Malware analysis account_invoice_may2019.zip Malicious activity

Add for printing

File name:	account_invoice_may2019.zip
Full analysis:	https://app.any.run/tasks/8942470c-f218-44c2-b139-6d11387f6e6c
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 20, 2019, 12:31:33
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open stealer
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	3F91C575BE180FF8A9E801AA8C479AC0
SHA1:	6AD0A0A26880A011803894D17EA21244A464D192
SHA256:	87A7EAE0D1963BF42E84394F8670FF8B667EDE6ED4B9520FC85E003EAE4B7D38
SSDEEP:	1536:hHmZanqqFYWL8muVFCgQ/XuWbIg4FjbUK2ZVs8pkgcQZT9iTzWfpMs1b:hHmZaqq2g8nV8D/+WbIgM3yrVkg/Zeze

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Executable content was dropped or overwritten
  - EXCEL.EXE (PID: 3048)
- Unusual execution from Microsoft Office
  - EXCEL.EXE (PID: 3048)
- Application was dropped or rewritten from another process
  - rtegre.exe (PID: 3172)
  - wprgxyeqd79.exe (PID: 3132)
- Loads dropped or rewritten executable
  - EXCEL.EXE (PID: 3048)
  - WinRAR.exe (PID: 3372)
  - wprgxyeqd79.exe (PID: 3132)
  - rtegre.exe (PID: 3172)
- Stealing of credential data
  - rtegre.exe (PID: 3172)
SUSPICIOUS
- Starts Microsoft Office Application
  - WinRAR.exe (PID: 3372)
- Executable content was dropped or overwritten
  - wprgxyeqd79.exe (PID: 3132)
- Loads DLL from Mozilla Firefox
  - rtegre.exe (PID: 3172)
INFO
- Reads Microsoft Office registry keys
  - EXCEL.EXE (PID: 3048)
- Creates files in the user directory
  - EXCEL.EXE (PID: 3048)
- Dropped object may contain Bitcoin addresses
  - EXCEL.EXE (PID: 3048)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	account_invoice_may2019.xls
ZipUncompressedSize:	179200
ZipCompressedSize:	88686
ZipCRC:	0xf5295efb
ZipModifyDate:	2019:05:16 11:01:11
ZipCompression:	Deflated
ZipBitFlag:	-
ZipRequiredVersion:	20

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3372	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\account_invoice_may2019.zip"	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
3048	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE		WinRAR.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000
3132	C:\Users\Public\wprgxyeqd79.exe	C:\Users\Public\wprgxyeqd79.exe		EXCEL.EXE
User: admin Company: Miranda IM Integrity Level: MEDIUM Description: Tile Textheight Clipbook Mostly Wading Exit code: 0 Version: 8.7.56.236
3172	C:\Users\Public\rtegre.exe	C:\Users\Public\rtegre.exe		EXCEL.EXE
User: admin Company: x264 project Integrity Level: MEDIUM Description: Nkcreatestaticmapping Aboriginal Year Version: 5.7.3.790

Add for printing

Total events

1 045

Read events

993

Write events

Delete events

Modification events


(PID) Process:	(3372) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3372) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3372) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3372) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\account_invoice_may2019.zip
(PID) Process:	(3372) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3372) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3372) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3372) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3372) WinRAR.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:	write	Name:	EXCELFiles
Value: 1320419345
(PID) Process:	(3048) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:	write	Name:	+s=
Value: 2B733D00E80B0000010000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3048	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\CVR337C.tmp.cvr		—
		MD5:—	SHA256:—
3172	rtegre.exe	C:\Users\admin\AppData\Local\Temp\{8BC2BF45-ABFD-43A2-8DDD-71C75AF9BA15}\1870088882.dll		—
		MD5:—	SHA256:—
3172	rtegre.exe	C:\Users\admin\AppData\Local\Temp\{8BC2BF45-ABFD-43A2-8DDD-71C75AF9BA15}\log		—
		MD5:—	SHA256:—
3172	rtegre.exe	C:\Users\admin\AppData\Local\Temp\{8BC2BF45-ABFD-43A2-8DDD-71C75AF9BA15}\temp		sqlite
		MD5:7ED7E7FFE1DC4EAAEE2EDAFDD4815A47	SHA256:BD7D82BAB01903699A91783F35D7E1EBF2BA8AEDC1023F09C0E6934B1B0651C3
3048	EXCEL.EXE	C:\Users\Public\rtegre.exe		executable
		MD5:7E77BB853D227E06B635E6EB3E0B31F0	SHA256:385F0A0CCAEC6272C8270F0D5228F2641CCA916E84825EBB35DBEBB036FA2165
3048	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ananas[1].exe		executable
		MD5:7E77BB853D227E06B635E6EB3E0B31F0	SHA256:385F0A0CCAEC6272C8270F0D5228F2641CCA916E84825EBB35DBEBB036FA2165
3048	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\pasmmm[1].exe		executable
		MD5:6DF420B5D8BDDB0F5FFE3EDCC9A4464B	SHA256:1EE1BA514212F11A69D002005DFC623B1871CC808F18DDFA2191102BBB9F623B
3048	EXCEL.EXE	C:\Users\Public\wprgxyeqd79.exe		executable
		MD5:6DF420B5D8BDDB0F5FFE3EDCC9A4464B	SHA256:1EE1BA514212F11A69D002005DFC623B1871CC808F18DDFA2191102BBB9F623B
3372	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa3372.3927\account_invoice_may2019.xls		document
		MD5:E6B0A9CDCAA3FA84251DF340F8FF8E73	SHA256:50B63D790D46F6D46E20A15DE180815E1A5620950B25F48BBF16731A3C0F9DEB
3132	wprgxyeqd79.exe	C:\Users\admin\AppData\Local\Temp\1D86.tmp		executable
		MD5:ED60C95C805DBAEE92C90C3AB930085A	SHA256:D35574D2CC42B4EDBF217A86639864422FBE02443250A36EB2CD11B22F165C39

