File name: | SPAM2.zip |
Full analysis: | https://app.any.run/tasks/cabbf7f8-439e-4b63-b084-abd7d123fca2 |
Verdict: | Malicious activity |
Threats: | Gootkit is an advanced banking trojan. It is extremely good at evading detection and has an incredibly effective persistence mechanism, making it a dangerous malware that researchers and organizations should be aware of. |
Analysis date: | May 15, 2019, 13:03:40 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 719866F667340EBA5CFCD09C9B86ACD4 |
SHA1: | 22258464E32756729E050DF461C28517DB67D241 |
SHA256: | C03F9CAC4AB5BFCC9B5456C5978E6AE4DB168A4BB8E9F92CE6A37DAE13EF2E1A |
SSDEEP: | 6144:LoBDGXkGhJAdsZL7BT/NDDoVXOz+tRc6yNF:GCi+LtTpcVXxryF |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | gootkit.exe |
---|---|
ZipUncompressedSize: | 219648 |
ZipCompressedSize: | 185188 |
ZipCRC: | 0xd058848c |
ZipModifyDate: | 2019:05:15 14:57:03 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2020 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SPAM2.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2292 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\SPAM2.zip" C:\Users\admin\Desktop\SPAM2\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
316 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\SPAM2\italiano.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1128 | tzutil /s "W. Europe Standard Time" | C:\Windows\system32\tzutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Time Zone Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2152 | certutil /decode "C:\Users\admin\AppData\Local\Temp\b64" "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\system32\certutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CertUtil.exe Exit code: 0 Version: 6.1.7601.18151 (win7sp1_gdr.130512-1533) | ||||
2548 | regedit.exe /s "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\regedit.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Editor Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1460 | "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\regedit.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Editor Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2176 | "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded" | C:\Windows\regedit.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Editor Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2240 | "C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\SPAM2\italiano.bat" | C:\Windows\System32\cmd.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2548 | tzutil /s "W. Europe Standard Time" | C:\Windows\system32\tzutil.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Time Zone Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2188 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6QCJLN3UFQV9C88QYO55.temp | — | |
MD5:— | SHA256:— | |||
2188 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:EFE728C6A1FA7B524323F3A8067F4CE3 | SHA256:80D7DAFCD29A5322777FC138CAE5362796B16E93F5EDFEE6C53BD8E887AC7E8C | |||
2292 | WinRAR.exe | C:\Users\admin\Desktop\SPAM2\gootkit.exe | executable | |
MD5:2B6BDA7F51D5C16A24A825632B4C9571 | SHA256:6E7CA8FB597803DAA11F446E9D0B3EA312D4173DD016A5769B38DF735446294D | |||
2152 | certutil.exe | C:\Users\admin\AppData\Local\Temp\decoded | text | |
MD5:CC4D5700F092115E8867C7DD6372F0C3 | SHA256:3CCF035606E304B96E0AA7B17E045A32C8AA8BD9B7CE664DBA4D9BD87784F018 | |||
316 | cmd.exe | C:\Users\admin\AppData\Local\Temp\b64 | text | |
MD5:31D3914C66095D867C9A84C8FAE369B0 | SHA256:97FF2CFDC676C831EBCBD0440DE720647FB8B22367344279E57BBECFAAB4E859 | |||
284 | certutil.exe | C:\Users\admin\AppData\Local\Temp\decoded | text | |
MD5:CC4D5700F092115E8867C7DD6372F0C3 | SHA256:3CCF035606E304B96E0AA7B17E045A32C8AA8BD9B7CE664DBA4D9BD87784F018 | |||
2292 | WinRAR.exe | C:\Users\admin\Desktop\SPAM2\v2i (1) | text | |
MD5:65B1E0CF2BA55E572843FF6FE8716649 | SHA256:8E5855A6F1A14B28DE3DFA4A09E852BB8A8F29D1A2428F64ABF55D577152A4B1 | |||
2292 | WinRAR.exe | C:\Users\admin\Desktop\SPAM2\v2i (2) | text | |
MD5:17ED44E5B9261010CB072D882690A2AD | SHA256:372AB229E63CDADC5B30692C42CF72D956B72769E69C338AA00E79412DB8B73E | |||
1176 | gootkit.exe | C:\Users\admin\Desktop\SPAM2\gootkit.inf | ini | |
MD5:E4AA96249E2E9AA9809FD93E81444CBE | SHA256:B4AFB8311B89D5FFD66B84E2070182728F05B4CF0EBF26E5BC75E9FC968DB275 | |||
2240 | cmd.exe | C:\Users\admin\AppData\Local\Temp\b64 | text | |
MD5:31D3914C66095D867C9A84C8FAE369B0 | SHA256:97FF2CFDC676C831EBCBD0440DE720647FB8B22367344279E57BBECFAAB4E859 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2188 | powershell.exe | GET | — | 185.158.249.122:80 | http://eme.emeraldsurfvision.com/v2i.php?need=js&vid=pec11vbs&ajzhe | NL | — | — | malicious |
1632 | gootkit.exe | GET | — | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | — | — | malicious |
1632 | gootkit.exe | GET | — | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | — | — | malicious |
2188 | powershell.exe | GET | — | 185.212.47.163:80 | http://fad.c21abel.info/api?bcfsb | DE | — | — | suspicious |
1632 | gootkit.exe | GET | — | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | — | — | malicious |
1632 | gootkit.exe | GET | — | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | — | — | malicious |
1632 | gootkit.exe | GET | — | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | — | — | malicious |
1632 | gootkit.exe | GET | — | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1632 | gootkit.exe | 185.158.249.144:443 | ssw.138front.com | easystores GmbH | NL | malicious |
2188 | powershell.exe | 185.158.249.122:80 | eme.emeraldsurfvision.com | easystores GmbH | NL | malicious |
— | — | 185.212.47.163:80 | fad.c21abel.info | 23media GmbH | DE | unknown |
Domain | IP | Reputation |
---|---|---|
eme.emeraldsurfvision.com |
| malicious |
ssw.138front.com |
| malicious |
fad.c21abel.info |
| suspicious |
Process | Message |
---|---|
gootkit.exe | MP3 file corrupted |
gootkit.exe | WMA 0 |
gootkit.exe | OGG 0 |