File name: 8d070b107b16ebcdefee6ee609f4f042-content.zip

Full analysis: https://app.any.run/tasks/7446e98c-79f6-478e-8814-983eb6f2338c
Verdict: Malicious activity
Analysis date: December 18, 2018, 14:12:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, installcore, pup
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 67875D506181C32D4CD42605F41E5575
SHA1: C8F69A68761FAB32F0DCC2EF345439BCAE5DCB1A
SHA256: BCAC25EF202D80860F6E5BA8C1F2BEDFA504F18A7BEEADF959841055572B1B75
SSDEEP: 49152:Dya0mTIFdiIr2VFesyQ0Hn7oztHZMO21cseID2wFE/Ww:uqK0IrQFesyQ0boztO715y8E/P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • aTube_Catcher_3928599341.exe (PID: 3480)
      • aTube_Catcher_3928599341.exe (PID: 3408)
      • avast_free_antivirus_setup_online.exe (PID: 3684)
      • instup.exe (PID: 2252)
    • INSTALLCORE was detected

      • aTube_Catcher_3928599341.exe (PID: 3480)
    • Connects to CnC server

      • aTube_Catcher_3928599341.exe (PID: 3480)
    • Loads dropped or rewritten executable

      • OperaSetup.exe (PID: 2344)
      • OperaSetup.exe (PID: 3584)
      • OperaSetup.exe (PID: 1232)
      • OperaSetup.exe (PID: 3700)
      • OperaSetup.exe (PID: 3440)
      • instup.exe (PID: 2980)
      • installer.exe (PID: 2132)
      • installer.exe (PID: 3452)
    • Changes settings of System certificates

      • OperaSetup.exe (PID: 2344)
    • Loads the Task Scheduler COM API

      • installer.exe (PID: 2132)
  • SUSPICIOUS

    • Creates files in the program directory

      • aTube_Catcher_3928599341.exe (PID: 3480)
      • avast_free_antivirus_setup_online.exe (PID: 3684)
      • instup.exe (PID: 2980)
      • installer.exe (PID: 2132)
      • OperaSetup.exe (PID: 1232)
    • Reads Environment values

      • aTube_Catcher_3928599341.exe (PID: 3480)
    • Application launched itself

      • aTube_Catcher_3928599341.exe (PID: 3408)
      • OperaSetup.exe (PID: 2344)
      • OperaSetup.exe (PID: 1232)
      • cmd.exe (PID: 3308)
      • cmd.exe (PID: 3004)
      • installer.exe (PID: 2132)
    • Reads internet explorer settings

      • aTube_Catcher_3928599341.exe (PID: 3480)
    • Creates files in the user directory

      • aTube_Catcher_3928599341.exe (PID: 3480)
      • OperaSetup.exe (PID: 3584)
      • installer.exe (PID: 2132)
    • Reads CPU info

      • aTube_Catcher_3928599341.exe (PID: 3480)
    • Reads the date of Windows installation

      • aTube_Catcher_3928599341.exe (PID: 3480)
    • Starts itself from another location

      • OperaSetup.exe (PID: 2344)
    • Executable content was dropped or overwritten

      • aTube_Catcher_3928599341.exe (PID: 3480)
      • OperaSetup.exe (PID: 2344)
      • OperaSetup.exe (PID: 3584)
      • cmd.exe (PID: 2704)
      • OperaSetup.exe (PID: 3440)
      • avast_free_antivirus_setup_online.exe (PID: 3684)
      • installer.exe (PID: 2132)
      • aTubeCatcherNOAD9618.tmp (PID: 3600)
      • instup.exe (PID: 2980)
      • installer.exe (PID: 3452)
    • Starts CMD.EXE for commands execution

      • aTube_Catcher_3928599341.exe (PID: 3480)
      • cmd.exe (PID: 3308)
      • cmd.exe (PID: 3004)
    • Low-level read access rights to disk partition

      • avast_free_antivirus_setup_online.exe (PID: 3684)
      • instup.exe (PID: 2980)
    • Reads Internet Cache Settings

      • instup.exe (PID: 2980)
    • Adds / modifies Windows certificates

      • OperaSetup.exe (PID: 2344)
    • Reads Windows owner or organization settings

      • aTubeCatcherNOAD9618.tmp (PID: 3600)
    • Reads the Windows organization settings

      • aTubeCatcherNOAD9618.tmp (PID: 3600)
    • Uses TASKKILL.EXE to kill process

      • aTubeCatcherNOAD9618.tmp (PID: 3600)
    • Creates a software uninstall entry

      • installer.exe (PID: 2132)
    • Connects to server without host name

      • instup.exe (PID: 2980)
    • Creates files in the Windows directory

      • aTubeCatcherNOAD9618.tmp (PID: 3600)
    • Modifies the open verb of a shell class

      • installer.exe (PID: 2132)
  • INFO

    • Reads settings of System Certificates

      • OperaSetup.exe (PID: 2344)
    • Loads dropped or rewritten executable

      • aTubeCatcherNOAD9618.tmp (PID: 3600)
    • Creates files in the program directory

      • aTubeCatcherNOAD9618.tmp (PID: 3600)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: aTube_Catcher_3928599341.exe.zs
ZipUncompressedSize: 2557792
ZipCompressedSize: 2468215
ZipCRC: 0x959b027f
ZipModifyDate: 2018:12:18 12:07:17
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 70
Monitored processes: 28
Malicious processes: 8
Suspicious processes: 3

Behavior graph

Legend: start; drop and start. Processes in the graph, in order:
  • winrar.exe (no specs)
  • atube_catcher_3928599341.exe (no specs)
  • #INSTALLCORE atube_catcher_3928599341.exe
  • operasetup.exe
  • cmd.exe (no specs)
  • operasetup.exe
  • timeout.exe (no specs)
  • operasetup.exe (no specs)
  • cmd.exe
  • operasetup.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • operasetup.exe
  • avast_free_antivirus_setup_online.exe
  • instup.exe
  • cmd.exe (no specs)
  • timeout.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • atubecatchernoad9618.exe (no specs)
  • atubecatchernoad9618.tmp
  • taskkill.exe (no specs)
  • taskkill.exe (no specs)
  • installer.exe
  • installer.exe
  • taskkill.exe (no specs)
  • instup.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3380
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\8d070b107b16ebcdefee6ee609f4f042-content.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3408
CMD: "C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe"
Path: C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: File Installer Setup
Exit code: 0
Version:

PID: 3480
CMD: "C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl
Path: C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe
Parent process: aTube_Catcher_3928599341.exe
User: admin
Company:
Integrity Level: HIGH
Description: File Installer Setup
Version:

PID: 2344
CMD: "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe" --silent --otd="utm.medium:pb,utm.source:ais,utm.campaign:Model-10-16_TXT_nc_Y,utm.id:xHv7YYQgqmiBIqsdgSbeGoIkq2uXYfsojCCvbYkjrW2JI6ttgiOoa4QquTPXdPoujF3vOcNz3S7eZew5wzT8LtIhrWGIK6hugiGnZID%2BTQAAALESn1w%3D" --allusers=0
Path: C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe
Parent process: aTube_Catcher_3928599341.exe
User: admin
Company: Opera Software
Integrity Level: HIGH
Description: Opera Installer
Version: 57.0.3098.91

PID: 3308
CMD: /d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D12542~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D12542~2.DAT" "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D12542~1.DAT" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D12542~2.DAT"
Path: C:\Windows\system32\cmd.exe
Parent process: aTube_Catcher_3928599341.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3584
CMD: C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=57.0.3098.91 --initial-client-data=0xd8,0xe0,0xe4,0xdc,0xe8,0x6d8dd5e0,0x6d8dd5f0,0x6d8dd5fc
Path: C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe
Parent process: OperaSetup.exe
User: admin
Company: Opera Software
Integrity Level: HIGH
Description: Opera Installer
Version: 57.0.3098.91

