| Field | Value |
|---|---|
| File name | Recibo_oficial_transferencia_realizada_debito_bancario_certifiacion_movimientoDocPDF.tar.Z |
| Full analysis | https://app.any.run/tasks/a162a0ea-bd33-42f4-925e-64225c894bba |
| Verdict | Malicious activity |
| Analysis date | July 11, 2019, 12:51:44 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME | application/x-rar |
| File info | RAR archive data, v4, os: Win32 |
| MD5 | 6FAFF4F73309C2C67811B3A0ECDF57EF |
| SHA1 | C922D23C26C2078858BF499BDC574F89786E6EC3 |
| SHA256 | A93523980BDF19A7E66CA009A6AD8940A2F6D55A02CCAECC1772147A8FFA289C |
| SSDEEP | 3072:l/ty0Ssd6mRHH7VwN6EahKtSs5nzOQDHPwyLPyeP7J6n+5rROXIOLqnCIxNxeVHF:l/tQKEZ5EsxqIIoycnXXZxNqF |
| Extension | File type match |
|---|---|
| .rar | RAR compressed archive (v-4.x) (58.3) |
| .rar | RAR compressed archive (gen) (41.6) |
| Archive entry field | Value |
|---|---|
| ArchivedFileName | Recibo_oficial_transferencia_realizada_debito_bancario_certifiacion_movimientoDocPDF.exe |
| PackingMethod | Normal |
| ModifyDate | 2019:07:10 23:14:04 |
| OperatingSystem | Win32 |
| UncompressedSize | 307712 |
| CompressedSize | 197280 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2892 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Recibo_oficial_transferencia_realizada_debito_bancario_certifiacion_movimientoDocPDF.tar.Z.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 3776 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.6111\Recibo_oficial_transferencia_realizada_debito_bancario_certifiacion_movimientoDocPDF.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.6111\Recibo_oficial_transferencia_realizada_debito_bancario_certifiacion_movimientoDocPDF.exe | | WinRAR.exe | User: admin; Integrity Level: MEDIUM |
| 3648 | "C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\admin\startupname.vbs | C:\Windows\System32\cscript.exe | | Recibo_oficial_transferencia_realizada_debito_bancario_certifiacion_movimientoDocPDF.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 2972 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | | Recibo_oficial_transferencia_realizada_debito_bancario_certifiacion_movimientoDocPDF.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2892 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2892.6111\Recibo_oficial_transferencia_realizada_debito_bancario_certifiacion_movimientoDocPDF.exe | executable | 8E59F4F84BC3085AB01BC57760F578D2 | 91ACF6B5B1EBF6886EC12162AF34781C45E04BC72AA10A86F28FCAD6B6C905D4 |
| 3776 | Recibo_oficial_transferencia_realizada_debito_bancario_certifiacion_movimientoDocPDF.exe | C:\Users\admin\startupname.vbs | text | 429BA177498650DE9542CC0EDA0923F0 | 27D7221795755CB0D2BB612E1C5509328BE31098EE3C6067A56A79E6E421A068 |
| 3648 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startupname.Lnk | lnk | CFAE7A5B94715392D60B3F9AE6D5C8F6 | 81949185A77A4266FB9FBFB500C2FF3E3745BA5A96249407BD55719C5FC66C95 |
| 3776 | Recibo_oficial_transferencia_realizada_debito_bancario_certifiacion_movimientoDocPDF.exe | C:\Users\admin\Chrome.exe | executable | 8E59F4F84BC3085AB01BC57760F578D2 | 91ACF6B5B1EBF6886EC12162AF34781C45E04BC72AA10A86F28FCAD6B6C905D4 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 186.82.242.6:2093 | dominoduck2064.duckdns.org | Telmex Colombia S.A. | CO | malicious |
| 2972 | RegAsm.exe | 186.82.242.6:2093 | dominoduck2064.duckdns.org | Telmex Colombia S.A. | CO | malicious |
| Domain | IP | Reputation |
|---|---|---|
| dominoduck2064.duckdns.org | | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
| — | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |