File name: r20_files.zip
Full analysis: https://app.any.run/tasks/22908b7b-d1b7-4831-b259-8541ee0abfb9
Verdict: Malicious activity
Threats: TrickBot

TrickBot is an advanced banking trojan used to steal payment credentials from its victims. It can redirect the victim to a fake banking portal and capture the credentials typed into that page.

Analysis date: December 06, 2019, 20:13:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trickbot, trojan, evasion
Indicators (for the submitted archive, not the payload; the extracted Preview Document.exe is listed under Dropped files with its own MD5/SHA256):
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 40821D62F8B272AEEB52DAFDCDF10B83
SHA1: C5258F2C6FBE8BD7FF9B5DFFE798F243EEC7F3CF
SHA256: 8B7E41572B6FA43922ACF5169CDB0BBAC7F799AFF79A72F62B597C680BA9402F
SSDEEP: 1536:QVf57ZfijyDmjLoV6UwxqQxausvpcbYkDCin9+JFLpM0l+E:greHoAxfxa5AVn98F9PoE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • E346.exe (PID: 2208)
      • Preview Document.exe (PID: 2344)
      • E348.exe (PID: 2280)
      • E348.exe (PID: 2416)
    • TRICKBOT was detected

      • E346.exe (PID: 2208)
    • Loads the Task Scheduler COM API

      • E346.exe (PID: 2208)
    • Connects to CnC server

      • E346.exe (PID: 2208)
    • Known privilege escalation attack

      • DllHost.exe (PID: 3752)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Preview Document.exe (PID: 2344)
      • WinRAR.exe (PID: 2576)
      • E346.exe (PID: 2208)
    • Creates files in the user directory

      • Preview Document.exe (PID: 2344)
      • E346.exe (PID: 2208)
    • Checks for external IP

      • E346.exe (PID: 2208)
    • Executed via Task Scheduler

      • E348.exe (PID: 2280)
    • Executed via COM

      • DllHost.exe (PID: 3752)
  • INFO

    • Manual execution by user

      • iexplore.exe (PID: 2604)
    • Application launched itself

      • iexplore.exe (PID: 2604)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3840)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3840)
    • Changes internet zones settings

      • iexplore.exe (PID: 2604)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (36.3)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2019:12:06 16:59:02
ZipCRC: 0x2bab726a
ZipCompressedSize: 65487
ZipUncompressedSize: 104672
ZipFileName: r20.rs6.net/Preview Document.exe

The archive holds a single entry: an executable placed inside a directory named like a web host (r20.rs6.net). That is why WinRAR extracts it to ...\Rar$EXb2576.21102\r20.rs6.net\Preview Document.exe in the process list below.
Total processes: 43
Monitored processes: 8
Malicious processes: 5
Suspicious processes: 1

Behavior graph (reconstructed from the process table below; "no specs" is the report's label for processes without itemized details):

explorer.exe
  WinRAR.exe (2576) -- drop and start --> Preview Document.exe (2344) -- drop and start --> E346.exe (2208) #TRICKBOT
explorer.exe
  iexplore.exe (2604) --> iexplore.exe (3840) no specs
taskeng.exe
  E348.exe (2280) no specs
svchost.exe
  DllHost.exe / CMSTPLUA (3752) no specs --> E348.exe (2416) no specs

Process information

PID 2576  WinRAR.exe  (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\r20_files.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2344  Preview Document.exe  (parent: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2576.21102\r20.rs6.net\Preview Document.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2576.21102\r20.rs6.net\Preview Document.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 3221225547 (0xC000004B)

PID 2208  E346.exe  (parent: Preview Document.exe)
  CMD: C:\Users\admin\AppData\Local\Temp\E346.exe
  Path: C:\Users\admin\AppData\Local\Temp\E346.exe
  User: admin
  Integrity level: MEDIUM
  Description: MDI_Notepad MFC Application
  Version: 1, 0, 0, 1

PID 2604  iexplore.exe  (parent: explorer.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3840  iexplore.exe  (parent: iexplore.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2280  E348.exe  (parent: taskeng.exe)
  CMD: C:\Users\admin\AppData\Roaming\syshealth\E348.exe
  Path: C:\Users\admin\AppData\Roaming\syshealth\E348.exe
  User: admin
  Integrity level: MEDIUM
  Description: MDI_Notepad MFC Application
  Exit code: 0
  Version: 1, 0, 0, 1

PID 3752  DllHost.exe  (parent: svchost.exe)
  CMD: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  Path: C:\Windows\system32\DllHost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2416  E348.exe  (parent: DllHost.exe)
  CMD: "C:\Users\admin\AppData\Roaming\syshealth\E348.exe"
  Path: C:\Users\admin\AppData\Roaming\syshealth\E348.exe
  User: admin
  Integrity level: HIGH
  Description: MDI_Notepad MFC Application
  Exit code: 0
  Version: 1, 0, 0, 1

Reading the tree: the dropped loader E346.exe (PID 2208) is the process that talks to the C2 and loads the Task Scheduler COM API; E348.exe, which carries the same "MDI_Notepad MFC Application" version resource, then runs twice from %AppData%\Roaming\syshealth. The first run (PID 2280) is at MEDIUM integrity as a child of taskeng.exe, i.e. the scheduled task. The second run (PID 2416) is at HIGH integrity as a child of the COM Surrogate hosting CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} (CMSTPLUA, labelled as such in the behavior graph), an auto-elevated COM class; that MEDIUM-to-HIGH jump through DllHost.exe is what the "Known privilege escalation attack" signature refers to.
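
The three host-side behaviours the report flags (execution straight out of an archiver's extraction directory, a scheduled-task relaunch from %AppData%, and elevation through the CMSTPLUA COM surrogate) can be expressed as rules over the process tree. The following is an added example written for this page, not ANY.RUN's own logic: the process records are transcribed from the table above, while the rule names, the Proc type and the image_path helper are assumptions of the example.

```python
# Added example (not part of the ANY.RUN report): triage rules over the
# process tree shown above. PROCS is transcribed from the "Process
# information" table; rule names and helpers are this example's own.
import re
from dataclasses import dataclass

# CLSID the report's behavior graph labels "CMSTPLUA". A HIGH-integrity
# DllHost.exe hosting it, spawning an image that also ran at MEDIUM, is the
# auto-elevation abuse the report calls "Known privilege escalation attack".
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str      # file name only, as the report lists it
    cmd: str        # full command line
    parent: str     # parent image name, as the report lists it
    integrity: str  # LOW / MEDIUM / HIGH


# Transcribed from the report (PID, image, command line, parent, integrity).
PROCS = [
    Proc(2576, "WinRAR.exe", r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\r20_files.zip"', "explorer.exe", "MEDIUM"),
    Proc(2344, "Preview Document.exe", r'"C:\Users\admin\AppData\Local\Temp\Rar$EXb2576.21102\r20.rs6.net\Preview Document.exe"', "WinRAR.exe", "MEDIUM"),
    Proc(2208, "E346.exe", r"C:\Users\admin\AppData\Local\Temp\E346.exe", "Preview Document.exe", "MEDIUM"),
    Proc(2604, "iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe"', "explorer.exe", "MEDIUM"),
    Proc(3840, "iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:71937', "iexplore.exe", "LOW"),
    Proc(2280, "E348.exe", r"C:\Users\admin\AppData\Roaming\syshealth\E348.exe", "taskeng.exe", "MEDIUM"),
    Proc(3752, "DllHost.exe", r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "svchost.exe", "HIGH"),
    Proc(2416, "E348.exe", r'"C:\Users\admin\AppData\Roaming\syshealth\E348.exe"', "DllHost.exe", "HIGH"),
]

LEVEL = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


def image_path(p: Proc) -> str:
    """First token of the command line, with surrounding quotes stripped."""
    m = re.match(r'"([^"]+)"|(\S+)', p.cmd)
    return (m.group(1) or m.group(2)) if m else ""


def triage(procs):
    """Return (rule, pid) pairs, in process-table order."""
    findings = []
    by_image = {}
    for p in procs:
        by_image.setdefault(p.image, []).append(p)

    for p in procs:
        path = image_path(p).lower()
        parent = p.parent.lower()

        # 1. Executable launched directly from WinRAR's temp extraction dir.
        if parent == "winrar.exe" and "\\rar$ex" in path and path.endswith(".exe"):
            findings.append(("exec_from_archive_temp", p.pid))

        # 2. Binary under AppData\Roaming started by the Task Scheduler engine.
        if parent == "taskeng.exe" and "\\appdata\\roaming\\" in path:
            findings.append(("scheduled_task_persistence", p.pid))

        # 3. HIGH-integrity child of the CMSTPLUA surrogate whose image also
        #    ran at a lower integrity level: elevation without a UAC prompt.
        if parent == "dllhost.exe" and p.integrity == "HIGH":
            surrogates = [h for h in by_image.get("DllHost.exe", [])
                          if CMSTPLUA_CLSID.lower() in h.cmd.lower()]
            lower_runs = [q for q in by_image.get(p.image, [])
                          if LEVEL[q.integrity] < LEVEL[p.integrity]]
            if surrogates and lower_runs:
                findings.append(("uac_bypass_cmstplua", p.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(PROCS):
        print(f"{rule:28} PID {pid}")
```

Rule 3 deliberately requires a lower-integrity run of the same image earlier in the tree; a HIGH-integrity child of DllHost.exe alone is normal for a legitimately elevated COM call, and the jump is only suspicious because E348.exe also ran at MEDIUM.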
Total events: 1 215
Read events: 1 106
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 3
Suspicious files: 5
Text files: 9
Unknown types: 1

Dropped files

PID 2208  E346.exe  C:\Users\admin\AppData\Local\Temp\Cab7C6.tmp  (type and hashes not listed)
PID 2208  E346.exe  C:\Users\admin\AppData\Local\Temp\Tar7C7.tmp  (type and hashes not listed)
PID 2208  E346.exe  C:\Users\admin\AppData\Local\Temp\Cab7D7.tmp  (type and hashes not listed)
PID 2208  E346.exe  C:\Users\admin\AppData\Local\Temp\Tar7D8.tmp  (type and hashes not listed)
PID 2604  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico  (type and hashes not listed)
PID 2604  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico  (type and hashes not listed)
PID 2208  E346.exe  C:\Users\admin\AppData\Local\Temp\Cab885.tmp  (type and hashes not listed)
PID 2208  E346.exe  C:\Users\admin\AppData\Local\Temp\Tar896.tmp  (type and hashes not listed)
PID 2576  WinRAR.exe  C:\Users\admin\AppData\Local\Temp\Rar$EXb2576.21102\r20.rs6.net\Preview Document.exe  executable
  MD5: 8FA81949277DDC1D741EE60537CE0E7A
  SHA256: 23C6BB1362350CC1BD0528C404B9B159DD4750BF369C9037FE0D6B41E2E80345
PID 2344  Preview Document.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@ajeetsinghbaddan[1].txt  text
  MD5: 1AF0B7B50B1A10C82313CFAA876EA887
  SHA256: 222E483A5A6D28FA2EBACE97C410C532812188E9D6BCD37D4BD05177ECFC24AC

The Cab*.tmp / Tar*.tmp pairs written by E346.exe are the temporary files Windows creates while extracting authrootstl.cab during its root-certificate auto-update (the download.windowsupdate.com request in the HTTP table); they are a side effect of the process opening a TLS connection, not payloads. Note that E346.exe and E348.exe themselves do not appear in this summary list of dropped files.
HTTP(S) requests: 3
TCP/UDP connections: 6
DNS requests: 5
Threats: 0

HTTP requests

PID 2208  E346.exe      GET  200  34.236.80.17:80    http://checkip.amazonaws.com/  (CN: US, type: text, size: 16 b, reputation: shared)
PID 2208  E346.exe      GET  200  93.184.221.240:80  http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab  (CN: US, type: compressed, size: 57.4 Kb, reputation: whitelisted)
PID 2604  iexplore.exe  GET  200  204.79.197.200:80  http://www.bing.com/favicon.ico  (CN: US, type: image, size: 237 b, reputation: whitelisted)

Connections

PID 2604  iexplore.exe          204.79.197.200:80    www.bing.com                    Microsoft Corporation                                    US  whitelisted
PID 2344  Preview Document.exe  104.27.175.75:443    ajeetsinghbaddan.com            Cloudflare Inc                                           US  suspicious
PID 2208  E346.exe              185.205.210.121:443  (no domain)                     BelCloud Hosting Corporation                             BG  malicious
PID 2208  E346.exe              93.184.221.240:80    www.download.windowsupdate.com  MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
PID 2208  E346.exe              34.236.80.17:80      checkip.amazonaws.com           Amazon.com, Inc.                                         US  shared

DNS requests

Domain
IP
Reputation
ajeetsinghbaddan.com
  • 104.27.175.75
  • 104.27.174.75
suspicious
www.ajeetsinghbaddan.com
  • 104.27.175.75
  • 104.27.174.75
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.download.windowsupdate.com
  • 93.184.221.240
whitelisted
checkip.amazonaws.com
  • 34.236.80.17
  • 3.224.145.145
  • 34.224.0.116
  • 18.211.58.73
  • 52.55.255.113
  • 34.196.181.158
  • 52.44.169.135
  • 18.213.79.189
shared
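
The one connection in the table above with no domain beside it (E346.exe to 185.205.210.121:443) is also the only destination that never appears in any DNS answer: the loader reaches its C2 by hard-coded address. Correlating the Connections and DNS tables makes that visible without any signature. The following is an added example for this page, not ANY.RUN's logic: the records are transcribed from the two tables above, while the function names, the finding tags and the EXTERNAL_IP_SERVICES list are this example's own assumptions.

```python
# Added example (not part of the ANY.RUN report): correlate the Connections
# and DNS tables. CONNECTIONS and DNS_ANSWERS are transcribed from the report;
# the rule tags and EXTERNAL_IP_SERVICES are this example's own.
from collections import defaultdict

# (pid, process, dst_ip, dst_port, domain shown in the Connections table or None)
CONNECTIONS = [
    (2604, "iexplore.exe",         "204.79.197.200",  80,  "www.bing.com"),
    (2344, "Preview Document.exe", "104.27.175.75",   443, "ajeetsinghbaddan.com"),
    (2208, "E346.exe",             "185.205.210.121", 443, None),
    (2208, "E346.exe",             "93.184.221.240",  80,  "www.download.windowsupdate.com"),
    (2208, "E346.exe",             "34.236.80.17",    80,  "checkip.amazonaws.com"),
]

# domain -> set of answer IPs, from the DNS requests table
DNS_ANSWERS = {
    "ajeetsinghbaddan.com":           {"104.27.175.75", "104.27.174.75"},
    "www.ajeetsinghbaddan.com":       {"104.27.175.75", "104.27.174.75"},
    "www.bing.com":                   {"204.79.197.200", "13.107.21.200"},
    "www.download.windowsupdate.com": {"93.184.221.240"},
    "checkip.amazonaws.com": {"34.236.80.17", "3.224.145.145", "34.224.0.116",
                              "18.211.58.73", "52.55.255.113", "34.196.181.158",
                              "52.44.169.135", "18.213.79.189"},
}

# "What is my public IP" services (assumed list for the example).
EXTERNAL_IP_SERVICES = {"checkip.amazonaws.com"}


def resolved_ips(dns):
    """Every IP returned in any DNS answer during the run."""
    return {ip for answers in dns.values() for ip in answers}


def direct_ip_connections(conns, dns):
    """Connections whose destination was never returned by DNS."""
    seen = resolved_ips(dns)
    return [c for c in conns if c[2] not in seen]


def external_ip_checks(conns):
    """Connections to a known external-IP lookup service."""
    return [c for c in conns if c[4] in EXTERNAL_IP_SERVICES]


def triage_network(conns, dns):
    """Map (pid, process) -> list of finding tags."""
    findings = defaultdict(list)
    for pid, proc, ip, port, _ in direct_ip_connections(conns, dns):
        tag = "direct-ip-tls" if port == 443 else "direct-ip"
        findings[(pid, proc)].append(f"{tag}:{ip}:{port}")
    for pid, proc, _, _, dom in external_ip_checks(conns):
        findings[(pid, proc)].append(f"external-ip-check:{dom}")
    # A process that both learns its public IP and then talks TLS to a
    # hard-coded address is the bot check-in pattern seen in this run.
    for tags in findings.values():
        if (any(t.startswith("direct-ip") for t in tags)
                and any(t.startswith("external-ip-check") for t in tags)):
            tags.append("c2-checkin-pattern")
    return dict(findings)


if __name__ == "__main__":
    for (pid, proc), tags in triage_network(CONNECTIONS, DNS_ANSWERS).items():
        print(pid, proc, ", ".join(tags))
```

The correlation is only as good as the capture: it must start before the first resolution, and cached answers, hosts-file entries or a resolver outside the capture point will all show up as "direct-ip" false positives. In a sandbox run like this one the capture covers the whole session, so the single unresolved destination is a strong signal.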

Threats

PID 2208  E346.exe  A Network Trojan was detected  MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot)
PID 2208  E346.exe  A Network Trojan was detected  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)
PID 2208  E346.exe  A Network Trojan was detected  MALWARE [PTsecurity] Blacklist SSL certificate detected (Trickbot)
PID 2208  E346.exe  A Network Trojan was detected  MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection
PID 2208  E346.exe  A Network Trojan was detected  MALWARE [PTsecurity] TrickBot.Spy SSL connection
PID 2208  E346.exe  A Network Trojan was detected  MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL Connection

All six alerts are attributed to E346.exe and match on the TLS handshake of its only 443 session, the one to 185.205.210.121 (the server certificate is on the abuse.ch and PT Security blacklists); none of the plaintext HTTP requests triggered a rule.
3 ETPRO signatures available at the full report
No debug info