Field | Value |
---|---|
File name | Lonelyscreen.1.2.9.keygen.by.Paradox.zip |
Full analysis | https://app.any.run/tasks/efb7a57e-b6f3-4be0-9789-ad6a37dfdc9f |
Verdict | Malicious activity |
Threats | Glupteba is a loader with information-stealing and traffic routing functionality. It is designed primarily to install other viruses on infected PCs but can do much more than that. In addition, it is being constantly updated, making this virus one to watch out for. |
Analysis date | August 08, 2020, 18:32:34 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v1.0 to extract |
MD5 | A08AD2D67A8B60EE574A5D68FFF35C6E |
SHA1 | AF6FFE03B0B53FA3EFDE61D8B9F115788CFFF032 |
SHA256 | B8F8FE870C841E6249FDABC7429F735CEFA7C57F10C41F30964F7E5EC190DE54 |
SSDEEP | 393216:k0A1zvK1Nl0HeD0Uxir8pOA6AqVFD9HIOb3E:5ARvK1NOHkor8pwF6iE |
Field | Value |
---|---|
Extension | .zip |
Description | ZIP compressed archive (100) |
ZipFileName | Lonelyscreen.1.2.9.keygen.by.Paradox.zip |
ZipUncompressedSize | 13900749 |
ZipCompressedSize | 13900749 |
ZipCRC | 0x1ed6911e |
ZipModifyDate | 2020:08:08 21:32:02 |
ZipCompression | None |
ZipBitFlag | - |
ZipRequiredVersion | 10 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3216 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
2960 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3216.41532\Lonelyscreen.1.2.9.keygen.by.Paradox.zip | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
2184 | "C:\Users\admin\Desktop\Lonelyscreen.1.2.9.keygen.by.Paradox.exe" | C:\Users\admin\Desktop\Lonelyscreen.1.2.9.keygen.by.Paradox.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2688 | cmd /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen.bat" " | C:\Windows\system32\cmd.exe | — | Lonelyscreen.1.2.9.keygen.by.Paradox.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3648 | keygen-pr.exe -p83fsase3Ge | C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
3816 | keygen-step-3.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
1800 | "C:\Users\admin\AppData\Local\Temp\RarSFX1\key.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX1\key.exe | — | keygen-pr.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2780 | "C:\Users\admin\AppData\Local\Temp\RarSFX2\whhw.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX2\whhw.exe | — | keygen-step-4.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
2840 | cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe" | C:\Windows\system32\cmd.exe | — | keygen-step-3.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2960 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2960.42840\Lonelyscreen.1.2.9.keygen.by.Paradox.exe | — | — | — |
408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX2\Full Version.exe | executable | 5EB7D1110A6268092D008D93701A08B5 | B858E24EAC464AFD49D6BF782557F946B03E5E97431A1987B09B0203B5636C97 |
2780 | whhw.exe | C:\Users\admin\AppData\Local\Temp\RarSFX3\setup.upx.exe | executable | 7D72DB8AACECCD5CAB82E0F618CE9D81 | A8374F4EFACD0D4ACE4F78A781BAF7A1E0913EDACEB8FEDDCB82D07B68A1BCAB |
408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX2\whhw.exe | executable | 2FB5455DAB77DD4D793AAFA3DF21B013 | 160785406249AAE0E5F2BD62DD5DAF64A15CE9BBB36C57A6F8F5C1DDB6390D9B |
408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX2\DreamTrips.bat | text | 7B24665F2DB82F311BFF238F05EB639A | 81C2E1E08984F45A9FCD8A5E54087B5B2160ED553B584BAC7EF589C0867E4478 |
3816 | keygen-step-3.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data1 | sqlite | B07445123C1156C138DBB2C09CA56381 | 60EF4EEFAE5E163D3C38BBBF592B70453BE8C17D95537C84438DCA3DB7B150F5 |
2184 | Lonelyscreen.1.2.9.keygen.by.Paradox.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\keygen.bat | text | 362A98FF358CEE4C06AEDF4C8E6F8770 | C02A8B5CD85868DA0523B58370BC5B6F8C24FA5AC8E59D874F8BA1C21F4EF158 |
2184 | Lonelyscreen.1.2.9.keygen.by.Paradox.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\user32.dll | executable | 634FBE95EA4EF2E799B3D117DD9EC52E | 1BA4BC4F000DD9263307357FFA42D83EB01F59BF28AEC16EF2EB74E24683412E |
408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX2\Install.exe | executable | 2C0E1409D473E0ABD4780E8FE56FBCC1 | 8EA9BF28F667ABD691E7794CCA3095FFF79A2B0FE0CBE3DA3FB8EFFC10DAB4BB |
408 | keygen-step-4.exe | C:\Users\admin\AppData\Local\Temp\RarSFX2\Setup.exe | executable | E818A2384A90A03D8314CC4CF1CAD1E0 | 0585A29DDCDB6A4F0D23D4D09304768877EF1AE500C9664AF9C21A6AFF9D330C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1676 | searzar.exe | GET | 200 | 2.16.186.35:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
1800 | key.exe | POST | — | 104.27.166.134:80 | http://www.oldhorse.info/ | US | — | — | malicious |
3080 | setup.upx.exe | POST | 200 | 45.32.114.117:80 | http://www.wdsfw34erf93.com/index.php/api/fb | SG | text | 24 b | whitelisted |
1676 | searzar.exe | POST | 200 | 38.27.96.30:80 | http://www.nicekkk.pw/Home/Index/getdata | US | text | 7 b | malicious |
1800 | key.exe | POST | — | 104.27.166.134:80 | http://www.oldhorse.info/ | US | — | — | malicious |
2484 | Install.exe | POST | 200 | 172.67.152.86:80 | http://ef1db1064a5e5794.xyz/info/w | US | — | — | malicious |
1800 | key.exe | POST | 200 | 104.27.167.134:80 | http://oldhorse.info/a.php | US | — | — | malicious |
116 | id6.exe | POST | 200 | 194.54.83.254:80 | http://freekzvideo.cloud/business/receive | UA | — | — | malicious |
2724 | Yandex.exe | POST | 200 | 172.67.152.86:80 | http://ef1db1064a5e5794.xyz/info/w | US | — | — | malicious |
4072 | Yandex.exe | POST | 200 | 172.67.152.86:80 | http://ef1db1064a5e5794.xyz/info/w | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1800 | key.exe | 104.27.167.134:80 | oldhorse.info | Cloudflare Inc | US | malicious |
1676 | searzar.exe | 88.99.66.31:443 | iplogger.org | Hetzner Online GmbH | DE | malicious |
3816 | keygen-step-3.exe | 45.32.114.117:80 | www.wdsfw34erf93.com | Choopa, LLC | SG | malicious |
3080 | setup.upx.exe | 45.32.114.117:80 | www.wdsfw34erf93.com | Choopa, LLC | SG | malicious |
116 | id6.exe | 194.54.83.254:80 | freekzvideo.cloud | Omnilance Ltd | UA | malicious |
1676 | searzar.exe | 149.28.244.249:80 | www.ipcode.pw | — | US | suspicious |
2912 | hjjgaa.exe | 208.95.112.1:80 | ip-api.com | IBURST | — | malicious |
1676 | searzar.exe | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | whitelisted |
1676 | searzar.exe | 38.27.96.30:80 | www.nicekkk.pw | HOSTSPACE NETWORKS LLC | US | malicious |
1676 | searzar.exe | 2.16.186.35:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.wdsfw34erf93.com | | whitelisted |
oldhorse.info | | malicious |
www.oldhorse.info | | malicious |
freekzvideo.cloud | | malicious |
www.ipcode.pw | | malicious |
iplogger.org | | shared |
isrg.trustid.ocsp.identrust.com | | whitelisted |
ocsp.int-x3.letsencrypt.org | | whitelisted |
www.nicekkk.pw | | malicious |
ip-api.com | | shared |
PID | Process | Class | Message |
---|---|---|---|
1800 | key.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Nebuler Checkin |
1800 | key.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
1048 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
116 | id6.exe | A Network Trojan was detected | ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space |
116 | id6.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.cloud Domain |
1048 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
1676 | searzar.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.pw domain |
1676 | searzar.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
1676 | searzar.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] IP Check Domain SSL certificate |
1048 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
Process | Message |
---|---|
id6.exe | 006 |
id6.exe | http://freekzvideo.cloud/business/receive |
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\1596911662941 directory exists ) |
id20.exe | http://freekzvideo.cloud/business/receive |
LightHotlux.exe | DeviceId=0743643e-9037-d808-6b96-07efe0d17ab7 Distributer=APSFADexpNR ChannelId=3 BarcodeId=54369003 ApName=Mbappert |
Trantech.exe | DeviceId=0743643e-9037-d808-6b96-07efe0d17ab7 Distributer=APSFADexpNR ChannelId=3 BarcodeId=54369003 DefaultSearchDomain=https://feed.sonic-search.com HomePageDomain=https://feed.helperbar.com NewTabDomain=https://feed.helperbar.com EncryptUrl=true AddRemove=false AgentName=Mbappert YBSearch=false ApName=Mbappert SetAll=true campaignId=461 |
Mbappert.exe | Agent Main |
Mbappert.exe | Agent Started |
Mbappert.exe | Agent service started with arg: DeviceId=0743643e-9037-d808-6b96-07efe0d17ab7 Distributer=APSFADexpNR ChannelId=3 BarcodeId=54369003 DefaultSearchDomain=https://feed.sonic-search.com HomePageDomain=https://feed.helperbar.com NewTabDomain=https://feed.helperbar.com EncryptUrl=true AddRemove=false AgentName=Mbappert YBSearch=false ApName=Mbappert SetAll=true campaignId=461 |
Mbappert.exe | Current directory: C:\ProgramData\Mbappert |