Field | Value |
---|---|
Download | setup.zip |
Full analysis | https://app.any.run/tasks/7e88342e-9f8e-46c4-b01a-c6093cf3be4c |
Verdict | Malicious activity |
Threats | Predator the Thief is an information stealer, i.e. malware that steals data from infected systems and hands it to its operator. It can access the camera to spy on victims, steal passwords and login credentials, and retrieve payment data from cryptocurrency wallets. |
Analysis date | November 14, 2018, 16:20:48 |
OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
Tags | |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | 48C7123DA4B7F1AEECF919467FE0D2F7 |
SHA1 | 0FF98B5E4EBEA10BE2C18C559FB2412588E75360 |
SHA256 | A53CD54469AB729DFBC0EBFB55989F207A3A4569181CDA8083984AE7D106D492 |
SSDEEP | 49152:9ImNufM7B8YBjvfOvM6WwxxX5GX3Eu0hAdPwi+:9HH1vzyMseEuwp |
Extension | Type |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipRequiredVersion | 20 |
ZipBitFlag | - |
ZipCompression | Deflated |
ZipModifyDate | 2016:08:15 00:16:06 |
ZipCRC | 0xec58f35f |
ZipCompressedSize | 198276 |
ZipUncompressedSize | 368016 |
ZipFileName | RarExt.dll |

The Zip* fields above are ExifTool tags and describe only the first central-directory entry of the archive. The extraction events further down show that setup.zip actually unpacks to three members (RarExt.dll, RarLng.dll and setup.exe), and ZipModifyDate is the per-entry timestamp stored for that first member, not the date the archive was built or delivered.
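Reading those same fields straight out of an archive, as an added example that is not part of the ANY.RUN report: the script below rebuilds the per-entry values shown in the static table (required version, compression method, modify date, CRC, compressed and uncompressed sizes, name) for every member with Python's standard library, computes the archive hashes, and peeks at the first two bytes of each member so a PE image hidden behind a harmless extension (a .txt that starts with MZ) is flagged. The three-member archive it builds in memory is constructed for the demo and is not the setup.zip from the report; the fake PE content and the file names are assumptions.

```python
"""Triage a ZIP archive's entries in memory without extracting them to disk.

Added example, not part of the ANY.RUN report.  The archive below is
constructed for the demo; it is not the setup.zip analysed on the page.
"""
import hashlib
import io
import zipfile

PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv")

# Stand-in for a PE image: the DOS header magic "MZ" plus filler.
# Constructed; it is not the RarExt.dll from the sample.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"fake pe body"


def build_sample_zip() -> bytes:
    """Constructed three-member archive: a DLL, a text file, and a PE disguised as .txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in (("RarExt.dll", FAKE_PE),
                              ("readme.txt", b"just text"),
                              ("notes.txt", FAKE_PE)):
            # Fixed timestamp so the output is deterministic (value chosen for the demo)
            zi = zipfile.ZipInfo(name, date_time=(2016, 8, 15, 0, 16, 6))
            zf.writestr(zi, payload, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def inspect_zip(data: bytes) -> list:
    """One record per member, mirroring the report's Zip* fields, plus a PE check."""
    method_names = {zipfile.ZIP_STORED: "Stored", zipfile.ZIP_DEFLATED: "Deflated"}
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Decompress only the first two bytes of the member to read its magic
            with zf.open(info) as member:
                magic = member.read(2)
            is_pe = magic == b"MZ"
            records.append({
                "name": info.filename,
                "required_version": info.extract_version,
                "compression": method_names.get(info.compress_type, str(info.compress_type)),
                "modify_date": "%04d:%02d:%02d %02d:%02d:%02d" % info.date_time,
                "crc": "0x%08x" % info.CRC,
                "compressed_size": info.compress_size,
                "uncompressed_size": info.file_size,
                "is_pe": is_pe,
                # PE content under a non-executable name is the case worth a second look
                "extension_mismatch": is_pe and not info.filename.lower().endswith(PE_EXTENSIONS),
            })
    return records


def archive_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the whole archive, upper-case as the report prints them."""
    return {alg: hashlib.new(alg, data).hexdigest().upper()
            for alg in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    blob = build_sample_zip()
    print(archive_hashes(blob))
    for rec in inspect_zip(blob):
        print(rec)
```

Point inspect_zip at the bytes of a real archive to get one record per member rather than just the first; the extension_mismatch flag is the cheap check that catches renamed executables before anything is extracted.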
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Image details |
---|---|---|---|---|---|---|---|---|
2296 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\setup.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | MEDIUM | 0 | WinRAR archiver 5.60.0, Alexander Roshal |
716 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | SYSTEM | SYSTEM | 0 | Microsoft Windows Search Protocol Host 7.00.7600.16385 (win7_rtm.090713-1255), Microsoft Corporation |
3224 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | | explorer.exe | admin | MEDIUM | 1 | — |
184 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | | explorer.exe | admin | MEDIUM | 1 | — |
844 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | | explorer.exe | admin | MEDIUM | 1 | — |
1764 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | | explorer.exe | admin | MEDIUM | 1 | — |
2540 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | | explorer.exe | admin | MEDIUM | 1 | — |
3344 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | | explorer.exe | admin | MEDIUM | 1 | — |
3148 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | | explorer.exe | admin | MEDIUM | 1 | — |
2248 | "C:\Users\admin\Desktop\setup.exe" | C:\Users\admin\Desktop\setup.exe | | explorer.exe | admin | MEDIUM | 1 | — |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2296.48326\RarExt.dll | — | — | — |
2296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2296.48326\RarLng.dll | — | — | — |
2296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2296.48326\setup.exe | — | — | — |
3224 | setup.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@moneywayppstealer13[1].txt | — | — | — |
3224 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\Information.txt | — | — | — |
3224 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\General\passwords.txt | — | — | — |
3224 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\General\forms.txt | — | — | — |
184 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\Information.txt | — | — | — |
3224 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\Actions.txt | — | — | — |
184 | setup.exe | C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\General\passwords.txt | — | — | — |

The admin@moneywayppstealer13[1].txt entry follows the WinINet cookie-cache naming pattern (user@host[N].txt under the Cookies folder), a side effect of the sample talking to its C2 through the WinINet API rather than raw sockets. The ptst2y8s2x8q0w2y8s2x8q0w folder under %APPDATA% appears to be the stealer's staging directory: Information.txt, Actions.txt and the General\passwords.txt and General\forms.txt files are written there before check-in.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
184 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/download.get | RU | text | 59 b | malicious |
2540 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
2540 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/download.get | RU | text | 59 b | malicious |
2248 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/download.get | RU | text | 59 b | malicious |
844 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
3344 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/download.get | RU | text | 59 b | malicious |
3344 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
1764 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
184 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
3224 | setup.exe | GET | 200 | 81.177.135.41:80 | http://moneywayppstealer13.ru/api/info.get | RU | text | 59 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3224 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
184 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
3148 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
2540 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
844 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
1764 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
3344 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
884 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
2248 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
1368 | setup.exe | 81.177.135.41:80 | moneywayppstealer13.ru | JSC RTComm.RU | RU | malicious |
Domain | IP | Reputation |
---|---|---|
moneywayppstealer13.ru | 81.177.135.41 | malicious |
PID | Process | Class | Message |
---|---|---|---|
3224 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
3224 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
844 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
844 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
1764 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
1764 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
3148 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
3148 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
884 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
884 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
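Turning the indicators above into a detection, as an added example that is not part of the ANY.RUN report: the script matches the C2 host and IP, the two /api/*.get endpoints, the %APPDATA%\ptst… staging files and the WinINet cookie file named after the C2 host against endpoint telemetry. The indicator values come from the tables on this page; the key=value log format, its field names and the sample lines are constructed for the demo. Two assumptions are built in: the suffix after ptst is treated as variable (only one value appears in this run), and an endpoint path alone is scored medium rather than high, because /api/info.get is not distinctive enough on its own to alert on without the host.

```python
"""Match the report's host and network indicators against log lines.

Added example, not part of the ANY.RUN report.  Indicator values are taken
from the report's tables; the log format and sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

C2_HOSTS = {"moneywayppstealer13.ru", "81.177.135.41"}
C2_PATHS = {"/api/info.get", "/api/download.get"}

# %APPDATA%\ptst<suffix>\{Information.txt, Actions.txt, General\{passwords,forms}.txt}
# Assumption: the suffix after "ptst" varies between infections.
STAGING_RE = re.compile(
    r"\\AppData\\Roaming\\ptst[a-z0-9]+\\"
    r"(Information\.txt|Actions\.txt|General\\(passwords|forms)\.txt)$",
    re.IGNORECASE,
)
# WinINet writes <user>@<host>[N].txt under the Cookies folder for hosts it talks to.
COOKIE_RE = re.compile(
    r"\\Cookies\\[^\\]+@moneywayppstealer13\[\d+\]\.txt$", re.IGNORECASE
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Parse the constructed 'key=value key=value ...' format into a dict."""
    return dict(KV_RE.findall(line))


def check_http(fields: dict) -> list:
    """Return (rule, severity, value) tuples for an HttpRequest event."""
    hits = []
    url = fields.get("url")
    if not url:
        return hits
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    dst_ip = fields.get("dst", "").split(":")[0]
    if host in C2_HOSTS or dst_ip in C2_HOSTS:
        hits.append(("predator_c2_host", "high", host or dst_ip))
    if parts.path in C2_PATHS:
        # The endpoint names alone are weak evidence: medium unless the host matched too.
        hits.append(("predator_c2_endpoint", "high" if hits else "medium", parts.path))
    return hits


def check_file(fields: dict) -> list:
    """Return (rule, severity, value) tuples for a FileCreate event."""
    hits = []
    target = fields.get("target", "")
    if STAGING_RE.search(target):
        hits.append(("predator_staging_file", "high", target))
    if COOKIE_RE.search(target):
        hits.append(("wininet_cookie_for_c2", "medium", target))
    return hits


def scan(lines) -> list:
    """One dict per (line, rule) match: line_no, pid, rule, severity, value."""
    results = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        found = []
        if f.get("event") == "HttpRequest":
            found = check_http(f)
        elif f.get("event") == "FileCreate":
            found = check_file(f)
        for rule, sev, value in found:
            results.append({"line_no": n, "pid": f.get("pid"), "rule": rule,
                            "severity": sev, "value": value})
    return results


# Constructed sample telemetry modelled on the report's tables (not sandbox output).
SAMPLE_LOG = [
    r"2018-11-14T16:21:01 pid=3224 image=C:\Users\admin\Desktop\setup.exe event=HttpRequest method=GET url=http://moneywayppstealer13.ru/api/info.get dst=81.177.135.41:80",
    r"2018-11-14T16:21:02 pid=3224 image=C:\Users\admin\Desktop\setup.exe event=FileCreate target=C:\Users\admin\AppData\Roaming\ptst2y8s2x8q0w2y8s2x8q0w\General\passwords.txt",
    r"2018-11-14T16:21:02 pid=3224 image=C:\Users\admin\Desktop\setup.exe event=FileCreate target=C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@moneywayppstealer13[1].txt",
    r"2018-11-14T16:21:05 pid=184 image=C:\Users\admin\Desktop\setup.exe event=HttpRequest method=GET url=http://moneywayppstealer13.ru/api/download.get dst=81.177.135.41:80",
    r"2018-11-14T16:21:07 pid=1500 image=C:\Windows\System32\svchost.exe event=HttpRequest method=GET url=http://www.example.com/api/info.get dst=203.0.113.10:80",
    r"2018-11-14T16:21:09 pid=1500 image=C:\Windows\explorer.exe event=FileCreate target=C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\report.lnk",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against the sample lines, the two real check-ins score high on both host and endpoint, the staging file and the cookie artifact each produce one hit, the benign request to /api/info.get on an unrelated host is only medium, and the shortcut in the Recent folder is ignored.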
Process | Message |
---|---|
setup.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|

Every setup.exe instance emits this same banner (ten identical entries in the run). It is the debug string of the Themida protector from Oreans Technologies, so the strings and signatures visible in setup.exe on disk belong to the packer; the stealer's own code is only reachable after unpacking or in memory.