analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Calculation-148096413-10162020.zip

Full analysis: https://app.any.run/tasks/c65cee71-e2cf-4c3d-9f05-07bb97661fcd
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: October 20, 2020, 01:20:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
qbot
maldoc-42
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

09DB3C33CB56E7046171D0CFC050DF7E

SHA1:

FDEABFDAD30F9DE295746EEF2621C32CF5B9DB4B

SHA256:

AC7DA4E39A31EEB823DBBB26B2D3AA19DD9CBC24EC15DF7A3C5CECF1B523EBF0

SSDEEP:

384:onSDgd613PFAupuLMuvkT/U1vs6xeAwfPDghre2SEuUuHLgojLir:kr6ZPH4MCkzyvReAwDg8BMyE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ytfovlym.exe (PID: 4036)
      • nosto.exe (PID: 3948)
      • nosto.exe (PID: 1396)
      • ytfovlym.exe (PID: 2228)
    • QBOT was detected

      • nosto.exe (PID: 1396)
    • Downloads executable files with a strange extension

      • EXCEL.EXE (PID: 576)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 576)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 584)
    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 576)
    • Requests a remote executable file from MS Office

      • EXCEL.EXE (PID: 576)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • nosto.exe (PID: 1396)
    • Executable content was dropped or overwritten

      • nosto.exe (PID: 1396)
      • cmd.exe (PID: 584)
    • Application launched itself

      • ytfovlym.exe (PID: 4036)
      • nosto.exe (PID: 1396)
    • Starts itself from another location

      • nosto.exe (PID: 1396)
    • Creates files in the user directory

      • nosto.exe (PID: 1396)
    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 2516)
  • INFO

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 576)
    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 576)
    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Calculation-148096413-10162020.xlsb
ZipUncompressedSize: 26674
ZipCompressedSize: 21418
ZipCRC: 0x59261b45
ZipModifyDate: 2020:10:19 16:24:18
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs excel.exe #QBOT nosto.exe nosto.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2516"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-148096413-10162020.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
576"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
1396"C:\Hromo\Nivadalo\nosto.exe" C:\Hromo\Nivadalo\nosto.exe
EXCEL.EXE
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
3948C:\Hromo\Nivadalo\nosto.exe /CC:\Hromo\Nivadalo\nosto.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
4036C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
584"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe"C:\Windows\System32\cmd.exe
nosto.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2528ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2228C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2868C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 149
Read events
1 083
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
576EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR579A.tmp.cvr
MD5:
SHA256:
2516WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2516.14947\Calculation-148096413-10162020.xlsbdocument
MD5:36F2552242C21118B512592EAF82066F
SHA256:6C80A730791CA85B3C54DFEC288B990826A86D258846BA252F7DA95CEDEC1804
1396nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:F6B84ACF5E4D38260523FDE505AB082B
SHA256:2D4F104170BD865A2E3DA7BE2310B9CF88BD1EE9FDA91FF33F64E124CFDC375E
2868explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:0E167D6CAE67C39F6D6685D347424D53
SHA256:4017AF48315A43D01D95FD192DC93ED2CC1C281D9B1196BE50DAD73A7C13D0A0
576EXCEL.EXEC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:F6B84ACF5E4D38260523FDE505AB082B
SHA256:2D4F104170BD865A2E3DA7BE2310B9CF88BD1EE9FDA91FF33F64E124CFDC375E
576EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].pngexecutable
MD5:F6B84ACF5E4D38260523FDE505AB082B
SHA256:2D4F104170BD865A2E3DA7BE2310B9CF88BD1EE9FDA91FF33F64E124CFDC375E
1396nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:B6FB0F17F637FD40746737BC653478F7
SHA256:FA768FB6C925340B6BEF21052A9961FC17FA321C25A52CF508CE2C6D93CCA69A
584cmd.exeC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
576
EXCEL.EXE
GET
200
192.185.91.48:80
http://citycarmen.com/lvhyf/3415201.png
US
executable
222 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
576
EXCEL.EXE
192.185.91.48:80
citycarmen.com
CyrusOne LLC
US
malicious

DNS requests

Domain
IP
Reputation
citycarmen.com
  • 192.185.91.48
whitelisted

Threats

PID
Process
Class
Message
576
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
576
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
576
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
576
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
576
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
576
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info