analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

asduasdu8299.zip

Full analysis: https://app.any.run/tasks/6b19b9d2-dc03-47a2-afed-729e0f5deec3
Verdict: Malicious activity
Analysis date: December 06, 2019, 22:51:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

7128A9F6EBB2CB85F987EDBC3040EFE6

SHA1:

CF55B25FB97F8C762A239F8D2DD6FB7857815D5E

SHA256:

ADC98EDA062614C23567F241199A7AFBA6B058931AEA2265DD18F25F0DC30CCA

SSDEEP:

393216:EiONuaYBfg93TX9paRxeFgoWirzh5Wnywal/8qfG:cNuaggl7eRxz7nywal/G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3476)
      • MagnitBARTBTC.exe (PID: 3864)
      • FastExecuteScript.exe (PID: 3524)
      • SearchProtocolHost.exe (PID: 1520)
      • explorer.exe (PID: 352)
      • MagnitBARTBTC.exe (PID: 2780)
      • FastExecuteScript.exe (PID: 3508)
      • MagnitBARTBTC.exe (PID: 4056)
      • FastExecuteScript.exe (PID: 3388)
      • FastExecuteScript.exe (PID: 1252)
    • Application was dropped or rewritten from another process

      • MagnitBARTBTC.exe (PID: 3864)
      • FastExecuteScript.exe (PID: 3524)
      • MagnitBARTBTC.exe (PID: 4056)
      • FastExecuteScript.exe (PID: 3508)
      • FastExecuteScript.exe (PID: 3388)
      • MagnitBARTBTC.exe (PID: 2780)
      • FastExecuteScript.exe (PID: 1252)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3204)
      • MagnitBARTBTC.exe (PID: 3864)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3204)
      • MagnitBARTBTC.exe (PID: 3864)
    • Manual execution by user

      • MagnitBARTBTC.exe (PID: 3864)
      • MagnitBARTBTC.exe (PID: 4056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:10:25 21:22:22
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: MagnitBARTBTC/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
11
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe searchprotocolhost.exe no specs magnitbartbtc.exe fastexecutescript.exe searchprotocolhost.exe no specs magnitbartbtc.exe fastexecutescript.exe explorer.exe no specs magnitbartbtc.exe fastexecutescript.exe fastexecutescript.exe

Process information

PID
CMD
Path
Indicators
Parent process
3204"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\asduasdu8299.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3476"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3864"C:\Users\admin\Desktop\MagnitBARTBTC\MagnitBARTBTC.exe" C:\Users\admin\Desktop\MagnitBARTBTC\MagnitBARTBTC.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3524appsremote\MagnitBARTBTC\SIDecea1e22\engine\FastExecuteScript.exe C:\Users\admin\Desktop\MagnitBARTBTC\appsremote\MagnitBARTBTC\SIDecea1e22\engine\FastExecuteScript.exe
MagnitBARTBTC.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1520"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
4056"C:\Users\admin\Desktop\MagnitBARTBTC\MagnitBARTBTC.exe" C:\Users\admin\Desktop\MagnitBARTBTC\MagnitBARTBTC.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3388appsremote\MagnitBARTBTC\SIDecea1e22\engine\FastExecuteScript.exe C:\Users\admin\Desktop\MagnitBARTBTC\appsremote\MagnitBARTBTC\SIDecea1e22\engine\FastExecuteScript.exe
MagnitBARTBTC.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2780"C:\Users\admin\Desktop\MagnitBARTBTC\MagnitBARTBTC.exe" C:\Users\admin\Desktop\MagnitBARTBTC\MagnitBARTBTC.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3508appsremote\MagnitBARTBTC\SIDecea1e22\engine\FastExecuteScript.exe C:\Users\admin\Desktop\MagnitBARTBTC\appsremote\MagnitBARTBTC\SIDecea1e22\engine\FastExecuteScript.exe
MagnitBARTBTC.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
7 661
Read events
7 239
Write events
0
Delete events
0

Modification events

No data
Executable files
188
Suspicious files
38
Text files
1 086
Unknown types
229

Dropped files

PID
Process
Filename
Type
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.22048\MagnitBARTBTC\bearer\qgenericbearer.dllexecutable
MD5:DBA35D31C2B6797C8A4D38AE27D68E6E
SHA256:086D6BA24F34A269856C4E0159A860657590D05AABB2530247E685543B34C52F
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.22048\MagnitBARTBTC\imageformats\qsvg.dllexecutable
MD5:2831B334B8EDF842CE273B3DD0ACE1F8
SHA256:6BAE9AF6A7790FBDEE87B7EFA53D31D8AFF0AB49BDAAEFD3FB87A8CC7D4E8A90
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.22048\MagnitBARTBTC\imageformats\qtiff.dllexecutable
MD5:756D047A93D72771578286E621585ED2
SHA256:F9EBF4C98C1E0179CD76A1985386928FDB9E6F459E2238ED5530D160DF4F0923
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.22048\MagnitBARTBTC\D3Dcompiler_47.dllexecutable
MD5:E6945CCEEFC0A122833576A5FC5F88F4
SHA256:FB8D0049F5DD5858C3B1DA4836FB4B77D97B72D67AD951EDB48F1A3E087EC2B1
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.22048\MagnitBARTBTC\MagnitBARTBTC.exeexecutable
MD5:F7D9536EC2EE2FCE8D6CA8B0A9367673
SHA256:3313FA60337CEFF9A2DD6A862758758C69CE7C47377348EF395AA5BF70A25DA4
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.22048\MagnitBARTBTC\iconengines\qsvgicon.dllexecutable
MD5:90BB882A4B5E3427F328259530AA1B3B
SHA256:B2B420AA1805D8B5DC15CCB74DD664D10BD6BA422743F5043A557A701C8A1778
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.22048\MagnitBARTBTC\data\project.xmlxml
MD5:0A9FC3CECC892D44C9E32DF5E70CFBB3
SHA256:30587F8EE9DBDCD8630106E3FEC71352D1B9301AF105EA85BA7FAC3C1225D053
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.22048\MagnitBARTBTC\imageformats\qtga.dllexecutable
MD5:D0604A5F13B32A08D5FA5BD887F869A6
SHA256:2B6444D2A8146A066109CA19618CEEE98444127A5B422C14635AB837887E55BF
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.22048\MagnitBARTBTC\imageformats\qjpeg.dllexecutable
MD5:3232706A63E7CDF217B8ED674179706C
SHA256:45C1F50C922AC1D9D4108E37F49981FD94F997667E23085CB2EA226D406C5602
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.22048\MagnitBARTBTC\imageformats\qgif.dllexecutable
MD5:C108D79D7C85786F33F85041445F519F
SHA256:D5459A707922DD2BF50114CC6718965173EE5B0F67DEB05E933556150CFDD9D1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3864
MagnitBARTBTC.exe
146.185.145.186:443
bablosoft.com
Digital Ocean, Inc.
NL
suspicious

DNS requests

Domain
IP
Reputation
bablosoft.com
  • 146.185.145.186
whitelisted

Threats

No threats detected
No debug info