analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

uc

Full analysis: https://app.any.run/tasks/7f5bce66-806c-49bb-a7d0-27180e13e863
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: March 21, 2019, 22:10:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
dunihi
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

7EBB32D2A02E8CA090B9FFD527549AFC

SHA1:

A365454CD89CAB4513854AD99C87FE7FC91DC197

SHA256:

A2AC417D211E662B4A6FD673D07C7132AFA2D2A16845DB5C184B9D57AFB0F681

SSDEEP:

384:8APfjN7lRGKyczjz6QML5jXhfTOx5F22Rapo450IYXY/d2F8cYvTpN+XoMf:fBKFcz691D1Cx5F2IqoujYXQdCtBXXf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • WScript.exe (PID: 1528)
      • wscript.exe (PID: 596)
      • wscript.exe (PID: 2564)

    • Changes the autorun value in the registry

      • WScript.exe (PID: 1528)
      • wscript.exe (PID: 596)
      • wscript.exe (PID: 2564)

    • Connects to CnC server

      • wscript.exe (PID: 2564)

    • DUNIHI was detected

      • wscript.exe (PID: 2564)

  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 1476)
      • WScript.exe (PID: 1528)
      • wscript.exe (PID: 2564)

    • Creates files in the user directory

      • wscript.exe (PID: 596)
      • WScript.exe (PID: 1528)

    • Application launched itself

      • WScript.exe (PID: 1528)
      • wscript.exe (PID: 2564)

    • Connects to unusual port

      • wscript.exe (PID: 596)
      • wscript.exe (PID: 2564)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 23358
UncompressedSize: 57017
OperatingSystem: Win32
ModifyDate: 2019:03:21 10:55:26
PackingMethod: Normal
ArchivedFileName: copia en PDF del ESTADO N? 11 del 21 de marzo del 2019.vbs
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe wscript.exe #DUNIHI wscript.exe wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1476"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\uc.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1528"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa1476.23892\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbs" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
596"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2564"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3116"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbs"C:\Windows\System32\wscript.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
Total events
906
Read events
822
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
1528WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbstext
MD5:CEDB78992E3A99781FDC4B91A5C99CD5
SHA256:55011FC8CE7CA9E7D72ACAB2C343C01D3FE89347DE8256EA19662580FF73BFDD
1528WScript.exeC:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbstext
MD5:263C3F70EA71860CAEB502ED9614DE92
SHA256:DEC8AF07250D4C8D7FDA51EBF825EF282225F946CEC113BDD4E98F313DAF1CB7
596wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hiPtwUXMlP.vbstext
MD5:263C3F70EA71860CAEB502ED9614DE92
SHA256:DEC8AF07250D4C8D7FDA51EBF825EF282225F946CEC113BDD4E98F313DAF1CB7
2564wscript.exeC:\Users\admin\AppData\Roaming\hiPtwUXMlP.vbstext
MD5:263C3F70EA71860CAEB502ED9614DE92
SHA256:DEC8AF07250D4C8D7FDA51EBF825EF282225F946CEC113BDD4E98F313DAF1CB7
1476WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa1476.23892\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbstext
MD5:CEDB78992E3A99781FDC4B91A5C99CD5
SHA256:55011FC8CE7CA9E7D72ACAB2C343C01D3FE89347DE8256EA19662580FF73BFDD
1528WScript.exeC:\Users\admin\AppData\Local\Temp\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbstext
MD5:CEDB78992E3A99781FDC4B91A5C99CD5
SHA256:55011FC8CE7CA9E7D72ACAB2C343C01D3FE89347DE8256EA19662580FF73BFDD
2564wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\copia en PDF del ESTADO Nº 11 del 21 de marzo del 2019.vbstext
MD5:CEDB78992E3A99781FDC4B91A5C99CD5
SHA256:55011FC8CE7CA9E7D72ACAB2C343C01D3FE89347DE8256EA19662580FF73BFDD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
17
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2564
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2564
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2564
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2564
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2564
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2564
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2564
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2564
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
2564
wscript.exe
POST
200
186.85.86.77:2012
http://marzo12.duckdns.org:2012/is-ready
CO
text
12 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2564
wscript.exe
186.85.86.77:2012
marzo12.duckdns.org
Telmex Colombia S.A.
CO
malicious
596
wscript.exe
194.5.98.150:7789
brothersjoy.nl
FR
malicious

DNS requests

Domain
IP
Reputation
marzo12.duckdns.org
  • 186.85.86.77
malicious
brothersjoy.nl
  • 194.5.98.150
unknown

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2564
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2564
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2564
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
2564
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2564
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2564
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
2564
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2564
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2564
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
uc