URL: | https://web.utorrent.com/update/ |
Full analysis: | https://app.any.run/tasks/445c8cd6-92c5-45b5-b900-ac70bfd31189 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | May 20, 2019, 09:45:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | AF35A32133F35D8F5C0D93DBCE07B233 |
SHA1: | 467E30D1FA8094BFB564060BD19B8D1AD09D9A30 |
SHA256: | A23BC55FC4CEA6EDEC8239496F40B566E722FC822BA3E3879150120AC00359FE |
SSDEEP: | 3:N8RERKORLKUmK:2SBRL39 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2568 | "C:\Program Files\Opera\opera.exe" https://web.utorrent.com/update/ | C:\Program Files\Opera\opera.exe | — | explorer.exe |
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Version: 1748 | ||||
3496 | "C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\utweb_installer.exe" | C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\utweb_installer.exe | — | opera.exe |
User: admin Company: BitTorrent, Inc. Integrity Level: MEDIUM Description: uTorrent Web Exit code: 0 Version: 0.22.0.1094 | ||||
2128 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zS8AD21014\installer.exe | — | utweb_installer.exe |
User: admin Company: adaware Integrity Level: MEDIUM Description: uTorrent Web Exit code: 0 Version: 2.8.3.1680 | ||||
2744 | "C:\Users\admin\AppData\Local\Temp\7zS8AD21014\GenericSetup.exe" C:\Users\admin\AppData\Local\Temp\7zS8AD21014\GenericSetup.exe | C:\Users\admin\AppData\Local\Temp\7zS8AD21014\GenericSetup.exe | — | installer.exe |
User: admin Company: adaware Integrity Level: HIGH Description: uTorrent Web Exit code: 0 Version: 2.8.3.1680 | ||||
2572 | "C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\7zS8AD21014\Carrier.exe" /S " | C:\Windows\system32\cmd.exe | — | GenericSetup.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2524 | "C:\Users\admin\AppData\Local\Temp\7zS8AD21014\Carrier.exe" /S | C:\Users\admin\AppData\Local\Temp\7zS8AD21014\Carrier.exe | — | cmd.exe |
User: admin Company: BitTorrent, Inc. Integrity Level: HIGH Description: uTorrent Web Exit code: 0 Version: 0.22.0.1094 | ||||
2424 | "C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\bwmnhjdu.34f.exe" --silent --otd="utm.medium:pb,utm.source:lavasoft,utm.campaign:VSW_Opera_5b9825e398faa4986df2423f"" | C:\Windows\system32\cmd.exe | — | GenericSetup.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2304 | "C:\Users\admin\AppData\Local\Temp\bwmnhjdu.34f.exe" --silent --otd="utm.medium:pb,utm.source:lavasoft,utm.campaign:VSW_Opera_5b9825e398faa4986df2423f" | C:\Users\admin\AppData\Local\Temp\bwmnhjdu.34f.exe | — | cmd.exe |
User: admin Company: Opera Software Integrity Level: HIGH Description: Opera Installer Exit code: 0 Version: 60.0.3255.95 | ||||
2748 | C:\Users\admin\AppData\Local\Temp\bwmnhjdu.34f.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=60.0.3255.95 --initial-client-data=0xdc,0xe4,0xe8,0xe0,0xec,0x6650ce60,0x6650ce70,0x6650ce7c | C:\Users\admin\AppData\Local\Temp\bwmnhjdu.34f.exe | — | bwmnhjdu.34f.exe |
User: admin Company: Opera Software Integrity Level: HIGH Description: Opera Installer Exit code: 0 Version: 60.0.3255.95 | ||||
3876 | "C:\Users\admin\AppData\Local\Temp\Opera Installer Temp\bwmnhjdu.34f.exe" --version | C:\Users\admin\AppData\Local\Temp\Opera Installer Temp\bwmnhjdu.34f.exe | — | bwmnhjdu.34f.exe |
User: admin Company: Opera Software Integrity Level: HIGH Description: Opera Installer Exit code: 0 Version: 60.0.3255.95 | ||||
PID | Process | Filename | Type | |
---|---|---|---|---|
2568 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr3897.tmp | — | |
MD5:— | SHA256:— | |||
2568 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr38A8.tmp | — | |
MD5:— | SHA256:— | |||
2568 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr38F7.tmp | — | |
MD5:— | SHA256:— | |||
2568 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp | — | |
MD5:— | SHA256:— | |||
2568 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TPU5LYQP5UV6Q3WZ4RGA.temp | — | |
MD5:— | SHA256:— | |||
2568 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr476F.tmp | — | |
MD5:— | SHA256:— | |||
2568 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr5981.tmp | — | |
MD5:— | SHA256:— | |||
2568 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | |
MD5:BE40B5A7AEF8C167271602A2B49D4E31 | SHA256:22755800E796F0A02D002FFAA541C2043737DD190A8CEFC109AC143FBF5F4A13 | |||
2568 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | |
MD5:A6FCF1A2844A8002E20BA5B82E0158C0 | SHA256:81102B5C66BC043AB6994FB8ABF4250524937FFC021481156CD4A3CC7169338C | |||
2568 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\icons\web.utorrent.com.idx | text | |
MD5:014A8807E42CF41B059F255E9868426A | SHA256:E8382A5B0E809565BB78CED0FFC15DC2DDC823D995ACE5F0FC7388904BDBF911 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2568 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 543 b | whitelisted |
2568 | opera.exe | GET | 200 | 93.184.220.29:80 | http://status.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSFvn094QJ%2BcWGTwWWEy%2BBXPZkW8AQUo8heZVTlMHjBBeoHCmpZzLn%2B3loCEAp5FymMEbmBiJidWot7PQs%3D | US | der | 471 b | whitelisted |
2568 | opera.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEBQZr8DeSFN%2FkpmVCws6msc%3D | US | der | 471 b | whitelisted |
2568 | opera.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDJ%2BbiZYJROiISCOfH68sRM%3D | US | der | 471 b | whitelisted |
2568 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 581 b | whitelisted |
2568 | opera.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEFGEgT%2BxPPudtuEfsn%2FMzeM%3D | US | der | 471 b | whitelisted |
2568 | opera.exe | GET | 200 | 151.139.128.14:80 | http://crl.usertrust.com/AddTrustExternalCARoot.crl | US | der | 673 b | whitelisted |
2568 | opera.exe | GET | 200 | 172.217.16.131:80 | http://crl.pki.goog/gsr2/gsr2.crl | US | der | 546 b | whitelisted |
2568 | opera.exe | GET | 200 | 151.139.128.14:80 | http://crl.comodoca.com/COMODORSACertificationAuthority.crl | US | der | 812 b | whitelisted |
2568 | opera.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEB80oLaeU1vhpYbVfJsgxYg%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2568 | opera.exe | 205.185.208.52:443 | code.jquery.com | Highwinds Network Group, Inc. | US | unknown |
2568 | opera.exe | 185.26.182.112:443 | sitecheck2.opera.com | Opera Software AS | — | malicious |
2568 | opera.exe | 93.184.220.29:80 | crl3.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2568 | opera.exe | 209.197.3.15:443 | netdna.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted |
2568 | opera.exe | 54.230.93.234:443 | web.utorrent.com | Amazon.com, Inc. | US | unknown |
2568 | opera.exe | 185.26.182.94:443 | sitecheck2.opera.com | Opera Software AS | — | whitelisted |
2568 | opera.exe | 185.26.182.93:443 | sitecheck2.opera.com | Opera Software AS | — | whitelisted |
2568 | opera.exe | 87.248.222.180:443 | www.utorrent.com | Limelight Networks, Inc. | IT | suspicious |
2568 | opera.exe | 104.19.196.151:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | shared |
2568 | opera.exe | 172.217.22.74:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
web.utorrent.com | | shared |
sitecheck2.opera.com | | whitelisted |
certs.opera.com | | whitelisted |
crl3.digicert.com | | whitelisted |
status.thawte.com | | whitelisted |
crl4.digicert.com | | whitelisted |
www.utorrent.com | | whitelisted |
netdna.bootstrapcdn.com | | whitelisted |
code.jquery.com | | whitelisted |
fonts.googleapis.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2128 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
2744 | GenericSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2744 | GenericSetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2744 | GenericSetup.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2524 | Carrier.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers |
2524 | Carrier.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers |
2744 | GenericSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2744 | GenericSetup.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2744 | GenericSetup.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
— | — | Potential Corporate Privacy Violation | ET P2P BitTorrent DHT ping request |
Process | Message |
---|---|
WebCompanionInstaller.exe | Detecting windows culture |
WebCompanionInstaller.exe | 5/20/2019 10:46:44 AM :-> Starting installer 4.7.1987.3881 with: .\WebCompanionInstaller.exe --partner=BT171001 --version=4.7.1987.3881 --prod --silent --homepage=1 --search=1 --partner=BT171001, Run as admin: True |
WebCompanionInstaller.exe | Preparing for installing Web Companion |
WebCompanionInstaller.exe | 5/20/2019 10:46:46 AM :-> Generating Machine and Install Id ... |
WebCompanionInstaller.exe | 5/20/2019 10:46:46 AM :-> Machine Id and Install Id has been generated |
WebCompanionInstaller.exe | 5/20/2019 10:46:46 AM :-> Checking prerequisites ... |
WebCompanionInstaller.exe | 5/20/2019 10:46:46 AM :-> Antivirus not detected |
WebCompanionInstaller.exe | 5/20/2019 10:46:46 AM :-> vm_check False |
WebCompanionInstaller.exe | 5/20/2019 10:46:46 AM :-> reg_check :False |
WebCompanionInstaller.exe | 5/20/2019 10:46:46 AM :-> Installed .Net framework is V40 |