File name: 99303988488829.zip
Full analysis: https://app.any.run/tasks/72daf838-4f1f-4365-8aba-f4fe5b0175e0
Verdict: Malicious activity
Analysis date: December 06, 2018, 11:04:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 8349B16B1AB602DBF015FF392FE66E12
SHA1: 44E4A2153F7167AF4CCECB73189913AFA961C909
SHA256: B8A98809822AC05179B8D891344F0165B10F37AE5EAB43034A50890F8F48124B
SSDEEP: 192:GnoieAqJ5MoMzNUWWi0rYHWX0sA12OkcnPdmrYLqT:GcAupWdNIh2BFnlmU6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executes scripts
      • WinRAR.exe (PID: 2788)
  • INFO
    No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipFileName: 99303988488829.vbs
ZipUncompressedSize: 14003
ZipCompressedSize: 6978
ZipCRC: 0x1223f02a
ZipModifyDate: 2018:12:06 02:41:19
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20

No data.
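The EXIF block above is what a static look at the archive reveals before anything runs: a single deflated member named 99303988488829.vbs, with its sizes, CRC and required extract version. The following added example (not ANY.RUN's code, and not the sample itself) performs that triage in Python on an archive constructed in memory to match those fields; the member body is a harmless placeholder, and RISKY_EXTS, BOMB_RATIO and MAX_HASH_BYTES are assumed thresholds to tune for your own environment.

```python
"""Static triage of a ZIP lure without extracting it to disk.

Added example; not ANY.RUN's code. The sample archive is constructed in
memory to mirror the EXIF ZIP fields in the report (one deflated .vbs
member); its body is a harmless placeholder, not the real script.
"""
import hashlib
import io
import zipfile
from typing import List

# Extensions that hand the member to an interpreter or loader when a user
# double-clicks it inside the archive (assumption: tune to your estate).
RISKY_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
              ".exe", ".scr", ".lnk", ".ps1", ".bat", ".cmd")
MAX_HASH_BYTES = 50 * 1024 * 1024   # never inflate anything larger (bomb guard)
BOMB_RATIO = 100                    # uncompressed/compressed above this is suspect

# Constructed placeholder body; the counters keep it from compressing
# unrealistically well.
SAMPLE_BODY = "".join(f'WScript.Echo "line {i}"\r\n' for i in range(200)).encode()


def build_sample_zip() -> bytes:
    """Constructed lookalike of the reported archive: one deflated .vbs member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("99303988488829.vbs", SAMPLE_BODY)
    return buf.getvalue()


def triage_zip(data: bytes) -> List[dict]:
    """One record per member, built from the central directory.

    Member bytes are read only for hashing, and only when the declared size
    and compression ratio are sane, so a zip bomb cannot exhaust memory and
    nothing is ever written where an interpreter could pick it up.
    """
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1].rstrip()      # drop padding spaces
            flags = []
            if base.lower().endswith(RISKY_EXTS):
                flags.append("risky_extension")
                if base.count(".") > 1:
                    flags.append("double_extension")     # e.g. invoice.pdf.vbs
            if info.flag_bits & 0x1:
                flags.append("encrypted")                # password lure defeats scanners
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts:
                flags.append("path_traversal")           # zip-slip style member name
            if info.compress_size and info.file_size / info.compress_size > BOMB_RATIO:
                flags.append("extreme_ratio")
            sha256 = None
            if info.file_size <= MAX_HASH_BYTES and "extreme_ratio" not in flags:
                # zf.read() also verifies the stored CRC and raises on mismatch.
                sha256 = hashlib.sha256(zf.read(info)).hexdigest()
            records.append({
                "name": name,
                "uncompressed": info.file_size,
                "compressed": info.compress_size,
                "crc": f"0x{info.CRC:08x}",
                "compression": {zipfile.ZIP_STORED: "stored",
                                zipfile.ZIP_DEFLATED: "deflated"}.get(
                                    info.compress_type, str(info.compress_type)),
                "required_version": info.extract_version,
                "sha256": sha256,
                "flags": flags,
            })
    return records


if __name__ == "__main__":
    for rec in triage_zip(build_sample_zip()):
        print(rec)
```

The flags are the ones worth acting on at the mail gateway or on a sandbox intake queue: a lone script member, a double extension, an encrypted member (the password usually travels in the lure e-mail), a traversal-style name, or an implausible ratio. The real archive on this page would produce a single record with risky_extension set and the sizes and CRC shown in the EXIF block.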
Total processes: 30
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> winrar.exe (no specs) -> wscript.exe

Process information

PID 2788: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\99303988488829.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2344: WScript.exe
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2788.31281\99303988488829.vbs"
  Path: C:\Windows\System32\WScript.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385
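The process tree above (explorer.exe -> WinRAR.exe -> WScript.exe running a .vbs straight out of WinRAR's Rar$DIa2788.31281 temporary directory) is the chain a detection should key on: the user never extracted the archive, they double-clicked the script inside it. The added example below is not part of this report; it runs that logic in Python over constructed process-creation events modelled on Sysmon Event ID 1. The two events for PIDs 2788 and 2344 and the Rar$ temp-directory pattern are taken from this page; the benign filler events, the ARCHIVERS and SCRIPT_HOSTS lists and the 7-Zip temp-directory pattern are assumptions.

```python
"""Flag script hosts launched directly from an archive utility.

Added example (not ANY.RUN's code). Event fields mimic Sysmon Event ID 1
(process creation); the sample events are constructed from the process
tree in the report plus benign fillers.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# Script interpreters a user reaches by double-clicking inside an archive.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Archive front-ends (assumption: extend for the tools deployed in your estate).
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
# WinRAR opens members from %TEMP%\Rar$<mode><pid>.<n>\ (seen in the report);
# the 7-Zip alternative is an assumption modelled on its 7z<id> temp dirs.
ARCHIVER_TEMP = re.compile(
    r"\\Temp\\(?:Rar\$[A-Za-z]+\d+\.\d+|7z[A-Za-z0-9]+)\\", re.IGNORECASE)

EVENTS = [  # constructed sample telemetry
    {"pid": 2788, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\99303988488829.zip"'},
    {"pid": 2344, "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2788.31281\99303988488829.vbs"'},
    # Benign: a logon script started by explorer, not by an archiver.
    {"pid": 3100, "image": r"C:\Windows\System32\WScript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Scripts\logon.vbs"'},
    # Benign: a text file opened from the same archive.
    {"pid": 3212, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2788.31281\readme.txt"'},
]


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def classify(event: dict) -> Optional[dict]:
    """Return a finding when a script host is spawned by an archiver, else None."""
    child, parent = image_name(event["image"]), image_name(event["parent_image"])
    if child not in SCRIPT_HOSTS or parent not in ARCHIVERS:
        return None
    reasons = [f"{child} spawned by {parent}"]
    args = split_cmdline(event["cmdline"])[1:]
    scripts = [a for a in args if PureWindowsPath(a).suffix.lower() in SCRIPT_EXTS]
    if scripts:
        reasons.append("script argument: " + ", ".join(scripts))
    # The script still lives in the archiver's scratch directory: the user
    # launched it from inside the archive rather than after extraction.
    if any(ARCHIVER_TEMP.search(a) for a in scripts):
        reasons.append("archiver_temp_path")
    severity = "high" if "archiver_temp_path" in reasons else "medium"
    return {"pid": event["pid"], "severity": severity, "reasons": reasons}


def scan(events: List[dict]) -> List[dict]:
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Run against the events above, only PID 2344 is returned, at high severity, with the reasons "wscript.exe spawned by winrar.exe", the .vbs argument, and archiver_temp_path. The parent/child pair alone is already a strong signal; the temp-path check mostly serves to rank the alert, since a legitimately extracted script would sit somewhere the user chose.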
Total events: 496
Read events: 472
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 4
Text files: 4
Unknown types: 0

Dropped files

PID 2344 (WScript.exe): C:\Users\admin\AppData\Local\Temp\CabB54C.tmp
  Type / MD5 / SHA256: not recorded
PID 2344 (WScript.exe): C:\Users\admin\AppData\Local\Temp\TarB54D.tmp
  Type / MD5 / SHA256: not recorded
PID 2344 (WScript.exe): C:\Users\admin\AppData\Local\Temp\CabB56D.tmp
  Type / MD5 / SHA256: not recorded
PID 2344 (WScript.exe): C:\Users\admin\AppData\Local\Temp\TarB56E.tmp
  Type / MD5 / SHA256: not recorded
PID 2344 (WScript.exe): C:\Users\admin\AppData\Local\Temp\CabB61B.tmp
  Type / MD5 / SHA256: not recorded
PID 2344 (WScript.exe): C:\Users\admin\AppData\Local\Temp\TarB61C.tmp
  Type / MD5 / SHA256: not recorded
PID 2788 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DIa2788.31281\99303988488829.vbs
  Type: text
  MD5: 77D4699CAE309293012A81B062817A6A
  SHA256: 494D6D1814B6D7DABEC902BDB0D8D0A13985F8D215AE076CFAEF2ADCFDFCB269
PID 2344 (WScript.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Type: binary
  MD5: 1EA683A60EB18B9DA5866C7192061FF3
  SHA256: 361C4C76D0F7C1870866BAB66ECDE417FA1CC99BC4A14C2A8583FAE797D988EC
PID 2344 (WScript.exe): C:\Users\admin\AppData\Local\Temp\Microsoft.url
  Type: text
  MD5: F08AE01D196FED6458005372527366DF
  SHA256: A74259DF7113E101CDA53FEF97F36F0927FA6FF963C0ED16261BCEDE6EE33C9E
PID 2344 (WScript.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Type: compressed
  MD5: A902CF373E02F7DC34F456ED7449279C
  SHA256: EA0C12AEDEA644678014991A96534145E85AA12CD8955396DFDC98A4FC96F0D5

Note that the Cab*.tmp/Tar*.tmp files and the CryptnetUrlCache entries are the standard footprint of Windows CryptoAPI refreshing its trusted root list (the authrootstl.cab download listed under HTTP requests below), not files the script wrote itself; the only artifact contributed by the sample is the .vbs that WinRAR extracted to its Rar$DIa2788.31281 scratch directory. Its hashes above are the IOCs to pivot on.
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID 2344 (WScript.exe): GET http://dns.spoolers.org/aVDNZbcfyI.php
  IP: 46.47.98.128:80 (CN: BG)
  HTTP code: none recorded
  Type / Size: none recorded
  Reputation: malicious
PID 2344 (WScript.exe): GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  IP: 205.185.216.10:80 (CN: US)
  HTTP code: 200
  Type: compressed
  Size: 55.2 Kb
  Reputation: whitelisted

Connections

PID 2344 (WScript.exe): 205.185.216.10:80
  Domain: www.download.windowsupdate.com
  ASN: Highwinds Network Group, Inc.
  CN: US
  Reputation: whitelisted
PID 2344 (WScript.exe): 46.47.98.128:80
  Domain: dns.spoolers.org
  ASN: Bulsatcom EAD
  CN: BG
  Reputation: malicious

DNS requests

www.download.windowsupdate.com (reputation: whitelisted)
  • 205.185.216.10
  • 205.185.216.10
  • 205.185.216.10
  • 205.185.216.42
dns.spoolers.org (reputation: malicious)
  • 46.47.98.128
  • 89.25.41.223
  • 46.139.176.151
  • 31.5.167.149
  • 89.215.156.222
  • 213.222.130.75
  • 37.247.216.118
  • 37.34.176.37
  • 95.43.57.155
  • 86.106.200.105

Threats

No threats detected

Debug info

No debug info