A81FAA2E9C1236666DD69B943A755F332EB1

PID: 752
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa752.36314\Talking Points for China.exe
Type: executable
MD5: C790EBFCB6A34953A371E32C9174FE46
SHA256: FA7AD2F45128120BCCC33F996F87A81FAA2E9C1236666DD69B943A755F332EB1

PID: 752
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa752.36314\KeyScramblerIE.DLL
Type: executable
MD5: AD40D2910A5B1462DBF93619B6CF1157
SHA256: 8F3A36AAA55F54AE4E665A3C4213DEC1F16912BF5ED2F0FF5FF9D08A84A451A6

PID: 2448
Process: Talking Points for China.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\a6356ecc6025d4d797fc752f6fd045e2_90059c37-1320-41a4-b58d-2b75a9850d2f
Type: binary
MD5: 3FC7E09170C27C7FC9C3528478D0CEBD
SHA256: FED9FC43BEEC04D9967E6ED8CA0A309D5112F16338D2FB588997C35F7B7A221A

PID: 2448
Process: Talking Points for China.exe
Filename: C:\ProgramData\QFXSoftwarePubKey\KeyScramblerIE.DLL
Type: executable
MD5: AD40D2910A5B1462DBF93619B6CF1157
SHA256: 8F3A36AAA55F54AE4E665A3C4213DEC1F16912BF5ED2F0FF5FF9D08A84A451A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 16
DNS requests: 0
Threats: 6

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2448 | Talking Points for China.exe | 61.4.102.75:443 | - | Gigabit Hosting Sdn Bhd | MY | unknown
3584 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
828 | svchost.exe | 239.255.255.250:3702 | - | - | - | unknown

DNS requests: No data

Threats

PID | Process | Class | Message
2448 | Talking Points for China.exe | Potentially Bad Traffic | INFO [ANY.RUN] Malformed TLS App-Layer Outbound Packet
2448 | Talking Points for China.exe | Potentially Bad Traffic | INFO [ANY.RUN] Malformed TLS App-Layer Inbound Packet
2448 | Talking Points for China.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta)
2448 | Talking Points for China.exe | Potentially Bad Traffic | INFO [ANY.RUN] Malformed TLS App-Layer Outbound Packet
2448 | Talking Points for China.exe | Potentially Bad Traffic | INFO [ANY.RUN] Malformed TLS App-Layer Inbound Packet
2448 | Talking Points for China.exe | Malware Command and Control Activity Detected | BACKDOOR [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta)
No debug info