File name: Order No.179989.zip

Full analysis: https://app.any.run/tasks/214a4e57-613b-40f9-b211-aa4bcc92da6a
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: September 30, 2020, 11:25:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, remcos, keylogger
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: E3C0DB42AF6BBD5B7935281E542E1C4D
SHA1: D5F1545A674249A1616F86B3F2C5EDDF12DEB3BD
SHA256: 92B35206BEE9013D26927B885DA16E9DB7C89D91268BC9727AF2796FA79466D8
SSDEEP: 6144:U8t2rj9msp8k0+VAfpEA8fP8Bo8lK1LGK4Dw9MsorLZwacOLOq3lIz+5DQ7QLf0u:oAmE2AfyNfLuDw9MXhwO13C9vMdE6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Order No.179989.exe (PID: 3828)
    • Changes the autorun value in the registry
      • Order No.179989.exe (PID: 3828)
    • REMCOS was detected
      • TapiUnattend.exe (PID: 3416)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2756)
      • Order No.179989.exe (PID: 3828)
    • Reads Internet Cache Settings
      • Order No.179989.exe (PID: 3828)
    • Creates files in the user directory
      • TapiUnattend.exe (PID: 3416)
    • Writes files like Keylogger logs
      • TapiUnattend.exe (PID: 3416)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD:
  • .zip | ZIP compressed archive (100)

EXIF (ZIP):
  • ZipFileName: Order No.179989.exe
  • ZipUncompressedSize: 938496
  • ZipCompressedSize: 401703
  • ZipCRC: 0x137e6c80
  • ZipModifyDate: 2020:09:30 09:01:02
  • ZipCompression: Deflated
  • ZipBitFlag: -
  • ZipRequiredVersion: 20
No data.
Total processes: 36
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph

winrar.exe -> (drop and start) order no.179989.exe -> (start) tapiunattend.exe [#REMCOS]

Process information

PID 2756: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Order No.179989.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3828: Order No.179989.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2756.1743\Order No.179989.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2756.1743\Order No.179989.exe
  Parent process: WinRAR.exe
  User: admin
  Company: T__23839c0U
  Integrity Level: MEDIUM
  Description: T__23839c0U
  Exit code: 0
  Version: 20.0.14.1085

PID 3416: TapiUnattend.exe
  CMD: C:\Windows\System32\TapiUnattend.exe
  Path: C:\Windows\System32\TapiUnattend.exe
  Parent process: Order No.179989.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft® Windows(TM) Telephony Unattend Action
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 470
Read events: 445
Write events: 25
Delete events: 0

Modification events

  • PID 2756 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
  • PID 2756 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
  • PID 2756 (WinRAR.exe) | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
  • PID 2756 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Order No.179989.zip
  • PID 2756 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
  • PID 2756 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
  • PID 2756 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
  • PID 2756 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
  • PID 2756 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 0
  • PID 2756 (WinRAR.exe) | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 1
Executable files: 2
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

  • PID 3828 (Order No.179989.exe) | C:\Users\admin\AppData\Local\wwyJ.url | Type: text
      MD5: D8C143A43C7BED65D5E12B7C1A6EC25D
      SHA256: 9668E0D709E7962704AC0B84909D9F173CA8E1A3CD3E9F93E1E12C24A15AB9B0
  • PID 2756 (WinRAR.exe) | C:\Users\admin\AppData\Local\Temp\Rar$EXa2756.1743\Order No.179989.exe | Type: executable
      MD5: A49FA085310219916988F86F3CE69957
      SHA256: 6248E588A8555FA3F30478A577F16A2823C16277EF4E1D7EF7A4C44499F2B211
  • PID 3828 (Order No.179989.exe) | C:\Users\admin\AppData\Local\Microsoft\Windows\Jywwnek.exe | Type: executable
      MD5: A49FA085310219916988F86F3CE69957
      SHA256: 6248E588A8555FA3F30478A577F16A2823C16277EF4E1D7EF7A4C44499F2B211
  • PID 3416 (TapiUnattend.exe) | C:\Users\admin\AppData\Roaming\remcos\logs.dat | Type: text
      MD5: 8B9AB10461D9079FCF619714A4023632
      SHA256: D5C162083CD3C7E86240D7FBE47F32020059B074A3301941E81AE0B91083CC09
HTTP(S) requests: 0
TCP/UDP connections: 54
DNS requests: 7
Threats: 0

HTTP requests

No HTTP requests

Connections

  • PID 3828 (Order No.179989.exe) | IP: 2.21.38.54:443 | Domain: www.microsoft.com | ASN: GTT Communications Inc. | CN: FR | Reputation: malicious
  • PID 3828 (Order No.179989.exe) | IP: 162.159.134.233:443 | Domain: cdn.discordapp.com | ASN: Cloudflare Inc | Reputation: shared
  • PID 3416 (TapiUnattend.exe) | IP: 79.134.225.83:8638 | Domain: incidencias6645.ddns.net | ASN: Andreas Fink trading as Fink Telecom Services | CN: CH | Reputation: malicious
  • IP: 79.134.225.83:8638 | Domain: incidencias6645.ddns.net | ASN: Andreas Fink trading as Fink Telecom Services | CN: CH | Reputation: malicious

DNS requests

  • www.microsoft.com | IP: 2.21.38.54 | Reputation: whitelisted
  • cdn.discordapp.com | IP: 162.159.134.233, 162.159.129.233, 162.159.133.233, 162.159.135.233, 162.159.130.233 | Reputation: shared
  • incidencias6645.ddns.net | IP: 79.134.225.83 | Reputation: malicious

Threats

  • Class: Potentially Bad Traffic | Message: ET POLICY DNS Query to DynDNS Domain *.ddns .net
  • Class: Potentially Bad Traffic | Message: ET POLICY DNS Query to DynDNS Domain *.ddns .net
  • Class: Potentially Bad Traffic | Message: ET POLICY DNS Query to DynDNS Domain *.ddns .net
  • Class: Potentially Bad Traffic | Message: ET POLICY DNS Query to DynDNS Domain *.ddns .net
  • Class: Potentially Bad Traffic | Message: ET POLICY DNS Query to DynDNS Domain *.ddns .net
No debug info