analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

COINWALLET.zip

Full analysis: https://app.any.run/tasks/0efab29b-bb9e-4270-b192-502f23369da5
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: October 14, 2019, 00:14:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

9C8681AC87988ADEC91DD1D40E3D4A77

SHA1:

D0B336A5BE1AEE9A6D4F723EB8731C502CD66320

SHA256:

B90DB84E857E2559FD2294D857D22B683B7C592B0D9A46FEF2215D8A5DB9FAF3

SSDEEP:

6144:9FKU+icMEjI7LfOAPpFJnrN4q1DDpqbduGhR79MiwcKV9chyHqhSzV8Pr9lQ/ov2:L9+K7L2APBrNVAd3pIVV0hSJ8PrPQEoX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PasswordDecoder.exe (PID: 2392)
      • SgrmBroker.exe (PID: 2236)
      • dllhost.exe (PID: 1316)
      • PassDecoder.exe (PID: 3936)
      • RuntimeBroker.exe (PID: 2504)
      • PasswordDecoder.exe (PID: 1292)
      • RuntimeBroker.exe (PID: 3424)

    • Connects to CnC server

      • dllhost.exe (PID: 1316)

    • Actions looks like stealing of personal data

      • RuntimeBroker.exe (PID: 3424)

    • Stealing of credential data

      • RuntimeBroker.exe (PID: 3424)

    • Loads dropped or rewritten executable

      • RuntimeBroker.exe (PID: 3424)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2200)
      • SgrmBroker.exe (PID: 2236)
      • dllhost.exe (PID: 1316)
      • PasswordDecoder.exe (PID: 2392)
      • RuntimeBroker.exe (PID: 2504)
      • RuntimeBroker.exe (PID: 3424)

    • Application launched itself

      • RuntimeBroker.exe (PID: 2504)

    • Reads the cookies of Mozilla Firefox

      • RuntimeBroker.exe (PID: 3424)

    • Reads the cookies of Google Chrome

      • RuntimeBroker.exe (PID: 3424)

    • Creates files in the user directory

      • RuntimeBroker.exe (PID: 3424)

    • Loads Python modules

      • RuntimeBroker.exe (PID: 3424)

    • Starts CMD.EXE for commands execution

      • RuntimeBroker.exe (PID: 3424)
      • dllhost.exe (PID: 1316)
      • SgrmBroker.exe (PID: 2236)

    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 992)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • RuntimeBroker.exe (PID: 2504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: carteria.txt
ZipUncompressedSize: 112
ZipCompressedSize: 110
ZipCRC: 0x148b1b31
ZipModifyDate: 2019:07:28 11:36:01
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
15
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start drop and start winrar.exe passworddecoder.exe passdecoder.exe no specs sgrmbroker.exe notepad.exe no specs dllhost.exe runtimebroker.exe runtimebroker.exe cmd.exe no specs systeminfo.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs passworddecoder.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2200"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\COINWALLET.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2392"C:\Users\admin\AppData\Local\Temp\Rar$EXa2200.6509\PasswordDecoder.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2200.6509\PasswordDecoder.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3936"C:\Users\admin\AppData\Local\Microsoft\PassDecoder.exe" C:\Users\admin\AppData\Local\Microsoft\PassDecoder.exePasswordDecoder.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2236"C:\Users\admin\AppData\Local\Microsoft\SgrmBroker.exe" C:\Users\admin\AppData\Local\Microsoft\SgrmBroker.exe
PasswordDecoder.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225547
4092"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2200.7134\passphrases.txtC:\Windows\system32\NOTEPAD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1316"C:\Users\admin\AppData\Local\Microsoft\dllhost.exe"C:\Users\admin\AppData\Local\Microsoft\dllhost.exe
SgrmBroker.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2504"C:\Users\admin\AppData\Local\Microsoft\RuntimeBroker.exe"C:\Users\admin\AppData\Local\Microsoft\RuntimeBroker.exe
dllhost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3424"C:\Users\admin\AppData\Local\Microsoft\RuntimeBroker.exe"C:\Users\admin\AppData\Local\Microsoft\RuntimeBroker.exe
RuntimeBroker.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
992C:\Windows\system32\cmd.exe /c SYSTEMINFOC:\Windows\system32\cmd.exeRuntimeBroker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1948SYSTEMINFOC:\Windows\system32\systeminfo.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Displays system information
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
993
Read events
950
Write events
43
Delete events
0

