analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.alamo-slab.ml

Full analysis: https://app.any.run/tasks/0bb4cb8f-011f-4350-a75e-dbd8fc1823df
Verdict: Malicious activity
Analysis date: July 11, 2019, 14:40:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

7A2345F95C31F3AE39B73BF741D81F49

SHA1:

7FD1936BF29EF77DAC2F0167AF9EAD2D486711A8

SHA256:

87374992C63993B80284CD4F9683AC48EC83AA3F1F626EFC1D29BA473112CB27

SSDEEP:

3:N1KJS4B4U:Cc4L

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2816)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3144)
    • Creates files in the user directory

      • iexplore.exe (PID: 3144)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2816)
      • iexplore.exe (PID: 3372)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3372)
    • Application launched itself

      • iexplore.exe (PID: 3144)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3372)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3144"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3372"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3144 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2816C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
462
Read events
397
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
41
Unknown types
14

Dropped files

PID
Process
Filename
Type
3144iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3144iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3372iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@freenom[2].txt
MD5:
SHA256:
3144iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071120190712\index.datdat
MD5:1BCCCEF464C4A351148B82A8E15E6321
SHA256:E605EAC08805437EC3ECF16FD7C3730075B22B99E8A3A5C1875010760AE40504
3372iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:5CC58223ACA9D4E1CE1D7AD92B62B05D
SHA256:3B03F1C5E2B89579840CB27B4960533E686E69B40FBF65A8A93ACD610BE2727B
3372iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:D4411473F54032570A481D6426B4C3AA
SHA256:52F4DF188312156F3A1465731C863440764808359CFE9D8CCC1663DD2825B152
3372iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071120190712\index.datdat
MD5:ED425798CE04753440E137EF3209A1E9
SHA256:E91EB0501B292F008B79349246971B78F580213E973DBD52AAB199784BFA310C
3372iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@freenom[1].txttext
MD5:9ECB4F36946594A830AF0AFD09BA6077
SHA256:F9D0A0F02889EAB77BBE5D625AA1D1DCF4195DAAECF7C4ABD08BE3FE2265FA56
3372iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IJVLG3F7\index[1].htmhtml
MD5:8872693DEF6083F7CF51AB8E199289AC
SHA256:3FF5C184D2DD6D021B9EFB2604CE3AB0A6A1C5917B115EEAB02EB8FBA27F41A3
3372iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RW7K4DLW\css[1].txttext
MD5:24D9C865BED92FD610E49A7176A56F23
SHA256:C2A0E4B9C5534D08B753116DB757CC9B9DB31BC0A68EA6B6371483CC1A32C5BC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
24
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3372
iexplore.exe
GET
301
217.115.151.99:80
http://domain.dot.tk/p/?d=ALAMO-SLAB.ML&i=185.183.107.227&c=43&ro=0&ref=unknown&_=1562856062382
DE
whitelisted
3372
iexplore.exe
GET
302
35.204.240.39:80
http://freenom.link/?k=80808080&_=1562856062
US
whitelisted
3372
iexplore.exe
GET
200
35.204.240.39:80
http://www.freenom.link/en/routers.js
US
text
17.8 Kb
suspicious
3372
iexplore.exe
GET
200
35.204.240.39:80
http://www.freenom.link/en/index.html?lang=en
US
html
1.86 Kb
suspicious
3372
iexplore.exe
GET
200
35.204.240.39:80
http://www.freenom.link/images.v2/icon-privacy.png
US
image
7.86 Kb
suspicious
3372
iexplore.exe
GET
200
35.204.240.39:80
http://www.freenom.link/images.v2/icon-dashboard.png
US
image
11.1 Kb
suspicious
3372
iexplore.exe
GET
200
35.204.240.39:80
http://www.freenom.link/css/lander.css
US
text
5.51 Kb
suspicious
3372
iexplore.exe
GET
200
35.204.240.39:80
http://www.freenom.link/images.v2/icon-dashboard-green.png
US
image
9.68 Kb
suspicious
3372
iexplore.exe
GET
200
35.204.240.39:80
http://www.freenom.link/images.v2/freenom-world.png
US
image
9.02 Kb
suspicious
3372
iexplore.exe
GET
200
35.204.240.39:80
http://www.freenom.link/images.v2/bg-header.gif
US
image
1.07 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3372
iexplore.exe
172.217.22.106:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3372
iexplore.exe
216.58.207.46:443
www.youtube.com
Google Inc.
US
whitelisted
3144
iexplore.exe
195.20.54.119:80
www.alamo-slab.ml
Verotel International B.V.
NL
suspicious
3372
iexplore.exe
195.20.54.119:80
www.alamo-slab.ml
Verotel International B.V.
NL
suspicious
3144
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3372
iexplore.exe
209.197.3.15:443
maxcdn.bootstrapcdn.com
Highwinds Network Group, Inc.
US
whitelisted
3372
iexplore.exe
209.197.3.15:80
maxcdn.bootstrapcdn.com
Highwinds Network Group, Inc.
US
whitelisted
3372
iexplore.exe
172.217.16.131:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3372
iexplore.exe
172.217.22.110:443
www.google-analytics.com
Google Inc.
US
whitelisted
217.115.151.99:80
domain.dot.tk
Host Europe GmbH
DE
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.alamo-slab.ml
  • 195.20.54.119
suspicious
domain.dot.tk
  • 217.115.151.99
whitelisted
freenom.link
  • 35.204.240.39
whitelisted
www.freenom.link
  • 35.204.240.39
suspicious
maxcdn.bootstrapcdn.com
  • 209.197.3.15
whitelisted
fonts.googleapis.com
  • 172.217.22.106
whitelisted
code.jquery.com
  • 205.185.208.52
whitelisted
fonts.gstatic.com
  • 172.217.16.131
whitelisted
www.google-analytics.com
  • 172.217.22.110
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ml Domain
3372
iexplore.exe
Potentially Bad Traffic
ET POLICY HTTP Request to a *.tk domain
3372
iexplore.exe
Misc activity
SUSPICIOUS [PTsecurity] Malicious Redirect (EK seen)
No debug info