File name: | YOU.zip |
Full analysis: | https://app.any.run/tasks/9be56252-b7c5-48df-8141-cc8325f0e78a |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | November 29, 2020, 15:35:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | BC7787B220D1F413B252B09D7FB85AED |
SHA1: | 43634764279F3F75AF3AC6B654745E3EA4BC01CB |
SHA256: | AB3E18635C90E3BEC4078081EAA0C53789E5916E7ECBBA1FAE34C787F57E2D41 |
SSDEEP: | 49152:nEChIYYv9Zxb0YVNl/wIVqNkYstbhBLStOmjleghLXIIr2oZ+:nThIYYkYV0IXtbvSOwIglvZ+ |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | YOU/ |
---|---|
ZipUncompressedSize: | - |
ZipCompressedSize: | - |
ZipCRC: | 0x00000000 |
ZipModifyDate: | 2020:11:29 12:34:24 |
ZipCompression: | None |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3032 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\YOU.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 Modules
| |||||||||||||||
1488 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIa3032.48912\bible.torrent | C:\Windows\system32\rundll32.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3128 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3032.49290\YOU\uTorrent.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3032.49290\YOU\uTorrent.exe | WinRAR.exe | ||||||||||||
User: admin Company: BitTorrent Inc. Integrity Level: MEDIUM Description: µTorrent Exit code: 0 Version: 3.5.5.45826 Modules
| |||||||||||||||
2544 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3032.49290\YOU\uTorrent.exe" /HYDRA_PERMISSIONS_RESTART /HYDRA_LOG "C:\Users\admin\AppData\Local\Temp\HYDF768.tmp.1606664165\index.hta.log" /HYDRA_HTADIR "C:\Users\admin\AppData\Local\Temp\HYDF768.tmp.1606664165\HTA" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3032.49290\YOU\uTorrent.exe | uTorrent.exe | ||||||||||||
User: admin Company: BitTorrent Inc. Integrity Level: HIGH Description: µTorrent Exit code: 0 Version: 3.5.5.45826 Modules
| |||||||||||||||
2504 | "C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\HYDF768.tmp.1606664165\HTA\index.hta?utorrent" "C:\Users\admin\AppData\Local\Temp\Rar$EXa3032.49290\YOU\uTorrent.exe" /LOG "C:\Users\admin\AppData\Local\Temp\HYDF768.tmp.1606664165\index.hta.log" /PID "2544" /CID "cPc5QonMOz2f4_3f" /VERSION "111850242" /BUCKET "0" /SSB "2" /COUNTRY "US" /OS "6.1" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",\"C:\Program Files\Google\Chrome\Application\chrome.exe\",C:\Program Files\Internet Explorer\iexplore.exe,\"C:\Program Files\Opera\Opera.exe\"" /ARCHITECTURE "32" /LANG "en" /USERNAME "admin" /SID "S-1-5-21-1302019708-1500728564-335382590-1000" /CLIENT "utorrent" | C:\Windows\System32\mshta.exe | uTorrent.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2868 | "C:\Windows\System32\cscript.exe" "shell_scripts/check_if_cscript_is_working.js" | C:\Windows\System32\cscript.exe | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Console Based Script Host Exit code: 99 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2904 | "C:\Windows\System32\PING.EXE" 8.8.8.8 -n 2 -w 500 | C:\Windows\System32\PING.EXE | — | mshta.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1144 | "C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjI1NDQiLCJoIjoiY1BjNVFvbk1PejJmNF8zZiIsInYiOiIxMTE4NTAyNDIiLCJiIjo0NTgyNiwiY2wiOiJ1VG9ycmVudCIsIm9zYSI6IjMyIiwic2xuZyI6ImVuIiwiZGIiOiJJbnRlcm5ldCBFeHBsb3JlciIsImRidiI6IjExLjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjY4LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNzUuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJJbnRlcm5ldCBFeHBsb3JlciIsInZlcnNpb24iOiIxMS4wIiwiZXhlTmFtZSI6ImlleHBsb3JlIn0seyJuYW1lIjoiT3BlcmEgSW50ZXJuZXQgQnJvd3NlciIsInZlcnNpb24iOiIxMi4xNSIsImV4ZU5hbWUiOiJvcGVyYSJ9XSwiaXAiOiI0NS44Ni4yMDEuNDQiLCJjbiI6Ik5ldGhlcmxhbmRzIiwicGFja2lkIjoiZGVmYXVsdCJ9" | C:\Windows\System32\cscript.exe | mshta.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2008 | "C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFTdWNjZXNzIiwicGlkIjoiMjU0NCIsImgiOiJjUGM1UW9uTU96MmY0XzNmIiwidiI6IjExMTg1MDI0MiIsImIiOjQ1ODI2LCJjbCI6InVUb3JyZW50Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IkludGVybmV0IEV4cGxvcmVyIiwiZGJ2IjoiMTEuMCIsImliciI6W3sibmFtZSI6IkZpcmVmb3giLCJ2ZXJzaW9uIjoiNjguMCIsImV4ZU5hbWUiOiJmaXJlZm94In0seyJuYW1lIjoiR29vZ2xlIENocm9tZSIsInZlcnNpb24iOiI3NS4wIiwiZXhlTmFtZSI6ImNocm9tZSJ9LHsibmFtZSI6IkludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjExLjAiLCJleGVOYW1lIjoiaWV4cGxvcmUifSx7Im5hbWUiOiJPcGVyYSBJbnRlcm5ldCBCcm93c2VyIiwidmVyc2lvbiI6IjEyLjE1IiwiZXhlTmFtZSI6Im9wZXJhIn1dLCJpcCI6IjQ1Ljg2LjIwMS40NCIsImNuIjoiTmV0aGVybGFuZHMiLCJwYWNraWQiOiJkZWZhdWx0In0=" | C:\Windows\System32\cscript.exe | mshta.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
3788 | "C:\Users\admin\AppData\Roaming\uTorrent\uTorrent.exe" | C:\Users\admin\AppData\Roaming\uTorrent\uTorrent.exe | explorer.exe | ||||||||||||
User: admin Company: BitTorrent Inc. Integrity Level: MEDIUM Description: µTorrent Version: 3.5.5.45826 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3128 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\uttF66D.tmp | — | |
MD5:— | SHA256:— | |||
3128 | uTorrent.exe | C:\Users\admin\AppData\Roaming\uTorrent\settings.dat.new | — | |
MD5:— | SHA256:— | |||
3032 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3032.48912\bible.torrent | executable | |
MD5:C45F9908ADB0D820A8A7DE7AE626BE4E | SHA256:D177F9B9500D10CAD21896688F3B4E6E3072A05D6BB92335944D3154BFE89925 | |||
3128 | uTorrent.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\M4FGS6SV.txt | text | |
MD5:6ADD4C18232A35617F74090886F1D783 | SHA256:6C35D295FF2C8B2CB49BB9A786B4D7CF3E7B87CA871179521042925CBB348884 | |||
3032 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3032.49290\YOU\bible.torrent | executable | |
MD5:C45F9908ADB0D820A8A7DE7AE626BE4E | SHA256:D177F9B9500D10CAD21896688F3B4E6E3072A05D6BB92335944D3154BFE89925 | |||
3128 | uTorrent.exe | C:\Users\admin\AppData\Roaming\uTorrent\settings.dat | binary | |
MD5:0DF299CC574810380B7CB864AEBB1175 | SHA256:EDE829E3A7C90B615F5937C67D4FF182091FA04840ABC8CE7E48A6A7226D3E16 | |||
3128 | uTorrent.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\1f91d2d17ea675d4c2c3192e241743f9_90059c37-1320-41a4-b58d-2b75a9850d2f | binary | |
MD5:7BBDDFAD75261D232056F6D899EF3503 | SHA256:05AE9F654EB85BB66D101AD06708699C9E74114EEF5537B60FD5CCA3D2DEF3FD | |||
3128 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\HYDF768.tmp.1606664165\HTA\install.1606664165.zip | compressed | |
MD5:B95E97108189F7BABF89539F08186890 | SHA256:52BD756B898A3E7DD1C0EC8D3EF76DB5F68B9FC5953CA61C493DF01EEC61CA12 | |||
3128 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\HYDF768.tmp.1606664165\HTA\i18n\en.json | html | |
MD5:4417DBFA9FCE94752A5A2DFDC823CB92 | SHA256:2381252B689D7EF2A8E1DCEA6B7366C0436E70FF29E9B63F3AE34BCC5C60AAF5 | |||
3128 | uTorrent.exe | C:\Users\admin\AppData\Local\Temp\HYDF768.tmp.1606664165\HTA\i18n\br.json | html | |
MD5:F12764DFC1ADE6DB8FBAC38762A53911 | SHA256:968738E0C8C5413C4CD516E04D2FC43F9FB6449C1BF44B2010E84176E462514A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3128 | uTorrent.exe | GET | 200 | 67.215.238.66:80 | http://download-lb.utorrent.com/endpoint/hydra-ut/os/win7/track/beta/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/111850242/ | US | compressed | 743 Kb | whitelisted |
