File name: SPAM2.zip
Full analysis: https://app.any.run/tasks/cabbf7f8-439e-4b63-b084-abd7d123fca2
Verdict: Malicious activity
Threats:

Gootkit is an advanced banking trojan. It is extremely good at evading detection and has an incredibly effective persistence mechanism, making it a dangerous malware that researchers and organizations should be aware of.

Analysis date: May 15, 2019, 13:03:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
gootkit
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 719866F667340EBA5CFCD09C9B86ACD4
SHA1: 22258464E32756729E050DF461C28517DB67D241
SHA256: C03F9CAC4AB5BFCC9B5456C5978E6AE4DB168A4BB8E9F92CE6A37DAE13EF2E1A
SSDEEP: 6144:LoBDGXkGhJAdsZL7BT/NDDoVXOz+tRc6yNF:GCi+LtTpcVXxryF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • gootkit.exe (PID: 1176)
      • gootkit.exe (PID: 1632)
    • Changes settings of System certificates
      • gootkit.exe (PID: 1632)
    • GOTKIT detected
      • gootkit.exe (PID: 1176)
    • Changes internet zones settings
      • gootkit.exe (PID: 1176)
  • SUSPICIOUS
    • Removes files from Windows directory
      • certutil.exe (PID: 284)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2292)
    • Application launched itself
      • gootkit.exe (PID: 1176)
    • Creates files in the Windows directory
      • certutil.exe (PID: 284)
    • Creates files in the user directory
      • powershell.exe (PID: 2188)
    • Executes PowerShell scripts
      • WScript.exe (PID: 2440)
    • Reads the machine GUID from the registry
      • WScript.exe (PID: 2440)
      • powershell.exe (PID: 2188)
  • INFO
    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF
ZIP
ZipFileName: gootkit.exe
ZipUncompressedSize: 219648
ZipCompressedSize: 185188
ZipCRC: 0xd058848c
ZipModifyDate: 2019:05:15 14:57:03
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20

No data.
All screenshots are available in the full report
Total processes: 63
Monitored processes: 18
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process chain as shown in the graph (entries marked "no specs" have no indicators attached):
  • start
  • winrar.exe (no specs)
  • winrar.exe
  • cmd.exe (no specs)
  • tzutil.exe (no specs)
  • certutil.exe (no specs)
  • regedit.exe (no specs)
  • regedit.exe (no specs)
  • regedit.exe
  • cmd.exe
  • tzutil.exe (no specs)
  • certutil.exe (no specs)
  • regedit.exe (no specs)
  • wscript.exe (no specs)
  • powershell.exe
  • #GOOTKIT gootkit.exe
  • gootkit.exe
  • rundll32.exe (no specs)
  • notepad.exe (no specs)

Process information

PID: 2020
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SPAM2.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2292
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\SPAM2.zip" C:\Users\admin\Desktop\SPAM2\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 316
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\SPAM2\italiano.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1128
CMD: tzutil /s "W. Europe Standard Time"
Path: C:\Windows\system32\tzutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Time Zone Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2152
CMD: certutil /decode "C:\Users\admin\AppData\Local\Temp\b64" "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\system32\certutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CertUtil.exe
Exit code: 0
Version: 6.1.7601.18151 (win7sp1_gdr.130512-1533)

