File name: IRC-Worm.Win32.Fagot.zip

Full analysis: https://app.any.run/tasks/1e19ba3e-3ce1-4f37-a240-ba29a375fa2e
Verdict: Malicious activity
Analysis date: May 19, 2024, 20:02:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 2BF50419DDFB8EBC93ECEE03A6766383
SHA1: DC7E4868A7239FFDE67357DF6D1181ACE872C780
SHA256: 8590A818DA9EF7E3DCB5A5AF61FECF17BF0A93B7BB4107EE6DF5E1C5D8E45480
SSDEEP: 6144:yBd2WUsoef3PXIofg2AVXT8KVCdVd33GFGwPLKXpDae0jp:qd1TJIhVXoRdvnYGwPLMae0l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3980)
      • Skype-Setup.exe (PID: 1548)
      • Skype-Setup.exe (PID: 2188)
      • Skype-Setup.tmp (PID: 856)
      • fagot.exe (PID: 952)
    • Changes the login/logoff helper path in the registry

      • fagot.exe (PID: 820)
      • fagot.exe (PID: 952)
    • Creates a writable file in the system directory

      • fagot.exe (PID: 952)
    • Changes the autorun value in the registry

      • fagot.exe (PID: 952)
    • Deletes the SafeBoot registry key

      • fagot.exe (PID: 952)
  • SUSPICIOUS

    • Application launched itself

      • Skype.exe (PID: 1764)
    • Reads the Internet Settings

      • Skype.exe (PID: 1764)
      • Skype-Setup.tmp (PID: 856)
    • Executable content was dropped or overwritten

      • Skype-Setup.exe (PID: 1548)
      • Skype-Setup.exe (PID: 2188)
      • Skype-Setup.tmp (PID: 856)
      • fagot.exe (PID: 952)
    • Reads the Windows owner or organization settings

      • Skype-Setup.tmp (PID: 856)
      • fagot.exe (PID: 952)
    • Searches for installed software

      • Skype-Setup.tmp (PID: 856)
    • The process drops C-runtime libraries

      • Skype-Setup.tmp (PID: 856)
    • Reads security settings of Internet Explorer

      • Skype-Setup.tmp (PID: 856)
    • Uses TASKKILL.EXE to kill process

      • Skype-Setup.tmp (PID: 856)
    • Process drops legitimate windows executable

      • Skype-Setup.tmp (PID: 856)
    • Changes the Home page of Internet Explorer

      • fagot.exe (PID: 952)
    • Reads the date of Windows installation

      • fagot.exe (PID: 952)
    • Changes the title of the Internet Explorer window

      • fagot.exe (PID: 952)
  • INFO

    • Checks supported languages

      • fagot.exe (PID: 820)
      • Skype.exe (PID: 1764)
      • Skype.exe (PID: 1368)
      • Skype.exe (PID: 1424)
      • Skype.exe (PID: 2068)
      • Skype-Setup.exe (PID: 1548)
      • Skype.exe (PID: 2268)
      • Skype-Setup.exe (PID: 2188)
      • Skype-Setup.tmp (PID: 2124)
      • Skype.exe (PID: 2508)
      • wmpnscfg.exe (PID: 1900)
      • Skype-Setup.tmp (PID: 856)
      • fagot.exe (PID: 952)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3980)
    • Manual execution by a user

      • Skype.exe (PID: 1764)
      • fagot.exe (PID: 820)
      • wmpnscfg.exe (PID: 1900)
      • fagot.exe (PID: 952)
      • fagot.exe (PID: 1480)
      • firefox.exe (PID: 1644)
    • Reads product name

      • Skype.exe (PID: 1764)
    • Reads the computer name

      • Skype.exe (PID: 1764)
      • Skype.exe (PID: 1424)
      • Skype.exe (PID: 2068)
      • Skype.exe (PID: 2268)
      • Skype-Setup.tmp (PID: 2124)
      • Skype.exe (PID: 2508)
      • wmpnscfg.exe (PID: 1900)
      • Skype-Setup.tmp (PID: 856)
      • fagot.exe (PID: 952)
    • Reads Environment values

      • Skype.exe (PID: 1764)
      • fagot.exe (PID: 952)
    • Reads CPU info

      • Skype.exe (PID: 1764)
    • Creates files or folders in the user directory

      • Skype.exe (PID: 1764)
    • Create files in a temporary directory

      • Skype-Setup.exe (PID: 2188)
      • Skype-Setup.tmp (PID: 856)
      • Skype-Setup.exe (PID: 1548)
    • Creates files in the program directory

      • Skype-Setup.tmp (PID: 856)
    • Reads Windows Product ID

      • fagot.exe (PID: 952)
    • Application launched itself

      • firefox.exe (PID: 2780)
      • firefox.exe (PID: 1644)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:12:03 12:37:30
ZipCRC: 0xd833ef6f
ZipCompressedSize: 186354
ZipUncompressedSize: 381952
ZipFileName: IRC-Worm.Win32.Fagot.a
No data.
All screenshots are available in the full report
Total processes: 65
Monitored processes: 22
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Process start order (from the behavior graph): winrar.exe, fagot.exe, skype.exe, skype.exe, skype.exe (no specs), skype.exe (no specs), skype-setup.exe, skype.exe (no specs), skype-setup.tmp (no specs), skype.exe (no specs), wmpnscfg.exe (no specs), skype-setup.exe, skype-setup.tmp, taskkill.exe (no specs), fagot.exe (no specs), fagot.exe, firefox.exe (no specs), firefox.exe, firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs), firefox.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 820
CMD: "C:\Users\admin\Desktop\fagot.exe"
Path: C:\Users\admin\Desktop\fagot.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\users\admin\desktop\fagot.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 856
CMD: "C:\Users\admin\AppData\Local\Temp\is-QI7A2.tmp\Skype-Setup.tmp" /SL5="$30204,88729071,404480,C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /SPAWNWND=$201BC /NOTIFYWND=$60182 /silent !desktopicon
Path: C:\Users\admin\AppData\Local\Temp\is-QI7A2.tmp\Skype-Setup.tmp
Parent process: Skype-Setup.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 5
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-qi7a2.tmp\skype-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 952
CMD: "C:\Users\admin\Desktop\fagot.exe"
Path: C:\Users\admin\Desktop\fagot.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\desktop\fagot.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 1368
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad" --url=appcenter://generic?aid=a7417433-29d9-4bc0-8826-af367733939d&iid=ad142ee9-ecfe-4580-ec0f-259fb963ccd2&uid=ad142ee9-ecfe-4580-ec0f-259fb963ccd2 --annotation=IsOfficialBuild=1 --annotation=_companyName=Skype --annotation=_productName=skype-preview --annotation=_version=8.110.0.215 "--annotation=exe=C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=19.1.8 --initial-client-data=0x32c,0x330,0x334,0x328,0x338,0x7b8c2d8,0x7b8c2e8,0x7b8c2f4
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 1
Version: 8.110.0.215
Modules (images):
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1424
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1320 --field-trial-handle=1336,i,18422754130700279209,449581166882106587,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: LOW
Description: Skype
Exit code: 0
Version: 8.110.0.215
Modules (images):
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1480
CMD: "C:\Users\admin\Desktop\fagot.exe"
Path: C:\Users\admin\Desktop\fagot.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\desktop\fagot.exe
c:\windows\system32\ntdll.dll
PID: 1548
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /silent !desktopicon
Path: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype Setup
Exit code: 5
Version: 8.110.0.218
Modules (images):
c:\users\admin\appdata\roaming\microsoft\skype for desktop\skype-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 1644
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 115.0.2
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 1764
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe"
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: explorer.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 1
Version: 8.110.0.215
Modules (images):
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 1888
CMD: "C:\Windows\System32\taskkill.exe" /f /im Skype.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: Skype-Setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
Total events: 20 092
Read events: 14 299
Write events: 53
Delete events: 5 740

Modification events

(PID) Process | Operation | Key | Name | Value
(3980) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
(3980) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
(3980) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US
(3980) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\phacker.zip
(3980) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3980) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(3980) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\IRC-Worm.Win32.Fagot.zip
(3980) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(3980) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(3980) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
Executable files: 108
Suspicious files: 15
Text files: 8
Unknown types: 4

Dropped files

PID | Process | Filename | Type
1764 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\ecscache.json | binary
MD5: 0D8FA4FE4E295FD23A0BA369316EEC24
SHA256: DBC7E23D680CF96714E9E303EC42EE78C9B858DA7500CEDD75765444B64F53D2
1764 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\settings.dat | binary
MD5: 3B2AEFD32F61DB8110091B81A16A9AD1
SHA256: 27A6D2020F45CD9D3F4DFCF837EC661A1D997B08D23E3CB41B94186C21A50B37
856 | Skype-Setup.tmp | C:\Program Files\Microsoft\Skype for Desktop\is-5R92O.tmp | executable
MD5: 55364BFEA54A03CCBA0F0400DF3D629F
SHA256: 94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE
1548 | Skype-Setup.exe | C:\Users\admin\AppData\Local\Temp\is-V0NP7.tmp\Skype-Setup.tmp | executable
MD5: 55364BFEA54A03CCBA0F0400DF3D629F
SHA256: 94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE
2188 | Skype-Setup.exe | C:\Users\admin\AppData\Local\Temp\is-QI7A2.tmp\Skype-Setup.tmp | executable
MD5: 55364BFEA54A03CCBA0F0400DF3D629F
SHA256: 94B0E7DCDE2CBE4543EB28111FC5567EA622437F5A58A5E716BB7CFE0BF8DFAE
1764 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG | text
MD5: AD64FBCDFD727F39794641CE9B99F62B
SHA256: 4FCB26F67D1DB6DC52A29580A8765F71E4FFED616F4BE6BFDC449FC5CA5F5122
3980 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3980.29326\IRC-Worm.Win32.Fagot.a | executable
MD5: 30CDAB5CF1D607EE7B34F44AB38E9190
SHA256: 1517527C1D705A6EBC6EC9194AA95459E875AC3902A9F4AAB3BF24B6A6F8407F
1764 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old~RF109f7e.TMP | text
MD5: FF878337359379694741312E6B39EF79
SHA256: AFDE1D769112411CE68EBA5A2821FED0E058B8A31D0795F6047718DD324B3C8F
1764 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\settings.json | binary
MD5: 8AAB3FFA37C9CEF3FF1B107AE8FD1335
SHA256: AB9B6A671A41D213308E5D83C4DC72F090C25CD97392CB43A6EEF2FB55159833
1764 | Skype.exe | C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Local Storage\leveldb\LOG.old | text
MD5: AEAB6EEF48334E4749D630894ADCA674
SHA256: 7B1139E4ABA3CF16CA2C097DC19F515B73C934315CC497769B6627C6252AE264
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
(not listed) | (not listed) | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1764 | Skype.exe | 52.113.194.133:443 | get.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1764 | Skype.exe | 13.107.42.16:443 | a.config.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1764 | Skype.exe | 184.28.88.180:443 | download.skype.com | AKAMAI-AS | US | unknown

DNS requests

Domain | IP | Reputation
get.skype.com | 52.113.194.133 | whitelisted
a.config.skype.com | 13.107.42.16 | whitelisted
download.skype.com | 184.28.88.180 | whitelisted
detectportal.firefox.com | (no IP resolved) | unknown

Threats

No threats detected
Process | Message
Skype.exe | [0519/210326.370:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
fagot.exe | FTH: (952): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***