URL: http://pastebin.com
Full analysis: https://app.any.run/tasks/f96bcc26-5078-4844-8a4a-01d6d487bf04
Verdict: Malicious activity
Analysis date: February 22, 2020, 00:28:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: BFFB75A18F97A7C0E82BD3466FB4BCD9
SHA1: 5E0B147D42B45C592A4958CE9166535B70D8FB0D
SHA256: 8B4E56B3A474A3071037C8CDC57BE4209238FDA6670C36384E92CBFE05407F77
SSDEEP: 3:N1KOEWRiMLZI:CO/V2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Disables Form Suggestion in IE

      • iexplore.exe (PID: 1440)
  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 1440)
      • iexplore.exe (PID: 3592)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1440)
      • iexplore.exe (PID: 3592)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3592)
    • Changes internet zones settings

      • iexplore.exe (PID: 1440)
    • Application launched itself

      • iexplore.exe (PID: 1440)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3592)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1440)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1440)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1440)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start -> iexplore.exe -> iexplore.exe

Process information

PID 1440 (parent process: explorer.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://pastebin.com"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\iertutil.dll

PID 3592 (parent process: iexplore.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1440 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\iertutil.dll
Total events: 6 227
Read events: 902
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 230
Text files: 199
Unknown types: 105

Dropped files

PID 3592, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\Cab6DF5.tmp
  Type, MD5, SHA256: not recorded in the report

PID 3592, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\Tar6DF6.tmp
  Type, MD5, SHA256: not recorded in the report

PID 3592, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\select2.min[1].css
  Type: text
  MD5: D8E0F13D36D91E52D7B87CB9FBDE723C
  SHA256: 6825F2517A695B2FC21140D7535076290907CBEAC447008FB598EFEBB10D38C3

PID 3592, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\pastebin.min.v9[1].css
  Type: text
  MD5: FDD3D0473B42F929647BBF72CFF13DE2
  SHA256: 7DADE2284672187803E336A94AB7FC86626411D95BC6E5E6E85D9A0BAD66F73A

PID 3592, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1
  Type: binary
  MD5: 02655204CC78B87149892B48DF911327
  SHA256: E8D6EB5A93F0659A3774616640BAB7EE7240147A13FE1FC9FC8012717745A30D

PID 3592, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
  Type: der
  MD5: E550DA03AEE5B546B436CD553D3233B9
  SHA256: 9ABFD4E29B96CCA442502B1DE6071FE0293455DF22B4EFF19FA3E6DF060947E7

PID 3592, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
  Type: smt
  MD5: CDA584C5EAD2FF0ADCC7206661B0BB9C
  SHA256: 687E80DD3E94709D21A87D181EC178417DF265A7BBD6C6DD398D98136A8C7F75

PID 3592, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\select2.min[1].js
  Type: text
  MD5: 20B2763C0B177FE852309949CADD2A88
  SHA256: 4598A43124DCF116A169DFE92AA176F552ED3DCDF7B2493C719A76A4F65CF377

PID 3592, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\453HF2UZ.htm
  Type: html
  MD5: 45D338CB0BE582125BE6B478F550F99C
  SHA256: 37BCDC6C6DF4F6AA7773D0E8C2F4EB4DEF7C5BF1B95CA5BE47D9C4BEF24074AF

PID 3592, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
  Type: binary
  MD5: 3352E8A813799DA2DD08E883B8A39C0B
  SHA256: F34FCA26E534172BEF76EDD4BB2D28FF013A21F948090458AD6080CEBA24DDD5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 119
TCP/UDP connections: 240
DNS requests: 99
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3592 | iexplore.exe | GET | 301 | 104.23.98.190:80 | http://pastebin.com/ | US | - | - | shared
3592 | iexplore.exe | GET | 200 | 216.58.210.3:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCgdZM8AVzzKAgAAAAALnDU | US | der | 472 b | whitelisted
3592 | iexplore.exe | GET | 200 | 2.16.186.35:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted
3592 | iexplore.exe | GET | 200 | 216.58.210.3:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
3592 | iexplore.exe | GET | 200 | 216.58.210.3:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
3592 | iexplore.exe | GET | 200 | 2.16.186.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted
3592 | iexplore.exe | GET | 200 | 2.16.186.11:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgTKD08ug1ewuLziNIDJxgY4sg%3D%3D | unknown | der | 527 b | whitelisted
3592 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D | US | der | 312 b | whitelisted
3592 | iexplore.exe | GET | 200 | 2.16.186.11:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgTKD08ug1ewuLziNIDJxgY4sg%3D%3D | unknown | der | 527 b | whitelisted
3592 | iexplore.exe | GET | 304 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D | US | der | 312 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3592 | iexplore.exe | 104.23.98.190:443 | - | Cloudflare Inc | US | malicious
3592 | iexplore.exe | 74.117.181.81:443 | aj2073.online | WZ Communications Inc. | US | unknown
3592 | iexplore.exe | 104.26.14.238:443 | services.vlitag.com | Cloudflare Inc | US | suspicious
3592 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3592 | iexplore.exe | 172.217.22.40:443 | www.googletagmanager.com | Google Inc. | US | whitelisted
3592 | iexplore.exe | 104.23.98.190:80 | - | Cloudflare Inc | US | malicious
3592 | iexplore.exe | 216.58.210.3:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3592 | iexplore.exe | 216.58.205.238:443 | www.google-analytics.com | Google Inc. | US | whitelisted
3592 | iexplore.exe | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | - | whitelisted
3592 | iexplore.exe | 151.139.128.14:80 | ocsp.trust-provider.com | Highwinds Network Group, Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
pastebin.com | 151.101.2.133, 151.101.66.133, 151.101.130.133, 151.101.194.133 | shared
ocsp.digicert.com | 93.184.220.29 | whitelisted
www.googletagmanager.com | 172.217.22.40 | whitelisted
services.vlitag.com | 104.26.14.238, 104.26.15.238 | shared
aj2073.online | 74.117.181.81 | unknown
ocsp.pki.goog | 216.58.210.3 | whitelisted
tag.vlitag.com | 104.26.14.238, 104.26.15.238 | whitelisted
www.google-analytics.com | 216.58.205.238 | whitelisted
isrg.trustid.ocsp.identrust.com | 2.16.186.35, 2.16.186.11 | whitelisted
ocsp.int-x3.letsencrypt.org | 2.16.186.11, 2.16.186.27 | whitelisted

Threats

No threats detected
No debug info