analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

index.html

Full analysis: https://app.any.run/tasks/5b8eb82f-c556-462b-a8d9-59788ffebc88
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 06:24:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
qealler
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5:

17F48AFE2C07E1D916992B182D7B3025

SHA1:

A7880ACB112A2CADCE3329F8AF2FA550BA45256B

SHA256:

A2C344B1BACA8CA3F156EC86DD0911D7D1244C665BE5A02E16CA8E88CA79A9A7

SSDEEP:

12288:h0x60KjkZRDwaC6NHDh+aSucBEGdRUl4BmnY:O/DtRNHDd2awS4BWY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 2856)

    • QEALLER was detected

      • javaw.exe (PID: 2728)

    • Actions looks like stealing of personal data

      • javaw.exe (PID: 2728)

    • Loads dropped or rewritten executable

      • javaw.exe (PID: 2728)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • cmd.exe (PID: 2856)

    • Creates files in the user directory

      • javaw.exe (PID: 2728)
      • powershell.exe (PID: 2472)

    • Executable content was dropped or overwritten

      • javaw.exe (PID: 2728)

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 2728)

  • INFO

    • Manual execution by user

      • chrome.exe (PID: 4052)

    • Reads settings of System Certificates

      • chrome.exe (PID: 2900)

    • Reads the hosts file

      • chrome.exe (PID: 4052)
      • chrome.exe (PID: 2900)

    • Application launched itself

      • chrome.exe (PID: 4052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: META-INF/MANIFEST.MF
ZipUncompressedSize: 83
ZipCompressedSize: 81
ZipCRC: 0x61b930f3
ZipModifyDate: 2020:10:19 08:34:06
ZipCompression: Deflated
ZipBitFlag: 0x0808
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
14
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #QEALLER javaw.exe cmd.exe no specs chcp.com no specs powershell.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2728"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\index.html.zip"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
explorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
2856cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -C:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1936chcp 1252 C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2472powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4052"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3884"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6c84a9d0,0x6c84a9e0,0x6c84a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3844"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=4048 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3200"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,16057527522403655075,8523565896663574745,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=16737065730175830183 --mojo-platform-channel-handle=1036 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
2900"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,16057527522403655075,8523565896663574745,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=10458130486418675019 --mojo-platform-channel-handle=1636 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3556"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,16057527522403655075,8523565896663574745,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=4498086146686510451 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
Total events
744
Read events
657
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
13
Text files
44
Unknown types
1

Dropped files

PID
Process
Filename
Type
2728javaw.exeC:\Users\admin\AppData\Local\Temp\tmp403855395666\4038554104576821087638985595011.tmp
MD5:
SHA256:
2472powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OEERIDCA587V2CTG1ZZW.temp
MD5:
SHA256:
4052chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F8E82EE-FD4.pma
MD5:
SHA256:
4052chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\95de6182-1912-44ad-b71f-a031ea2358a3.tmp
MD5:
SHA256:
2472powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:D6EE8C34E4C28999F00E385C8808E7DE
SHA256:39D598C410E9903C046FC3390F746643C2FDADA6A544E378311F5DC2EA26DFCB
2728javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:D4909A7B2D7E437EAF18D411DA835E5B
SHA256:10F56572730332673CD2BA9B9E53295C7AB1C4DE8356EF71B79113BA18A099CB
4052chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:1C97B70A4BAD7C026F79467C7D496AFA
SHA256:C5A02E4984DE3F30DADFC0A89A93F45418C06653C3962EAA94C93909E51D272D
2728javaw.exeC:\Users\admin\AppData\Local\Temp\sqlite-3.8.11.2-afdc2d74-0c52-4b61-9761-94f3942bbacd-sqlitejdbc.dllexecutable
MD5:A4E510D903F05892D77741C5F4D95B5D
SHA256:A3FBDF4FBDF56AC6A2EBEB4C131C5682F2E2EADABC758CFE645989C311648506
4052chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF2e1608.TMPtext
MD5:FB5B20517A0D1F7DAD485989565BEE5E
SHA256:99405F66EDBEB2306F4D0B4469DCADFF5293B5E1549C588CCFACEA439BB3B101
4052chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
22
DNS requests
8
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2900
chrome.exe
172.217.22.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2900
chrome.exe
172.217.22.67:443
fonts.gstatic.com
Google Inc.
US
whitelisted
2900
chrome.exe
216.58.212.170:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2728
javaw.exe
179.43.141.91:80
Private Layer INC
CH
malicious
2900
chrome.exe
172.217.23.99:443
www.gstatic.com
Google Inc.
US
whitelisted
2900
chrome.exe
216.58.206.4:443
www.google.com
Google Inc.
US
whitelisted
2900
chrome.exe
216.58.207.77:443
accounts.google.com
Google Inc.
US
whitelisted
2900
chrome.exe
216.58.210.14:443
apis.google.com
Google Inc.
US
whitelisted
2900
chrome.exe
172.217.21.238:443
ogs.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.22.99
whitelisted
accounts.google.com
  • 216.58.207.77
shared
www.google.com
  • 216.58.206.4
whitelisted
fonts.googleapis.com
  • 216.58.212.170
whitelisted
www.gstatic.com
  • 172.217.23.99
whitelisted
fonts.gstatic.com
  • 172.217.22.67
whitelisted
apis.google.com
  • 216.58.210.14
whitelisted
ogs.google.com
  • 172.217.21.238
whitelisted

Threats

PID
Process
Class
Message
2728
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
2728
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
2728
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
2728
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
2728
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
2728
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
2728
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
2728
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
2728
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
2728
javaw.exe
A Network Trojan was detected
STEALER [PTsecurity] Pyrogenic.Qealler
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
index.html