File name: | test1.zip |
Full analysis: | https://app.any.run/tasks/89b216b9-895e-4efe-9809-3f6f902e5b25 |
Verdict: | Malicious activity |
Threats: | TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage. |
Analysis date: | January 17, 2020, 23:14:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v4.5 to extract |
MD5: | 634F3AFF60F49E0E70C3BF7A8732BBF5 |
SHA1: | 9546999EF57B133D3047D2A941E60FDDD6873984 |
SHA256: | ADEEBFE44F1EF737FB8BD8ABDB25C0FECF9D4CD86A597534FF4C5BB243DA362D |
SSDEEP: | 6144:E6E3tggdqvtKYRL5Q5qB6TggO5Mcj6Idrh++cGeIZWRvXG0V7u1gMs:E6yFe5cI6jOuclE+cgmPGmH9 |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0801 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:00:00 00:00:00 |
ZipCRC: | 0x39220635 |
ZipCompressedSize: | 287382 |
ZipUncompressedSize: | 462288 |
ZipFileName: | Device/HarddiskVolume3/Users/hermell/AppData/Local/Temp/59346383.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1752 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\test1.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1724 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\Device\HarddiskVolume3\Users\hermell\AppData\Local\Temp\59346383.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\Device\HarddiskVolume3\Users\hermell\AppData\Local\Temp\59346383.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2344 | C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
408 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\Device\HarddiskVolume3\Users\hermell\AppData\Local\Temp\59346383.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\Device\HarddiskVolume3\Users\hermell\AppData\Local\Temp\59346383.exe | DllHost.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2140 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\respectivewords.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
2908 | C:\Users\admin\AppData\Roaming\WinNetCore\39324383.exe | C:\Users\admin\AppData\Roaming\WinNetCore\39324383.exe | taskeng.exe | |
User: SYSTEM Integrity Level: SYSTEM | ||||
1784 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | explorer.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Exit code: 1 Version: 15.23.20070.215641 | ||||
3304 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Exit code: 1 Version: 15.23.20070.215641 | ||||
3408 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
1188 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3408.0.524815997\476436060" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRAB49.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{90512652-8747-4905-AC02-E6CC89EF6D8B}.tmp | — | |
MD5:— | SHA256:— | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EB404F54-B6AB-4219-8385-F70BAEDC0F78}.tmp | — | |
MD5:— | SHA256:— | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{47417411-CFF5-4BD4-BF3F-87B0FC7240FF}.tmp | — | |
MD5:— | SHA256:— | |||
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\manifest.json | text | |
MD5:7F83698730B6D5D895DA2AEB1A871406 | SHA256:47290C4DF41FDAA09FE3EECD7F2A4A47DDD65F8630AE58AEDEC1D25B7A99F801 | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:471342A14E3DAB132C25552D50679A7C | SHA256:CAAF26CB16ED62FF12F8DC1BE99D201309D28A9B26A63C01A2544CDEAA8AA4DA | |||
2140 | WINWORD.EXE | C:\Users\admin\Desktop\~$spectivewords.rtf | pgc | |
MD5:70EF7105FE3C484F5D4FD6535A4E5E52 | SHA256:54C9D8E39C55A445B4973AFBA57C14521614B4E1664B0A0759337856C96551D7 | |||
1752 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1752.37255\Device\HarddiskVolume3\Users\hermell\AppData\Local\Temp\59346383.exe | executable | |
MD5:699CEBD527F0373DC20699640E690979 | SHA256:7FE1EDC657E804A7B1970C69F85D921E8C665E6935786267DD14DCA481951E73 | |||
2140 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\respectivewords.rtf.LNK | lnk | |
MD5:01B71C190FA484417DF92FFB1B84D030 | SHA256:BD0BB36E113EA4644C8F3B9C6EC59080A1A4840222F42CCA593A5997255D7A01 | |||
3304 | AcroRd32.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat | binary | |
MD5:E724D72264DA270D3DA2293F7579F7CC | SHA256:3516E878C6EF18D6D7DF8F3D01B63D7E7E87C865D822F62358B96C0576456975 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2908 | 39324383.exe | 5.182.210.246:443 | — | — | — | malicious |