File name:

FinCERT_BAPB_MLW2019061101.zip

Full analysis: https://app.any.run/tasks/56b47676-5702-49c5-b434-844c43a17e67
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: June 12, 2019, 07:05:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
redaman
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

AFD573D653F196A8D9BA5D1882AFC505

SHA1:

D97C08130580D675D234CD091DB16F10E1B8D890

SHA256:

7D11C6F39079E9C885C3656F8455FC9B69DCC9ACEBF5D034BEAE2CD31C406C9F

SSDEEP:

12288:BJEv9Z23DtXE23UQ8RJec7RDVrppdUOXKi8:BozwtU2eeCVT5Ki8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads the Task Scheduler COM API

      • rundll32.exe (PID: 2908)
    • Changes the autorun value in the registry

      • Документы 11 июня.exe (PID: 1380)
      • Документы 11 июня.exe (PID: 3396)
    • Application was dropped or rewritten from another process

      • Документы 11 июня.exe (PID: 1380)
      • Документы 11 июня.exe (PID: 3396)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2908)
      • rundll32.exe (PID: 1040)
      • explorer.exe (PID: 116)
      • OUTLOOK.EXE (PID: 2556)
      • WinRAR.exe (PID: 2944)
      • rundll32.exe (PID: 3156)
    • REDAMAN was detected

      • rundll32.exe (PID: 1040)
    • Changes settings of System certificates

      • rundll32.exe (PID: 1040)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • explorer.exe (PID: 116)
      • OUTLOOK.EXE (PID: 2556)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2556)
      • explorer.exe (PID: 116)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 2908)
      • Документы 11 июня.exe (PID: 1380)
      • WinRAR.exe (PID: 3448)
    • Creates files in the program directory

      • rundll32.exe (PID: 2908)
    • Uses RUNDLL32.EXE to load library

      • Документы 11 июня.exe (PID: 1380)
      • Документы 11 июня.exe (PID: 3396)
    • Connects to server without host name

      • rundll32.exe (PID: 1040)
    • Executed via Task Scheduler

      • rundll32.exe (PID: 1040)
    • Adds / modifies Windows certificates

      • rundll32.exe (PID: 1040)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3612)
      • explorer.exe (PID: 116)
    • Manual execution by user

      • OUTLOOK.EXE (PID: 2556)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2556)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2019:06:11 14:56:09
ZipCRC: 0x4743c0e5
ZipCompressedSize: 231617
ZipUncompressedSize: 307455
ZipFileName: [Content] ????뢠?騥 ???㬥??? 11.06.eml
No data.
All screenshots are available in the full report
Total processes
46
Monitored processes
10
Malicious processes
8
Suspicious processes
0

Behavior graph

Nodes: winrar.exe (no specs); outlook.exe; winrar.exe; документы 11 июня.exe; rundll32.exe; rundll32.exe (#REDAMAN); explorer.exe (no specs); winrar.exe (no specs); документы 11 июня.exe; rundll32.exe (no specs). Edge labels: start; drop and start.

Process information

PID: 3612
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FinCERT_BAPB_MLW2019061101.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
PID: 2556
CMD: "C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\[Content] 滿߫¬ ñ«¬-«ó ºá »a«F½d¬ ¼Ñßnµ.eml"
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
PID: 3448
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\Документы 11 июня (2).001"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
PID: 1380
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.19184\Документы 11 июня.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3448.19184\Документы 11 июня.exe
Parent process: WinRAR.exe
User:
admin
Company:
Корпорация Майкрософт
Integrity Level:
MEDIUM
Description:
Самоизвлечение CAB-файлов Win32
Exit code:
0
Version:
6.00.2900.5512 (xpsp.080413-2105)
PID: 2908
CMD: rundll32.exe core.dll,DllGetClassObject root 000000000000 Post Install program: <None>
Path: C:\Windows\system32\rundll32.exe
Parent process: Документы 11 июня.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1040
CMD: rundll32.exe "C:\ProgramData\2daf8815353e\2eac8b16363d.dat",DllGetClassObject root
Path: C:\Windows\system32\rundll32.exe
Parent process: taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 116
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID: 2944
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Документы 11 июня.001"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
PID: 3396
CMD: "C:\Users\admin\Desktop\Документы 11 июня.exe"
Path: C:\Users\admin\Desktop\Документы 11 июня.exe
Parent process: explorer.exe
User:
admin
Company:
Корпорация Майкрософт
Integrity Level:
MEDIUM
Description:
Самоизвлечение CAB-файлов Win32
Exit code:
0
Version:
6.00.2900.5512 (xpsp.080413-2105)
PID: 3156
CMD: rundll32.exe core.dll,DllGetClassObject root 000000000000 Post Install program: <None>
Path: C:\Windows\system32\rundll32.exe
Parent process: Документы 11 июня.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
5 465
Read events
4 928
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
3
Text files
24
Unknown types
9

Dropped files

PID: 2556
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR81EA.tmp
Type: cvr
MD5:
SHA256:
PID: 2556
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\tmp84F8.tmp
MD5:
SHA256:
PID: 2556
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\Документы 11 июня (2).001\:Zone.Identifier:$DATA
MD5:
SHA256:
PID: 116
Process: explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\[Content] 滿߫¬ ñ«¬-«ó ºá »a«F½d¬ ¼Ñßnµ.eml.lnk
Type: lnk
MD5: 3244B8B6699039394ED9EA8E2EC4CAF9
SHA256: 947C6CCB19291909C3FC67D863B464F21017AED33DC74FEDD3CE939338B35C78
PID: 116
Process: explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
Type: automaticdestinations-ms
MD5: A5F53E63E78E89546770D6B7F11126D7
SHA256: 7324ECAE69B0C167234B11AE22155018E9B47B297F90A345A8D8C9C828E0F7FC
PID: 116
Process: explorer.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061220190613\index.dat
Type: dat
MD5: 87DE23D5A4B790ED5EA47E933339A04D
SHA256: 8215C6995D14B8E0D100DA44C79F36276504B857F66875ECFCD56BC1B3E41F3D
PID: 116
Process: explorer.exe
Filename: C:\Users\admin\Desktop\[Content] 滿߫¬ ñ«¬-«ó ºá »a«F½d¬ ¼Ñßnµ.eml
Type: eml
MD5: B8D796DAF9AAB46E074D37E80A4A82B9
SHA256: FECD75E31F8CE7321D0F508050758F88A30AC90086312C82C0637D12F67F1744
PID: 3612
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3612.16050\[Content] 滿߫¬ ñ«¬-«ó ºá »a«F½d¬ ¼Ñßnµ.eml
Type: eml
MD5: B8D796DAF9AAB46E074D37E80A4A82B9
SHA256: FECD75E31F8CE7321D0F508050758F88A30AC90086312C82C0637D12F67F1744
PID: 116
Process: explorer.exe
Filename: C:\Users\admin\Desktop\Документы 11 июня.001
Type: compressed
MD5: 15BEE066EA635288CC38F276AD7A1E96
SHA256: 451FAAE35F9895D5AC76DC46D298A32100A2E4F6F19F5C909DE1CF46B54F2815
PID: 2556
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GFOIWQCN\Документы 11 июня.001
Type: compressed
MD5: 15BEE066EA635288CC38F276AD7A1E96
SHA256: 451FAAE35F9895D5AC76DC46D298A32100A2E4F6F19F5C909DE1CF46B54F2815
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID: 2556
Process: OUTLOOK.EXE
Method: GET
IP: 64.4.26.155:80
URL: http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
CN: US
Reputation: whitelisted

PID: 1040
Process: rundll32.exe
Method: POST
HTTP Code: 200
IP: 94.156.35.33:80
URL: http://94.156.35.33/index.php
CN: BG
Type: text
Size: 9 b
Reputation: malicious

Connections

PID: 2556
Process: OUTLOOK.EXE
IP: 64.4.26.155:80
Domain: config.messenger.msn.com
ASN: Microsoft Corporation
CN: US
Reputation: whitelisted

PID: 1040
Process: rundll32.exe
IP: 94.156.35.33:80
ASN: BelCloud Hosting Corporation
CN: BG
Reputation: malicious

PID: 1040
Process: rundll32.exe
IP: 104.25.48.99:443
Domain: chain.so
ASN: Cloudflare Inc
CN: US
Reputation: shared

DNS requests

Domain: config.messenger.msn.com
IP:
  • 64.4.26.155
Reputation: whitelisted

Domain: chain.so
IP:
  • 104.25.48.99
  • 104.25.47.99
Reputation: whitelisted

Threats

PID: 1040
Process: rundll32.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)
No debug info