analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

libya_ncb.zip

Full analysis: https://app.any.run/tasks/e99a9af2-474d-4d6c-aac9-5a5b90970c71
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 21, 2019, 10:37:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

FE10BFC59A2D9C9335B3FD2BC8B898B4

SHA1:

04667F8993C2386807CB7B56B7A49C84B3D12FBA

SHA256:

A2B0BA375685973B7CF998EA385CD9E7B37C145D963E74E377B223D6541A09D7

SSDEEP:

12288:AYsCurbHN9fzNwGo0QYT2FBn9l2Kds/TjMgoGjp6LWuQSYN3HZvFu5f:wXbHN9fCG2umsZoGjp6w3HZg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • gioreygeyg8.exe (PID: 3820)
      • libya_wolrd.exe (PID: 2296)
      • libya_wolrd.exe (PID: 2736)
      • gioreygeyg8.exe (PID: 1672)
    • Stealing of credential data

      • gioreygeyg8.exe (PID: 3820)
    • Loads dropped or rewritten executable

      • gioreygeyg8.exe (PID: 3820)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • libya_wolrd.exe (PID: 2296)
      • WinRAR.exe (PID: 3580)
    • Loads DLL from Mozilla Firefox

      • gioreygeyg8.exe (PID: 3820)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:03:17 22:07:17
ZipCRC: 0x49581772
ZipCompressedSize: 637032
ZipUncompressedSize: 696320
ZipFileName: libya_wolrd.exe
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start winrar.exe libya_wolrd.exe gioreygeyg8.exe libya_wolrd.exe no specs gioreygeyg8.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3580"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\libya_ncb.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2296"C:\Users\admin\AppData\Local\Temp\Rar$EXa3580.17750\libya_wolrd.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3580.17750\libya_wolrd.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
0.0.0.0
3820"C:\Users\admin\AppData\Local\Temp\gioreygeyg8.exe"C:\Users\admin\AppData\Local\Temp\gioreygeyg8.exe
libya_wolrd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
system_bank_libya
Exit code:
0
Version:
11.1.3.522
2736"C:\Users\admin\AppData\Local\Temp\Rar$EXa3580.19147\libya_wolrd.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3580.19147\libya_wolrd.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
1672"C:\Users\admin\AppData\Local\Temp\gioreygeyg8.exe"C:\Users\admin\AppData\Local\Temp\gioreygeyg8.exelibya_wolrd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
system_bank_libya
Exit code:
1
Version:
11.1.3.522
Total events
503
Read events
479
Write events
24
Delete events
0

Modification events

(PID) Process:(3580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3580) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\libya_ncb.zip
(PID) Process:(3580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3580) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
4
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3820gioreygeyg8.exeC:\Users\admin\AppData\Local\Temp\854381223.syssqlite
MD5:7ED7E7FFE1DC4EAAEE2EDAFDD4815A47
SHA256:BD7D82BAB01903699A91783F35D7E1EBF2BA8AEDC1023F09C0E6934B1B0651C3
3820gioreygeyg8.exeC:\Users\admin\AppData\Local\Temp\885381262.syssqlite
MD5:C394A5F8DD1C20D9E22FA71C8C15CD6F
SHA256:806949F008F012CF228BBE536809DB014C0CDE3C1F2A6DF1558BFAC19B088F22
3580WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3580.19147\libya_wolrd.exeexecutable
MD5:BB9745989C3C275057E5218CCE9712A0
SHA256:FF01F51B23AD25978843AF0015598C4AEF86B28A820446C60A553091EC00C6E2
2296libya_wolrd.exeC:\Users\admin\AppData\Local\Temp\sqlite3_x86.dllexecutable
MD5:49CC557CE7F4D60DB076C82E9279F6B2
SHA256:5223586153E70F15D846C24C4C8C2CAFCFBC97253F0978AD28DBC28C52035528
3580WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3580.17750\libya_wolrd.exeexecutable
MD5:BB9745989C3C275057E5218CCE9712A0
SHA256:FF01F51B23AD25978843AF0015598C4AEF86B28A820446C60A553091EC00C6E2
2296libya_wolrd.exeC:\Users\admin\AppData\Local\Temp\gioreygeyg8.exeexecutable
MD5:C75A661CFF1F4928DBBE8D7B998B991B
SHA256:D309359092628DD97F3329D5125D2F8A4CB7D2898F8DDD5FABECB11ED987E487
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3820
gioreygeyg8.exe
POST
200
142.11.193.208:80
http://tarhona-libya.com/loro_4.php
US
malicious
3820
gioreygeyg8.exe
POST
200
142.11.193.208:80
http://tarhona-libya.com/loro_4.php
US
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3820
gioreygeyg8.exe
142.11.193.208:80
tarhona-libya.com
Hostwinds LLC.
US
malicious

DNS requests

Domain
IP
Reputation
tarhona-libya.com
  • 142.11.193.208
unknown

Threats

No threats detected
No debug info