File name: | 8d070b107b16ebcdefee6ee609f4f042-content.zip |
Full analysis: | https://app.any.run/tasks/7446e98c-79f6-478e-8814-983eb6f2338c |
Verdict: | Malicious activity |
Analysis date: | December 18, 2018, 14:12:33 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 67875D506181C32D4CD42605F41E5575 |
SHA1: | C8F69A68761FAB32F0DCC2EF345439BCAE5DCB1A |
SHA256: | BCAC25EF202D80860F6E5BA8C1F2BEDFA504F18A7BEEADF959841055572B1B75 |
SSDEEP: | 49152:Dya0mTIFdiIr2VFesyQ0Hn7oztHZMO21cseID2wFE/Ww:uqK0IrQFesyQ0boztO715y8E/P |
Extension: | .zip |
Type: | ZIP compressed archive (100) |
ZipFileName: | aTube_Catcher_3928599341.exe.zs |
ZipUncompressedSize: | 2557792 |
ZipCompressedSize: | 2468215 |
ZipCRC: | 0x959b027f |
ZipModifyDate: | 2018:12:18 12:07:17 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | Parent | Integrity | Image path | Command line | Details |
---|---|---|---|---|---|
3380 | explorer.exe | MEDIUM | C:\Program Files\WinRAR\WinRAR.exe | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\8d070b107b16ebcdefee6ee609f4f042-content.zip" | User: admin; Company: Alexander Roshal; Description: WinRAR archiver; Version: 5.60.0; Exit code: 0 |
3408 | explorer.exe | MEDIUM | C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe | "C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe" | User: admin; Company: —; Description: File Installer Setup; Version: —; Exit code: 0 |
3480 | aTube_Catcher_3928599341.exe | HIGH | C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe | "C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl | User: admin; Company: —; Description: File Installer Setup; Version: — |
2344 | aTube_Catcher_3928599341.exe | HIGH | C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe | "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe" --silent --otd="utm.medium:pb,utm.source:ais,utm.campaign:Model-10-16_TXT_nc_Y,utm.id:xHv7YYQgqmiBIqsdgSbeGoIkq2uXYfsojCCvbYkjrW2JI6ttgiOoa4QquTPXdPoujF3vOcNz3S7eZew5wzT8LtIhrWGIK6hugiGnZID%2BTQAAALESn1w%3D" --allusers=0 | User: admin; Company: Opera Software; Description: Opera Installer; Version: 57.0.3098.91 |
3308 | aTube_Catcher_3928599341.exe | HIGH | C:\Windows\system32\cmd.exe | /d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D12542~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D12542~2.DAT" "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D12542~1.DAT" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D12542~2.DAT" | User: admin; Company: Microsoft Corporation; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850); Exit code: 0 |
3584 | OperaSetup.exe | HIGH | C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe | C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=57.0.3098.91 --initial-client-data=0xd8,0xe0,0xe4,0xdc,0xe8,0x6d8dd5e0,0x6d8dd5f0,0x6d8dd5fc | User: admin; Company: Opera Software; Description: Opera Installer; Version: 57.0.3098.91 |
4076 | cmd.exe | HIGH | C:\Windows\system32\timeout.exe | TIMEOUT 1 | User: admin; Company: Microsoft Corporation; Description: timeout - pauses command processing; Version: 6.1.7600.16385 (win7_rtm.090713-1255); Exit code: 0 |
3700 | OperaSetup.exe | HIGH | C:\Users\admin\AppData\Local\Temp\Opera Installer\OperaSetup.exe | "C:\Users\admin\AppData\Local\Temp\Opera Installer\OperaSetup.exe" --version | User: admin; Exit code: 0 |
2704 | cmd.exe | HIGH | C:\Windows\system32\cmd.exe | cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D12542~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D12542~2.DAT" "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe" | User: admin; Company: Microsoft Corporation; Description: Windows Command Processor; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850); Exit code: 0 |
1232 | OperaSetup.exe | HIGH | C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe | "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe" --backend --install --import-browser-data=1 --enable-stats=1 --enable-installer-stats=1 --launchopera=1 --installfolder="C:\Program Files\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --startmenushortcut=1 --desktopshortcut=1 --quicklaunchshortcut=1 --pintotaskbar=1 --server-tracking-data=server_tracking_data --initial-pid=2344 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\Opera Installer\opera_package_20181218141336" --session-guid=d262dd76-5dab-483f-af22-84bbab78992a --server-tracking-blob="NjBlYWE3NDBlZTJlNzAzM2ZmOTg2OGM0MjVjNzljZGExZWM5NTkwZWI2ZDg5NDBiYzVkODQwZTc3NGZkN2E0Yjp7InV0bSI6eyJjYW1wYWlnbiI6Ik1vZGVsLTEwLTE2X1RYVF9uY19ZIiwiaWQiOiJ4SHY3WVlRZ3FtaUJJcXNkZ1NiZUdvSWtxMnVYWWZzb2pDQ3ZiWWtqclcySkk2dHRnaU9vYTRRcXVUUFhkUG91akYzdk9jTnozUzdlWmV3NXd6VDhMdElocldHSUs2aHVnaUduWklEJTJCVFFBQUFMRVNuMXclM0QiLCJtZWRpdW0iOiJwYiIsInNvdXJjZSI6ImFpcyJ9fQ== " --silent --wait-for-package --initial-proc-handle=A402000000000000 | User: admin; Company: Opera Software; Description: Opera Installer; Version: 57.0.3098.91 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3380.38277\aTube_Catcher_3928599341.exe.zs | — | — | — |
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\0014129C.log | — | — | — |
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\main.css | text | B124F669D793409FBAF802E99C4C9050 | 50E33605BFBB2B573DD63FC016DFB82540BA9ADC7B8831F2711B60421D346530 |
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\helpers\_backgrounds.scss | text | 6092A3768F84CFBC6E5C52301F5B63EA | 8A22A3285F3C7D82AA1A4273BDD62729DA241723507C1ECD5D2FD0A24C12E23B |
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\swAgent.css | text | 2543E3AF757C7D7C8A26C7CF57795F60 | C38892A06C8F50C6386ED794AF4F1EA3E1897AD5F0C7E19594D9EA7B20CFB3F1 |
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\csshover3.htc | html | 52FA0DA50BF4B27EE625C80D36C67941 | E37E99DDFC73AC7BA774E23736B2EF429D9A0CB8C906453C75B14C029BDD5493 |
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\_functions.scss | text | 8F7259DE64F6DDF352BF461F44D34A81 | 80EDC9D67172BC830D68D33F4547735FB072CADF3EF25AAB37A10B50DB87A069 |
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\helpers\_display.scss | text | 7FC18252C6212F1EBB349B5F7F429217 | 1B1F774D3B163C1BA9C86CAD87D4B594FBA588A364132121F8A234F149816429 |
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\helpers\_border-radius.scss | text | 6BDF3FD89410E39D33F8137E04AD4A16 | 2C6B98CB19C3E3A0E37472767C53DF213243AE92BC80EF9A7F5BAA17F7B6FA31 |
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\_helpers.scss | text | 5F158DBBD9FC4594A2F6C13854501916 | BF12B79F67F1CB9988797F7D81F6F504C8DFE0F0435482E64819A140DBC8DA14 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3480 | aTube_Catcher_3928599341.exe | HEAD | 200 | 185.59.222.146:80 | http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | NL | — | — | malicious |
3480 | aTube_Catcher_3928599341.exe | GET | — | 192.96.201.161:80 | http://www2.catinntehi.com/app/aTube/aTube_12Sep18.cis | US | — | — | malicious |
3480 | aTube_Catcher_3928599341.exe | HEAD | 200 | 185.59.222.146:80 | http://app.catinntehi.com/app/aTube/aTube_12Sep18.cis | NL | — | — | malicious |
3480 | aTube_Catcher_3928599341.exe | HEAD | 200 | 185.59.222.146:80 | http://app.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe | NL | — | — | malicious |
— | — | POST | 200 | 54.154.255.147:80 | http://gw.catinntehi.com/aTube/ | IE | binary | 529 KB | malicious |
3480 | aTube_Catcher_3928599341.exe | GET | 200 | 146.185.27.45:80 | http://img.catinntehi.com/img/Tavasat/15Feb17/v2/EN.png | GB | image | 43.9 KB | malicious |
3480 | aTube_Catcher_3928599341.exe | GET | 206 | 185.59.222.146:80 | http://app.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe | NL | binary | 24.2 MB | malicious |
3480 | aTube_Catcher_3928599341.exe | GET | — | 192.96.201.161:80 | http://www2.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe | US | — | — | malicious |
3480 | aTube_Catcher_3928599341.exe | GET | — | 192.96.201.161:80 | http://www2.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | US | — | — | malicious |
3480 | aTube_Catcher_3928599341.exe | GET | — | 192.96.201.161:80 | http://www2.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe | US | — | — | malicious |
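The process and HTTP tables above show three behaviours worth a detection rule: cmd.exe rebuilding a dropped installer from two .DAT halves with `copy /B` and then deleting the halves (PIDs 3308 and 2704), the installer starting at MEDIUM integrity (PID 3408) and re-launching itself at HIGH (PID 3480, parent aTube_Catcher_3928599341.exe), and an .exe URL probed with HEAD 200 before a ranged GET 206. The following is an added Python example, not part of the ANY.RUN report: it runs those three checks over sample events transcribed from the tables. The report names parent images but not parent PIDs, so the relaunch check keys on the parent image name; the `Proc`/`Http` records, constants and regular expressions are the example's own, not anything the sandbox emits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    integrity: str
    parent: str  # parent image name as the report gives it (no parent PIDs)


@dataclass
class Http:
    method: str
    status: Optional[int]  # None where the report shows no status
    url: str


# Sample events transcribed from the process and HTTP tables of this report.
TEMP = r'C:\Users\admin\AppData\Local\Temp'
ATUBE = r'C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe'
AVAST = TEMP + r'\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe'
PART1, PART2 = TEMP + r'\D12542~1.DAT', TEMP + r'\D12542~2.DAT'

PROCS = [
    Proc(3408, ATUBE, f'"{ATUBE}"', 'MEDIUM', 'explorer.exe'),
    Proc(3480, ATUBE, f'"{ATUBE}" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl', 'HIGH',
         'aTube_Catcher_3928599341.exe'),
    Proc(3308, r'C:\Windows\system32\cmd.exe',
         f'/d /c TIMEOUT 1 & cmd /d /c copy /B /Y "{PART1}"+"{PART2}" "{AVAST}"'
         f' & cmd /d /c del "{PART1}" & cmd /d /c del "{PART2}"',
         'HIGH', 'aTube_Catcher_3928599341.exe'),
    Proc(2704, r'C:\Windows\system32\cmd.exe',
         f'cmd /d /c copy /B /Y "{PART1}"+"{PART2}" "{AVAST}"', 'HIGH', 'cmd.exe'),
    Proc(4076, r'C:\Windows\system32\timeout.exe', 'TIMEOUT 1', 'HIGH', 'cmd.exe'),
]

HTTP = [
    Http('HEAD', 200, 'http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis'),
    Http('HEAD', 200, 'http://app.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe'),
    Http('GET', 206, 'http://app.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe'),
    Http('GET', None, 'http://www2.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe'),
]

# copy /B [/Y] "part1"+"part2"[+...] "dest.exe"
COPY_B = re.compile(
    r'\bcopy\s+/b(?:\s+/y)?\s+(?P<parts>"[^"]+"(?:\+"[^"]+")+)\s+"(?P<dest>[^"]+\.exe)"',
    re.IGNORECASE)
DEL = re.compile(r'\bdel\s+"(?P<path>[^"]+)"', re.IGNORECASE)


def copy_b_staging(p: Proc) -> Optional[dict]:
    """Flag cmd.exe reassembling an executable from split parts with copy /B,
    and record whether the same command line deletes the parts afterwards."""
    if not p.image.lower().endswith(r'\cmd.exe'):
        return None
    m = COPY_B.search(p.cmdline)
    if not m:
        return None
    parts = m.group('parts').strip('"').split('"+"')
    deleted = {d.group('path') for d in DEL.finditer(p.cmdline)}
    return {'pid': p.pid, 'dest': m.group('dest'), 'parts': parts,
            'parts_deleted': all(x in deleted for x in parts)}


def elevated_self_relaunch(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(medium_pid, high_pid) pairs: an image seen at MEDIUM integrity and again
    at HIGH with itself as parent, i.e. an installer re-launching through UAC."""
    hits = []
    for hi in procs:
        name = hi.image.rsplit('\\', 1)[-1].lower()
        if hi.integrity != 'HIGH' or hi.parent.lower() != name:
            continue
        hits += [(lo.pid, hi.pid) for lo in procs
                 if lo.image.lower() == hi.image.lower() and lo.integrity == 'MEDIUM']
    return hits


def head_then_ranged_get(reqs: List[Http]) -> List[str]:
    """.exe URLs probed with HEAD 200 and then fetched with GET 206 (ranged download)."""
    probed = {r.url for r in reqs if r.method == 'HEAD' and r.status == 200
              and r.url.lower().endswith('.exe')}
    return sorted({r.url for r in reqs if r.method == 'GET' and r.status == 206
                   and r.url in probed})


if __name__ == '__main__':
    for p in PROCS:
        hit = copy_b_staging(p)
        if hit:
            print('copy /B staging:', hit)
    print('elevated self-relaunch:', elevated_self_relaunch(PROCS))
    print('HEAD then ranged GET:', head_then_ranged_get(HTTP))
```

Run as a script it prints the two `copy /B` hits (only PID 3308 also deletes the parts, which is the line to alert on), the (3408, 3480) relaunch pair and the probed Opera installer URL. The same `COPY_B` expression translates directly to a process-creation rule (image cmd.exe, command line containing `copy /B`, a `+` and an `.exe` target under the user's Temp directory); the MEDIUM-to-HIGH check needs parent PIDs in real telemetry, which this report does not carry.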
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3480 | aTube_Catcher_3928599341.exe | 52.214.73.247:80 | ww2.catinntehi.com | Amazon.com, Inc. | IE | malicious |
3480 | aTube_Catcher_3928599341.exe | 146.185.27.45:80 | img.catinntehi.com | UK-2 Limited | GB | malicious |
— | — | 54.154.255.147:80 | gw.catinntehi.com | Amazon.com, Inc. | IE | malicious |
3480 | aTube_Catcher_3928599341.exe | 192.96.201.161:80 | www2.catinntehi.com | Leaseweb USA, Inc. | US | malicious |
3480 | aTube_Catcher_3928599341.exe | 185.59.222.146:80 | app.catinntehi.com | Datacamp Limited | NL | malicious |
2344 | OperaSetup.exe | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | Opera Software AS | — | suspicious |
2344 | OperaSetup.exe | 185.26.182.105:443 | autoupdate.geo.opera.com | Opera Software AS | — | unknown |
2980 | instup.exe | 77.234.45.250:443 | alpha-iqs.ff.avast.com | AVAST Software s.r.o. | DE | unknown |
2980 | instup.exe | 5.45.62.61:443 | alpha-license-dealer.ff.avast.com | AVAST Software s.r.o. | NL | unknown |
3684 | avast_free_antivirus_setup_online.exe | 74.125.140.101:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
ww2.catinntehi.com | — | malicious |
gw.catinntehi.com | — | malicious |
img.catinntehi.com | — | malicious |
app.catinntehi.com | — | malicious |
www2.catinntehi.com | — | malicious |
desktop-netinstaller-sub.osp.opera.software | — | whitelisted |
autoupdate.geo.opera.com | — | whitelisted |
www.google-analytics.com | — | whitelisted |
v7event.stats.avast.com | — | whitelisted |
shepherd.ff.avast.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3480 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2 |
3480 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1 |
3480 | aTube_Catcher_3928599341.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Possible threat - .exe downloading with HEAD option |
3480 | aTube_Catcher_3928599341.exe | unknown | SURICATA TCPv4 invalid checksum |
3480 | aTube_Catcher_3928599341.exe | unknown | SURICATA IPv4 invalid checksum |
3480 | aTube_Catcher_3928599341.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3480 | aTube_Catcher_3928599341.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
3480 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3 |
3480 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4 |
2980 | instup.exe | unknown | SURICATA IPv4 invalid checksum |
Process | Message |
---|---|
instup.exe | [2018-12-18 14:13:38.242] [error ] [settings ] [ 2980: 3648] Failed to get program directory. Exception: Unable to retrieve path of the program directory! Code: 0x00000002 (2) |