Modification events

(PID) Process:(2200) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2200) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2200) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2200) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\COINWALLET.zip
(PID) Process:(2200) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2200) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2200) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2200) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2200) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2200) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
26
Suspicious files
2
Text files
27
Unknown types
1

Dropped files

PID
Process
Filename
Type
2200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2200.6509\keys.txttext
MD5:4379A5FF96FDEFD558C06474825886E1
SHA256:411DD537B26121161AE352946184F678BF1C61C9CB67B98AF9464EAC1CBE6017
2200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2200.6509\passphrases.txttext
MD5:6A27FFEED7FDD9E9C9068E483337D78F
SHA256:27C8F2A8577F829329C461E65B10CBA8DD3BE795557C9FAA8E4EF0D602DE50DB
2392PasswordDecoder.exeC:\Users\admin\AppData\Local\Microsoft\edgB55B.tmptext
MD5:7FC332B52FF41ACFD39061B7F8F61D2B
SHA256:5B783F45C9827E91FF824FA082B3C673A3788F21AD023C14FBF13257FE737ACE
2200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2200.6509\private.txttext
MD5:20BD85B91F73D63257B218B471AEFB5D
SHA256:966730AF3F6842D509EC27DA5A9931F116F9090CC944A341B488B92FAAC2A6B2
2504RuntimeBroker.exeC:\Users\admin\AppData\Local\Temp\_MEI25042\Microsoft.VC90.CRT.manifestxml
MD5:0BCAE6094FDA15852A9D5C1E1F03BB24
SHA256:454E12BC0DED5A81B52F38D73942E9F0A1BD2073AC2E976F63A8AF115C7EA296
2200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2200.6509\carteria.txttext
MD5:667651BDB754209D24C6EF48F750A85E
SHA256:188A50A8B3A0629537E2C047DE8E95BF593312FB667392D2DB423470A6251AE5
2504RuntimeBroker.exeC:\Users\admin\AppData\Local\Temp\_MEI25042\_sqlite3.pydexecutable
MD5:CF6E48AFBAD2A930775723387080D2C3
SHA256:B355041828E249B476D198F5B245B89A32E1A857F401F137E768E6E2F8B5F687
1316dllhost.exeC:\Users\admin\AppData\Local\Microsoft\RuntimeBroker.exeexecutable
MD5:C064FCB25FF8F8FE05D4A2AF7FE3CEF4
SHA256:5EED55AEDEFE0ABFD89D578C340606B7D339B831EA42A4B8E1CFE05FC9E790B5
2200WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2200.7134\passphrases.txttext
MD5:6A27FFEED7FDD9E9C9068E483337D78F
SHA256:27C8F2A8577F829329C461E65B10CBA8DD3BE795557C9FAA8E4EF0D602DE50DB
2504RuntimeBroker.exeC:\Users\admin\AppData\Local\Temp\_MEI25042\ghost.exe.manifestxml
MD5:EFE3A95630653F821ABA795181D765AE
SHA256:89D65765DA00D4EBE5021AA67F282AE3A6437391A6A2D6772091125EDF20BF17
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1316
dllhost.exe
POST
200
185.141.61.161:10
http://qqwveqwevqwe.duckdns.org:10/
unknown
text
8.20 Mb
malicious
3424
RuntimeBroker.exe
POST
200
185.141.61.161:10
http://qqwveqwevqwe.duckdns.org:10/
unknown
text
2 b
malicious
3424
RuntimeBroker.exe
POST
200
185.141.61.161:10
http://qqwveqwevqwe.duckdns.org:10/
unknown
binary
1 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3424
RuntimeBroker.exe
185.141.61.161:10
qqwveqwevqwe.duckdns.org
malicious
1316
dllhost.exe
185.141.61.161:10
qqwveqwevqwe.duckdns.org
malicious

DNS requests

Domain
IP
Reputation
qqwveqwevqwe.duckdns.org
  • 185.141.61.161
unknown

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1316
dllhost.exe
A Network Trojan was detected
AV TROJAN MilkyBoy CnC Beacon
1316
dllhost.exe
A Network Trojan was detected
MALWARE [PTsecurity] Stealer.Pjdn
1316
dllhost.exe
Misc activity
SUSPICIOUS [PTsecurity] Executable base64 Payload
3424
RuntimeBroker.exe
Misc activity
SUSPICIOUS [PTsecurity] Python Request HTTP Header
3424
RuntimeBroker.exe
Misc activity
SUSPICIOUS [PTsecurity] Python Request HTTP Header
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
COINWALLET.zip