File name: Kog.avia.zakaz.85.rar
Full analysis: https://app.any.run/tasks/62d6fde7-d689-470c-8b56-fc25b461deae
Verdict: Malicious activity
Threats: loader

A loader is malicious software that infiltrates a device in order to deliver a further payload. It can profile the infected system and install other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to get the user to download and run the file. Loaders employ evasion and persistence tactics to avoid detection. In this task the loader is the JScript file carried inside the archive: once the user runs it, it downloads the Troldesh/Shade payload from solutionpc.be and executes it, as the process and network sections below show.

Analysis date: April 24, 2019, 07:45:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, ransomware, troldesh, shade
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5: 0209EC940DD3C36D159E51CE9B12E097
SHA1: 323C084FD6887D13981B7BE7A2E5CACF5FDDDE2A
SHA256: 83783F2581728186F7C1180B0CA6F295B179792DCA0CC59229770C6E02021589
SSDEEP: 24:HHPyS+T9T1ohtyYBtbar9CWH1SjkFUvWPS1+/LvR22vS+72DLRfvRsM2K2W:Kd51EtyYXer4WAh+P0C7R2z+ELRXRR2K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process: radBC93E.tmp (PID: 1276)
    • Changes the autorun value in the registry: radBC93E.tmp (PID: 1276)
    • Downloads executable files with a strange extension: WScript.exe (PID: 3120)
    • Downloads executable files from the Internet: WScript.exe (PID: 3120)
    • TROLDESH was detected: radBC93E.tmp (PID: 1276)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution: WScript.exe (PID: 3120)
    • Creates files in the user directory: WScript.exe (PID: 3120)
    • Starts application with an unusual extension: cmd.exe (PID: 3360)
    • Executable content was dropped or overwritten: WScript.exe (PID: 3120), radBC93E.tmp (PID: 1276)
    • Creates files in the program directory: radBC93E.tmp (PID: 1276)
  • INFO
    • Dropped object may contain Bitcoin addresses: radBC93E.tmp (PID: 1276)
No Malware configuration.

TRiD
  .rar | RAR compressed archive (v-4.x) (58.3%)
  .rar | RAR compressed archive (gen) (41.6%)
Total processes: 37
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process chain, parents taken from the process table below; "no specs" marks a process with no specific signature):

  explorer.exe -> winrar.exe (no specs)
  explorer.exe -> wscript.exe -> cmd.exe (no specs) -> radbc93e.tmp (#TROLDESH)

Process information

PID 3584  WinRAR.exe  (parent: explorer.exe)
  Command line: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Kog.avia.zakaz.85.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3120  WScript.exe  (parent: explorer.exe)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\ООО Авиакомпания Когалымавиа информация о заказе.js"
  (the script name is Russian for "Kogalymavia Airline LLC order information.js"; it was launched from the Desktop after being taken out of the archive)
  Path: C:\Windows\System32\WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 3360  cmd.exe  (parent: WScript.exe)
  Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radBC93E.tmp
  Path: C:\Windows\System32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1276  radBC93E.tmp  (parent: cmd.exe)  #TROLDESH
  Command line: C:\Users\admin\AppData\Local\Temp\radBC93E.tmp
  Path: C:\Users\admin\AppData\Local\Temp\radBC93E.tmp
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Enhanced Storage Password Authentication Program
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Note: the Company, Description and Version fields are whatever each file's own version resource says. For radBC93E.tmp they imitate a Microsoft system component, but the file is the payload that WScript.exe downloaded as 1.pdf (it has the same MD5/SHA256 as the cached 1[1].pdf in the dropped-files section) and then ran through cmd.exe /c. CreateProcess loads a PE image regardless of its file extension, so the .tmp name does nothing to stop it from executing; only the extension-based signatures notice it.
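The four processes above form one short chain: a script host starts cmd.exe, cmd.exe /c starts a file with a non-program extension out of %TEMP%, and that file is the ransomware. The following detector is an added example of encoding those three report signatures ("Starts CMD.EXE for commands execution", "Starts application with an unusual extension", and the dropped-then-launched .tmp) as rules over process-creation events. It is my code, not ANY.RUN's; the event list is transcribed from the process table, explorer.exe's own PID and parent (1400/1000) are assumed because the report does not list them, and the field names loosely follow Sysmon Event ID 1 rather than any vendor schema.

```python
"""Detect the script-host -> cmd.exe -> %TEMP%\\*.tmp launch chain from process-creation events.

Added example for this report, not ANY.RUN code. EVENTS is transcribed from the
process table (PIDs, images, command lines, parents); explorer.exe's PID and
parent are assumed. Field names follow Sysmon Event ID 1 loosely (assumption).
"""
import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions that are normally launched as programs; anything else started as
# an image is "an application with an unusual extension".
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Target of 'cmd.exe /c <target ...>', quoted or bare.
CMD_C_RE = re.compile(r'/c\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def ancestors(by_pid, pid, limit=8):
    """The process followed by its parents, stopping at a PID we have no event for."""
    chain = []
    e = by_pid.get(pid)
    while e is not None and len(chain) < limit:
        chain.append(e)
        e = by_pid.get(e.ppid)
    return chain


def analyze(events):
    """Return (rule, detail) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: a script host starts the command processor.
        if parent and _name(parent.image) in SCRIPT_HOSTS and _name(e.image) == "cmd.exe":
            findings.append(("script_host_spawns_cmd",
                             f"{_name(parent.image)}({parent.pid}) -> cmd.exe({e.pid})"))
        # Rule 2: cmd.exe /c points at a non-executable extension under %TEMP%.
        if _name(e.image) == "cmd.exe":
            m = CMD_C_RE.search(e.cmdline)
            target = (m.group(1) or m.group(2)) if m else None
            if target and _ext(target) not in EXEC_EXTENSIONS and TEMP_RE.search(target):
                findings.append(("cmd_launches_nonexe_in_temp", target))
        # Rule 3: the new image has a non-executable extension and its parent is
        # cmd.exe whose parent is a script host (the chain actually seen here).
        if _ext(e.image) not in EXEC_EXTENSIONS:
            chain = ancestors(by_pid, e.pid)
            names = [_name(c.image) for c in chain]
            if len(names) >= 3 and names[1] == "cmd.exe" and names[2] in SCRIPT_HOSTS:
                findings.append(("nonexe_image_from_script_chain",
                                 " -> ".join(f"{_name(c.image)}({c.pid})" for c in reversed(chain[:3]))))
    return findings


EVENTS = [  # transcribed from the report; explorer.exe PIDs 1400/1000 are assumed
    ProcEvent(1400, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3584, 1400, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Kog.avia.zakaz.85.rar"'),
    ProcEvent(3120, 1400, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\ООО Авиакомпания Когалымавиа информация о заказе.js"'),
    ProcEvent(3360, 3120, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radBC93E.tmp'),
    ProcEvent(1276, 3360, r"C:\Users\admin\AppData\Local\Temp\radBC93E.tmp",
              r"C:\Users\admin\AppData\Local\Temp\radBC93E.tmp"),
]

# Constructed benign control: explorer runs cmd.exe on a .bat outside %TEMP%.
BENIGN_EVENTS = [
    ProcEvent(1400, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1400, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c C:\Users\admin\build.bat'),
]

if __name__ == "__main__":
    for rule, detail in analyze(EVENTS):
        print(f"{rule:32} {detail}")
```

Rule 2 fires from cmd.exe's command line alone, before the child process exists, which is the earliest point at which an endpoint agent could block this chain; rule 3 confirms it once the .tmp image is actually created.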
Total events: 479 (read 446, write 33, delete 0)

Modification events (all registry writes by PID 3584, WinRAR.exe)

Key                                                        Name                                    Value
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes         ShellExtBMP                             (empty)
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes         ShellExtIcon                            (empty)
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E      LanguageList                            en-US
HKEY_CURRENT_USER\Software\WinRAR\Interface                ShowPassword                            1
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory               0                                       C:\Users\admin\Desktop\Kog.avia.zakaz.85.rar
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  name                                  120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  size                                  80
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  type                                  120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths  mtime                                 100
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E      @C:\Windows\System32\wshext.dll,-4804   JScript Script File

Every event listed here is WinRAR's own UI state; the MuiCache entry for wshext.dll is the shell resolving the display name "JScript Script File" for the extracted .js. The autorun change that the indicators attribute to radBC93E.tmp (PID 1276) is not among these ten events, which are only a subset of the 33 write events counted above.
Executable files: 3
Suspicious files: 0
Text files: 14
Unknown types: 1

Dropped files

PID   Process        Filename                                                                                                  Type
3584  WinRAR.exe     C:\Users\admin\AppData\Local\Temp\Rar$DRb3584.47728\ООО Авиакомпания Когалымавиа информация о заказе.js   (not listed)
      MD5: (not listed)   SHA256: (not listed)
1276  radBC93E.tmp   C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp                                                    (not listed)
      MD5: (not listed)   SHA256: (not listed)
1276  radBC93E.tmp   C:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp                           (not listed)
      MD5: (not listed)   SHA256: (not listed)
1276  radBC93E.tmp   C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp                                             (not listed)
      MD5: (not listed)   SHA256: (not listed)
1276  radBC93E.tmp   C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp                               (not listed)
      MD5: (not listed)   SHA256: (not listed)
3120  WScript.exe    C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1[1].pdf     executable
      MD5: 46D391CB2A6C43CEE82609EE33FB371B
      SHA256: 83402D37DDB5EDDFA17C102BDF00B8BC095DDF47173E0069A0327D28DC040E11
1276  radBC93E.tmp   C:\Users\admin\AppData\Local\Temp\6893A5~1\state                                                          text
      MD5: 9422E616DBF3695CCBBAB46119E00951
      SHA256: 68C47D1C601D7E202DC48A6FA9C4B8EC3E8CEA79C60A4A95511D885869BE7CAC
3120  WScript.exe    C:\Users\admin\AppData\Local\Temp\radBC93E.tmp                                                            executable
      MD5: 46D391CB2A6C43CEE82609EE33FB371B
      SHA256: 83402D37DDB5EDDFA17C102BDF00B8BC095DDF47173E0069A0327D28DC040E11
1276  radBC93E.tmp   C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-certs                                                   text
      MD5: DED3EE772A771AE86D5F16102087B7AD
      SHA256: 1C9810D551225170A13DDA1F9003CA7FF135DE4288E5487C7186F4AC9FCA0BE3
1276  radBC93E.tmp   C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensus                                     text
      MD5: 3D5883A84509D285D759824399471ABF
      SHA256: 89AFFA87619012853AB13DE7F7CA7A82382F13FFEEA0D36EB2A392A61CD985C7

Two things to read out of this table. First, the cached 1[1].pdf and the launched radBC93E.tmp carry identical MD5 and SHA256 values: the "PDF" fetched from solutionpc.be is the executable that WScript.exe wrote to %TEMP% and ran, and the Content.IE5 cache path shows the download went through WinINet. Second, the files radBC93E.tmp writes under Temp\6893A5D897 (6893A5~1 is the same directory in 8.3 short form) are a Tor client's data-directory files: state, cached-certs, cached-microdesc-consensus and unverified-microdesc-consensus, each first staged as <name>.tmp and then renamed. That is consistent with the Tor relay connections in the network section.
HTTP(S) requests: 1
TCP/UDP connections: 13
DNS requests: 2
Threats: 0 (summary value as shown; the Threats table below lists ten IDS alerts)

HTTP requests

PID   Process      Method  HTTP code  IP                URL                                      CN  Type        Size    Reputation
3120  WScript.exe  GET     200        213.186.33.48:80  http://solutionpc.be/modules/php/1.pdf   FR  executable  982 Kb  malicious
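The single HTTP request is the whole delivery: a GET for a .pdf that returns a 982 Kb body the sandbox types as executable, which is what the IDS alerts in the Threats section ("Likely Evil EXE download from MSXMLHTTP non-exe extension", "Executable as PDF") key on. The following is an added example of how to make that call from captured bytes, in my own code rather than ANY.RUN's or any IDS vendor's: it checks the DOS header's e_lfanew for a real PE signature rather than just a leading "MZ", compares the sniffed type with the extension in the URL, and groups dropped files by SHA256 so that one object saved under two names (here 1[1].pdf and radBC93E.tmp) shows up as one. The PE and PDF byte strings are constructed stand-ins, not the real sample; the "PE" is only a header skeleton, not a loadable program.

```python
"""Sniff the real type of a downloaded object and compare it with its declared extension.

Added example for this report, not ANY.RUN or IDS-vendor code. FAKE_PE and
FAKE_PDF are constructed: the PE is just a DOS stub pointing at a PE signature,
enough to exercise the check, and not a runnable program.
"""
import hashlib
import posixpath
import struct
from urllib.parse import urlsplit

PE_SIGNATURE = b"PE\0\0"
EXEC_EXTENSIONS = {"exe", "dll", "scr", "com", "sys", "cpl"}


def is_pe(data: bytes) -> bool:
    """True when the DOS header's e_lfanew points at a PE signature inside the buffer.
    Testing for a leading 'MZ' alone would also match text that happens to start with it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def sniff_kind(data: bytes) -> str:
    if is_pe(data):
        return "executable"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"Rar!\x1a\x07"):
        return "rar"
    return "unknown"


def declared_ext(url: str) -> str:
    name = posixpath.basename(urlsplit(url).path)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def triage_download(url: str, data: bytes) -> dict:
    """Flag a PE body delivered under a non-executable name (the 'Executable as PDF' case)."""
    ext = declared_ext(url)
    kind = sniff_kind(data)
    return {
        "url": url,
        "declared_ext": ext,
        "sniffed": kind,
        "sha256": hashlib.sha256(data).hexdigest(),
        "executable_masquerade": kind == "executable" and ext not in EXEC_EXTENSIONS,
    }


def correlate_dropped(dropped):
    """Group (name, bytes) pairs by SHA256; return only hashes seen under more than one name."""
    by_hash = {}
    for name, data in dropped:
        by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def build_fake_pe() -> bytes:
    """Constructed 128-byte stand-in: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at offset 0x40."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = PE_SIGNATURE
    return bytes(hdr)


FAKE_PE = build_fake_pe()
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"  # constructed

if __name__ == "__main__":
    print(triage_download("http://solutionpc.be/modules/php/1.pdf", FAKE_PE))
    # Mirrors the dropped-files table: one body, two names, plus an unrelated file.
    print(correlate_dropped([("1[1].pdf", FAKE_PE), ("radBC93E.tmp", FAKE_PE), ("state", b"constructed")]))
```

Type sniffing on the response body is what lets a proxy or IDS catch this without knowing the URL in advance; the same check applied to files written to disk catches the second copy under %TEMP%.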

Connections

PID   Process       IP:port                Domain            ASN                                                          CN  Reputation
3120  WScript.exe   213.186.33.48:80       solutionpc.be     OVH SAS                                                      FR  suspicious
1276  radBC93E.tmp  131.188.40.189:443                       Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.  DE  malicious
3120  WScript.exe   95.216.112.32:443      dsilvaonline.com  Hetzner Online GmbH                                          DE  suspicious
1276  radBC93E.tmp  208.83.223.34:80                         Applied Operations, LLC                                      US  malicious
1276  radBC93E.tmp  154.35.32.5:443                          Rethem Hosting LLC                                           US  suspicious
1276  radBC93E.tmp  128.31.0.39:9101                         Massachusetts Institute of Technology                        US  malicious
1276  radBC93E.tmp  76.73.17.194:9090                        Cogent Communications                                        US  malicious
1276  radBC93E.tmp  144.76.96.6:9001                         Hetzner Online GmbH                                          DE  suspicious
1276  radBC93E.tmp  148.251.193.183:9001                     Hetzner Online GmbH                                          DE  suspicious
1276  radBC93E.tmp  193.106.166.105:19001                    Fiberby ApS                                                  DK  suspicious

DNS requests

Domain            IP              Reputation
dsilvaonline.com  95.216.112.32   suspicious
solutionpc.be     213.186.33.48   malicious
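Only two names were resolved, and both belong to WScript.exe. Every connection from radBC93E.tmp goes to a raw IP that no DNS query preceded, on ports such as 9001, 9090, 9101 and 19001 alongside 443, which is how a bundled Tor client behaves when it bootstraps from its hard-coded directory authorities and then contacts relays from the consensus it just cached. The following is an added example of turning that observation into a triage rule over the connection, DNS and dropped-file tables; it is my heuristic, not one of ANY.RUN's or Emerging Threats' signatures. The data structures are transcribed from this report, the thresholds are assumptions, and the port set mixes Tor's default ORPort/DirPort (9001, 9030) with the ports seen here rather than being any authoritative relay list.

```python
"""Flag a Tor-like client from the report's connection, DNS and dropped-file tables.

Added example, not ANY.RUN's signatures. CONNECTIONS, DNS and DROPPED are
transcribed from the report; RELAY_STYLE_PORTS and min_unresolved are my
assumptions for the heuristic, not ground truth about Tor relays.
"""
import ntpath
from collections import defaultdict

RELAY_STYLE_PORTS = {9001, 9030, 9090, 9101, 19001}
# Files a Tor client keeps in its DataDirectory; each is written as <name>.tmp and renamed.
TOR_DATADIR_FILES = {"state", "cached-certs", "cached-microdesc-consensus",
                     "unverified-microdesc-consensus", "cached-microdescs"}

CONNECTIONS = [  # (pid, process, ip, port, domain or None), from the Connections table
    (3120, "WScript.exe", "213.186.33.48", 80, "solutionpc.be"),
    (1276, "radBC93E.tmp", "131.188.40.189", 443, None),
    (3120, "WScript.exe", "95.216.112.32", 443, "dsilvaonline.com"),
    (1276, "radBC93E.tmp", "208.83.223.34", 80, None),
    (1276, "radBC93E.tmp", "154.35.32.5", 443, None),
    (1276, "radBC93E.tmp", "128.31.0.39", 9101, None),
    (1276, "radBC93E.tmp", "76.73.17.194", 9090, None),
    (1276, "radBC93E.tmp", "144.76.96.6", 9001, None),
    (1276, "radBC93E.tmp", "148.251.193.183", 9001, None),
    (1276, "radBC93E.tmp", "193.106.166.105", 19001, None),
]
DNS = {"dsilvaonline.com": {"95.216.112.32"}, "solutionpc.be": {"213.186.33.48"}}
DROPPED = [  # (pid, path), from the Dropped files table
    (1276, r"C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp"),
    (1276, r"C:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp"),
    (1276, r"C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp"),
    (1276, r"C:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp"),
    (3120, r"C:\Users\admin\AppData\Local\Temp\radBC93E.tmp"),
    (1276, r"C:\Users\admin\AppData\Local\Temp\6893A5~1\state"),
    (1276, r"C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-certs"),
    (1276, r"C:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensus"),
]


def profile_connections(connections, dns):
    """Per process: distinct peers, peers never returned by an observed DNS answer, relay-style ports."""
    resolved = set().union(*dns.values()) if dns else set()
    per_proc = defaultdict(lambda: {"peers": set(), "unresolved": set(), "relay_ports": set()})
    for pid, name, ip, port, _domain in connections:
        p = per_proc[(pid, name)]
        p["peers"].add(ip)
        if ip not in resolved:
            p["unresolved"].add(ip)
        if port in RELAY_STYLE_PORTS:
            p["relay_ports"].add(port)
    return per_proc


def tor_datadir_evidence(dropped, pid):
    """Tor DataDirectory file names the process wrote, with the .tmp staging suffix stripped."""
    seen = set()
    for dpid, path in dropped:
        if dpid != pid:
            continue
        base = ntpath.basename(path)
        if base.endswith(".tmp"):
            base = base[:-4]
        if base in TOR_DATADIR_FILES:
            seen.add(base)
    return sorted(seen)


def flag_tor_clients(connections, dns, dropped, min_unresolved=3):
    """(pid, process, sorted relay-style ports, unresolved peer count, datadir files) per suspect."""
    out = []
    for (pid, name), p in profile_connections(connections, dns).items():
        if len(p["unresolved"]) >= min_unresolved and p["relay_ports"]:
            out.append((pid, name, sorted(p["relay_ports"]), len(p["unresolved"]),
                        tor_datadir_evidence(dropped, pid)))
    return out


if __name__ == "__main__":
    for row in flag_tor_clients(CONNECTIONS, DNS, DROPPED):
        print(row)
```

Neither half is conclusive alone: non-standard ports and raw-IP connections also describe legitimate P2P or update clients, and the data-directory file names could be coincidence. Together, and attached to a process that was itself dropped and launched from %TEMP%, they are strong enough to escalate, and they explain why the IDS hits for this PID are all Tor relay and Tor SSL rules rather than a named C2 signature.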

Threats (IDS alerts)

PID   Process       Class                                 Message
3120  WScript.exe   Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
3120  WScript.exe   A Network Trojan was detected          ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3120  WScript.exe   A Network Trojan was detected          MALWARE [PTsecurity] JS/Agent.WL2!Eldorado Executable as PDF
1276  radBC93E.tmp  Misc Attack                            ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 123
1276  radBC93E.tmp  Potential Corporate Privacy Violation  POLICY [PTsecurity] TOR SSL connection
1276  radBC93E.tmp  Misc activity                          ET POLICY TLS possible TOR SSL traffic
1276  radBC93E.tmp  Potential Corporate Privacy Violation  POLICY [PTsecurity] TOR SSL connection
1276  radBC93E.tmp  Misc Attack                            ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 150
1276  radBC93E.tmp  Misc Attack                            ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 156
1276  radBC93E.tmp  Misc Attack                            ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 276