File name: crypto.zip
Full analysis: https://app.any.run/tasks/4a905fe3-c5ff-42f2-a3d4-2bad2162dbd3
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: December 06, 2019, 22:02:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: A2F1DF729688E1796AA11C426D197AEB
SHA1: 9C6ABCD0B9D42AF6F32FDFDE4525291B4039A227
SHA256: BFCCFF51537F1F6AE8B8BAD4CA6A9CE9937DAB107DA2DD5298E0020ED53E4E6F
SSDEEP: 6144:YFKU+icMEjI7LfOAPpFJnrN4q1DDpqbduGhR79MiwcKV9chyHqhSzV8Pr9lQ/ovL:69+K7L2APBrNVAd3pIVV0hSJ8PrPQEo+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PasswordDecoder.exe (PID: 2872)
      • SgrmBroker.exe (PID: 2348)
      • PassDecoder.exe (PID: 1856)
      • dllhost.exe (PID: 2156)
      • PassDecoder.exe (PID: 2284)
      • PasswordDecoder.exe (PID: 3044)
      • SgrmBroker.exe (PID: 2416)
    • Connects to CnC server

      • dllhost.exe (PID: 2156)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PasswordDecoder.exe (PID: 2872)
      • SgrmBroker.exe (PID: 2348)
      • PasswordDecoder.exe (PID: 3044)
    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2956)
    • Starts CMD.EXE for commands execution

      • SgrmBroker.exe (PID: 2416)
      • dllhost.exe (PID: 2156)
      • SgrmBroker.exe (PID: 2348)
  • INFO

    • Manual execution by user

      • NOTEPAD.EXE (PID: 2180)
      • NOTEPAD.EXE (PID: 4084)
      • PasswordDecoder.exe (PID: 2872)
      • NOTEPAD.EXE (PID: 2912)
      • NOTEPAD.EXE (PID: 1188)
      • iexplore.exe (PID: 3268)
      • PasswordDecoder.exe (PID: 3044)
    • Application launched itself

      • iexplore.exe (PID: 3268)
    • Changes internet zones settings

      • iexplore.exe (PID: 3268)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2832)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2832)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2832)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3268)
    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2956)
      • iexplore.exe (PID: 2832)
      • iexplore.exe (PID: 3268)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: PasswordDecoder.exe
ZipUncompressedSize: 401192
ZipCompressedSize: 379451
ZipCRC: 0x55e107a1
ZipModifyDate: 2019:09:08 02:38:26
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
Total processes: 64
Monitored processes: 20
Malicious processes: 1
Suspicious processes: 3

Behavior graph

[Behavior graph image not reproduced. It shows the 20 monitored processes as a tree with "drop and start" edges: winrar.exe, notepad.exe (x4), passworddecoder.exe (x2), passdecoder.exe (x2), sgrmbroker.exe (x2), dllhost.exe, iexplore.exe (x2), flashutil32_26_0_0_131_activex.exe and cmd.exe (x5).]

Process information

PID: 1712
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\crypto.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 4084
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\shapeshift.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2180
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\blockchain.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2872
CMD: "C:\Users\admin\Desktop\PasswordDecoder.exe"
Path: C:\Users\admin\Desktop\PasswordDecoder.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 1856
CMD: "C:\Users\admin\AppData\Local\Microsoft\PassDecoder.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\PassDecoder.exe
Parent process: PasswordDecoder.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2348
CMD: "C:\Users\admin\AppData\Local\Microsoft\SgrmBroker.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\SgrmBroker.exe
Parent process: PasswordDecoder.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225547

PID: 2156
CMD: "C:\Users\admin\AppData\Local\Microsoft\dllhost.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\dllhost.exe
Parent process: SgrmBroker.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2912
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\bitcoin.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1188
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\blockchain.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3268
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 1 929
Read events: 1 732
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 4
Suspicious files: 4
Text files: 153
Unknown types: 13

Dropped files

PID | Process | Filename
1712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1712.25928\PasswordDecoder.exe
1712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1712.25928\passphrases.txt
1712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1712.25928\shapeshift.txt
1712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1712.25928\ltc.txt
1712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1712.25928\bitcoin.txt
1712 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1712.25928\blockchain.txt
3268 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
3268 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
2832 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@pornhub[2].txt
2832 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\58IK8I4R\pornhub_com[1].txt
HTTP(S) requests: 3
TCP/UDP connections: 54
DNS requests: 23
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2832 | iexplore.exe | GET | 301 | 66.254.114.41:80 | http://pornhub.com/ | US | - | - | whitelisted
2156 | dllhost.exe | POST | 200 | 185.141.61.161:10 | http://qqwveqwevqwe.duckdns.org:10/ | unknown | text | 10.5 Mb | malicious
3268 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3268 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2156 | dllhost.exe | 185.141.61.161:10 | qqwveqwevqwe.duckdns.org | - | - | malicious
2832 | iexplore.exe | 205.185.208.79:443 | static.trafficjunky.com | Highwinds Network Group, Inc. | US | unknown
2832 | iexplore.exe | 69.16.175.10:443 | smpop.icfcdn.com | Highwinds Network Group, Inc. | US | malicious
2832 | iexplore.exe | 205.185.208.142:443 | di.phncdn.com | Highwinds Network Group, Inc. | US | suspicious
2832 | iexplore.exe | 66.254.114.41:80 | pornhub.com | Reflected Networks, Inc. | US | malicious
2832 | iexplore.exe | 66.254.114.41:443 | pornhub.com | Reflected Networks, Inc. | US | malicious
2832 | iexplore.exe | 172.217.23.106:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2832 | iexplore.exe | 66.254.114.32:443 | hubt.pornhub.com | Reflected Networks, Inc. | US | unknown
2832 | iexplore.exe | 172.217.21.238:443 | www.google-analytics.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
qqwveqwevqwe.duckdns.org | 185.141.61.161 | unknown
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
pornhub.com | 66.254.114.41 | whitelisted
www.pornhub.com | 66.254.114.41 | whitelisted
di.phncdn.com | 205.185.208.142 | whitelisted
smpop.icfcdn.com | 69.16.175.10, 69.16.175.42 | malicious
cdn1d-static-shared.phncdn.com | 205.185.208.142 | whitelisted
static.trafficjunky.com | 205.185.208.79 | whitelisted
fonts.googleapis.com | 172.217.23.106 | whitelisted
fonts.gstatic.com | 172.217.22.3 | whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2156 | dllhost.exe | A Network Trojan was detected | AV TROJAN MilkyBoy CnC Beacon
2156 | dllhost.exe | A Network Trojan was detected | STEALER [PTsecurity] Stealer.Pjdn
2156 | dllhost.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload

Debug info: No debug info