File name: | 8d070b107b16ebcdefee6ee609f4f042-content.zip |
Full analysis: | https://app.any.run/tasks/d23d4a39-e2aa-4d4a-8949-fa741e0a253e |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | December 18, 2018, 14:14:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 67875D506181C32D4CD42605F41E5575 |
SHA1: | C8F69A68761FAB32F0DCC2EF345439BCAE5DCB1A |
SHA256: | BCAC25EF202D80860F6E5BA8C1F2BEDFA504F18A7BEEADF959841055572B1B75 |
SSDEEP: | 49152:Dya0mTIFdiIr2VFesyQ0Hn7oztHZMO21cseID2wFE/Ww:uqK0IrQFesyQ0boztO715y8E/P |
.zip | ZIP compressed archive (100)
---|---
ZipFileName: | aTube_Catcher_3928599341.exe.zs
ZipUncompressedSize: | 2557792
ZipCompressedSize: | 2468215
ZipCRC: | 0x959b027f
ZipModifyDate: | 2018:12:18 12:07:17
ZipCompression: | Deflated
ZipBitFlag: | -
ZipRequiredVersion: | 20
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3600 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\8d070b107b16ebcdefee6ee609f4f042-content.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0
2896 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\8d070b107b16ebcdefee6ee609f4f042-content.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0
3648 | "C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe" | C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe | — | explorer.exe
User: admin | Company: — | Integrity Level: MEDIUM | Description: File Installer Setup | Exit code: 0 | Version: —
3652 | "C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl | C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe | — | aTube_Catcher_3928599341.exe
User: admin | Company: — | Integrity Level: HIGH | Description: File Installer Setup | Exit code: 0 | Version: —
3748 | "C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe" | C:\Users\admin\Desktop\aTube_Catcher_3928599341.exe | — | explorer.exe
User: admin | Company: — | Integrity Level: MEDIUM | Description: File Installer Setup | Exit code: 0 | Version: —
3628 | /d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D71874~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D71874~2.DAT" "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D71874~1.DAT" & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D71874~2.DAT" | C:\Windows\system32\cmd.exe | — | aTube_Catcher_3928599341.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2304 | TIMEOUT 1 | C:\Windows\system32\timeout.exe | — | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: timeout - pauses command processing | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2528 | "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe" --silent --otd="utm.medium:pb,utm.source:ais,utm.campaign:Model-10-16_TXT_nc_Y,utm.id:Mja7WXJt6lB3b%2Bsld2ueInRp61NhLLsQem3vVX9u7VV%2FbutVcm%2FsUHRm%2BQshOboWehCvATU%2BnRYoKKwBNXm8FiRs7Vl2bOdTc27mUndt%2Fk4AAABHX99k" --allusers=0 | C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe | — | aTube_Catcher_3928599341.exe
User: admin | Company: Opera Software | Integrity Level: HIGH | Description: Opera Installer | Exit code: 0 | Version: 57.0.3098.91
2764 | C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=57.0.3098.91 --initial-client-data=0xd8,0xe0,0xe4,0xdc,0xe8,0x6d7cd5e0,0x6d7cd5f0,0x6d7cd5fc | C:\Users\admin\AppData\Local\Temp\in30BF1E8E\OperaSetup.exe | — | OperaSetup.exe
User: admin | Company: Opera Software | Integrity Level: HIGH | Description: Opera Installer | Exit code: 0 | Version: 57.0.3098.91
2120 | cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D71874~1.DAT"+"C:\Users\admin\AppData\Local\Temp\D71874~2.DAT" "C:\Users\admin\AppData\Local\Temp\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe" | C:\Windows\system32\cmd.exe | — | cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
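The cmd.exe chain under PID 3628 (spawned by the installer after it relaunched itself as PID 3652 with `/RSF /ppn:... /mnl` at HIGH integrity, i.e. after a UAC elevation) waits one second, stitches two `.DAT` fragments in `%TEMP%` into `avast_free_antivirus_setup_online.exe` with `copy /B`, and then deletes the fragments. Splitting a dropped executable so that no complete PE exists on disk until the moment it is assembled is a common bundler and loader evasion, and the `TIMEOUT` plus `del` cleanup is part of the same pattern. The following is an added example, not code from the report or from ANY.RUN: a Python detector that parses process-creation command lines for exactly that chain. The event records are constructed from the rows above (plus one benign `copy` as a control), and the scoring weights and staging-directory list are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed process-creation records modelled on the sandbox rows above:
# (pid, image path, parent image, command line). The last record is a benign
# control that must not be flagged.
EVENTS: List[Tuple[int, str, str, str]] = [
    (3628, r"C:\Windows\system32\cmd.exe", "aTube_Catcher_3928599341.exe",
     r'/d /c TIMEOUT 1 & cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D71874~1.DAT"'
     r'+"C:\Users\admin\AppData\Local\Temp\D71874~2.DAT" '
     r'"C:\Users\admin\AppData\Local\Temp\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe"'
     r' & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D71874~1.DAT"'
     r' & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\D71874~2.DAT"'),
    (2120, r"C:\Windows\system32\cmd.exe", "cmd.exe",
     r'cmd /d /c copy /B /Y "C:\Users\admin\AppData\Local\Temp\D71874~1.DAT"'
     r'+"C:\Users\admin\AppData\Local\Temp\D71874~2.DAT" '
     r'"C:\Users\admin\AppData\Local\Temp\in30BF1E8E\403EC063_stp\avast_free_antivirus_setup_online.exe"'),
    (4100, r"C:\Windows\system32\cmd.exe", "explorer.exe",
     r'cmd /c copy /B "C:\Users\admin\Documents\report.docx" "D:\backup\report.docx"'),
]

PE_EXT = {".exe", ".dll", ".scr", ".com", ".cpl", ".msi"}
# Assumed user-writable staging locations; extend for your estate.
STAGING_DIRS = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata", r"\users\public")
_TOK = re.compile(r'"[^"]*"|\+|[^\s"+]+')           # quoted operand, '+', or bare token
_CMD_PREFIX = re.compile(r'^(?:(?:cmd(?:\.exe)?|/[A-Za-z])\s+)+', re.I)


def split_chain(cmdline: str) -> List[str]:
    """Split a cmd.exe command line on unquoted '&'/'&&' and strip any leading
    'cmd /d /c'-style prefix from each sub-command."""
    parts, buf, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [_CMD_PREFIX.sub("", p.strip()) for p in parts if p.strip()]


def parse_copy(sub: str):
    """Return (flags, sources, destination) for a 'copy' sub-command, else None.
    'a+b dest' concatenation yields sources == [a, b]."""
    head, _, rest = sub.partition(" ")
    if head.lower() != "copy":
        return None
    flags, operands, joining = set(), [], False
    for tok in _TOK.findall(rest):
        if tok == "+":
            joining = True
        elif tok.startswith("/"):
            flags.add(tok.upper())
        elif joining and operands:
            operands[-1].append(tok.strip('"'))
            joining = False
        else:
            operands.append([tok.strip('"')])
    if len(operands) < 2:
        return None
    return flags, operands[0], operands[-1][0]


@dataclass
class Finding:
    pid: int
    destination: str
    fragments: List[str]
    fragments_deleted: bool
    score: int


def scan(events) -> List[Finding]:
    """Flag cmd.exe chains that concatenate several files into a PE."""
    findings = []
    for pid, image, _parent, cmdline in events:
        if not image.lower().endswith("cmd.exe"):
            continue
        subs = split_chain(cmdline)
        # Paths removed later in the same chain (fragment cleanup).
        deleted = {t.strip('"').lower() for s in subs if s.lower().startswith("del ")
                   for t in _TOK.findall(s[4:])}
        for s in subs:
            parsed = parse_copy(s)
            if not parsed:
                continue
            flags, sources, dest = parsed
            if len(sources) < 2 or PureWindowsPath(dest).suffix.lower() not in PE_EXT:
                continue
            score = 50                                        # several parts -> one PE
            score += 10 if "/B" in flags else 0               # binary mode keeps the PE intact
            score += 20 if any(d in dest.lower() for d in STAGING_DIRS) else 0
            cleaned = all(src.lower() in deleted for src in sources)
            score += 20 if cleaned else 0                     # fragments wiped afterwards
            findings.append(Finding(pid, dest, sources, cleaned, score))
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f)
```

The same parser works on Sysmon event 1 or EDR command-line fields; the score only separates "assembled a PE in a temp folder and wiped the parts" (PID 3628) from the bare concatenation the inner cmd.exe (PID 2120) shows, which is why both rows above produce a finding but at different scores.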
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2896 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2896.48967\aTube_Catcher_3928599341.exe.zs | — | — | —
3652 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\00142DF4.log | — | — | —
3652 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH132248419457\css\main.scss | text | CB247E0D3C350863F3E1401D839BE114 | EECACEF42E8FE49F478E5BB9D8B5C76AECA2FECFD95734F7CCBF4445B228FE25
3652 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH132248419457\css\main.css | text | B124F669D793409FBAF802E99C4C9050 | 50E33605BFBB2B573DD63FC016DFB82540BA9ADC7B8831F2711B60421D346530
3652 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH132248419457\css\ie6_main.css | text | 4380298AB45468332DD3BAEC638E2BD1 | 5EEE1C6442EDB46B3EE800FCC13557C1AF5858949D98655647514BCFDCFE99DC
3652 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH132248419457\css\swAgent.css | text | 2543E3AF757C7D7C8A26C7CF57795F60 | C38892A06C8F50C6386ED794AF4F1EA3E1897AD5F0C7E19594D9EA7B20CFB3F1
3652 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH132248419457\csshover3.htc | html | 52FA0DA50BF4B27EE625C80D36C67941 | E37E99DDFC73AC7BA774E23736B2EF429D9A0CB8C906453C75B14C029BDD5493
3652 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH132248419457\css\_functions.scss | text | 8F7259DE64F6DDF352BF461F44D34A81 | 80EDC9D67172BC830D68D33F4547735FB072CADF3EF25AAB37A10B50DB87A069
3652 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH132248419457\css\helpers\_display.scss | text | 7FC18252C6212F1EBB349B5F7F429217 | 1B1F774D3B163C1BA9C86CAD87D4B594FBA588A364132121F8A234F149816429
3652 | aTube_Catcher_3928599341.exe | C:\Users\admin\AppData\Local\Temp\inH132248419457\css\_helpers.scss | text | 5F158DBBD9FC4594A2F6C13854501916 | BF12B79F67F1CB9988797F7D81F6F504C8DFE0F0435482E64819A140DBC8DA14
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3652 | aTube_Catcher_3928599341.exe | HEAD | 200 | 85.159.237.103:80 | http://app.catinntehi.com/app/aTube/aTube_12Sep18.cis | NL | — | — | malicious |
3652 | aTube_Catcher_3928599341.exe | GET | — | 192.96.201.162:80 | http://www2.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe | US | — | — | malicious |
3652 | aTube_Catcher_3928599341.exe | GET | 206 | 85.159.237.103:80 | http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | NL | binary | 1.46 Mb | malicious |
3652 | aTube_Catcher_3928599341.exe | HEAD | 200 | 85.159.237.103:80 | http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | NL | — | — | malicious |
3652 | aTube_Catcher_3928599341.exe | GET | 200 | 192.96.201.161:80 | http://img.catinntehi.com/img/Rowabobeso/bg_custom_TB.png | US | image | 11.7 Kb | malicious |
3652 | aTube_Catcher_3928599341.exe | POST | 200 | 54.154.255.147:80 | http://gw.catinntehi.com/aTube/ | IE | binary | 529 Kb | malicious |
3652 | aTube_Catcher_3928599341.exe | GET | 200 | 192.96.201.162:80 | http://www2.catinntehi.com/app/aTube/aTube_12Sep18.cis | US | binary | 18.2 Mb | malicious |
3652 | aTube_Catcher_3928599341.exe | GET | — | 85.159.237.103:80 | http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | NL | — | — | malicious |
3652 | aTube_Catcher_3928599341.exe | GET | 200 | 192.96.201.161:80 | http://img.catinntehi.com/img/Tavasat/15Feb17/v2/EN.png | US | image | 43.9 Kb | malicious |
3652 | aTube_Catcher_3928599341.exe | GET | 206 | 85.159.237.103:80 | http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis | NL | binary | 2.82 Mb | malicious |
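The HTTP rows show the behaviour the IDS alert "Possible threat - .exe downloading with HEAD option" is keyed on: the installer issues a HEAD against a URL, then fetches the same path with GET, with the `Tavasat_09Feb17.cis` fetches answered as 206 Partial Content (range requests for a binary body), everything over cleartext HTTP on port 80. Note also that the HEAD for `aTube_12Sep18.cis` goes to `app.catinntehi.com` while the 18.2 Mb GET goes to `www2.catinntehi.com`, so a correlator must key on the request path rather than the full URL. The following is an added example, not part of the report: a Python correlator that groups a sandbox or proxy HTTP log by PID and path, tags each bucket with the behaviours above, and flattens the result into host and IP indicators. The log records are constructed from the table above; the "1.46 Mb"-style sizes are rounded to byte counts and the reason labels are my own.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlsplit


class HttpRec(NamedTuple):
    pid: int
    method: str
    status: Optional[int]     # None where the sandbox showed no response code
    ip_port: str
    url: str
    ctype: Optional[str]      # sandbox's coarse body type: 'binary', 'image', ...
    size: int                 # bytes, 0 when none was shown


# Constructed from the HTTP table above; sizes are approximate byte counts.
HTTP_LOG = [
    HttpRec(3652, "HEAD", 200, "85.159.237.103:80", "http://app.catinntehi.com/app/aTube/aTube_12Sep18.cis", None, 0),
    HttpRec(3652, "GET", None, "192.96.201.162:80", "http://www2.catinntehi.com/ofr/Rowabobeso/operaY32_57.0.3098.91.exe", None, 0),
    HttpRec(3652, "GET", 206, "85.159.237.103:80", "http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis", "binary", 1_530_000),
    HttpRec(3652, "HEAD", 200, "85.159.237.103:80", "http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis", None, 0),
    HttpRec(3652, "GET", 200, "192.96.201.161:80", "http://img.catinntehi.com/img/Rowabobeso/bg_custom_TB.png", "image", 11_980),
    HttpRec(3652, "POST", 200, "54.154.255.147:80", "http://gw.catinntehi.com/aTube/", "binary", 541_700),
    HttpRec(3652, "GET", 200, "192.96.201.162:80", "http://www2.catinntehi.com/app/aTube/aTube_12Sep18.cis", "binary", 19_080_000),
    HttpRec(3652, "GET", 206, "85.159.237.103:80", "http://app.catinntehi.com/ofr/Tavasat/Tavasat_09Feb17.cis", "binary", 2_960_000),
]

PE_EXT = (".exe", ".dll", ".msi", ".scr")


def correlate(log: List[HttpRec]) -> Dict[str, dict]:
    """Group requests by (pid, URL path) so a HEAD on one host and a GET of the
    same path on a mirror host share a bucket, then tag each bucket."""
    buckets: Dict[tuple, List[HttpRec]] = defaultdict(list)
    for r in log:
        buckets[(r.pid, urlsplit(r.url).path)].append(r)

    report: Dict[str, dict] = {}
    for (pid, path), recs in buckets.items():
        methods = {r.method for r in recs}
        codes = {r.status for r in recs if r.status is not None}
        ctypes = {r.ctype for r in recs if r.ctype}
        schemes = {urlsplit(r.url).scheme for r in recs}
        reasons = []
        if {"HEAD", "GET"} <= methods:
            reasons.append("head-probe-then-get")          # availability/size check before fetch
        if 206 in codes and "binary" in ctypes:
            reasons.append("ranged-binary-download")       # Range requests for a binary body
        if "http" in schemes and (path.lower().endswith(PE_EXT) or "binary" in ctypes):
            reasons.append("binary-over-cleartext-http")   # no TLS: payload swappable in transit
        if "POST" in methods and "binary" in ctypes:
            reasons.append("binary-post-upload")           # opaque upload to a gateway host
        if reasons:
            report[path] = {
                "pid": pid,
                "hosts": sorted({urlsplit(r.url).hostname for r in recs}),
                "ips": sorted({r.ip_port.rsplit(":", 1)[0] for r in recs}),
                "bytes": sum(r.size for r in recs),
                "reasons": reasons,
            }
    return report


def iocs(report: Dict[str, dict]):
    """Flatten a correlate() report into de-duplicated host and IP lists."""
    hosts = sorted({h for v in report.values() for h in v["hosts"]})
    ips = sorted({ip for v in report.values() for ip in v["ips"]})
    return hosts, ips


if __name__ == "__main__":
    rep = correlate(HTTP_LOG)
    for path, info in rep.items():
        print(path, info["reasons"], info["hosts"])
    print(iocs(rep))
```

The image fetch from `img.catinntehi.com` carries no reason and drops out of the report, so the indicator list contains only the hosts that served or received binary content; the raw connection table below is the place to recover the CDN image host if a blocklist is wanted for the whole domain.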
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3652 | aTube_Catcher_3928599341.exe | 192.96.201.161:80 | img.catinntehi.com | Leaseweb USA, Inc. | US | malicious |
3652 | aTube_Catcher_3928599341.exe | 192.96.201.162:80 | www2.catinntehi.com | Leaseweb USA, Inc. | US | malicious |
3652 | aTube_Catcher_3928599341.exe | 54.194.149.175:80 | ww2.catinntehi.com | Amazon.com, Inc. | IE | malicious |
3652 | aTube_Catcher_3928599341.exe | 85.159.237.103:80 | app.catinntehi.com | NForce Entertainment B.V. | NL | malicious |
3652 | aTube_Catcher_3928599341.exe | 54.154.255.147:80 | gw.catinntehi.com | Amazon.com, Inc. | IE | malicious |
3156 | avast_free_antivirus_setup_online.exe | 74.125.140.113:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
4000 | instup.exe | 77.234.43.231:443 | alpha-iqs.ff.avast.com | AVAST Software s.r.o. | GB | unknown |
4000 | instup.exe | 5.45.62.121:443 | auth.ff.avast.com | AVAST Software s.r.o. | NL | malicious |
4000 | instup.exe | 77.234.42.107:80 | shepherd.ff.avast.com | AVAST Software s.r.o. | US | unknown |
2528 | OperaSetup.exe | 185.26.182.105:443 | autoupdate.geo.opera.com | Opera Software AS | — | unknown |
Domain | IP | Reputation
---|---|---
ww2.catinntehi.com | — | malicious
gw.catinntehi.com | — | malicious
img.catinntehi.com | — | malicious
app.catinntehi.com | — | malicious
www2.catinntehi.com | — | malicious
autoupdate.geo.opera.com | — | whitelisted
desktop-netinstaller-sub.osp.opera.software | — | whitelisted
www.google-analytics.com | — | whitelisted
v7event.stats.avast.com | — | whitelisted
shepherd.ff.avast.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
3652 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2 |
3652 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1 |
3652 | aTube_Catcher_3928599341.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Possible threat - .exe downloading with HEAD option |
3652 | aTube_Catcher_3928599341.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3652 | aTube_Catcher_3928599341.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
3652 | aTube_Catcher_3928599341.exe | unknown | SURICATA TCPv4 invalid checksum |
3652 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3 |
3652 | aTube_Catcher_3928599341.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4 |
2080 | instup.exe | unknown | SURICATA TCPv4 invalid checksum |
2080 | instup.exe | unknown | SURICATA IPv4 invalid checksum |
Process | Message |
---|---|
instup.exe | [2018-12-18 14:15:26.549] [error ] [settings ] [ 4000: 4032] Failed to get program directory
Exception: Unable to retrieve path of the program directory!
Code: 0x00000002 (2)
|
regsvr32.exe | 14:15:50:596.794 [02644] : [InitDebug]: Level=0
|
regsvr32.exe | HKCR
{
NoRemove AppID
{
'{3DD7EA49-B5E1-4493-895D-C73562138FC0}' = s 'StarBurnXLib'
'StarBurnX12.DLL'
{
val AppID = s '{3DD7EA49-B5E1-4493-895D-C73562138FC0}'
'Version' = s '[!output TYPELIB_VERSION_MAJOR].[!output TYPELIB_VERSION_MINOR]'
}
}
}
|
regsvr32.exe | HKCR
{
StarBurnX.DriveSpeed.12 = s 'DriveSpeed Class'
{
CLSID = s '{E0EEE430-80D8-42D7-8D83-F046AECD7536}'
}
StarBurnX.DriveSpeed = s 'DriveSpeed Class'
{
CLSID = s '{E0EEE430-80D8-42D7-8D83-F046AECD7536}'
CurVer = s 'StarBurnX.DriveSpeed.12'
}
NoRemove CLSID
{
ForceRemove {E0EEE430-80D8-42D7-8D83-F046AECD7536} = s 'DriveSpeed Class'
{
ProgID = s 'StarBurnX.DriveSpeed.12'
VersionIndependentProgID = s 'StarBurnX.DriveSpeed'
ForceRemove 'Programmable'
InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll'
{
val ThreadingModel = s 'Free'
}
'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}'
'Version' = s '12.0'
}
}
}
|
regsvr32.exe | HKCR
{
StarBurnX.DriveSpeeds.12 = s 'DriveSpeeds Class'
{
CLSID = s '{7169A231-64EC-4702-98AB-05ABB6D882A9}'
}
StarBurnX.DriveSpeeds = s 'DriveSpeeds Class'
{
CLSID = s '{7169A231-64EC-4702-98AB-05ABB6D882A9}'
CurVer = s 'StarBurnX.DriveSpeeds.12'
}
NoRemove CLSID
{
ForceRemove {7169A231-64EC-4702-98AB-05ABB6D882A9} = s 'DriveSpeeds Class'
{
ProgID = s 'StarBurnX.DriveSpeeds.12'
VersionIndependentProgID = s 'StarBurnX.DriveSpeeds'
ForceRemove 'Programmable'
InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll'
{
val ThreadingModel = s 'Free'
}
'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}'
'Version' = s '12.0'
}
}
}
|
regsvr32.exe | HKCR
{
StarBurnX.DriveInfo.12 = s 'DriveInfo Class'
{
CLSID = s '{996C8DFD-8CE6-43B2-9414-CB6132485363}'
}
StarBurnX.DriveInfo = s 'DriveInfo Class'
{
CLSID = s '{996C8DFD-8CE6-43B2-9414-CB6132485363}'
CurVer = s 'StarBurnX.DriveInfo.12'
}
NoRemove CLSID
{
ForceRemove {996C8DFD-8CE6-43B2-9414-CB6132485363} = s 'DriveInfo Class'
{
ProgID = s 'StarBurnX.DriveInfo.12'
VersionIndependentProgID = s 'StarBurnX.DriveInfo'
ForceRemove 'Programmable'
InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll'
{
val ThreadingModel = s 'Free'
}
'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}'
'Version' = s '12.0'
}
}
}
|
regsvr32.exe | HKCR
{
StarBurnX.Track.12 = s 'Track Class'
{
CLSID = s '{F750BC9F-72CE-45C6-9D1F-BFEFB0765918}'
}
StarBurnX.Track = s 'Track Class'
{
CLSID = s '{F750BC9F-72CE-45C6-9D1F-BFEFB0765918}'
CurVer = s 'StarBurnX.Track.12'
}
NoRemove CLSID
{
ForceRemove {F750BC9F-72CE-45C6-9D1F-BFEFB0765918} = s 'Track Class'
{
ProgID = s 'StarBurnX.Track.12'
VersionIndependentProgID = s 'StarBurnX.Track'
ForceRemove 'Programmable'
InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll'
{
val ThreadingModel = s 'Free'
}
'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}'
'Version' = s '12.0'
}
}
}
|
regsvr32.exe | HKCR
{
StarBurnX.Tracks.12 = s 'Tracks Class'
{
CLSID = s '{AE860CE7-C15E-4B9C-BA5B-2EB38369E4AF}'
}
StarBurnX.Tracks = s 'Tracks Class'
{
CLSID = s '{AE860CE7-C15E-4B9C-BA5B-2EB38369E4AF}'
CurVer = s 'StarBurnX.Tracks.12'
}
NoRemove CLSID
{
ForceRemove {AE860CE7-C15E-4B9C-BA5B-2EB38369E4AF} = s 'Tracks Class'
{
ProgID = s 'StarBurnX.Tracks.12'
VersionIndependentProgID = s 'StarBurnX.Tracks'
ForceRemove 'Programmable'
InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll'
{
val ThreadingModel = s 'Free'
}
'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}'
'Version' = s '12.0'
}
}
}
|
regsvr32.exe | HKCR
{
StarBurnX.Session.12 = s 'Session Class'
{
CLSID = s '{80E026F0-CE90-4F15-986A-45317268AB5A}'
}
StarBurnX.Session = s 'Session Class'
{
CLSID = s '{80E026F0-CE90-4F15-986A-45317268AB5A}'
CurVer = s 'StarBurnX.Session.12'
}
NoRemove CLSID
{
ForceRemove {80E026F0-CE90-4F15-986A-45317268AB5A} = s 'Session Class'
{
ProgID = s 'StarBurnX.Session.12'
VersionIndependentProgID = s 'StarBurnX.Session'
ForceRemove 'Programmable'
InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll'
{
val ThreadingModel = s 'Free'
}
'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}'
'Version' = s '12.0'
}
}
}
|
regsvr32.exe | HKCR
{
StarBurnX.Sessions.12 = s 'Sessions Class'
{
CLSID = s '{4EE12AA6-A781-490F-96DA-783969C58A1A}'
}
StarBurnX.Sessions = s 'Sessions Class'
{
CLSID = s '{4EE12AA6-A781-490F-96DA-783969C58A1A}'
CurVer = s 'StarBurnX.Sessions.12'
}
NoRemove CLSID
{
ForceRemove {4EE12AA6-A781-490F-96DA-783969C58A1A} = s 'Sessions Class'
{
ProgID = s 'StarBurnX.Sessions.12'
VersionIndependentProgID = s 'StarBurnX.Sessions'
ForceRemove 'Programmable'
InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll'
{
val ThreadingModel = s 'Free'
}
'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}'
'Version' = s '12.0'
}
}
}
|
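The regsvr32.exe output above is a set of ATL registry scripts (.rgs) being applied while `StarBurnX12.dll` self-registers: each block maps a ProgID and CLSID to an `InprocServer32` path under `C:\Program Files\DsNET Corp\aTube Catcher 2.0\`. The first block also writes `'[!output TYPELIB_VERSION_MAJOR].[!output TYPELIB_VERSION_MINOR]'` as a Version string, an unexpanded Visual Studio ATL wizard placeholder that was never filled in. When reviewing a registration like this the questions are which CLSIDs now resolve to which DLL, and whether any server path points somewhere a later attacker could plant a replacement (COM hijacking). The following is an added example, not code from the report or from the StarBurn or aTube Catcher projects: a small Python parser for the RGS syntax shown, plus a review pass that lists the in-process servers and flags paths outside trusted directories or values containing unexpanded placeholders. The sample input is the AppID and DriveSpeed blocks copied (slightly abridged) from the output above; the trusted-prefix list is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Two blocks copied from the regsvr32.exe output above (ATL .rgs syntax).
SAMPLE = r"""
HKCR
{
    NoRemove AppID
    {
        '{3DD7EA49-B5E1-4493-895D-C73562138FC0}' = s 'StarBurnXLib'
        'StarBurnX12.DLL'
        {
            val AppID = s '{3DD7EA49-B5E1-4493-895D-C73562138FC0}'
            'Version' = s '[!output TYPELIB_VERSION_MAJOR].[!output TYPELIB_VERSION_MINOR]'
        }
    }
}
HKCR
{
    StarBurnX.DriveSpeed.12 = s 'DriveSpeed Class'
    {
        CLSID = s '{E0EEE430-80D8-42D7-8D83-F046AECD7536}'
    }
    NoRemove CLSID
    {
        ForceRemove {E0EEE430-80D8-42D7-8D83-F046AECD7536} = s 'DriveSpeed Class'
        {
            ProgID = s 'StarBurnX.DriveSpeed.12'
            ForceRemove 'Programmable'
            InprocServer32 = s 'C:\Program Files\DsNET Corp\aTube Catcher 2.0\StarBurnX12.dll'
            {
                val ThreadingModel = s 'Free'
            }
            'TypeLib' = s '{93CBA48A-1C58-4648-B22D-8F3588CB8D95}'
            'Version' = s '12.0'
        }
    }
}
"""

_TOKEN = re.compile(
    r"'[^']*'"                                                   # quoted string
    r"|\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"   # bare {GUID} key name
    r"|[{}=]"                                                    # structure
    r"|[^\s{}=']+")                                              # bare word


@dataclass
class Key:
    name: str
    value: Optional[str] = None                            # default (unnamed) value
    values: Dict[str, str] = field(default_factory=dict)   # 'val Name = ...' entries
    subkeys: Dict[str, "Key"] = field(default_factory=dict)


def _parse_block(toks: List[str], i: int, parent: Key) -> int:
    """Parse items into parent until the closing '}' (or end of input)."""
    while i < len(toks):
        if toks[i] == "}":
            return i + 1
        is_val = False
        while toks[i] in ("NoRemove", "ForceRemove", "val"):   # modifiers
            is_val |= toks[i] == "val"
            i += 1
        name = toks[i].strip("'")
        i += 1
        value = None
        if i < len(toks) and toks[i] == "=":        # '= s <string>' or '= d <dword>'
            value = toks[i + 2].strip("'")
            i += 3
        if is_val:
            parent.values[name] = value
            continue
        key = parent.subkeys.setdefault(name, Key(name))   # merge repeated HKCR blocks
        if value is not None:
            key.value = value
        if i < len(toks) and toks[i] == "{":
            i = _parse_block(toks, i + 1, key)
    return i


def parse_rgs(text: str) -> Key:
    root = Key("ROOT")
    _parse_block(_TOKEN.findall(text), 0, root)
    return root


@dataclass
class ComServer:
    clsid: str
    progid: Optional[str]
    path: Optional[str]
    threading: Optional[str]


def com_servers(root: Key) -> List[ComServer]:
    """List every CLSID registered under HKCR\\CLSID with its in-process server."""
    clsid = root.subkeys.get("HKCR", Key("")).subkeys.get("CLSID")
    out = []
    for guid, k in (clsid.subkeys.items() if clsid else []):
        inproc = k.subkeys.get("InprocServer32")
        progid = k.subkeys.get("ProgID")
        out.append(ComServer(guid, progid.value if progid else None,
                             inproc.value if inproc else None,
                             inproc.values.get("ThreadingModel") if inproc else None))
    return out


TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")   # assumption: adjust per estate
_PLACEHOLDER = re.compile(r"\[!output [A-Z_]+\]")            # unexpanded ATL wizard token


def review(root: Key) -> List[Tuple[str, str]]:
    issues = []
    for srv in com_servers(root):
        if not srv.path:
            issues.append((srv.clsid, "CLSID without InprocServer32"))
        elif not srv.path.lower().startswith(TRUSTED_PREFIXES):
            issues.append((srv.clsid, "server outside trusted directories: " + srv.path))

    def walk(k: Key):
        for v in [k.value, *k.values.values()]:
            if v and _PLACEHOLDER.search(v):
                yield (k.name, v)
        for c in k.subkeys.values():
            yield from walk(c)

    issues.extend(("placeholder", f"{n} = {v}") for n, v in walk(root))
    return issues


if __name__ == "__main__":
    tree = parse_rgs(SAMPLE)
    for srv in com_servers(tree):
        print(srv)
    for issue in review(tree):
        print(issue)
```

Run against the full output above, the review lists all seven StarBurnX classes pointing at the same DLL under Program Files, which is the expected shape for a legitimate self-registration; a DLL path under a user-writable directory, or a CLSID with a `ProgID` but no `InprocServer32`, is what would justify a closer look at the installer.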