File name: | Live Radio Pro Tab_5da0756ca78bf[1].exe.zip |
Full analysis: | https://app.any.run/tasks/0528c092-5245-43ed-8a23-06ceff794b89 |
Verdict: | Malicious activity |
Analysis date: | October 14, 2019, 19:07:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 664D3495E8900E7E8605CEA24DB238C0 |
SHA1: | B03CC7C0016D61C606BD6EF35BF8574A42AEDD56 |
SHA256: | 757503262E623F28E526BBF14756F5A613056B8BEC0457286B00733456E627B7 |
SSDEEP: | 12288:T5AYeRwkZcwM9i0iVrtKXBkLrbWHEYb7BLRjVn6mddGXfuPGuJKA:TyPRDcX40iQGABLRjV6vfuPXwA |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Live Radio Pro Tab_5da0756ca78bf[1].exe |
---|---|
ZipUncompressedSize: | 789480 |
ZipCompressedSize: | 750745 |
ZipCRC: | 0xfef74738 |
ZipModifyDate: | 2019:10:14 18:59:02 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2528 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Live Radio Pro Tab_5da0756ca78bf[1].exe.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
892 | "C:\Users\admin\Desktop\Live Radio Pro Tab_5da0756ca78bf[1].exe" | C:\Users\admin\Desktop\Live Radio Pro Tab_5da0756ca78bf[1].exe | explorer.exe | |
User: admin Company: Better Cloud Solutions LTD Integrity Level: MEDIUM Description: Desktop web search Exit code: 1 Version: 3.6.0.1 | ||||
3836 | "C:\Users\admin\Desktop\Live Radio Pro Tab_5da0756ca78bf[1].exe" | C:\Users\admin\Desktop\Live Radio Pro Tab_5da0756ca78bf[1].exe | explorer.exe | |
User: admin Company: Better Cloud Solutions LTD Integrity Level: MEDIUM Description: Desktop web search Exit code: 0 Version: 3.6.0.1 | ||||
3868 | "C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe" /firstrun | C:\Users\admin\AppData\Local\Email Access Online\Email Access Online.exe | Live Radio Pro Tab_5da0756ca78bf[1].exe | |
User: admin Company: Better Cloud Solutions LTD Integrity Level: MEDIUM Description: Desktop web search Version: 3.6.0.1 | ||||
2456 | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.hemailaccessonline.com/s?uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&uc=20191014&source=-lp0-bb8-sbe&i_id=email_&ap=appfocus1 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | Email Access Online.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
4084 | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:71937 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | IEXPLORE.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3140 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Exit code: 0 Version: 26,0,0,131 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2528 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2528.10559\Live Radio Pro Tab_5da0756ca78bf[1].exe | — | |
MD5:— | SHA256:— | |||
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\email[1].json | — | |
MD5:— | SHA256:— | |||
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | C:\Users\admin\AppData\Local\Temp\Cab2999.tmp | — | |
MD5:— | SHA256:— | |||
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | C:\Users\admin\AppData\Local\Temp\Tar299A.tmp | — | |
MD5:— | SHA256:— | |||
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | C:\Users\admin\AppData\Local\Temp\Cab299B.tmp | — | |
MD5:— | SHA256:— | |||
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | C:\Users\admin\AppData\Local\Temp\Tar299C.tmp | — | |
MD5:— | SHA256:— | |||
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | C:\Users\admin\AppData\Local\Temp\Cab2A1A.tmp | — | |
MD5:— | SHA256:— | |||
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | C:\Users\admin\AppData\Local\Temp\Tar2A1B.tmp | — | |
MD5:— | SHA256:— | |||
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | C:\Users\admin\AppData\Local\Temp\nsw1610.tmp\ping | — | |
MD5:— | SHA256:— | |||
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | C:\Users\admin\AppData\Local\Temp\nsw160F.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | GET | 200 | 3.19.196.51:80 | http://websearchdl.com/Content/kits/sbui/widgets/email/email.json?useragent=SB&user_id=&source=-lp0-bb8-sbe&traffic_source=&subid=20191014&implementation_id=email_ | US | text | 441 b | suspicious |
3868 | Email Access Online.exe | GET | 404 | 3.19.196.51:80 | http://searchbardistro.com/cgi/adk/chrdlid.cgi?dfn=Email%20Access%20Online&err=6 | US | html | 141 b | suspicious |
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 57.0 Kb | whitelisted |
3868 | Email Access Online.exe | GET | 404 | 3.19.196.51:80 | http://websearchdl.com/Content/kits/SBVersion.json?distSubId3=3.6.0.1 | US | binary | 20 b | suspicious |
4084 | IEXPLORE.EXE | GET | 302 | 52.202.4.117:80 | http://results.hemailaccessonline.com/?uc=20191014&ap=appfocus1&source=-lp0-bb8-sbe&uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&i_id=email_1&page=newtab | US | html | 287 b | malicious |
3868 | Email Access Online.exe | GET | 200 | 3.19.196.51:80 | http://websearchdl.com/Content/kits/rotate_strings.json?useragent=SB&user_id=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&source=-lp0-bb8-sbe&traffic_source=appfocus1&subid=20191014&implementation_id=email_ | US | text | 437 b | suspicious |
2456 | IEXPLORE.EXE | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3868 | Email Access Online.exe | GET | 302 | 52.202.4.117:80 | http://results.hemailaccessonline.com/s?uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&uc=20191014&source=-lp0-bb8-sbe&i_id=email_&ap=appfocus1&query=sbinit | US | html | 157 b | malicious |
4084 | IEXPLORE.EXE | GET | 302 | 52.202.4.117:80 | http://results.hemailaccessonline.com/s?uid=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&uc=20191014&source=-lp0-bb8-sbe&i_id=email_&ap=appfocus1 | US | html | 249 b | malicious |
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | GET | 200 | 35.168.129.108:80 | http://imp.hemailaccessonline.com/impression.do?useragent=NSIS&user_id=7ce42b2c-83ca-4350-9603-a9aaeee50b9a&source=-lp0-bb8-sbe&traffic_source=appfocus1&subid=20191014&implementation_id=email_&event=sbe_offer_accepted | US | image | 109 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
892 | Live Radio Pro Tab_5da0756ca78bf[1].exe | 3.19.196.51:80 | searchbardistro.com | — | US | unknown |
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | 3.19.196.51:443 | searchbardistro.com | — | US | unknown |
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | 35.168.129.108:80 | imp.hemailaccessonline.com | Amazon.com, Inc. | US | suspicious |
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | 3.19.196.51:80 | searchbardistro.com | — | US | unknown |
3868 | Email Access Online.exe | 3.19.196.51:80 | searchbardistro.com | — | US | unknown |
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | 13.35.254.82:80 | x.ss2.us | — | US | suspicious |
892 | Live Radio Pro Tab_5da0756ca78bf[1].exe | 3.13.88.241:80 | searchbardistro.com | — | US | unknown |
3868 | Email Access Online.exe | 35.168.129.108:80 | imp.hemailaccessonline.com | Amazon.com, Inc. | US | suspicious |
4084 | IEXPLORE.EXE | 52.202.4.117:80 | results.hemailaccessonline.com | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
searchbardistro.com |
| suspicious |
websearchdl.com |
| suspicious |
x.ss2.us |
| whitelisted |
www.download.windowsupdate.com |
| whitelisted |
imp.hemailaccessonline.com |
| unknown |
results.hemailaccessonline.com |
| malicious |
www.bing.com |
| whitelisted |
appfocus.go2cloud.org |
| shared |
thenewscentral.org |
| suspicious |
ajax.googleapis.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) |
3836 | Live Radio Pro Tab_5da0756ca78bf[1].exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer |
892 | Live Radio Pro Tab_5da0756ca78bf[1].exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) |
892 | Live Radio Pro Tab_5da0756ca78bf[1].exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer |