analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://img.mailinblue.com/1571019/attachments/4367890.zip?v=1562867268773

Full analysis: https://app.any.run/tasks/3d12845f-cf03-4d57-9394-b6fa1ab852a5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: July 11, 2019, 19:24:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trickbot
Indicators:
MD5:

17A9E938A3537B9FD50EEA7A5A8A7039

SHA1:

9C8F11EAE1DEE00E581E1AD92ECBC41F589A8F96

SHA256:

895FA799E7E8A4CD604EF44D58C6F60A170AF84145791BC507C3D5F748665631

SSDEEP:

3:N1KX/L5NHVJSU2EH/E4rX0XrW:CvLLHeOEAXurW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • JFHRсав.exe (PID: 3864)
      • ouwrj.exe (PID: 2780)
      • JFHRсав.exe (PID: 308)
      • LFHTсав.exe (PID: 3596)
      • ouwrj.exe (PID: 4012)
      • ouwrj.exe (PID: 2596)

    • Known privilege escalation attack

      • DllHost.exe (PID: 3412)
      • DllHost.exe (PID: 2608)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 2816)
      • WScript.exe (PID: 3680)

    • Disables Windows Defender

      • JFHRсав.exe (PID: 308)
      • LFHTсав.exe (PID: 3596)
      • ouwrj.exe (PID: 2596)

    • Stops/Deletes Windows Defender service via SC.exe

      • cmd.exe (PID: 3624)
      • cmd.exe (PID: 3320)
      • cmd.exe (PID: 3432)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 3580)
      • cmd.exe (PID: 3612)

    • Executes PowerShell scripts

      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 3468)
      • cmd.exe (PID: 2672)
      • cmd.exe (PID: 3236)
      • cmd.exe (PID: 3980)
      • cmd.exe (PID: 2308)
      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 2768)
      • cmd.exe (PID: 3600)
      • cmd.exe (PID: 3280)
      • cmd.exe (PID: 2772)
      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 940)
      • cmd.exe (PID: 3984)
      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 3144)
      • cmd.exe (PID: 2716)
      • cmd.exe (PID: 476)
      • cmd.exe (PID: 1628)
      • cmd.exe (PID: 316)
      • cmd.exe (PID: 2936)
      • cmd.exe (PID: 3168)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 3796)
      • cmd.exe (PID: 1640)
      • cmd.exe (PID: 3616)
      • cmd.exe (PID: 840)
      • cmd.exe (PID: 2684)
      • cmd.exe (PID: 4064)

    • Loads the Task Scheduler COM API

      • JFHRсав.exe (PID: 308)
      • LFHTсав.exe (PID: 3596)

    • Trickbot detected

      • ouwrj.exe (PID: 2596)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2816)
      • ouwrj.exe (PID: 2780)
      • WScript.exe (PID: 3680)
      • JFHRсав.exe (PID: 308)
      • ouwrj.exe (PID: 2596)

    • Executes scripts

      • WinRAR.exe (PID: 2648)

    • Creates files in the program directory

      • ouwrj.exe (PID: 2780)
      • LFHTсав.exe (PID: 3596)

    • Executed via COM

      • DllHost.exe (PID: 3412)
      • DllHost.exe (PID: 2608)

    • Starts itself from another location

      • ouwrj.exe (PID: 2780)

    • Starts CMD.EXE for commands execution

      • JFHRсав.exe (PID: 308)
      • LFHTсав.exe (PID: 3596)
      • ouwrj.exe (PID: 2596)

    • Creates files in the user directory

      • powershell.exe (PID: 2760)
      • powershell.exe (PID: 3652)
      • powershell.exe (PID: 3768)
      • powershell.exe (PID: 3152)
      • powershell.exe (PID: 3560)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 2412)
      • JFHRсав.exe (PID: 308)
      • powershell.exe (PID: 4004)
      • powershell.exe (PID: 3624)
      • powershell.exe (PID: 3928)
      • LFHTсав.exe (PID: 3596)
      • powershell.exe (PID: 908)
      • powershell.exe (PID: 3424)
      • powershell.exe (PID: 1412)
      • powershell.exe (PID: 4044)
      • powershell.exe (PID: 3572)
      • powershell.exe (PID: 3648)
      • powershell.exe (PID: 2084)
      • powershell.exe (PID: 2928)
      • ouwrj.exe (PID: 2596)
      • powershell.exe (PID: 1996)
      • powershell.exe (PID: 3448)

    • Executed via Task Scheduler

      • LFHTсав.exe (PID: 3596)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3136)

    • Changes internet zones settings

      • iexplore.exe (PID: 3136)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3640)
      • iexplore.exe (PID: 3136)

    • Manual execution by user

      • WinRAR.exe (PID: 2648)
      • WScript.exe (PID: 3680)
      • WinRAR.exe (PID: 2652)

    • Creates files in the user directory

      • iexplore.exe (PID: 3640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
163
Monitored processes
86
Malicious processes
36
Suspicious processes
9

Behavior graph

Click at the process to see the details
start drop and start drop and start iexplore.exe iexplore.exe winrar.exe no specs wscript.exe ouwrj.exe jfhrсав.exe no specs CMSTPLUA no specs jfhrсав.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs winrar.exe no specs wscript.exe ouwrj.exe no specs lfhtсав.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs CMSTPLUA no specs #TRICKBOT ouwrj.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3136"C:\Program Files\Internet Explorer\iexplore.exe" http://img.mailinblue.com/1571019/attachments/4367890.zip?v=1562867268773C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3640"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3136 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2648"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\4367890.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2816"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2648.11821\4367890.vbs" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2780C:\Users\admin\AppData\Local\Temp\ouwrj.exeC:\Users\admin\AppData\Local\Temp\ouwrj.exe
WScript.exe
User:
admin
Company:
Nozza Software Studios
Integrity Level:
MEDIUM
Description:
NS2K1
Exit code:
0
Version:
1, 0, 0, 1
3864"C:\ProgramData\JFHRсав.exe" C:\ProgramData\JFHRсав.exeouwrj.exe
User:
admin
Company:
Nozza Software Studios
Integrity Level:
MEDIUM
Description:
NS2K1
Exit code:
0
Version:
1, 0, 0, 1
3412C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
308"C:\ProgramData\JFHRсав.exe" C:\ProgramData\JFHRсав.exe
DllHost.exe
User:
admin
Company:
Nozza Software Studios
Integrity Level:
HIGH
Description:
NS2K1
Exit code:
0
Version:
1, 0, 0, 1
3320"C:\Windows\System32\cmd.exe" /c sc stop WinDefendC:\Windows\System32\cmd.exeJFHRсав.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1062
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3624"C:\Windows\System32\cmd.exe" /c sc delete WinDefendC:\Windows\System32\cmd.exeJFHRсав.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
7 006
Read events
5 744
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
34
Text files
14
Unknown types
4

Dropped files

PID
Process
Filename
Type
3136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3136iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3136iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF0E9D5A01EAAB5DE5.TMP
MD5:
SHA256:
3136iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5D7B07423717F112.TMP
MD5:
SHA256:
3136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7EED181F-A411-11E9-B506-5254004A04AF}.dat
MD5:
SHA256:
3640iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@mailinblue[1].txttext
MD5:8AEEAC3ED45EA4005076B575FE1E0453
SHA256:FEDE5529B0EF58DDF99C1CE0F7F0C69BDEFC0A771AA15E12602A4BB4C13EB6C6
3640iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JOHYEJFE\4367890[1].zipcompressed
MD5:5A0667E11886E458A53C201944D8B882
SHA256:D8CD9ECA8B4E0303037F69BF749CAF76987BE86067C64C75230E695F5839E662
3640iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019071120190712\index.datdat
MD5:B452C2F15198DE0DB06D11A28ED20ABA
SHA256:6E5C550390DD3A4888B9B57F37D232166410AAD096B93BEECFB2991920A5A7B3
3640iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\97EQODDJ\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2760powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PLZJ689PI76LNE4TJHIB.temp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2816
WScript.exe
GET
200
67.23.226.159:80
http://bizcraftindia.com/taxReminder.php
US
executable
402 Kb
malicious
3680
WScript.exe
GET
200
67.23.226.159:80
http://altarishelect.com/product_list.php
US
executable
396 Kb
malicious
3640
iexplore.exe
GET
200
104.27.145.180:80
http://img.mailinblue.com/1571019/attachments/4367890.zip?v=1562867268773
US
compressed
3.41 Kb
malicious
3136
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2816
WScript.exe
67.23.226.159:80
bizcraftindia.com
HostDime.com, Inc.
US
suspicious
3136
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3640
iexplore.exe
104.27.145.180:80
img.mailinblue.com
Cloudflare Inc
US
shared
3596
LFHTсав.exe
37.44.215.169:443
JSC Mediasoft ekspert
RU
unknown
3680
WScript.exe
67.23.226.159:80
bizcraftindia.com
HostDime.com, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
img.mailinblue.com
  • 104.27.145.180
  • 104.27.144.180
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
bizcraftindia.com
  • 67.23.226.159
malicious
altarishelect.com
  • 67.23.226.159
malicious

Threats

PID
Process
Class
Message
2816
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2816
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS WinHttpRequest Downloading EXE
2816
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2816
WScript.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3640
iexplore.exe
Potentially Bad Traffic
ET WEB_CLIENT Suspicious Possible Zip DL containing single VBS script
3680
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3680
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS WinHttpRequest Downloading EXE
3680
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3680
WScript.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://img.mailinblue.com/1571019/attachments/4367890.zip?v=1562867268773