analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FinCERT_BAPB_MLW2019061101.zip

Full analysis: https://app.any.run/tasks/5da1eda8-6770-456c-a20c-2872295da300
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: June 12, 2019, 07:11:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
redaman
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

AFD573D653F196A8D9BA5D1882AFC505

SHA1:

D97C08130580D675D234CD091DB16F10E1B8D890

SHA256:

7D11C6F39079E9C885C3656F8455FC9B69DCC9ACEBF5D034BEAE2CD31C406C9F

SSDEEP:

12288:BJEv9Z23DtXE23UQ8RJec7RDVrppdUOXKi8:BozwtU2eeCVT5Ki8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Док-ты вторник.exe (PID: 1656)

    • Changes the autorun value in the registry

      • Док-ты вторник.exe (PID: 1656)

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 3552)
      • rundll32.exe (PID: 3832)
      • WinRAR.exe (PID: 1564)
      • explorer.exe (PID: 116)

    • Loads the Task Scheduler COM API

      • rundll32.exe (PID: 3552)

    • Changes settings of System certificates

      • rundll32.exe (PID: 3832)

    • REDAMAN was detected

      • rundll32.exe (PID: 3832)

  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 116)
      • OUTLOOK.EXE (PID: 3604)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 116)
      • OUTLOOK.EXE (PID: 3604)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1564)
      • Док-ты вторник.exe (PID: 1656)
      • rundll32.exe (PID: 3552)

    • Uses RUNDLL32.EXE to load library

      • Док-ты вторник.exe (PID: 1656)

    • Creates files in the program directory

      • rundll32.exe (PID: 3552)

    • Executed via Task Scheduler

      • rundll32.exe (PID: 3832)

    • Connects to server without host name

      • rundll32.exe (PID: 3832)

    • Adds / modifies Windows certificates

      • rundll32.exe (PID: 3832)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3360)
      • explorer.exe (PID: 116)

    • Manual execution by user

      • OUTLOOK.EXE (PID: 3604)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 3604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: [Content] ????뢠?騥 ???㬥??? 11.06.eml
ZipUncompressedSize: 307455
ZipCompressedSize: 231617
ZipCRC: 0x4743c0e5
ZipModifyDate: 2019:06:11 14:56:09
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
7
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs outlook.exe winrar.exe док-ты вторник.exe rundll32.exe #REDAMAN rundll32.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3360"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FinCERT_BAPB_MLW2019061101.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3604"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\[Content] çá¬adóáeT¿Ñ ñ«¬p¼Ñ¡Gd 11.06.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
1564"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\V1R6JZNF\Док-ты вторник.001"C:\Program Files\WinRAR\WinRAR.exe
OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1656"C:\Users\admin\AppData\Local\Temp\Rar$EXa1564.5874\Док-ты вторник.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1564.5874\Док-ты вторник.exe
WinRAR.exe
User:
admin
Company:
Корпорация Майкрософт
Integrity Level:
MEDIUM
Description:
Самоизвлечение CAB-файлов Win32
Exit code:
0
Version:
6.00.2900.5512 (xpsp.080413-2105)
3552rundll32.exe core.dll,DllGetClassObject root 000000000000 Post Install program: <None>C:\Windows\system32\rundll32.exe
Док-ты вторник.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3832rundll32.exe "C:\ProgramData\2daf8815353e\2eac8b16363d.dat",DllGetClassObject rootC:\Windows\system32\rundll32.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
116C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
5 088
Read events
4 595
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
3
Text files
24
Unknown types
6

Dropped files

PID
Process
Filename
Type
3604OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR4270.tmp.cvr
MD5:
SHA256:
3604OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp455F.tmp
MD5:
SHA256:
3604OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\V1R6JZNF\Док-ты вторник (2).001\:Zone.Identifier:$DATA
MD5:
SHA256:
3360WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3360.2980\[Content] çá¬adóáeT¿Ñ ñ«¬p¼Ñ¡Gd 11.06.emleml
MD5:CDD0C73A1A44934B909EEBD79A095B3D
SHA256:CEA54251A97307BA42E445B36F9B6FA40CAE2F19792198ED0E239582B6FAAC7D
1564WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1564.5697\Док-ты вторник.exe
MD5:
SHA256:
116explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:8715BB1E111E825F286D1DB22C205820
SHA256:BD983266066D7AABDE5F4AEB11AC7E12C6A6E602CD5CAF57110E56978E8ED56F
116explorer.exeC:\Users\admin\Desktop\[Content] çá¬adóáeT¿Ñ ñ«¬p¼Ñ¡Gd 11.06.emleml
MD5:CDD0C73A1A44934B909EEBD79A095B3D
SHA256:CEA54251A97307BA42E445B36F9B6FA40CAE2F19792198ED0E239582B6FAAC7D
116explorer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061220190613\index.datdat
MD5:74990FF0872E4014305643D7564C46BA
SHA256:F6EFA47D5413E177AA0DD13C0107348ED285F2863E91A71954FF147FE56B2974
116explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\[Content] çá¬adóáeT¿Ñ ñ«¬p¼Ñ¡Gd 11.06.eml.lnklnk
MD5:0E00AE6D2F337054CB5B1F8D1E7CD900
SHA256:929A88447A36F03E0F519BADC75C630581FEC9D72737AD7BEFDE94DB36964B6B
3604OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_RssRule_2_5C7DC8C6F60C614BABFDB006BD1B0B51.datxml
MD5:D8B37ED0410FB241C283F72B76987F18
SHA256:31E68049F6B7F21511E70CD7F2D95B9CF1354CF54603E8F47C1FC40F40B7A114
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3604
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3832
rundll32.exe
POST
200
94.156.35.33:80
http://94.156.35.33/index.php
BG
text
9 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3604
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3832
rundll32.exe
94.156.35.33:80
BelCloud Hosting Corporation
BG
malicious
3832
rundll32.exe
104.25.48.99:443
chain.so
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
chain.so
  • 104.25.48.99
  • 104.25.47.99
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3832
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan[Banker]/Win32.RTM
3832
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.RTM.N (Redaman)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
FinCERT_BAPB_MLW2019061101.zip