PID: 2548
CMD: regedit.exe /s "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1460
CMD: "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2176
CMD: "C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded"
Path: C:\Windows\regedit.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2240
CMD: "C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\SPAM2\italiano.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2548
CMD: tzutil /s "W. Europe Standard Time"
Path: C:\Windows\system32\tzutil.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Time Zone Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 328
Read events: 1 137
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 2
Text files: 16
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2188 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6QCJLN3UFQV9C88QYO55.temp | | |
2188 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | EFE728C6A1FA7B524323F3A8067F4CE3 | 80D7DAFCD29A5322777FC138CAE5362796B16E93F5EDFEE6C53BD8E887AC7E8C
2292 | WinRAR.exe | C:\Users\admin\Desktop\SPAM2\gootkit.exe | executable | 2B6BDA7F51D5C16A24A825632B4C9571 | 6E7CA8FB597803DAA11F446E9D0B3EA312D4173DD016A5769B38DF735446294D
2152 | certutil.exe | C:\Users\admin\AppData\Local\Temp\decoded | text | CC4D5700F092115E8867C7DD6372F0C3 | 3CCF035606E304B96E0AA7B17E045A32C8AA8BD9B7CE664DBA4D9BD87784F018
316 | cmd.exe | C:\Users\admin\AppData\Local\Temp\b64 | text | 31D3914C66095D867C9A84C8FAE369B0 | 97FF2CFDC676C831EBCBD0440DE720647FB8B22367344279E57BBECFAAB4E859
284 | certutil.exe | C:\Users\admin\AppData\Local\Temp\decoded | text | CC4D5700F092115E8867C7DD6372F0C3 | 3CCF035606E304B96E0AA7B17E045A32C8AA8BD9B7CE664DBA4D9BD87784F018
2292 | WinRAR.exe | C:\Users\admin\Desktop\SPAM2\v2i (1) | text | 65B1E0CF2BA55E572843FF6FE8716649 | 8E5855A6F1A14B28DE3DFA4A09E852BB8A8F29D1A2428F64ABF55D577152A4B1
2292 | WinRAR.exe | C:\Users\admin\Desktop\SPAM2\v2i (2) | text | 17ED44E5B9261010CB072D882690A2AD | 372AB229E63CDADC5B30692C42CF72D956B72769E69C338AA00E79412DB8B73E
1176 | gootkit.exe | C:\Users\admin\Desktop\SPAM2\gootkit.inf | ini | E4AA96249E2E9AA9809FD93E81444CBE | B4AFB8311B89D5FFD66B84E2070182728F05B4CF0EBF26E5BC75E9FC968DB275
2240 | cmd.exe | C:\Users\admin\AppData\Local\Temp\b64 | text | 31D3914C66095D867C9A84C8FAE369B0 | 97FF2CFDC676C831EBCBD0440DE720647FB8B22367344279E57BBECFAAB4E859
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 8
DNS requests: 3
Threats: 0

HTTP requests

(The HTTP Code, Type and Size columns are empty in this report and are omitted below.)

PID | Process | Method | IP | URL | CN | Reputation
2188 | powershell.exe | GET | 185.158.249.122:80 | http://eme.emeraldsurfvision.com/v2i.php?need=js&vid=pec11vbs&ajzhe | NL | malicious
1632 | gootkit.exe | GET | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | malicious
1632 | gootkit.exe | GET | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | malicious
2188 | powershell.exe | GET | 185.212.47.163:80 | http://fad.c21abel.info/api?bcfsb | DE | suspicious
1632 | gootkit.exe | GET | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | malicious
1632 | gootkit.exe | GET | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | malicious
1632 | gootkit.exe | GET | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | malicious
1632 | gootkit.exe | GET | 185.158.249.144:443 | https://ssw.138front.com/rbody320 | NL | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1632 | gootkit.exe | 185.158.249.144:443 | ssw.138front.com | easystores GmbH | NL | malicious
2188 | powershell.exe | 185.158.249.122:80 | eme.emeraldsurfvision.com | easystores GmbH | NL | malicious
 | | 185.212.47.163:80 | fad.c21abel.info | 23media GmbH | DE | unknown

DNS requests

Domain | IP | Reputation
eme.emeraldsurfvision.com | 185.158.249.122 | malicious
ssw.138front.com | 185.158.249.144 | malicious
fad.c21abel.info | 185.212.47.163 | suspicious

Threats

No threats detected

Process | Message
gootkit.exe | MP3 file corrupted
gootkit.exe | WMA 0
gootkit.exe | OGG 0