File name: | Bitcoin Miner v 3.2.1 BY RH.zip |
Full analysis: | https://app.any.run/tasks/61254b6d-3280-4acf-b8e5-0ed3e167a5e7 |
Verdict: | Malicious activity |
Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
Analysis date: | August 08, 2020, 21:06:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 8C16015FEF9B20FDE99881D35AC966F1 |
SHA1: | 8417DBAA2D9B01B348B9F08C173ECD80D8D91E04 |
SHA256: | 9B84D6E343EA589448066ABB6593696EB7476298531DD3A0A7FB67AE00B461AB |
SSDEEP: | 98304:4yhMH0vBFjNmogGRQ/KjP7LXWL6vaqmAlRjece:/v3ko8/KnnvxmAvjfe |
.zip | ZIP compressed archive (100) |
ZipRequiredVersion: | 20 |
ZipBitFlag: | 0x0009 |
ZipCompression: | Unknown (99) |
ZipModifyDate: | 2020:06:13 10:46:18 |
ZipCRC: | 0x1601833c |
ZipCompressedSize: | 3210830 |
ZipUncompressedSize: | 3703296 |
ZipFileName: | Bitcoin Miner v 3.2.1 BY RH.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2952 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Bitcoin Miner v 3.2.1 BY RH.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
1064 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2952.18375\Bitcoin Miner v 3.2.1 BY RH.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2952.18375\Bitcoin Miner v 3.2.1 BY RH.exe | — | WinRAR.exe |
User: admin; Company: Thai Kedmanee Keyboard Layout; Integrity Level: MEDIUM; Description: Упаковщик объектов2; Exit code: 0; Version: 2.3.6.2 |
2508 | C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\fdWCN.exe | C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\fdWCN.exe | — | Bitcoin Miner v 3.2.1 BY RH.exe |
User: admin; Company: Thai Kedmanee Keyboard Layout; Integrity Level: MEDIUM; Description: Упаковщик объектов2; Version: 2.3.6.2 |
3812 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIb2952.19427\RedME.txt | C:\Windows\system32\NOTEPAD.EXE | — | WinRAR.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3084 | C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\fdWCN.module.exe a -y -mx9 -ssw "C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\ENU_6887FE9730D2535E9D41.7z" "C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\ABC\*" | C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\fdWCN.module.exe | — | fdWCN.exe |
User: admin; Company: Igor Pavlov; Integrity Level: MEDIUM; Description: 7-Zip Reduced Standalone Console; Exit code: 0; Version: 16.04 |
2256 | C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\fdWCN.exe | C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\fdWCN.exe | — | fdWCN.exe |
User: admin; Company: Thai Kedmanee Keyboard Layout; Integrity Level: MEDIUM; Description: Упаковщик объектов2; Exit code: 0; Version: 2.3.6.2 |
1376 | attrib +s +h "C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools" | C:\Windows\system32\attrib.exe | — | fdWCN.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process | Key | Operation | Name | Value |
---|---|---|---|---|
(2952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
(2952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
(2952) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\137\52C64B7E | write | LanguageList | en-US |
(2952) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\137\52C64B7E | write | @C:\Windows\system32\NetworkExplorer.dll,-1 | Network |
(2952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Bitcoin Miner v 3.2.1 BY RH.zip |
(2952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
(2952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
(2952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
(2952) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
(2952) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\137\52C64B7E | write | @C:\Windows\system32\notepad.exe,-469 | Text Document |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1064 | Bitcoin Miner v 3.2.1 BY RH.exe | C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\ENU_6887FE9730D2535E9D41 | — | — | — |
2508 | fdWCN.exe | C:\Users\admin\AppData\Local\Temp\autC20E.tmp | — | — | — |
2508 | fdWCN.exe | C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\fdWCN.sqlite3.module.dll.6 | — | — | — |
2508 | fdWCN.exe | C:\Users\admin\AppData\Local\Temp\autC357.tmp | — | — | — |
2508 | fdWCN.exe | C:\Users\admin\AppData\Local\Temp\CabECAA.tmp | — | — | — |
2508 | fdWCN.exe | C:\Users\admin\AppData\Local\Temp\TarECAB.tmp | — | — | — |
2508 | fdWCN.exe | C:\Users\admin\AppData\Local\Temp\autEDC5.tmp | — | — | — |
2508 | fdWCN.exe | C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\fdWCN.module.exe.6 | — | — | — |
2508 | fdWCN.exe | C:\Users\admin\AppData\Roaming\msil_system.diagnostics.tools\fdWCN.module.exe | — | — | — |
2952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2952.19427\RedME.txt | text | 1EC73A5917A951E3F57199695663B6FE | CBD8FA3DD3E04371D9ADF42E11BF60FB0DC2C0B860DEEC8ADAB842B5A6E4B812 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2256 | fdWCN.exe | CONNECT | — | 109.94.211.86:29842 | http://api.telegram.org:443 | unknown | — | — | malicious |
2256 | fdWCN.exe | CONNECT | — | 109.94.211.86:29842 | http://api.telegram.org:443 | unknown | — | — | malicious |
2256 | fdWCN.exe | CONNECT | — | 109.94.211.86:29842 | http://api.telegram.org:443 | unknown | — | — | malicious |
2256 | fdWCN.exe | CONNECT | — | 109.94.211.86:29842 | http://api.telegram.org:443 | unknown | — | — | malicious |
2508 | fdWCN.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAjZnPAxupDjcH%2BcL4VB1TQ%3D | US | der | 280 b | whitelisted |
2508 | fdWCN.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 109.94.211.86:29842 | — | — | — | malicious |
2508 | fdWCN.exe | 104.26.9.44:443 | ipapi.co | Cloudflare Inc | US | malicious |
2256 | fdWCN.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger LLP | GB | malicious |
— | — | 149.154.167.220:443 | api.telegram.org | Telegram Messenger LLP | GB | malicious |
2508 | fdWCN.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2256 | fdWCN.exe | 109.94.211.86:29842 | — | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
ipapi.co | | shared |
ocsp.digicert.com | | whitelisted |
api.telegram.org | | shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup) |
2256 | fdWCN.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2256 | fdWCN.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
2256 | fdWCN.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
2256 | fdWCN.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2256 | fdWCN.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
2256 | fdWCN.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |