File name:	oftendesignpro.zip
Full analysis:	https://app.any.run/tasks/e1ddd498-78ba-4a32-9cd8-9d0d54ccb44e
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system. PureLogs is a stealer that collects a wide range of data from infected systems, including browser data, crypto wallets, PC configuration details, etc. It is delivered by PureCrypter, another malware that belongs to the Pure malware family. PureLogs is distributed based on a subscription model, allowing any threat actor to utilize it in their attacks. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 09, 2024, 05:45:24
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec opendir rat asyncrat remote stealer purecrypter netreactor purelogs exfiltration purehvnc
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	E5F783E5D5924CA35B54BEAB212DFD4B
SHA1:	BF53426BEE1D8F4D087ECE7F270D1B0CAF4D2869
SHA256:	99A88D463CB08F6198DC45A3793EF0BDA999A314023EF2784C2CD6F5B937EC94
SSDEEP:	98304:uPNz/a1BxKIiYAiahaJYa0I3EcJmNCyW8KtVvGT+flHQjSBqZt15NnZC1H4kgfyR:6MQwrpMfFXPe

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:12:08 07:23:08
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	oftendesignpro/


(PID) Process:	(3532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(3532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(3532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(3532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\oftendesignpro.zip
(PID) Process:	(3532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3532) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4708) oftendesign.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oftendesign_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4708) oftendesign.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\oftendesign_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

PID	Process	Filename		Type
5572	oftendesignpropre.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\offtendesign.exe		executable
		MD5:85C8006A42A12B496E1A65E2198F0A49	SHA256:C3D81F54C4F75FF0A42B0DC356B323BEEFD945B6891C8F1C7FD83FD62084B4BF
5888	oftendesignpro.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\oftendesignpropre.exe		executable
		MD5:490864B581CFD93592B1D47E7C0B7C8F	SHA256:3DDEC7574B24A9D26A450C8CC725B347606FF33B9346A812D3012EB6F359D5F9
5888	oftendesignpro.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\everyonetechnollogyovlres.exe		executable
		MD5:1903D7D11D73AFA8DD27D21BF148FC2A	SHA256:389259EDAFB04ED410E74813E0378910C4EEC9CA066A9C4B3E9928AA50B18136
836	everyonetechnollogyovlres.exe	C:\Users\admin\AppData\Local\Temp\Tmp74D5.tmp		der
		MD5:CBC6B2AD4BF883EA7ECB41D8D86B0964	SHA256:C8844BA7CA7DF3C75532044792065C3D2B742C389FC9FA1A6E2776ED425917AF
4708	oftendesign.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvchost.vbs		text
		MD5:388B9D6488E0D6999A6F9D1DEC8DD729	SHA256:7404B936F50F23AD5D699072FD142DD23788F7CC7DDB164AC4CC67E8CDF0BA5B
4672	MpCmdRun.exe	C:\Users\admin\AppData\Local\Temp\MpCmdRun.log		text
		MD5:C08F5A10AC184375F5EC894711325F83	SHA256:6EBEBA252F79077F70D52A28FDEF7A2C30594C73911891EB5626E1CA062D9204
3532	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3532.45605\oftendesignpro.zip\oftendesignpro\oftendesignpro.exe		executable
		MD5:3A11B7A8FBF64B684369AEEA7CD08E17	SHA256:CCACAF0BD975EA2B7CB9E03986419EF04947ED39BFE3B18BAE3577A3890DDADA
5572	oftendesignpropre.exe	C:\Users\admin\AppData\Local\Temp\IXP001.TMP\oftendesign.exe		executable
		MD5:0F4BC1FB5D736A617A8733F62266945B	SHA256:C8222B9D3F4E6D8E2B9D9FC7A027BAC9D826572DA7F05ECC8AE8BA8E00F7CE91
4624	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xhakxo3r.4hk.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3532	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$VR3532.1763\Rar$Scan70966.bat		text
		MD5:F8DD588179F341A4F3B9B2759BDCF560	SHA256:9DCBFA62FA80DAD6B6F70EA485FA43E2E4F6EDEE216B9346517B63BBEF6DA94C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3220	svchost.exe	GET	200	2.20.245.138:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5208	RUXIMICS.exe	GET	200	2.20.245.138:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.20.245.138:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3220	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5208	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4708	oftendesign.exe	GET	200	185.226.181.36:80	http://185.226.181.36/count/Curbjjrrn.vdf	unknown	—	—	unknown
556	offtendesign.exe	GET	200	185.226.181.36:80	http://185.226.181.36/count/Rgfbp.vdf	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3220	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5208	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3220	svchost.exe	2.20.245.138:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
4712	MoUsoCoreWorker.exe	2.20.245.138:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
5208	RUXIMICS.exe	2.20.245.138:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
3220	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.185.78	whitelisted
crl.microsoft.com	2.20.245.138 2.20.245.137	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
self.events.data.microsoft.com	52.168.117.170	whitelisted

PID	Process	Class	Message
4136	InstallUtil.exe	Domain Observed Used for C2 Detected	ET MALWARE Generic AsyncRAT Style SSL Cert
4136	InstallUtil.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] AsyncRAT Successful Connection
4580	InstallUtil.exe	A Network Trojan was detected	LOADER [ANY.RUN] PureLogs Download Attempt (LOAD)
4580	InstallUtil.exe	A Network Trojan was detected	STEALER [ANY.RUN] PureLogs Stealer Exfiltration

General Info

oftendesignpro.zip

E5F783E5D5924CA35B54BEAB212DFD4B

BF53426BEE1D8F4D087ECE7F270D1B0CAF4D2869

99A88D463CB08F6198DC45A3793EF0BDA999A314023EF2784C2CD6F5B937EC94

98304:uPNz/a1BxKIiYAiahaJYa0I3EcJmNCyW8KtVvGT+flHQjSBqZt15NnZC1H4kgfyR:6MQwrpMfFXPe

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Antivirus name has been found in the command line (generic signature)

Create files in the Startup directory

PURECRYPTER has been detected (YARA)

ASYNCRAT has been detected (SURICATA)

Actions looks like stealing of personal data

PUREHVNC has been detected (YARA)

PURECRYPTER has been detected (SURICATA)

Connects to the CnC server

Steals credentials from Web Browsers

Scans artifacts that could help determine the target

PURELOGS has been detected (SURICATA)

SUSPICIOUS

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

Process drops legitimate windows executable

Connects to the server without a host name

Executing commands from a ".bat" file

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

The process creates files with name similar to system file names

Contacting a server suspected of hosting an CnC

Connects to unusual port

Removes files via Powershell

PowerShell delay command usage (probably sleep evasion)

Starts POWERSHELL.EXE for commands execution

INFO

Manual execution by a user

Checks supported languages

Reads the machine GUID from the registry

Create files in a temporary directory

Reads the computer name

Disables trace logs

Checks proxy server information

Executable content was dropped or overwritten

The process uses the downloaded file

.NET Reactor protector has been detected

Creates files or folders in the user directory

Reads the software policy settings

Reads Microsoft Office registry keys

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information