analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| download: | setup.zip |
| Full analysis: | https://app.any.run/tasks/7e88342e-9f8e-46c4-b01a-c6093cf3be4c |
| Verdict: | Malicious activity |
| Threats: | Predator, the Thief, is an information stealer, meaning that malware steals data from infected systems. This virus can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets. |
| Analysis date: | November 14, 2018, 16:20:48 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 48C7123DA4B7F1AEECF919467FE0D2F7 |
| SHA1: | 0FF98B5E4EBEA10BE2C18C559FB2412588E75360 |
| SHA256: | A53CD54469AB729DFBC0EBFB55989F207A3A4569181CDA8083984AE7D106D492 |
| SSDEEP: | 49152:9ImNufM7B8YBjvfOvM6WwxxX5GX3Eu0hAdPwi+:9HH1vzyMseEuwp |
MALICIOUS
Application was dropped or rewritten from another process
- setup.exe (PID: 3224)
- setup.exe (PID: 184)
- setup.exe (PID: 844)
- setup.exe (PID: 1764)
- setup.exe (PID: 2540)
- setup.exe (PID: 3344)
- setup.exe (PID: 884)
- setup.exe (PID: 2860)
- setup.exe (PID: 3148)
- setup.exe (PID: 2692)
- setup.exe (PID: 2248)
- setup.exe (PID: 2096)
- setup.exe (PID: 2944)
- setup.exe (PID: 1368)
- setup.exe (PID: 2616)
- setup.exe (PID: 3748)
- setup.exe (PID: 4092)
- setup.exe (PID: 1428)
- setup.exe (PID: 1308)
- setup.exe (PID: 2476)
- setup.exe (PID: 3032)
- setup.exe (PID: 3332)
- setup.exe (PID: 2648)
- setup.exe (PID: 3836)
- setup.exe (PID: 2280)
- setup.exe (PID: 256)
- setup.exe (PID: 1536)
- setup.exe (PID: 3420)
- setup.exe (PID: 2132)
- setup.exe (PID: 544)
- setup.exe (PID: 3684)
- setup.exe (PID: 1972)
- setup.exe (PID: 3560)
- setup.exe (PID: 3300)
- setup.exe (PID: 4060)
- setup.exe (PID: 904)
- setup.exe (PID: 2100)
- setup.exe (PID: 2224)
- setup.exe (PID: 3496)
- setup.exe (PID: 3468)
- setup.exe (PID: 3516)
- setup.exe (PID: 704)
- setup.exe (PID: 2652)
- setup.exe (PID: 1028)
- setup.exe (PID: 2700)
- setup.exe (PID: 2416)
- setup.exe (PID: 1484)
- setup.exe (PID: 2456)
- setup.exe (PID: 3740)
- setup.exe (PID: 640)
- setup.exe (PID: 312)
- setup.exe (PID: 3160)
- setup.exe (PID: 3164)
- setup.exe (PID: 3372)
- setup.exe (PID: 2196)
- setup.exe (PID: 3532)
- setup.exe (PID: 2572)
- setup.exe (PID: 2128)
- setup.exe (PID: 3524)
- setup.exe (PID: 1404)
- setup.exe (PID: 3076)
- setup.exe (PID: 1664)
- setup.exe (PID: 236)
- setup.exe (PID: 1416)
- setup.exe (PID: 2564)
- setup.exe (PID: 3720)
- setup.exe (PID: 3888)
- setup.exe (PID: 2060)
- setup.exe (PID: 1836)
- setup.exe (PID: 2496)
- setup.exe (PID: 2072)
- setup.exe (PID: 1020)
- setup.exe (PID: 3852)
- setup.exe (PID: 2964)
- setup.exe (PID: 1176)
- setup.exe (PID: 3000)
- setup.exe (PID: 3936)
- setup.exe (PID: 3912)
- setup.exe (PID: 1968)
- setup.exe (PID: 2776)
- setup.exe (PID: 2600)
- setup.exe (PID: 3776)
- setup.exe (PID: 3172)
- setup.exe (PID: 2372)
- setup.exe (PID: 2412)
- setup.exe (PID: 1460)
- setup.exe (PID: 124)
Loads dropped or rewritten executable
- SearchProtocolHost.exe (PID: 716)
Stealing of credential data
- setup.exe (PID: 3224)
- setup.exe (PID: 2540)
- setup.exe (PID: 4092)
- setup.exe (PID: 2692)
- setup.exe (PID: 844)
- setup.exe (PID: 3420)
- setup.exe (PID: 2860)
- setup.exe (PID: 2944)
- setup.exe (PID: 3148)
- setup.exe (PID: 3332)
- setup.exe (PID: 3684)
- setup.exe (PID: 2248)
- setup.exe (PID: 3560)
- setup.exe (PID: 4060)
- setup.exe (PID: 884)
- setup.exe (PID: 1416)
- setup.exe (PID: 2572)
- setup.exe (PID: 3516)
- setup.exe (PID: 1836)
- setup.exe (PID: 2096)
- setup.exe (PID: 640)
- setup.exe (PID: 2652)
- setup.exe (PID: 1020)
- setup.exe (PID: 3912)
- setup.exe (PID: 3720)
- setup.exe (PID: 2060)
- setup.exe (PID: 236)
- setup.exe (PID: 2416)
- setup.exe (PID: 3852)
- setup.exe (PID: 3300)
PREDATOR was detected
- setup.exe (PID: 3224)
- setup.exe (PID: 844)
- setup.exe (PID: 1764)
- setup.exe (PID: 3148)
- setup.exe (PID: 884)
- setup.exe (PID: 1368)
- setup.exe (PID: 4092)
- setup.exe (PID: 2096)
- setup.exe (PID: 2860)
- setup.exe (PID: 2648)
- setup.exe (PID: 2616)
- setup.exe (PID: 2476)
- setup.exe (PID: 3748)
- setup.exe (PID: 3032)
- setup.exe (PID: 3332)
- setup.exe (PID: 2944)
- setup.exe (PID: 3684)
- setup.exe (PID: 2280)
- setup.exe (PID: 1536)
- setup.exe (PID: 2132)
- setup.exe (PID: 3836)
- setup.exe (PID: 544)
- setup.exe (PID: 1836)
- setup.exe (PID: 3532)
- setup.exe (PID: 3420)
- setup.exe (PID: 2100)
- setup.exe (PID: 2572)
- setup.exe (PID: 2224)
- setup.exe (PID: 3000)
- setup.exe (PID: 3560)
- setup.exe (PID: 256)
- setup.exe (PID: 1416)
- setup.exe (PID: 4060)
- setup.exe (PID: 2496)
- setup.exe (PID: 3076)
- setup.exe (PID: 2776)
- setup.exe (PID: 2128)
- setup.exe (PID: 1176)
- setup.exe (PID: 640)
- setup.exe (PID: 2652)
- setup.exe (PID: 3160)
- setup.exe (PID: 3516)
- setup.exe (PID: 904)
- setup.exe (PID: 3468)
- setup.exe (PID: 3720)
- setup.exe (PID: 1972)
- setup.exe (PID: 2600)
- setup.exe (PID: 3936)
- setup.exe (PID: 3740)
- setup.exe (PID: 3164)
- setup.exe (PID: 2700)
- setup.exe (PID: 704)
- setup.exe (PID: 3852)
- setup.exe (PID: 3912)
- setup.exe (PID: 3524)
- setup.exe (PID: 236)
- setup.exe (PID: 1484)
- setup.exe (PID: 2564)
- setup.exe (PID: 1664)
Connects to CnC server
- setup.exe (PID: 3224)
- setup.exe (PID: 844)
- setup.exe (PID: 1764)
- setup.exe (PID: 3148)
- setup.exe (PID: 884)
- setup.exe (PID: 1368)
- setup.exe (PID: 2096)
- setup.exe (PID: 4092)
- setup.exe (PID: 2860)
- setup.exe (PID: 2648)
- setup.exe (PID: 2616)
- setup.exe (PID: 2476)
- setup.exe (PID: 3748)
- setup.exe (PID: 3032)
- setup.exe (PID: 2944)
- setup.exe (PID: 3332)
- setup.exe (PID: 3684)
- setup.exe (PID: 1536)
- setup.exe (PID: 2280)
- setup.exe (PID: 2132)
- setup.exe (PID: 1836)
- setup.exe (PID: 3836)
- setup.exe (PID: 544)
- setup.exe (PID: 3532)
- setup.exe (PID: 2572)
- setup.exe (PID: 2100)
- setup.exe (PID: 3420)
- setup.exe (PID: 3560)
- setup.exe (PID: 2224)
- setup.exe (PID: 3000)
- setup.exe (PID: 4060)
- setup.exe (PID: 256)
- setup.exe (PID: 1416)
- setup.exe (PID: 3076)
- setup.exe (PID: 1176)
- setup.exe (PID: 640)
- setup.exe (PID: 2496)
- setup.exe (PID: 2776)
- setup.exe (PID: 2128)
- setup.exe (PID: 3160)
- setup.exe (PID: 2652)
- setup.exe (PID: 904)
- setup.exe (PID: 3468)
- setup.exe (PID: 3720)
- setup.exe (PID: 3936)
- setup.exe (PID: 1972)
- setup.exe (PID: 3516)
- setup.exe (PID: 2600)
- setup.exe (PID: 3740)
- setup.exe (PID: 704)
- setup.exe (PID: 3164)
- setup.exe (PID: 3852)
- setup.exe (PID: 2700)
- setup.exe (PID: 3912)
- setup.exe (PID: 3524)
- setup.exe (PID: 236)
- setup.exe (PID: 1484)
- setup.exe (PID: 2564)
- setup.exe (PID: 1664)
SUSPICIOUS
Reads the cookies of Google Chrome
- setup.exe (PID: 3224)
- setup.exe (PID: 184)
- setup.exe (PID: 844)
- setup.exe (PID: 1764)
- setup.exe (PID: 3344)
- setup.exe (PID: 2248)
- setup.exe (PID: 3148)
- setup.exe (PID: 1368)
- setup.exe (PID: 884)
- setup.exe (PID: 2096)
- setup.exe (PID: 2692)
- setup.exe (PID: 3032)
- setup.exe (PID: 2944)
- setup.exe (PID: 2648)
- setup.exe (PID: 2280)
- setup.exe (PID: 1428)
- setup.exe (PID: 3684)
- setup.exe (PID: 544)
- setup.exe (PID: 1536)
- setup.exe (PID: 3332)
- setup.exe (PID: 3420)
- setup.exe (PID: 3560)
- setup.exe (PID: 3372)
- setup.exe (PID: 2132)
- setup.exe (PID: 3532)
- setup.exe (PID: 2572)
- setup.exe (PID: 1664)
- setup.exe (PID: 1416)
- setup.exe (PID: 2224)
- setup.exe (PID: 3000)
- setup.exe (PID: 2776)
- setup.exe (PID: 1176)
- setup.exe (PID: 2496)
- setup.exe (PID: 2652)
- setup.exe (PID: 640)
- setup.exe (PID: 3076)
- setup.exe (PID: 3160)
- setup.exe (PID: 904)
- setup.exe (PID: 2700)
- setup.exe (PID: 3936)
- setup.exe (PID: 3468)
- setup.exe (PID: 3164)
- setup.exe (PID: 3740)
- setup.exe (PID: 3720)
- setup.exe (PID: 2416)
- setup.exe (PID: 2600)
- setup.exe (PID: 1460)
- setup.exe (PID: 1020)
- setup.exe (PID: 3852)
- setup.exe (PID: 3300)
- setup.exe (PID: 2060)
- setup.exe (PID: 236)
- setup.exe (PID: 2372)
- setup.exe (PID: 2964)
- setup.exe (PID: 3496)
- setup.exe (PID: 2196)
- setup.exe (PID: 3172)
- setup.exe (PID: 1404)
- setup.exe (PID: 2456)
- setup.exe (PID: 2072)
- setup.exe (PID: 2564)
- setup.exe (PID: 312)
- setup.exe (PID: 3888)
- setup.exe (PID: 1028)
- setup.exe (PID: 1968)
- setup.exe (PID: 3776)
- setup.exe (PID: 2412)
Creates files in the user directory
- setup.exe (PID: 3224)
- setup.exe (PID: 184)
- setup.exe (PID: 844)
- setup.exe (PID: 1764)
- setup.exe (PID: 2540)
- setup.exe (PID: 2248)
- setup.exe (PID: 884)
- setup.exe (PID: 3344)
- setup.exe (PID: 4092)
- setup.exe (PID: 2096)
- setup.exe (PID: 2944)
- setup.exe (PID: 3032)
- setup.exe (PID: 2860)
- setup.exe (PID: 3332)
- setup.exe (PID: 3420)
- setup.exe (PID: 2280)
- setup.exe (PID: 1368)
- setup.exe (PID: 3148)
- setup.exe (PID: 1972)
- setup.exe (PID: 1428)
- setup.exe (PID: 1416)
- setup.exe (PID: 2692)
- setup.exe (PID: 2100)
- setup.exe (PID: 3000)
- setup.exe (PID: 2648)
- setup.exe (PID: 3560)
- setup.exe (PID: 3516)
- setup.exe (PID: 2132)
- setup.exe (PID: 2572)
- setup.exe (PID: 2616)
- setup.exe (PID: 2476)
- setup.exe (PID: 2128)
- setup.exe (PID: 3684)
- setup.exe (PID: 640)
- setup.exe (PID: 904)
- setup.exe (PID: 3468)
- setup.exe (PID: 3740)
- setup.exe (PID: 3836)
- setup.exe (PID: 3720)
- setup.exe (PID: 2700)
- setup.exe (PID: 3524)
- setup.exe (PID: 1536)
- setup.exe (PID: 704)
- setup.exe (PID: 544)
- setup.exe (PID: 1020)
- setup.exe (PID: 256)
- setup.exe (PID: 1460)
- setup.exe (PID: 3164)
- setup.exe (PID: 2060)
- setup.exe (PID: 4060)
- setup.exe (PID: 2372)
- setup.exe (PID: 3496)
- setup.exe (PID: 3912)
- setup.exe (PID: 124)
- setup.exe (PID: 1836)
- setup.exe (PID: 2776)
- setup.exe (PID: 2496)
- setup.exe (PID: 2652)
- setup.exe (PID: 3936)
- setup.exe (PID: 3160)
- setup.exe (PID: 2600)
- setup.exe (PID: 3852)
- setup.exe (PID: 236)
- setup.exe (PID: 2416)
- setup.exe (PID: 3300)
- setup.exe (PID: 2196)
- setup.exe (PID: 2456)
- setup.exe (PID: 1484)
- setup.exe (PID: 2412)
Reads Internet Cache Settings
- setup.exe (PID: 3224)
- setup.exe (PID: 184)
- setup.exe (PID: 844)
- setup.exe (PID: 3344)
- setup.exe (PID: 1764)
- setup.exe (PID: 2540)
- setup.exe (PID: 3148)
- setup.exe (PID: 2248)
- setup.exe (PID: 884)
- setup.exe (PID: 2860)
- setup.exe (PID: 2692)
- setup.exe (PID: 4092)
- setup.exe (PID: 2096)
- setup.exe (PID: 2944)
- setup.exe (PID: 1308)
- setup.exe (PID: 2648)
- setup.exe (PID: 2616)
- setup.exe (PID: 1428)
- setup.exe (PID: 3748)
- setup.exe (PID: 3332)
- setup.exe (PID: 544)
- setup.exe (PID: 256)
- setup.exe (PID: 3420)