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3172	rtegre.exe	GET	—	154.35.175.225:80	http://154.35.175.225/tor/status-vote/current/consensus	US	—	—	malicious
3172	rtegre.exe	GET	—	50.31.252.28:80	http://50.31.252.28/tor/server/fp/99339f3e68bccc1391bf14c821d80766fe0c5956	JP	—	—	suspicious
3172	rtegre.exe	GET	—	104.251.250.115:80	http://104.251.250.115/tor/server/fp/495985474f547b5d97acb2941c7aed048d7e7e14	US	—	—	suspicious
3172	rtegre.exe	GET	—	178.32.223.22:80	http://178.32.223.22/tor/server/fp/9ba84e8c90083676f86c7427c8d105925f13716c	FR	—	—	suspicious
3172	rtegre.exe	GET	—	51.89.6.40:80	http://51.89.6.40/tor/server/fp/592031cfdba17dd46e1e365e6c60ad1f81655033	GB	—	—	suspicious
3172	rtegre.exe	GET	—	91.213.8.89:80	http://91.213.8.89/tor/server/fp/c5d55d11f26c52a6bfee8dd23c250548aa67e9ac	UA	—	—	suspicious
3172	rtegre.exe	GET	—	46.28.110.244:80	http://46.28.110.244/tor/server/fp/4c62b1e2949560304c37b52c95e5680886d9dfca	CZ	—	—	suspicious
3172	rtegre.exe	GET	—	85.255.15.54:80	http://85.255.15.54/tor/server/fp/79bf9325567bcc2fc5c8e9005ed098644d70f877	CZ	—	—	suspicious
3172	rtegre.exe	GET	—	199.249.230.70:80	http://199.249.230.70/tor/server/fp/de44c8772af0eec9cfda6db51ec25ece690fa7bf	US	—	—	suspicious
3172	rtegre.exe	GET	—	199.249.230.110:80	http://199.249.230.110/tor/server/fp/7473548133fc51ded4427faed6efae9b246b927f	US	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3172	rtegre.exe	154.35.175.225:80	—	Rethem Hosting LLC	US	malicious
3048	EXCEL.EXE	47.245.58.124:443	kentona.su	—	US	suspicious
3172	rtegre.exe	50.16.229.140:443	api.ipify.org	Amazon.com, Inc.	US	malicious
3172	rtegre.exe	91.213.8.89:80	—	PE Ivanov Vitaliy Sergeevich	UA	suspicious
3172	rtegre.exe	50.31.252.28:80	—	Hosting Services, Inc.	JP	suspicious
3172	rtegre.exe	93.95.100.166:443	—	JSC Mediasoft ekspert	RU	suspicious
3172	rtegre.exe	129.6.15.28:13	time-a.nist.gov	National Bureau of Standards	US	unknown
3172	rtegre.exe	51.89.6.40:80	—	—	GB	suspicious
3172	rtegre.exe	79.252.120.82:443	—	Deutsche Telekom AG	DE	suspicious
3172	rtegre.exe	72.132.134.217:80	—	Time Warner Cable Internet LLC	US	suspicious

DNS requests

Domain	IP	Reputation
kentona.su	47.245.58.124	malicious
api.ipify.org	50.16.229.140 23.21.121.219 54.204.36.156 107.22.215.20 50.19.247.198 54.225.171.237 54.243.198.12 54.243.147.226	shared
time-a.nist.gov	129.6.15.28	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
3172	rtegre.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 161
3172	rtegre.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
3172	rtegre.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
3172	rtegre.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
3172	rtegre.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
3172	rtegre.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
3172	rtegre.exe	Misc activity	SUSPICIOUS [PTsecurity] ipify.org External IP Check
3172	rtegre.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 682
3172	rtegre.exe	Potential Corporate Privacy Violation	ET P2P Tor Get Server Request

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

account_invoice_may2019.zip

3F91C575BE180FF8A9E801AA8C479AC0

6AD0A0A26880A011803894D17EA21244A464D192

87A7EAE0D1963BF42E84394F8670FF8B667EDE6ED4B9520FC85E003EAE4B7D38

1536:hHmZanqqFYWL8muVFCgQ/XuWbIg4FjbUK2ZVs8pkgcQZT9iTzWfpMs1b:hHmZaqq2g8nV8D/+WbIgM3yrVkg/Zeze

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executable content was dropped or overwritten

Unusual execution from Microsoft Office

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Stealing of credential data

SUSPICIOUS

Starts Microsoft Office Application

Executable content was dropped or overwritten

Loads DLL from Mozilla Firefox

INFO

Reads Microsoft Office registry keys

Creates files in the user directory

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings