File name: Virus__.msg
Full analysis: https://app.any.run/tasks/01dd79ca-280e-4bbd-85c8-d04a43225c8c
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category covers programs that each focus on a particular kind of data, including files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: October 20, 2020, 01:08:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
qealler
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 6FD4E26FDCC3C9AAB981835F59427DD4
SHA1: 5E521AF536F4CC9AE81CFDB0AB7174AF1C8079E5
SHA256: BE6DE4B6321C84F2A044D7F676BECBE1E8AC28C1BC817E71279E75ECCA02876E
SSDEEP: 3072:a1wWIeryy137FO0qZyB9qEIm1iqgfsTjibOLgWCD+aggpkrDypq:GTp3Z8Y9J13Kb9WCyaggpfp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2556)
    • Executes PowerShell scripts
      • cmd.exe (PID: 1748)
    • QEALLER was detected
      • javaw.exe (PID: 3532)
    • Actions looks like stealing of personal data
      • javaw.exe (PID: 3532)
    • Loads dropped or rewritten executable
      • javaw.exe (PID: 3532)
    • Loads the Task Scheduler COM API
      • mmc.exe (PID: 3940)
  • SUSPICIOUS
    • Starts Internet Explorer
      • OUTLOOK.EXE (PID: 2556)
    • Executable content was dropped or overwritten
      • javaw.exe (PID: 3532)
    • Starts application with an unusual extension
      • cmd.exe (PID: 1748)
    • Creates files in the user directory
      • javaw.exe (PID: 3532)
      • powershell.exe (PID: 3432)
    • Starts CMD.EXE for commands execution
      • javaw.exe (PID: 3532)
  • INFO
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1652)
    • Application launched itself
      • iexplore.exe (PID: 2380)
    • Changes internet zones settings
      • iexplore.exe (PID: 2380)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 2380)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2556)
      • WINWORD.EXE (PID: 1856)
    • Manual execution by user
      • javaw.exe (PID: 3532)
      • explorer.exe (PID: 3840)
      • WINWORD.EXE (PID: 1856)
      • mmc.exe (PID: 3940)
      • mmc.exe (PID: 916)
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 2556)
      • iexplore.exe (PID: 2380)
      • iexplore.exe (PID: 1652)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2556)
      • WINWORD.EXE (PID: 1856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes: 58
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph: outlook.exe, iexplore.exe, iexplore.exe, explorer.exe, javaw.exe (#QEALLER), cmd.exe, chcp.com, powershell.exe, winword.exe, mmc.exe, mmc.exe

Process information

PID 2556 (parent: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Virus__.msg"
  Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Outlook | Version: 14.0.6025.1000

PID 2380 (parent: OUTLOOK.EXE)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://us-east-2.protection.sophos.com/?d=wroxetervineyard.co.uk&u=aHR0cHM6Ly93cm94ZXRlcnZpbmV5YXJkLmNvLnVrLw==&e=c3VwcG9ydEBhaXRzeXMuY29tLmF1&t=Wi9zNHptSURkemIvY2FNT3Z2dzBac0lYOUVQaGhLRFNYQUx3SEtsWHh3RT0=&h=c9ef06e1c6f043e2b540d5d154980b1c
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Internet Explorer | Exit code: 1 | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 1652 (parent: iexplore.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2380 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: LOW
  Description: Internet Explorer | Exit code: 0 | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3840 (parent: explorer.exe)
  CMD: "C:\Windows\explorer.exe"
  Path: C:\Windows\explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Explorer | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3532 (parent: explorer.exe)
  CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Downloads\Payment confirmation for over due invoices-191020gx.jar"
  Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
  User: admin | Company: Oracle Corporation | Integrity Level: MEDIUM
  Description: Java(TM) Platform SE binary | Version: 8.0.920.14

PID 1748 (parent: javaw.exe)
  CMD: cmd.exe /c chcp 1252 > NUL & powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2104 (parent: cmd.exe)
  CMD: chcp 1252
  Path: C:\Windows\system32\chcp.com
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Change CodePage Utility | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3432 (parent: cmd.exe)
  CMD: powershell.exe -ExecutionPolicy Bypass -NoExit -NoProfile -Command -
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows PowerShell | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1856 (parent: explorer.exe)
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Documents\usaenglish.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Word | Exit code: 0 | Version: 14.0.6024.1000

PID 916 (parent: explorer.exe)
  CMD: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
  Path: C:\Windows\system32\mmc.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft Management Console | Exit code: 3221226540 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 3 817
Read events: 2 846
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 21
Text files: 38
Unknown types: 14

Dropped files

PID | Process | Filename | Type
2556 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVR4098.tmp.cvr | -
  MD5: - | SHA256: -
2556 | OUTLOOK.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm | pgc
  MD5: 610C3761DBB95F329EE474835FDD1EE4
  SHA256: 90DEBA733E17A0AFE22EA370B8F6738AECF9A08594D79C031594B6373E1929CB
2556 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log | text
  MD5: C8195BB2445062C690305B7252963E0B
  SHA256: E325690C9D73C63B5530156AB0D69D26133668C45B25CA0E7EF336A8154296AC
2556 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E62573C.dat | image
  MD5: 12E5EABF3EF18D6C6B01E48F78C21985
  SHA256: 00833B56D61FC84805E7CCD56A833B39953DC1F7FB91E55BE35C1486A43D00A7
2556 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42A0667E.dat | image
  MD5: 78377D6C1C1502CAEB9A0A018630C40D
  SHA256: B19A8E9B543F49439E09FC12AA4EE8B4B10F9E1775E2F117C7A39A4092A0ED8B
2556 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C212E0A3.dat | image
  MD5: CDA743C44EFF541D7802B4F9E32406E8
  SHA256: 218D2AC398FB34069A032658786A9A33A73E571CBD30F8B09EB7C1019F922B31
1652 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | der
  MD5: F58EAC592AFA8A8C5BB8B047397DE01C
  SHA256: 908CE32359CA59FE8B8EF823FDDC36E51A653B2BA5B4719919F6CB66198FAF47
2556 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D496867.dat | image
  MD5: E95357816CB60F696FF9AC1B9FE93579
  SHA256: 8FB7A07D64E045E9ABE48212E189397EA5293960ECD3014EE65027B5B8738DF2
2556 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F7E8CAA.dat | image
  MD5: 3C69A6E1903B9E46E6D313BE27BE0FA5
  SHA256: 1563924E369721053BFE6EECA5208905FBB488F123A99B421B8F56D739FBAFC5
2556 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E9C560D.dat | image
  MD5: 79C94827BDD2DBD75C587C9931DFFC69
  SHA256: E81531C165A4F8AB87F1DFAB3AC698BDC83F73E33085D1FE3575CF572910D3F7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 27
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2556 | OUTLOOK.EXE | GET | - | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | - | - | whitelisted
1652 | iexplore.exe | GET | 200 | 52.222.177.172:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted
1652 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D | US | der | 471 b | whitelisted
1652 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY | US | der | 728 b | whitelisted
1652 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEC8w4tAgdEt1RiKXlOpl6%2FU%3D | US | der | 471 b | whitelisted
1652 | iexplore.exe | GET | 200 | 54.230.182.13:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted
1652 | iexplore.exe | GET | 200 | 54.230.182.118:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEALiUkureckjj7MJj36f730%3D | US | der | 471 b | whitelisted
1652 | iexplore.exe | GET | 200 | 52.222.177.67:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared
1652 | iexplore.exe | GET | 200 | 54.230.182.13:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted
2380 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1652 | iexplore.exe | 54.230.182.13:80 | o.ss2.us | Amazon.com, Inc. | US | unknown
1652 | iexplore.exe | 52.222.177.172:80 | ocsp.rootg2.amazontrust.com | Amazon.com, Inc. | US | whitelisted
2556 | OUTLOOK.EXE | 64.4.26.155:80 | config.messenger.msn.com | Microsoft Corporation | US | whitelisted
1652 | iexplore.exe | 54.230.183.38:443 | us-east-2.protection.sophos.com | Amazon.com, Inc. | US | unknown
2380 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
1652 | iexplore.exe | 209.182.213.43:443 | wroxetervineyard.co.uk | InMotion Hosting, Inc. | US | unknown
1652 | iexplore.exe | 103.8.25.8:443 | al-mishkat.com | SKSA TECHNOLOGY SDN BHD | MY | unknown
1652 | iexplore.exe | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious
1652 | iexplore.exe | 52.222.177.214:80 | ocsp.rootg2.amazontrust.com | Amazon.com, Inc. | US | whitelisted
1652 | iexplore.exe | 52.222.177.67:80 | ocsp.rootg2.amazontrust.com | Amazon.com, Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
config.messenger.msn.com | 64.4.26.155 | whitelisted
us-east-2.protection.sophos.com | 54.230.183.38, 54.230.183.25, 54.230.183.103, 54.230.183.7 | shared
o.ss2.us | 54.230.182.13, 54.230.182.145, 54.230.182.138, 54.230.182.2 | whitelisted
ocsp.rootg2.amazontrust.com | 52.222.177.214, 52.222.177.172, 52.222.177.67, 52.222.177.138 | whitelisted
ocsp.rootca1.amazontrust.com | 52.222.177.67, 52.222.177.138, 52.222.177.172, 52.222.177.214 | shared
ocsp.sca1b.amazontrust.com | 54.230.182.118, 54.230.182.218, 54.230.182.114, 54.230.182.44 | whitelisted
wroxetervineyard.co.uk | 209.182.213.43 | unknown
ocsp.comodoca.com | 151.139.128.14 | whitelisted
al-mishkat.com | 103.8.25.8 | unknown
api.bing.com | 13.107.5.80 | whitelisted

Threats

PID | Process | Class | Message
3532 | javaw.exe | A Network Trojan was detected | STEALER [PTsecurity] Pyrogenic.Qealler (this alert fired 10 times)
Process | Message
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn