analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://bhatner.com/wp-content/uploads/2020/01/ahead/9312.zip

Full analysis: https://app.any.run/tasks/13853cd1-4b0f-45e8-bc49-56fafc5043fe
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 24, 2020, 12:23:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
qbot
trojan
Indicators:
MD5:

9C3584BC27F28C32B1530F04C5960BF7

SHA1:

790DDF9F05FB64ADB643741F8BA4F9592CB4287D

SHA256:

C483C9D30F122C6675B6D61656C27D51F6A3966DC547FF4F64D38E440278030C

SSDEEP:

3:N1KchZ2OlAQyX1Un:CchQOlAZy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ColorPick.exe (PID: 2668)
      • ytfovlym.exe (PID: 2864)
      • ColorPick.exe (PID: 3196)
      • ytfovlym.exe (PID: 3828)
    • Downloads executable files with a strange extension

      • WScript.exe (PID: 3148)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 3148)
    • QBOT was detected

      • ColorPick.exe (PID: 2668)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 1860)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ColorPick.exe (PID: 2668)
      • WScript.exe (PID: 3148)
      • cmd.exe (PID: 1860)
    • Starts itself from another location

      • ColorPick.exe (PID: 2668)
    • Creates files in the user directory

      • ColorPick.exe (PID: 2668)
    • Application launched itself

      • ColorPick.exe (PID: 2668)
      • ytfovlym.exe (PID: 2864)
    • Starts CMD.EXE for commands execution

      • ColorPick.exe (PID: 2668)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 628)
      • iexplore.exe (PID: 2808)
    • Changes internet zones settings

      • iexplore.exe (PID: 628)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2808)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 628)
    • Manual execution by user

      • WScript.exe (PID: 3148)
    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 1860)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 628)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 628)
    • Changes settings of System certificates

      • iexplore.exe (PID: 628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
11
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start iexplore.exe iexplore.exe winrar.exe no specs wscript.exe #QBOT colorpick.exe colorpick.exe ytfovlym.exe cmd.exe ping.exe no specs ytfovlym.exe explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
628"C:\Program Files\Internet Explorer\iexplore.exe" "http://bhatner.com/wp-content/uploads/2020/01/ahead/9312.zip"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2808"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:628 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
1116"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\9312.zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3148"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\JVC_1478.vbs" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2668C:\Users\admin\AppData\Local\Temp\ColorPick.exeC:\Users\admin\AppData\Local\Temp\ColorPick.exe
WScript.exe
User:
admin
Company:
Microsoft C
Integrity Level:
MEDIUM
Description:
Macedo
Exit code:
0
Version:
6.5.1042
Modules
Images
c:\users\admin\appdata\local\temp\colorpick.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3196C:\Users\admin\AppData\Local\Temp\ColorPick.exe /CC:\Users\admin\AppData\Local\Temp\ColorPick.exe
ColorPick.exe
User:
admin
Company:
Microsoft C
Integrity Level:
MEDIUM
Description:
Macedo
Exit code:
0
Version:
6.5.1042
Modules
Images
c:\users\admin\appdata\local\temp\colorpick.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2864C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe
ColorPick.exe
User:
admin
Company:
Microsoft C
Integrity Level:
MEDIUM
Description:
Macedo
Exit code:
0
Version:
6.5.1042
Modules
Images
c:\users\admin\appdata\roaming\microsoft\zulycjadyc\ytfovlym.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1860"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\ColorPick.exe"C:\Windows\System32\cmd.exe
ColorPick.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\msxml6.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\common files\microsoft shared\filters\offfiltx.dll
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
3916ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
3828C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe
ytfovlym.exe
User:
admin
Company:
Microsoft C
Integrity Level:
MEDIUM
Description:
Macedo
Exit code:
0
Version:
6.5.1042
Modules
Images
c:\users\admin\appdata\roaming\microsoft\zulycjadyc\ytfovlym.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
8 393
Read events
1 620
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
13
Text files
2
Unknown types
3

Dropped files

PID
Process
Filename
Type
628iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA61BDF8BDEB1F836.TMP
MD5:
SHA256:
2808iexplore.exeC:\Users\admin\Downloads\9312.zip.qcw5v5x.partial
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFAD69F389D6D35BD9.TMP
MD5:
SHA256:
628iexplore.exeC:\Users\admin\Downloads\9312.zip.qcw5v5x.partial:Zone.Identifier
MD5:
SHA256:
1116WinRAR.exeC:\Users\admin\Desktop\JVC_1478.vbs
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF984BB82E8A848656.TMP
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{66DED661-3EA4-11EA-972D-5254004A04AF}.dat
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab6FD4.tmp
MD5:
SHA256:
628iexplore.exeC:\Users\admin\AppData\Local\Temp\Tar6FD5.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
11
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3148
WScript.exe
GET
200
5.61.27.159:80
http://alphaenergyeng.com/wp-content/uploads/2020/01/ahead/444444.png
US
executable
464 Kb
suspicious
2808
iexplore.exe
GET
200
103.91.92.1:80
http://bhatner.com/wp-content/uploads/2020/01/ahead/9312.zip
IN
compressed
2.23 Mb
whitelisted
628
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
628
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
628
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
628
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2808
iexplore.exe
103.91.92.1:80
bhatner.com
Click4net Internet Services P Ltd
IN
unknown
628
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
628
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
628
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3148
WScript.exe
5.61.27.159:80
alphaenergyeng.com
Nrp Network LLC
US
malicious

DNS requests

Domain
IP
Reputation
bhatner.com
  • 103.91.92.1
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
alphaenergyeng.com
  • 5.61.27.159
suspicious

Threats

PID
Process
Class
Message
3148
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3148
WScript.exe
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
3148
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3148
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
Process
Message
ColorPick.exe
ZBZQBZ
ColorPick.exe
ZBZQBZ
ytfovlym.exe
ZBZQBZ
ytfovlym.exe
ZBZQBZ