analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://assettreat.com/wp-admin/css/colors/blue/rolf.zip

Full analysis: https://app.any.run/tasks/edf305d0-54df-4626-9f29-20451c2302e4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 14, 2019, 10:58:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
trojan
loader
ransomware
troldesh
shade
evasion
Indicators:
MD5:

D9A4A43ABA367CE0DCEBAC5D0AA60647

SHA1:

8A966FC05A3C5305EE9BCCA164F6A08E7EE20E13

SHA256:

B2B8DFCC16A96E76583453B338E3C12161A427D0BFB08FC735A72CD6EAACE107

SSDEEP:

3:N1KfmXA4tmgTTp4VMS0Vn:CWtmgTU9sn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • WScript.exe (PID: 2540)

    • Application was dropped or rewritten from another process

      • rad19C18.tmp (PID: 1020)

    • TROLDESH was detected

      • rad19C18.tmp (PID: 1020)

    • Changes the autorun value in the registry

      • rad19C18.tmp (PID: 1020)

    • Deletes shadow copies

      • rad19C18.tmp (PID: 1020)

    • Dropped file may contain instructions of ransomware

      • rad19C18.tmp (PID: 1020)

    • Runs app for hidden code execution

      • rad19C18.tmp (PID: 1020)

    • Connects to CnC server

      • chrome.exe (PID: 1380)

    • Actions looks like stealing of personal data

      • rad19C18.tmp (PID: 1020)

    • Modifies files in Chrome extension folder

      • rad19C18.tmp (PID: 1020)

  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 2540)
      • rad19C18.tmp (PID: 1020)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2540)
      • rad19C18.tmp (PID: 1020)
      • chrome.exe (PID: 1380)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 3800)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2540)
      • rad19C18.tmp (PID: 1020)

    • Connects to unusual port

      • rad19C18.tmp (PID: 1020)

    • Creates files in the program directory

      • rad19C18.tmp (PID: 1020)

    • Checks for external IP

      • rad19C18.tmp (PID: 1020)

    • Creates files like Ransomware instruction

      • rad19C18.tmp (PID: 1020)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 1380)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2868)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2868)
      • iexplore.exe (PID: 3536)
      • chrome.exe (PID: 1380)

    • Application launched itself

      • iexplore.exe (PID: 2868)
      • chrome.exe (PID: 1380)

    • Dropped object may contain URL to Tor Browser

      • rad19C18.tmp (PID: 1020)

    • Reads settings of System Certificates

      • chrome.exe (PID: 1380)

    • Dropped object may contain Bitcoin addresses

      • rad19C18.tmp (PID: 1020)

    • Dropped object may contain TOR URL's

      • rad19C18.tmp (PID: 1020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
87
Monitored processes
41
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe no specs winrar.exe no specs winrar.exe no specs wscript.exe cmd.exe no specs #TROLDESH rad19c18.tmp vssadmin.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs explorer.exe no specs PhotoViewer.dll no specs notepad.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2868"C:\Program Files\Internet Explorer\iexplore.exe" http://assettreat.com/wp-admin/css/colors/blue/rolf.zipC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3536"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2868 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2296"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\rolf.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3112"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\rolf.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3924"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\rolf.zip" C:\Users\admin\Downloads\C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2540"C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\Группа компаний Рольф подробности заказа.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3392"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad19C18.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1020C:\Users\admin\AppData\Local\Temp\rad19C18.tmpC:\Users\admin\AppData\Local\Temp\rad19C18.tmp
cmd.exe
User:
admin
Company:
Burnaware
Integrity Level:
MEDIUM
Description:
Verify Disc
Version:
8.3.0.0
3660C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exerad19C18.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3472"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exe
rad19C18.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 021
Read events
2 760
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
1 220
Text files
272
Unknown types
25

Dropped files

PID
Process
Filename
Type
2868iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF39B4D923EE2FFC3B.TMP
MD5:
SHA256:
2868iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2868iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2868iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFDFBC3FAD35E38D75.TMP
MD5:
SHA256:
2868iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{30E72E7F-4648-11E9-BAD8-5254004A04AF}.dat
MD5:
SHA256:
1020rad19C18.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
1020rad19C18.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
1020rad19C18.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensus
MD5:
SHA256:
1020rad19C18.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
1020rad19C18.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
106
DNS requests
60
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3536
iexplore.exe
GET
200
198.38.82.163:80
http://assettreat.com/wp-admin/css/colors/blue/rolf.zip
US
compressed
3.06 Kb
malicious
1020
rad19C18.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2540
WScript.exe
GET
200
46.231.127.146:80
http://www.kikoveneno.net/templates/kikoveneno/images/msges.jpg
ES
executable
1.22 Mb
suspicious
1380
chrome.exe
GET
302
185.100.85.150:80
http://cryptsen7fo43rr6.onion.to/
RO
malicious
1380
chrome.exe
GET
301
195.201.201.32:80
http://2ip.ru/
RU
shared
1020
rad19C18.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1380
chrome.exe
GET
62.138.11.6:80
http://cryptsen7fo43rr6.onion.cab/
DE
malicious
1020
rad19C18.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1020
rad19C18.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1380
chrome.exe
GET
200
84.15.64.236:80
http://r1---sn-cpux-8ovl.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvZDI3QUFWdDJLbzhIMFNCY21HWi04QmFaZw/6818.528.0.0_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=85.206.166.82&mm=28&mn=sn-cpux-8ovl&ms=nvh&mt=1552560644&mv=u&pl=23&shardbypass=yes
LT
crx
826 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1020
rad19C18.tmp
131.188.40.189:443
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
malicious
1020
rad19C18.tmp
54.37.136.45:9001
OVH SAS
FR
suspicious
2540
WScript.exe
46.231.127.146:80
www.kikoveneno.net
DinaHosting S.L.
ES
suspicious
1380
chrome.exe
172.217.16.195:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
2868
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2540
WScript.exe
212.205.117.3:80
www.innews.gr
OTEnet S.A.
GR
suspicious
1020
rad19C18.tmp
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared
1020
rad19C18.tmp
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
1020
rad19C18.tmp
217.182.198.95:443
OVH SAS
DE
suspicious
1020
rad19C18.tmp
144.76.71.91:8443
Hetzner Online GmbH
DE
suspicious

DNS requests

Domain
IP
Reputation
assettreat.com
  • 198.38.82.163
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.innews.gr
  • 212.205.117.3
unknown
www.kikoveneno.net
  • 46.231.127.146
unknown
whatismyipaddress.com
  • 104.16.154.36
  • 104.16.155.36
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared
clients2.google.com
  • 172.217.22.46
whitelisted
clientservices.googleapis.com
  • 172.217.16.195
whitelisted
www.gstatic.com
  • 216.58.205.227
whitelisted
www.google.de
  • 172.217.16.163
whitelisted

Threats

PID
Process
Class
Message
2540
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2540
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2540
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
1020
rad19C18.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 116
1020
rad19C18.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
1020
rad19C18.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 362
1020
rad19C18.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 524
1020
rad19C18.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 143
1020
rad19C18.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
1020
rad19C18.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
29 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://assettreat.com/wp-admin/css/colors/blue/rolf.zip