PID: 4076
CMD: TIMEOUT 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3700
CMD: "C:\Users\admin\AppData\Local\Temp\Opera Installer\OperaSetup.exe" --version
Path: C:\Users\admin\AppData\Local\Temp\Opera Installer\OperaSetup.exe
Parent process: OperaSetup.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2704
CMD: cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D12542~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D12542~2.DAT" "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1232
CMD: "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe" --backend --install --import-browser-data=1 --enable-stats=1 --enable-installer-stats=1 --launchopera=1 --installfolder="C:\Program Files\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --startmenushortcut=1 --desktopshortcut=1 --quicklaunchshortcut=1 --pintotaskbar=1 --server-tracking-data=server_tracking_data --initial-pid=2344 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\Opera Installer\opera_package_20181218141336" --session-guid=d262dd76-5dab-483f-af22-84bbab78992a --server-tracking-blob="NjBlYWE3NDBlZTJlNzAzM2ZmOTg2OGM0MjVjNzljZGExZWM5NTkwZWI2ZDg5NDBiYzVkODQwZTc3NGZkN2E0Yjp7InV0bSI6eyJjYW1wYWlnbiI6Ik1vZGVsLTEwLTE2X1RYVF9uY19ZIiwiaWQiOiJ4SHY3WVlRZ3FtaUJJcXNkZ1NiZUdvSWtxMnVYWWZzb2pDQ3ZiWWtqclcySkk2dHRnaU9vYTRRcXVUUFhkUG91akYzdk9jTnozUzdlWmV3NXd6VDhMdElocldHSUs2aHVnaUduWklEJTJCVFFBQUFMRVNuMXclM0QiLCJtZWRpdW0iOiJwYiIsInNvdXJjZSI6ImFpcyJ9fQ== " --silent --wait-for-package --initial-proc-handle=A402000000000000
Path: C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe
Parent process: OperaSetup.exe
User: admin
Company: Opera Software
Integrity Level: HIGH
Description: Opera Installer
Version: 57.0.3098.91

Total events: 2 921
Read events: 1 770
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 14
Suspicious files: 21
Text files: 80
Unknown types: 3

Dropped files

PID | Process | Filename | Type
3380 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3380.38277\aTube_Catcher_3928599341.exe.zs | -
    MD5: -
    SHA256: -
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\0014129C.log | -
    MD5: -
    SHA256: -
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\main.css | text
    MD5: B124F669D793409FBAF802E99C4C9050
    SHA256: 50E33605BFBB2B573DD63FC016DFB82540BA9ADC7B8831F2711B60421D346530
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\helpers\_backgrounds.scss | text
    MD5: 6092A3768F84CFBC6E5C52301F5B63EA
    SHA256: 8A22A3285F3C7D82AA1A4273BDD62729DA241723507C1ECD5D2FD0A24C12E23B
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\swAgent.css | text
    MD5: 2543E3AF757C7D7C8A26C7CF57795F60
    SHA256: C38892A06C8F50C6386ED794AF4F1EA3E1897AD5F0C7E19594D9EA7B20CFB3F1
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\csshover3.htc | html
    MD5: 52FA0DA50BF4B27EE625C80D36C67941
    SHA256: E37E99DDFC73AC7BA774E23736B2EF429D9A0CB8C906453C75B14C029BDD5493
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\_functions.scss | text
    MD5: 8F7259DE64F6DDF352BF461F44D34A81
    SHA256: 80EDC9D67172BC830D68D33F4547735FB072CADF3EF25AAB37A10B50DB87A069
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\helpers\_display.scss | text
    MD5: 7FC18252C6212F1EBB349B5F7F429217
    SHA256: 1B1F774D3B163C1BA9C86CAD87D4B594FBA588A364132121F8A234F149816429
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\helpers\_border-radius.scss | text
    MD5: 6BDF3FD89410E39D33F8137E04AD4A16
    SHA256: 2C6B98CB19C3E3A0E37472767C53DF213243AE92BC80EF9A7F5BAA17F7B6FA31
3480 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH131548458579\css\_helpers.scss | text
    MD5: 5F158DBBD9FC4594A2F6C13854501916
    SHA256: BF12B79F67F1CB9988797F7D81F6F504C8DFE0F0435482E64819A140DBC8DA14
HTTP(S) requests: 41
TCP/UDP connections: 41
DNS requests: 48
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3480 | aTube_Catcher_3928599341.exe | HEAD | 200 | 185.59.222.146:80 | http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | NL | - | - | malicious
3480 | aTube_Catcher_3928599341.exe | GET | - | 192.96.201.161:80 | http://www2.catinntehi.com/app/aTube/aTube_12Sep18.cis | US | - | - | malicious
3480 | aTube_Catcher_3928599341.exe | HEAD | 200 | 185.59.222.146:80 | http://app.catinntehi.com/app/aTube/aTube_12Sep18.cis | NL | - | - | malicious
3480 | aTube_Catcher_3928599341.exe | HEAD | 200 | 185.59.222.146:80 | http://app.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe | NL | - | - | malicious
- | - | POST | 200 | 54.154.255.147:80 | http://gw.catinntehi.com/aTube/ | IE | binary | 529 Kb | malicious
3480 | aTube_Catcher_3928599341.exe | GET | 200 | 146.185.27.45:80 | http://img.catinntehi.com/img/Tavasat/15Feb17/v2/EN.png | GB | image | 43.9 Kb | malicious
3480 | aTube_Catcher_3928599341.exe | GET | 206 | 185.59.222.146:80 | http://app.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe | NL | binary | 24.2 Mb | malicious
3480 | aTube_Catcher_3928599341.exe | GET | - | 192.96.201.161:80 | http://www2.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe | US | - | - | malicious
3480 | aTube_Catcher_3928599341.exe | GET | - | 192.96.201.161:80 | http://www2.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | US | - | - | malicious
3480 | aTube_Catcher_3928599341.exe | GET | - | 192.96.201.161:80 | http://www2.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe | US | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3480 | aTube_Catcher_3928599341.exe | 52.214.73.247:80 | ww2.catinntehi.com | Amazon.com, Inc. | IE | malicious
3480 | aTube_Catcher_3928599341.exe | 146.185.27.45:80 | img.catinntehi.com | UK-2 Limited | GB | malicious
- | - | 54.154.255.147:80 | gw.catinntehi.com | Amazon.com, Inc. | IE | malicious
3480 | aTube_Catcher_3928599341.exe | 192.96.201.161:80 | www2.catinntehi.com | Leaseweb USA, Inc. | US | malicious
3480 | aTube_Catcher_3928599341.exe | 185.59.222.146:80 | app.catinntehi.com | Datacamp Limited | NL | malicious
2344 | OperaSetup.exe | 82.145.217.121:443 | desktop-netinstaller-sub.osp.opera.software | Opera Software AS | - | suspicious
2344 | OperaSetup.exe | 185.26.182.105:443 | autoupdate.geo.opera.com | Opera Software AS | - | unknown
2980 | instup.exe | 77.234.45.250:443 | alpha-iqs.ff.avast.com | AVAST Software s.r.o. | DE | unknown
2980 | instup.exe | 5.45.62.61:443 | alpha-license-dealer.ff.avast.com | AVAST Software s.r.o. | NL | unknown
3684 | avast_free_antivirus_setup_online.exe | 74.125.140.101:80 | www.google-analytics.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
ww2.catinntehi.com | 52.214.73.247, 54.194.149.175 | malicious
gw.catinntehi.com | 54.154.255.147, 52.30.154.50 | malicious
img.catinntehi.com | 146.185.27.45 | malicious
app.catinntehi.com | 185.59.222.146 | malicious
www2.catinntehi.com | 192.96.201.161 | malicious
desktop-netinstaller-sub.osp.opera.software | 82.145.217.121 | whitelisted
autoupdate.geo.opera.com | 185.26.182.105, 185.26.182.95 | whitelisted
www.google-analytics.com | 74.125.140.101, 74.125.140.102, 74.125.140.138, 74.125.140.139, 74.125.140.100, 74.125.140.113 | whitelisted
v7event.stats.avast.com | 77.234.45.53, 77.234.45.54 | whitelisted
shepherd.ff.avast.com | 5.62.48.204, 77.234.42.66 | whitelisted

Threats

PID | Process | Class | Message
3480 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
3480 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3480 | aTube_Catcher_3928599341.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Possible threat - .exe downloading with HEAD option
3480 | aTube_Catcher_3928599341.exe | unknown | SURICATA TCPv4 invalid checksum
3480 | aTube_Catcher_3928599341.exe | unknown | SURICATA IPv4 invalid checksum
3480 | aTube_Catcher_3928599341.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3480 | aTube_Catcher_3928599341.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3480 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
3480 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
2980 | instup.exe | unknown | SURICATA IPv4 invalid checksum
1 ETPRO signature is available in the full report

Process | Message
instup.exe | [2018-12-18 14:13:38.242] [error ] [settings ] [ 2980: 3648] Failed to get program directory Exception: Unable to retrieve path of the program directory! Code: 0x00000002 (2)