- setup.exe (PID: 3516)
- setup.exe (PID: 3560)
- setup.exe (PID: 1972)
- setup.exe (PID: 3372)
- setup.exe (PID: 3532)
- setup.exe (PID: 1836)
- setup.exe (PID: 2572)
- setup.exe (PID: 2224)
- setup.exe (PID: 2776)
- setup.exe (PID: 640)
- setup.exe (PID: 3740)
- setup.exe (PID: 3468)
- setup.exe (PID: 3720)
- setup.exe (PID: 3164)
- setup.exe (PID: 2416)
- setup.exe (PID: 1460)
- setup.exe (PID: 3300)
- setup.exe (PID: 2060)
- setup.exe (PID: 2372)
- setup.exe (PID: 2964)
- setup.exe (PID: 3496)
- setup.exe (PID: 2196)
- setup.exe (PID: 3172)
- setup.exe (PID: 124)
- setup.exe (PID: 2456)
- setup.exe (PID: 2564)
- setup.exe (PID: 2412)
- setup.exe (PID: 1404)
- setup.exe (PID: 3776)
- setup.exe (PID: 1028)
Reads the cookies of Mozilla Firefox
- setup.exe (PID: 184)
- setup.exe (PID: 3224)
- setup.exe (PID: 844)
- setup.exe (PID: 3148)
- setup.exe (PID: 2248)
- setup.exe (PID: 1368)
- setup.exe (PID: 2692)
- setup.exe (PID: 2860)
- setup.exe (PID: 4092)
- setup.exe (PID: 884)
- setup.exe (PID: 2944)
- setup.exe (PID: 2648)
- setup.exe (PID: 3748)
- setup.exe (PID: 3032)
- setup.exe (PID: 1428)
- setup.exe (PID: 3332)
- setup.exe (PID: 2616)
- setup.exe (PID: 1536)
- setup.exe (PID: 544)
- setup.exe (PID: 3836)
- setup.exe (PID: 4060)
- setup.exe (PID: 256)
- setup.exe (PID: 3684)
- setup.exe (PID: 3516)
- setup.exe (PID: 1972)
- setup.exe (PID: 2132)
- setup.exe (PID: 3372)
- setup.exe (PID: 1416)
- setup.exe (PID: 1664)
- setup.exe (PID: 3532)
- setup.exe (PID: 1836)
- setup.exe (PID: 3000)
- setup.exe (PID: 2100)
- setup.exe (PID: 2224)
- setup.exe (PID: 2776)
- setup.exe (PID: 1176)
- setup.exe (PID: 2128)
- setup.exe (PID: 2496)
- setup.exe (PID: 2652)
- setup.exe (PID: 640)
- setup.exe (PID: 3076)
- setup.exe (PID: 904)
- setup.exe (PID: 3936)
- setup.exe (PID: 2700)
- setup.exe (PID: 3468)
- setup.exe (PID: 3740)
- setup.exe (PID: 3164)
- setup.exe (PID: 3524)
- setup.exe (PID: 3720)
- setup.exe (PID: 2416)
- setup.exe (PID: 2600)
- setup.exe (PID: 704)
- setup.exe (PID: 1020)
- setup.exe (PID: 3852)
- setup.exe (PID: 3912)
- setup.exe (PID: 1460)
- setup.exe (PID: 3300)
- setup.exe (PID: 2372)
- setup.exe (PID: 236)
- setup.exe (PID: 2196)
- setup.exe (PID: 3496)
- setup.exe (PID: 2964)
- setup.exe (PID: 124)
- setup.exe (PID: 2456)
- setup.exe (PID: 2564)
- setup.exe (PID: 1404)
- setup.exe (PID: 2072)
- setup.exe (PID: 1484)
- setup.exe (PID: 1028)
- setup.exe (PID: 2412)
- setup.exe (PID: 3888)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2016:08:15 00:16:06 |
| ZipCRC: | 0xec58f35f |
| ZipCompressedSize: | 198276 |
| ZipUncompressedSize: | 368016 |
| ZipFileName: | RarExt.dll |
Total processes
119
Monitored processes
89
Malicious processes
86
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2296 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\setup.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
| 716 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
| 3224 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 | ||||
| 184 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 | ||||
| 844 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 | ||||
| 1764 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 | ||||
| 2540 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 | ||||
| 3344 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 | ||||
| 3148 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 | ||||
| 2248 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 | ||||
Total events
3 654
Read events
3 101
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
47
Text files
200
Unknown types
398
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2296.48326\RarExt.dll | — | |
MD5:— | SHA256:— | |||
| 2296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2296.48326\RarLng.dll | — | |
MD5:— | SHA256:— | |||
| 2296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2296.48326\setup.exe | — | |
MD5:— | SHA256:— | |||
| 3224 | setup.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@moneywayppstealer13[1].txt | — | |
MD5:— | SHA256:— | |||
| 3224 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\Information.txt | — | |
MD5:— | SHA256:— | |||
| 3224 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\General\passwords.txt | — | |
MD5:— | SHA256:— | |||
| 3224 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\General\forms.txt | — | |
MD5:— | SHA256:— | |||
| 184 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\Information.txt | — | |
MD5:— | SHA256:— | |||
| 3224 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\Actions.txt | — | |
MD5:— | SHA256:— | |||
| 184 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\General\passwords.txt | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
228
TCP/UDP connections
114
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
184 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/download.get | RU | text | 59 b | malicious |
2540 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
2540 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/download.get | RU | text | 59 b | malicious |
2248 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/download.get | RU | text | 59 b | malicious |
844 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
3344 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/download.get | RU | text | 59 b | malicious |
3344 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
1764 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
184 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
3224 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3224 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
184 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
3148 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
2540 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
844 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
1764 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
3344 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
884 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
2248 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
1368 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
moneywayppstealer13.ru |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3224 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
3224 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
844 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
844 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
1764 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
1764 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
3148 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
3148 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
884 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
884 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
119 ETPRO signatures available at the full report
Process | Message |
|---|---|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|