File name: | bf5e00fa491b76fcceea0b8de133f5c28e20c556facce6652e6bca60fa946746.rar |
Full analysis: | https://app.any.run/tasks/416a19b7-8fa7-4dcb-b215-2f4b89da6403 |
Verdict: | Malicious activity |
Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
Analysis date: | May 20, 2019, 12:39:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 0569CA387F8B950E00B99E9ACB612BE9 |
SHA1: | 33D0CDACED6249AA93B4B1B54D2005A907EE563F |
SHA256: | BF5E00FA491B76FCCEEA0B8DE133F5C28E20C556FACCE6652E6BCA60FA946746 |
SSDEEP: | 1536:Tr99BZ4Hi14xpjaCvCl7fnrZ0L/gCwKzDQV+o5p5t/1MxxJZ/dd6mEpjKCqvDawE:d9BZ4Hddsl50LpwKzcV+CqxrZWFsawE |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2860 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\bf5e00fa491b76fcceea0b8de133f5c28e20c556facce6652e6bca60fa946746.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1472 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3112 | C:\Users\Public\wprgxyeqd79.exe | C:\Users\Public\wprgxyeqd79.exe | EXCEL.EXE | |
User: admin Company: Miranda IM Integrity Level: MEDIUM Description: Tile Textheight Clipbook Mostly Wading Exit code: 0 Version: 8.7.56.236 | ||||
3524 | C:\Windows\System32\svchost.exe -k WerSvcGroup | C:\Windows\System32\svchost.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2852 | C:\Users\Public\rtegre.exe | C:\Users\Public\rtegre.exe | EXCEL.EXE | |
User: admin Company: x264 project Integrity Level: MEDIUM Description: Nkcreatestaticmapping Aboriginal Year Version: 5.7.3.790 | ||||
3480 | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | — | services.exe |
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Office Software Protection Platform Service Version: 14.0.0370.400 (longhorn(wmbla).090811-1833) | ||||
3028 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
2224 | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | C:\Windows\system32\DllHost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1576 | "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520 | C:\Windows\system32\SearchFilterHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Search Filter Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
2316 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1472 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR2B0F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1472 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE24B.tmp | — | |
MD5:— | SHA256:— | |||
1472 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoE25B.tmp | — | |
MD5:— | SHA256:— | |||
1472 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFE3985E0E6AD524F5.TMP | — | |
MD5:— | SHA256:— | |||
1472 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFDF848E2BC84CBE54.TMP | — | |
MD5:— | SHA256:— | |||
2860 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\__rar_2860.12374 | — | |
MD5:— | SHA256:— | |||
2316 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR7ED3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2852 | rtegre.exe | C:\Users\admin\AppData\Local\Temp\{F13B6488-555C-4C41-A787-BC3C2EBB777B}\log | — | |
MD5:— | SHA256:— | |||
2860 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\bf5e00fa491b76fcceea0b8de133f5c28e20c556facce6652e6bca60fa946746.rar | compressed | |
MD5:94DE748CD13243E7C4F9041A208683F7 | SHA256:E4123CD24EEFB26464CA373CD5FEFCACBA9195FE7981ECDD1914687D4DA377B9 | |||
2852 | rtegre.exe | C:\Users\admin\AppData\Local\Temp\{F13B6488-555C-4C41-A787-BC3C2EBB777B}\temp | sqlite | |
MD5:7ED7E7FFE1DC4EAAEE2EDAFDD4815A47 | SHA256:BD7D82BAB01903699A91783F35D7E1EBF2BA8AEDC1023F09C0E6934B1B0651C3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2852 | rtegre.exe | GET | — | 199.249.230.79:80 | http://199.249.230.79/tor/server/fp/2f1a6481756d34bbf2cd3bebabbfec2e863a6f55 | US | — | — | suspicious |
2852 | rtegre.exe | GET | — | 93.115.86.6:80 | http://93.115.86.6/tor/server/fp/508eaaa5322c7bf048c8fadbbfb37d0a3e1d9262 | RO | — | — | suspicious |
2852 | rtegre.exe | GET | — | 192.99.35.91:80 | http://192.99.35.91/tor/server/fp/229877817a7599f4a866a869e282564f3c562917 | CA | — | — | suspicious |
2852 | rtegre.exe | GET | — | 66.111.2.131:9030 | http://66.111.2.131:9030/tor/status-vote/current/consensus | US | — | — | suspicious |
2852 | rtegre.exe | GET | — | 212.186.71.38:80 | http://212.186.71.38/tor/server/fp/52bfada8beaa01ba46c8f767f83c18e2fe50c1b9 | AT | — | — | suspicious |
2852 | rtegre.exe | GET | — | 185.217.93.92:80 | http://185.217.93.92/tor/server/fp/1b9638c3e98d8e9dc03350b25e87128cc79860d8 | NL | — | — | suspicious |
2852 | rtegre.exe | GET | — | 96.66.15.147:80 | http://96.66.15.147/tor/server/fp/d4c16732e765eb52eb0b749db35dc14c8e0df996 | US | — | — | suspicious |
2852 | rtegre.exe | GET | — | 51.77.72.200:80 | http://51.77.72.200/tor/server/fp/592031cfdba17dd46e1e365e6c60ad1f81655033 | GB | — | — | suspicious |
2852 | rtegre.exe | GET | — | 185.10.68.52:80 | http://185.10.68.52/tor/server/fp/bcc274eff09434289b2471df35cfff0894f54d25 | SC | — | — | malicious |
2852 | rtegre.exe | GET | — | 23.129.64.153:80 | http://23.129.64.153/tor/server/fp/d42ee874bd05eaf1edfc4805e0f90b24d74c6b80 | US | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2852 | rtegre.exe | 23.21.121.219:443 | api.ipify.org | Amazon.com, Inc. | US | whitelisted |
1472 | EXCEL.EXE | 47.245.58.124:443 | kentona.su | — | US | suspicious |
— | — | 185.10.68.52:80 | — | Flokinet Ltd | SC | malicious |
2852 | rtegre.exe | 49.50.107.221:80 | — | Cyfuture India Pvt. Ltd. | IN | suspicious |
2852 | rtegre.exe | 104.244.77.111:443 | — | FranTech Solutions | US | suspicious |
— | — | 51.77.72.200:80 | — | — | GB | suspicious |
2852 | rtegre.exe | 185.217.93.92:80 | — | AbeloHost B.V. | NL | suspicious |
2852 | rtegre.exe | 185.26.127.24:80 | — | GANDI SAS | LU | suspicious |
— | — | 129.6.15.28:13 | time-a.nist.gov | National Bureau of Standards | US | unknown |
2852 | rtegre.exe | 66.111.2.131:9030 | — | The New York Internet Company | US | suspicious |
Domain | IP | Reputation |
---|---|---|
kentona.su |
| malicious |
api.ipify.org |
| shared |
time-a.nist.gov |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
2852 | rtegre.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 550 |
2852 | rtegre.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2852 | rtegre.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check |
2852 | rtegre.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 242 |
2852 | rtegre.exe | Potential Corporate Privacy Violation | ET P2P Tor Get Server Request |
2852 | rtegre.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 98 |
2852 | rtegre.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 697 |
2852 | rtegre.exe | Potential Corporate Privacy Violation | ET P2P Tor Get Server Request |
2852 | rtegre.exe | A Network Trojan was detected | MALWARE [PTsecurity] Suspicious TOR Connection (Possible Spy.Ursnif/RTM/Crypt0l0cker activity) |