Malware analysis SpyNet2.6.zip Malicious activity | ANY.RUN

Add for printing

File name:	SpyNet2.6.zip
Full analysis:	https://app.any.run/tasks/50d8d7f7-c69a-44fc-9681-df8a8734b247
Verdict:	Malicious activity
Threats:	Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	July 16, 2018, 18:01:40
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	trojan rat quasar evasion
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	A1E7143C1A3353C98C9F6BEB987528A0
SHA1:	9BF3CF3E1FD97C385AEC544F8E2DCB60E483E52D
SHA256:	ACA0C13F2625E2912AA434912C2A6165C4EDE7F0F8C00919F4F8D25985F1BDD4
SSDEEP:	98304:il3QPeWRjYjEym49nQ7KaOumV+LW0DfTHRbqjeaeKNgFqKribswbm4xp9T0i/bS+:mHBBgOt+S+fTHgGKNgF7wq4jiiDdB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
7-Zip 18.01 (18.01)
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
FileZilla Client 3.31.0 (3.31.0)
Google Chrome (61.0.3163.91)
Google Update Helper (1.3.33.5)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Home and Business 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
Mozilla Firefox 55.0.3 (x86 en-US) (55.0.3)
Mozilla Maintenance Service (55.0.3)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
Steam (2.10.91.91)
VLC media player (2.2.6)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 1012)
- Application was dropped or rewritten from another process
  - SpyNet.exe (PID: 2372)
  - SpyNet.exe (PID: 1588)
  - windefender.exe (PID: 3136)
  - SpyNet 2.6.exe (PID: 3340)
- Changes the autorun value in the registry
  - SpyNet.exe (PID: 1588)
  - windefender.exe (PID: 3136)
SUSPICIOUS
- Executable content was dropped or overwritten
  - 7zG.exe (PID: 3896)
  - SpyNet.exe (PID: 2372)
  - SpyNet 2.6.exe (PID: 3340)
  - SpyNet.exe (PID: 1588)
- Creates files in the user directory
  - SpyNet.exe (PID: 1588)
  - windefender.exe (PID: 3136)
- Starts itself from another location
  - SpyNet.exe (PID: 1588)
- Checks for external IP
  - SpyNet.exe (PID: 1588)
  - windefender.exe (PID: 3136)
- Executes scripts
  - SpyNet 2.6.exe (PID: 3340)
- Connects to unusual port
  - windefender.exe (PID: 3136)
INFO
- Dropped object may contain URL's
  - 7zG.exe (PID: 3896)
  - SpyNet.exe (PID: 2372)
  - SpyNet.exe (PID: 1588)
  - SpyNet 2.6.exe (PID: 3340)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2017:06:21 22:57:01
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	SpyNet2.6/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1012

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\System32\SearchProtocolHost.exe

—

SearchIndexer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Windows Search Protocol Host

Exit code:

Version:

7.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1588

"C:\Users\admin\AppData\Local\Temp\SpyNet.exe"

C:\Users\admin\AppData\Local\Temp\SpyNet.exe

SpyNet.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

1.3.0.0

Modules

Images
c:\users\admin\appdata\local\temp\spynet.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2372

"C:\Users\admin\Documents\SpyNet2.6\SpyNet2.6\SpyNet.exe"

C:\Users\admin\Documents\SpyNet2.6\SpyNet2.6\SpyNet.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

exeBase

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\documents\spynet2.6\spynet2.6\spynet.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2592

"C:\Windows\system32\cscript.exe" "C:\Users\admin\AppData\Local\Temp\teste.vbs"

C:\Windows\system32\cscript.exe

—

SpyNet 2.6.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Console Based Script Host

Exit code:

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

3136

"C:\Users\admin\AppData\Roaming\system\windefender.exe"

C:\Users\admin\AppData\Roaming\system\windefender.exe

SpyNet.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

1.3.0.0

Modules

Images
c:\users\admin\appdata\roaming\system\windefender.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

3280

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\admin\AppData\Local\Temp\SpyNet2.6.zip"

C:\Program Files\7-Zip\7zFM.exe

—

explorer.exe

User:

admin

Company:

Igor Pavlov

Integrity Level:

MEDIUM

Description:

7-Zip File Manager

Exit code:

Version:

18.01

Modules

Images
c:\program files\7-zip\7zfm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

3340

"C:\Users\admin\AppData\Local\Temp\SpyNet 2.6.exe"

C:\Users\admin\AppData\Local\Temp\SpyNet 2.6.exe

SpyNet.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\spynet 2.6.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll

3896

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\admin\AppData\Local\Temp\SpyNet2.6\" -ad -an -ai#7zMap29503:98:7zEvent5041

C:\Program Files\7-Zip\7zG.exe

7zFM.exe

User:

admin

Company:

Igor Pavlov

Integrity Level:

MEDIUM

Description:

7-Zip GUI

Exit code:

Version:

18.01

Modules

Images
c:\program files\7-zip\7zg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

Add for printing

Total events

1 430

Read events

1 359

Write events

Delete events

Modification events


(PID) Process:	(3280) 7zFM.exe	Key:	HKEY_CURRENT_USER\Software\7-Zip\FM\Columns
Operation:	write	Name:	7-Zip.zip
Value: 0100000004000000010000000400000001000000A00000000700000001000000640000000800000001000000640000000C00000001000000640000000A00000001000000640000000B00000001000000640000000900000001000000640000000F00000001000000640000001C00000001000000640000001300000001000000640000001600000001000000640000002F00000001000000640000001700000001000000640000002100000001000000640000005000000001000000640000002400000001000000640000001F0000000100000064000000200000000100000064000000
(PID) Process:	(3896) 7zG.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\53\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3896) 7zG.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	Browse For Folder Width
Value: 318
(PID) Process:	(3896) 7zG.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	Browse For Folder Height
Value: 288
(PID) Process:	(3896) 7zG.exe	Key:	HKEY_CURRENT_USER\Software\7-Zip\Extraction
Operation:	write	Name:	PathHistory
Value: 43003A005C00550073006500720073005C00610064006D0069006E005C0044006F00630075006D0065006E00740073005C005300700079004E006500740032002E0036005C000000
(PID) Process:	(2372) SpyNet.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2372) SpyNet.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(3280) 7zFM.exe	Key:	HKEY_CURRENT_USER\Software\7-Zip\FM\Columns
Operation:	write	Name:	FSFolder
Value: 0100000004000000010000000400000001000000A00000000700000001000000640000000C00000001000000640000000A00000001000000640000001C00000001000000640000001F00000001000000640000002000000001000000640000000B00000000000000640000000900000000000000640000000800000000000000640000005B0000000000000064000000250000000000000064000000590000000000000064000000
(PID) Process:	(1588) SpyNet.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpyNet_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(1588) SpyNet.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpyNet_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2592	cscript.exe	C:\Users\admin\AppData\Local\Temp\teste.txt		—
		MD5:—	SHA256:—
3340	SpyNet 2.6.exe	C:\Users\admin\Documents\SpyNet2.6\SpyNet2.6\IP.txt		—
		MD5:—	SHA256:—
3896	7zG.exe	C:\Users\admin\Documents\SpyNet2.6\SpyNet2.6\Language\Default.ini		text
		MD5:—	SHA256:—
2372	SpyNet.exe	C:\Users\admin\AppData\Local\Temp\SpyNet.exe		executable
		MD5:—	SHA256:—
3896	7zG.exe	C:\Users\admin\Documents\SpyNet2.6\SpyNet2.6\Settings\Settings.ini		text
		MD5:—	SHA256:—
3896	7zG.exe	C:\Users\admin\Documents\SpyNet2.6\SpyNet2.6\Profiles\server1.ini		text
		MD5:—	SHA256:—
3896	7zG.exe	C:\Users\admin\Documents\SpyNet2.6\SpyNet2.6\SpyNet.exe		executable
		MD5:—	SHA256:—
3340	SpyNet 2.6.exe	C:\Users\admin\AppData\Local\Temp\Settings\Settings.ini		text
		MD5:448A49C2D7253C927E820056E9E7EA8B	SHA256:AFCC1B53D0E2EF177754D4F6AE9AB391E7115E39FC73CAAABCB3CD585C2E4C7C
3340	SpyNet 2.6.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XB3OCR2W\ip-adress_com[1].txt		html
		MD5:—	SHA256:—
3340	SpyNet 2.6.exe	C:\Users\admin\AppData\Local\Temp\sqlite3.dll		executable
		MD5:744DCC4CBBFBB18FE3878C4E769EC48F	SHA256:33EB31A2A576E663474A895FF0190316C64A93D9CE05A55DF0D53F9BEEB61163

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1588	SpyNet.exe	GET	200	185.194.141.58:80	http://ip-api.com/json/	DE	text	351 b	malicious
3340	SpyNet 2.6.exe	GET	301	85.93.89.6:80	http://www.ip-adress.com/	DE	html	234 b	shared
3136	windefender.exe	GET	200	185.194.141.58:80	http://ip-api.com/json/	DE	text	351 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3136	windefender.exe	185.194.141.58:80	ip-api.com	netcup GmbH	DE	unknown
3340	SpyNet 2.6.exe	85.93.89.6:80	www.ip-adress.com	Host Europe GmbH	DE	malicious
3340	SpyNet 2.6.exe	85.93.89.6:443	www.ip-adress.com	Host Europe GmbH	DE	malicious
3136	windefender.exe	88.240.165.5:63	drkcmtt.duckdns.org	Turk Telekom	TR	unknown
1588	SpyNet.exe	185.194.141.58:80	ip-api.com	netcup GmbH	DE	unknown

DNS requests

Domain	IP	Reputation
ip-api.com	185.194.141.58	malicious
drkcmtt.duckdns.org	88.240.165.5	unknown
www.ip-adress.com	85.93.89.6 85.93.88.251 207.38.89.115 209.126.124.166	shared

Threats

PID	Process	Class	Message
1588	SpyNet.exe	Potential Corporate Privacy Violation	ET POLICY External IP Lookup ip-api.com
1588	SpyNet.exe	A Network Trojan was detected	MALWARE [PTsecurity] Quasar 1.3 RAT IP Lookup ip-api.com (HTTP headeer)
3136	windefender.exe	Potential Corporate Privacy Violation	ET POLICY External IP Lookup ip-api.com
3136	windefender.exe	A Network Trojan was detected	MALWARE [PTsecurity] Quasar 1.3 RAT IP Lookup ip-api.com (HTTP headeer)
1080	svchost.exe	Misc activity	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Add for printing

No debug info

General Info

SpyNet2.6.zip

A1E7143C1A3353C98C9F6BEB987528A0

9BF3CF3E1FD97C385AEC544F8E2DCB60E483E52D

ACA0C13F2625E2912AA434912C2A6165C4EDE7F0F8C00919F4F8D25985F1BDD4

98304:il3QPeWRjYjEym49nQ7KaOumV+LW0DfTHRbqjeaeKNgFqKribswbm4xp9T0i/bS+:mHBBgOt+S+fTHgGKNgF7wq4jiiDdB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Starts itself from another location

Checks for external IP

Executes scripts

Connects to unusual port

INFO

Dropped object may contain URL's

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings