File name: | Checker PornHub V0.1 - Sebastian.rar |
Full analysis: | https://app.any.run/tasks/c2254b2a-e3b9-4420-bdc5-a1d59ba9b2cb |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
Analysis date: | January 18, 2019, 12:44:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | F9A9D4C8685E67AE8CE62354B12CF525 |
SHA1: | 295B6E0B07973138F76E2A107D36424C2B007163 |
SHA256: | 825D2A217FD86F139E8AA0EADF8B0E9F5CB14AA872C5C405B07BB64FDA2C3E13 |
SSDEEP: | 49152:dhi74/b0FHWZy6rmIg1wBsLa4astH3kzyiT7fF3Gd0/P5ee6/D9xG/N/U/fUmsV:l/b0WZy6rmIJBsL5H3k2iT7fdY0H4/pk |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3000 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Checker PornHub V0.1 - Sebastian.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
612 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
3752 | "C:\Users\admin\Desktop\Checker PornHub V0.1 - Sebastian\Checker Pornhub 0.1.exe" | C:\Users\admin\Desktop\Checker PornHub V0.1 - Sebastian\Checker Pornhub 0.1.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Description: d87ff389-dc10-4c72-b59e-09cb5ec2e04 Version: 1.0.0.0 | ||||
3508 | "C:\Users\admin\sluPHLJdmMWM.exe" | C:\Users\admin\sluPHLJdmMWM.exe | Checker Pornhub 0.1.exe | |
User: admin Integrity Level: MEDIUM Description: Version: 0.0.0.0 | ||||
2652 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Checker Pornhub 0.1.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
3736 | "C:\Users\admin\iqsLXduaVPIU.exe" | C:\Users\admin\iqsLXduaVPIU.exe | sluPHLJdmMWM.exe | |
User: admin Company: Checker Pornhub 0.1 || Sebastian-Dark Integrity Level: MEDIUM Description: Checker Pornhub 0.1 || Sebastian-Dark Version: 1.0.0.0 | ||||
2728 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | sluPHLJdmMWM.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
2028 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3992 | "C:\Users\admin\AppData\Roaming\install\svhost.exe" | C:\Users\admin\AppData\Roaming\install\svhost.exe | — | vbc.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 | ||||
3568 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | — | Checker Pornhub 0.1.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 4294967295 Version: 8.0.50727.5420 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2652 | vbc.exe | C:\Users\admin\AppData\Local\Temp\admin2.txt | — | |
MD5:— | SHA256:— | |||
2028 | explorer.exe | C:\Users\admin\AppData\Local\Temp\admin7 | — | |
MD5:— | SHA256:— | |||
3752 | Checker Pornhub 0.1.exe | C:\Users\admin\sluPHLJdmMWM.exe | executable | |
MD5:B11FC0D05A9296CEC60C7029AF973228 | SHA256:D3415CF406849BFC521862A95FFB6E45EBCF7702EBAC5A41E2640E727BC8B46E | |||
2028 | explorer.exe | C:\Users\admin\AppData\Local\Temp\admin8 | text | |
MD5:BC9047A7C32A7E1BC80058D671885D72 | SHA256:0B0BC66B360E003722510155F2182C6853F32011ED956081AC64D82D12C47AF8 | |||
3000 | WinRAR.exe | C:\Users\admin\Desktop\Checker PornHub V0.1 - Sebastian\Checker Pornhub 0.1.exe | executable | |
MD5:FFEC9602B12D8CCE0D77B8F8A599DAD2 | SHA256:B706BF4FB3EC7D5700820334F55371EEB97FEC863D18B00A12F3E0BD40B0A5D7 | |||
3508 | sluPHLJdmMWM.exe | C:\Users\admin\iqsLXduaVPIU.exe | executable | |
MD5:5548E4FF94D0A38DC4E3AB717BF90CAD | SHA256:B997C78442B04D825F437BBC7C9285480403524FC0CA53B9527285D9A4D84B23 | |||
3000 | WinRAR.exe | C:\Users\admin\Desktop\Checker PornHub V0.1 - Sebastian\Instrucciones.txt | text | |
MD5:F6B98DB8F1A3241E334DFE2A780988B7 | SHA256:B7DF8A041788A91F91833A30735D7FF74A270EFC819948FFF9D2D876C7425309 | |||
2028 | explorer.exe | C:\Users\admin\AppData\Roaming\C4BA3647\ak.tmp | text | |
MD5:1E22D05CB2D93C1F1E06552FBC3FF9BE | SHA256:D7BCF59CCF97FA9E1CF71C10972D049C44B811D85A2CFEE84BAD8358C8B6064E | |||
2652 | vbc.exe | C:\Users\admin\AppData\Roaming\install\svhost.exe | executable | |
MD5:34AA912DEFA18C2C129F1E09D75C1D7E | SHA256:6DF94B7FA33F1B87142ADC39B3DB0613FC520D9E7A5FD6A5301DD7F51F8D0386 | |||
3000 | WinRAR.exe | C:\Users\admin\Desktop\Checker PornHub V0.1 - Sebastian\xNet.dll | executable | |
MD5:AC1DCEDDBC66A1AB7915AC9931F0CFEC | SHA256:CC949931EF9533ADCED83F3D58862E9732E5DB7AD17B5FD4CB9D209A99EDB592 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3408 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3408 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3408 | iexplore.exe | 104.27.129.19:443 | darkcracking.com | Cloudflare Inc | US | shared |
4088 | iexplore.exe | 104.27.129.19:443 | darkcracking.com | Cloudflare Inc | US | shared |
3736 | iqsLXduaVPIU.exe | 104.27.129.19:443 | darkcracking.com | Cloudflare Inc | US | shared |
4088 | iexplore.exe | 209.197.3.15:443 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted |
4088 | iexplore.exe | 88.208.41.104:443 | xl-trk.com | DataWeb Global Group B.V. | NL | unknown |
4088 | iexplore.exe | 217.16.184.198:443 | www.smartsuppchat.com | VSHosting s.r.o. | CZ | unknown |
4088 | iexplore.exe | 151.101.120.193:443 | i.imgur.com | Fastly | US | malicious |
4088 | iexplore.exe | 31.172.81.242:443 | sync.users-api.com | First Colo GmbH | DE | unknown |
4088 | iexplore.exe | 92.223.97.97:443 | st-n.ads3-adnow.com | G-Core Labs S.A. | LU | suspicious |
Domain | IP | Reputation |
---|---|---|
darkcracking.com |
| unknown |
www.bing.com |
| whitelisted |
maxcdn.bootstrapcdn.com |
| whitelisted |
i.imgur.com |
| shared |
st-n.ads3-adnow.com |
| suspicious |
st-n.ads1-adnow.com |
| suspicious |
xl-trk.com |
| unknown |
sync.users-api.com |
| unknown |
www.smartsuppchat.com |
| whitelisted |
connect.facebook.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2028 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] Cybergate/Rebhip/Spyrat Backdoor |
2028 | explorer.exe | A Network Trojan was detected | ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive |
2028 | explorer.exe | A Network Trojan was detected | ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive Response |
2028 | explorer.exe | A Network Trojan was detected | ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive |
2028 | explorer.exe | A Network Trojan was detected | ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive Response |
2028 | explorer.exe | A Network Trojan was detected | ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive |
2028 | explorer.exe | A Network Trojan was detected | ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive Response |