2504 | mshta.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json?callback=jQuery19105113366027372368_1606664168039&_=1606664168040 | unknown | text | 345 b | shared |
3128 | uTorrent.exe | POST | 200 | 23.21.43.186:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | US | text | 21 b | whitelisted |
3128 | uTorrent.exe | POST | 200 | 107.22.246.37:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | US | text | 21 b | whitelisted |
2544 | uTorrent.exe | POST | 200 | 107.22.246.37:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | US | text | 21 b | whitelisted |
3128 | uTorrent.exe | POST | 200 | 107.22.246.37:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | US | text | 21 b | whitelisted |
3128 | uTorrent.exe | POST | 200 | 23.21.43.186:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | US | text | 21 b | whitelisted |
2504 | mshta.exe | GET | 200 | 67.215.246.203:80 | http://update.utorrent.com/featuredcontent.php?w=6.1 | US | text | 21 b | whitelisted |
2544 | uTorrent.exe | POST | 200 | 107.22.246.37:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | US | text | 21 b | whitelisted |
3128 | uTorrent.exe | POST | 200 | 107.22.246.37:80 | http://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | US | text | 21 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2504 | mshta.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
3128 | uTorrent.exe | 54.235.208.27:80 | i-50.b-000.xyz.bench.utorrent.com | Amazon.com, Inc. | US | whitelisted |
2504 | mshta.exe | 67.215.246.203:80 | update.utorrent.com | QuadraNet, Inc | US | suspicious |
— | — | 107.22.246.37:80 | i-50.b-000.xyz.bench.utorrent.com | Amazon.com, Inc. | US | suspicious |
3128 | uTorrent.exe | 23.21.43.186:80 | i-50.b-000.xyz.bench.utorrent.com | Amazon.com, Inc. | US | malicious |
3128 | uTorrent.exe | 67.215.238.66:80 | download-lb.utorrent.com | QuadraNet, Inc | US | suspicious |
2544 | uTorrent.exe | 98.143.146.7:80 | utorrent.com | QuadraNet, Inc | US | suspicious |
2544 | uTorrent.exe | 178.79.242.16:80 | www.utorrent.com | Limelight Networks, Inc. | DE | suspicious |
2008 | cscript.exe | 107.22.246.37:80 | i-50.b-000.xyz.bench.utorrent.com | Amazon.com, Inc. | US | suspicious |
1144 | cscript.exe | 107.22.246.37:80 | i-50.b-000.xyz.bench.utorrent.com | Amazon.com, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
router.bittorrent.com |
| shared |
router.utorrent.com |
| whitelisted |
i-50.b-000.xyz.bench.utorrent.com |
| whitelisted |
download-lb.utorrent.com |
| whitelisted |
ip-api.com |
| shared |
update.utorrent.com |
| whitelisted |
utorrent.com |
| whitelisted |
www.utorrent.com |
| whitelisted |
i-21.b-45826.ut.bench.utorrent.com |
| suspicious |
apps.bittorrent.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3128 | uTorrent.exe | Misc activity | APP [PTsecurity] uTorrent Hydra Client |
3128 | uTorrent.exe | Misc activity | APP [PTsecurity] P2P uTorrent Hydra Client |
3128 | uTorrent.exe | Misc activity | APP [PTsecurity] uTorrent Hydra Client |
3128 | uTorrent.exe | Misc activity | APP [PTsecurity] P2P uTorrent Hydra Client |
3128 | uTorrent.exe | Misc activity | APP [PTsecurity] uTorrent Hydra Client |
3128 | uTorrent.exe | Misc activity | APP [PTsecurity] uTorrent Hydra Client |
3128 | uTorrent.exe | Misc activity | APP [PTsecurity] uTorrent Hydra Client |
3128 | uTorrent.exe | Misc activity | APP [PTsecurity] P2P uTorrent Hydra Client |
3128 | uTorrent.exe | Misc activity | APP [PTsecurity] uTorrent Hydra Client |
3128 | uTorrent.exe | Misc activity | APP [PTsecurity] uTorrent Hydra Client |