Malware analysis onetap.rar Malicious activity | ANY.RUN

Add for printing

File name:	onetap.rar
Full analysis:	https://app.any.run/tasks/4020a9b6-2389-469f-869e-f144890e85e8
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	August 17, 2019, 13:40:14
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	evasion opendir loader
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	4ED4BC2EBDBEF22BFE47148E60C353CA
SHA1:	C092620605420BF30595762DE43D6B3BEE842DAA
SHA256:	80D69AA4DC29EB05FD64AA950E92963844DC6255EF2A43854B3D38358FD4424C
SSDEEP:	49152:vP9Bufux6GzCwL5a2HFe1ix9rnaYMV/vno7ZtvhJ8sLAdZuB3ZG8:9BvJzZ5ZJx9rnaZV/vo7Zt38s8nu1ZP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - yzh4alpite4.exe (PID: 2472)
  - sys_win_asdasdl.exe (PID: 3560)
  - DLL Injector.exe (PID: 2964)
  - Wmi64Update.exe (PID: 3296)
  - taskshell.exe (PID: 3516)
- Downloads executable files from IP
  - yzh4alpite4.exe (PID: 2472)
- Downloads executable files from the Internet
  - yzh4alpite4.exe (PID: 2472)
- Changes the login/logoff helper path in the registry
  - yzh4alpite4.exe (PID: 2472)
- Changes the autorun value in the registry
  - sys_win_asdasdl.exe (PID: 3560)
- Loads the Task Scheduler COM API
  - schtasks.exe (PID: 2100)
- Uses Task Scheduler to run other applications
  - sys_win_asdasdl.exe (PID: 3560)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3064)
  - DLL Injector.exe (PID: 2964)
  - yzh4alpite4.exe (PID: 2472)
  - sys_win_asdasdl.exe (PID: 3560)
- Creates files in the user directory
  - DLL Injector.exe (PID: 2964)
- Creates files in the program directory
  - sys_win_asdasdl.exe (PID: 3560)
- Starts CHOICE.EXE (used to create a delay)
  - cmd.exe (PID: 3204)
- Starts CMD.EXE for commands execution
  - yzh4alpite4.exe (PID: 2472)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3064	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\onetap.rar"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
2964	"C:\Users\admin\AppData\Local\Temp\Rar$EXa3064.23967\DLL Injector.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa3064.23967\DLL Injector.exe		WinRAR.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2472	"C:\Users\admin\AppData\Roaming\yzh4alpite4.exe"	C:\Users\admin\AppData\Roaming\yzh4alpite4.exe		DLL Injector.exe
User: admin Company: r0u0wnzgkgh Integrity Level: MEDIUM Description: ietghrwutmp Exit code: 0 Version: 8.2.6.2
3560	"C:\Users\admin\AppData\Local\Temp\sys_win_asdasdl.exe"	C:\Users\admin\AppData\Local\Temp\sys_win_asdasdl.exe		yzh4alpite4.exe
User: admin Integrity Level: MEDIUM Description: Build 1.6 pro Exit code: 0 Version: 1.0.0.0
3204	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\admin\AppData\Roaming\yzh4alpite4.exe	C:\Windows\System32\cmd.exe	—	yzh4alpite4.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4020	choice /C Y /N /D Y /T 3	C:\Windows\system32\choice.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Offers the user a choice Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3296	"C:\ProgramData\WMI Provider Host\Wmi64Update.exe"	C:\ProgramData\WMI Provider Host\Wmi64Update.exe	—	sys_win_asdasdl.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Provider Host Version: 10.0.17134.1
2100	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "WMI Host Updater" /tr "C:\ProgramData\WMI Provider Host\\Wmi64Update.exe" /f	C:\Windows\System32\schtasks.exe	—	sys_win_asdasdl.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3516	"C:\ProgramData\taskshell.exe"	C:\ProgramData\taskshell.exe	—	Wmi64Update.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Perflib Event Messages Version: 10.0.17134.1 (WinBuild.160101.0800)

Add for printing

Total events

1 386

Read events

1 312

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2472	yzh4alpite4.exe	C:\Users\admin\yzh4alpite4.exe		—
		MD5:—	SHA256:—
3560	sys_win_asdasdl.exe	C:\ProgramData\WMI Provider Host\WmiHost.exe		executable
		MD5:E72D9E00161D7EDE92730DA84F1FDC74	SHA256:110770DA318AA1884C9AD2F3A00A8761CFA076FA679D0F022DABB1DC360167DE
3560	sys_win_asdasdl.exe	C:\ProgramData\taskshell.exe		executable
		MD5:245B363E4CCD16ECD8442B60DFB44AFF	SHA256:D37C6FB632120B2DAE53CCAA4BEF644D19C608500EA96027247E329662A64A2A
3064	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3064.23967\onetap.dll		executable
		MD5:28968DC06C7457569DF6B6BDF608018F	SHA256:CD31E5611FAEF2D711B2C9BFA52654739D41BE47A530549258FF625CA2815E01
3560	sys_win_asdasdl.exe	C:\ProgramData\config.json		text
		MD5:C953421CFF315BFD649C2DBA9CC9ACC5	SHA256:B6C5E741FDB7A5685C3BAEE713912EA226CB4BE237798A6463A40750CC543521
3560	sys_win_asdasdl.exe	C:\ProgramData\WMI Provider Host\nvrtc64_100_0.dll		executable
		MD5:4D75E1F6D7AA5B4A6C0E5919387A48D2	SHA256:D2CBA3352A6EB26E7871BD1D7D66F24893ADEC7787A2707FCE08D640C2CAE9F0
3064	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3064.23967\patcher.dll		executable
		MD5:7739E2F32659C10FEEBF2BBC1EF2B32F	SHA256:24541E7483B98714E281FFF245C488D99647C2DB3A82BA655E146DCE4D8851F5
2472	yzh4alpite4.exe	C:\Users\admin\AppData\Local\Temp\sys_win_asdasdl.exe		executable
		MD5:2EB545210FDC7F283571E5990394F235	SHA256:32FF329DB7D7E6D3B5DEA0770EDC882FF8C119606E6D485DB0C7156461CF281D
2964	DLL Injector.exe	C:\Users\admin\AppData\Roaming\DLL Injector .exe		executable
		MD5:10AB8E4E0015E98C431B5AA4188DC782	SHA256:090C80C0C994B7E9560B27CA8B979C4CE723D5578788B3C404EDF11D49B9B96C
3560	sys_win_asdasdl.exe	C:\ProgramData\WMI Provider Host\Wmi64Update.exe		executable
		MD5:317A68FA2B5D95BCE3722DD67F1CC699	SHA256:1FE7C7B1F4FFB05E43CF09717783DC8D2599CE41C6E45B9D0222C3A0D8D29A00

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2472	yzh4alpite4.exe	GET	200	37.230.210.84:80	http://37.230.210.84/still/miner.exe	RU	executable	56.7 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2472	yzh4alpite4.exe	88.99.66.31:443	iplogger.org	Hetzner Online GmbH	DE	malicious
3560	sys_win_asdasdl.exe	145.14.145.130:443	cwnyfyxugire.000webhostapp.com	Hostinger International Limited	US	shared
2472	yzh4alpite4.exe	37.230.210.84:80	—	RS-Media LLC	RU	suspicious
3560	sys_win_asdasdl.exe	88.99.66.31:443	iplogger.org	Hetzner Online GmbH	DE	malicious

DNS requests

Domain	IP	Reputation
iplogger.org	88.99.66.31	shared
cwnyfyxugire.000webhostapp.com	145.14.145.130	shared

Threats

PID	Process	Class	Message
2472	yzh4alpite4.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] IP Check Domain SSL certificate
2472	yzh4alpite4.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] IP Check Domain SSL certificate
2472	yzh4alpite4.exe	A Network Trojan was detected	ET INFO Executable Download from dotted-quad Host
2472	yzh4alpite4.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
2472	yzh4alpite4.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2472	yzh4alpite4.exe	Potentially Bad Traffic	ET INFO SUSPICIOUS Dotted Quad Host MZ Response
—	—	Not Suspicious Traffic	ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
3560	sys_win_asdasdl.exe	Not Suspicious Traffic	ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
3560	sys_win_asdasdl.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] IP Check Domain SSL certificate
3560	sys_win_asdasdl.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] IP Check Domain SSL certificate

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

onetap.rar

4ED4BC2EBDBEF22BFE47148E60C353CA

C092620605420BF30595762DE43D6B3BEE842DAA

80D69AA4DC29EB05FD64AA950E92963844DC6255EF2A43854B3D38358FD4424C

49152:vP9Bufux6GzCwL5a2HFe1ix9rnaYMV/vno7ZtvhJ8sLAdZuB3ZG8:9BvJzZ5ZJx9rnaZV/vo7Zt38s8nu1ZP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Downloads executable files from IP

Downloads executable files from the Internet

Changes the login/logoff helper path in the registry

Changes the autorun value in the registry

Loads the Task Scheduler COM API

Uses Task Scheduler to run other applications

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Creates files in the program directory

Starts CHOICE.EXE (used to create a delay)

Starts CMD.EXE for commands execution

INFO

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings