analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

archiveYTcheats.zip

Full analysis: https://app.any.run/tasks/726ef41d-af19-4c28-aa7d-bff255235105
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 22, 2020, 13:58:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
opendir
loader
miner
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

7F7F47898E7191608635E5CCB1516C9F

SHA1:

E1D64D0D887A9FD1450690F629F93485BAC8DA74

SHA256:

C801803521B81CE62028D081A0ECD0EC3DC580661C11B1225BA5FA281A5276A9

SSDEEP:

98304:t0xIgwVlHN8tp0wCilsx7u6e+IoaYUdSGchwpBpk6AP7n:ixjilt8tpnCi6U6e+IOUdOhwp/k627n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • lr.exe (PID: 2880)
      • launcher.exe (PID: 2072)
      • cr.exe (PID: 880)
      • sr.exe (PID: 3568)
      • xCoreManagment.exe (PID: 2532)
      • RealtekSb.exe (PID: 2120)
      • ApplicationsFrameHost.exe (PID: 272)

    • Downloads executable files from the Internet

      • lr.exe (PID: 2880)
      • xCoreManagment.exe (PID: 2532)

    • Downloads executable files from IP

      • lr.exe (PID: 2880)
      • xCoreManagment.exe (PID: 2532)

    • Loads the Task Scheduler COM API

      • cr.exe (PID: 880)

    • Writes to a start menu file

      • cr.exe (PID: 880)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 1232)

    • Changes the autorun value in the registry

      • xCoreManagment.exe (PID: 2532)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • lr.exe (PID: 2880)
      • WinRAR.exe (PID: 660)
      • cr.exe (PID: 880)
      • xCoreManagment.exe (PID: 2532)

    • Reads Internet Cache Settings

      • lr.exe (PID: 2880)
      • sr.exe (PID: 3568)
      • xCoreManagment.exe (PID: 2532)

    • Creates files in the program directory

      • lr.exe (PID: 2880)
      • cmd.exe (PID: 820)
      • xCoreManagment.exe (PID: 2532)
      • cmd.exe (PID: 2940)

    • Starts CMD.EXE for commands execution

      • lr.exe (PID: 2880)
      • sr.exe (PID: 3568)
      • xCoreManagment.exe (PID: 2532)

    • Creates files in the user directory

      • cr.exe (PID: 880)
      • sr.exe (PID: 3568)

    • Starts itself from another location

      • cr.exe (PID: 880)

    • Starts CMD.EXE for self-deleting

      • lr.exe (PID: 2880)
      • sr.exe (PID: 3568)

    • Reads the cookies of Google Chrome

      • sr.exe (PID: 3568)

    • Uses WMIC.EXE to obtain a system information

      • cmd.exe (PID: 820)
      • cmd.exe (PID: 2940)

    • Reads the cookies of Mozilla Firefox

      • sr.exe (PID: 3568)

    • Searches for installed software

      • sr.exe (PID: 3568)

    • Uses ICACLS.EXE to modify access control list

      • cmd.exe (PID: 3092)
      • cmd.exe (PID: 2940)
      • cmd.exe (PID: 3640)
      • cmd.exe (PID: 3100)
      • cmd.exe (PID: 2600)
      • cmd.exe (PID: 3880)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 2940)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: files/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2019:12:04 14:21:17
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
75
Monitored processes
29
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start winrar.exe launcher.exe no specs lr.exe cmd.exe no specs cr.exe sr.exe realteksb.exe no specs xcoremanagment.exe cmd.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs applicationsframehost.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
660"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\archiveYTcheats.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2072"C:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\launcher.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\launcher.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2880files\lr.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\files\lr.exe
launcher.exe
User:
admin
Company:
FsGFtLgbCIu dLdgQZrSNnzBnCI pbtOnGnIaK CyYLDU
Integrity Level:
MEDIUM
Description:
nfdAZHySTS774
Exit code:
0
Version:
19.4.9.11597
2560cmd /c ""C:\ProgramData\bt.bat" "C:\Windows\system32\cmd.exelr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
123
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
880C:\ProgramData\cr.exeC:\ProgramData\cr.exe
lr.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3568C:\ProgramData\sr.exeC:\ProgramData\sr.exe
lr.exe
User:
admin
Company:
ROfmgTuRWez YTKkGpxoqhWFecP UlAdpsuxMn scomYY
Integrity Level:
MEDIUM
Description:
akZNSlNhOWoU311
Exit code:
0
Version:
3.8.3.8833
2120"C:\Users\admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"C:\Users\admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.execr.exe
User:
admin
Integrity Level:
MEDIUM
2532C:\ProgramData\SystemNetwork\xCoreManagment.exeC:\ProgramData\SystemNetwork\xCoreManagment.exe
lr.exe
User:
admin
Company:
MwgSzFscPZA vwtBOzGgMJPTzhk qzuRMeNGRw WkSKZc
Integrity Level:
MEDIUM
Description:
ZMaYiJqPxp203
Version:
8.0.6.7202
1232"C:\Windows\System32\cmd.exe" /k ping -n 5 localhost < nul & del /F /Q "C:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\files\lr.exe"C:\Windows\System32\cmd.exelr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
816ping -n 5 localhost C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 096
Read events
1 045
Write events
0
Delete events
0

Modification events

No data
Executable files
15
Suspicious files
4
Text files
11
Unknown types
3

Dropped files

PID
Process
Filename
Type
2880lr.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\xCoreManagment[1].exeexecutable
MD5:2E025CFFB72E88FF323B3F5A4932FAE0
SHA256:F024AFD3B113C8773754AB240BBBCB34E12EFDCCF2DF29067A49324A47B13A75
880cr.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnklnk
MD5:2F4C035F29696C38BA3BD835F03D352D
SHA256:54FD7D66AC2B4EC269CA08A9466DBACA5C95A88CE44F5D10AF86E30EBB3E0AC0
2880lr.exeC:\ProgramData\cr.exeexecutable
MD5:09110C330299FA83578B2CC5534A6CD7
SHA256:42B35C0D0E94F1DB0132CD92F748736BC9C0ACCF701F1E47E01AF53D4A5BA835
2880lr.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\cr[1].exeexecutable
MD5:09110C330299FA83578B2CC5534A6CD7
SHA256:42B35C0D0E94F1DB0132CD92F748736BC9C0ACCF701F1E47E01AF53D4A5BA835
2880lr.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\bt[1].battext
MD5:72FF1AD85F3E98E7936A17AAA6A05AEE
SHA256:B8B20F7408AB581624FA042B3164BA4512E8F7D08442B05E1ED97DF0912751E0
660WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\qt.conftext
MD5:9E32E17C1CE953BF87887AA63D5EDFC1
SHA256:7EB8A713CD483AD16B971A84725021787EEAFFB47FB89EA86B4A99A5F91562A9
660WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\launcher.exeexecutable
MD5:09B8E466518D3084175CDD48864C1A64
SHA256:A473507D089B63567B67CD3015560F3E091A0181F839BF9D6737AEFB1EE5B7FB
660WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\files\Qt.pydexecutable
MD5:0F9A0C4F71694FF02C427480214609FE
SHA256:128917E19434E95A31DF8B4BC3F23F8569743E209062CE4D61EF28128E30FE7E
2880lr.exeC:\ProgramData\bt.battext
MD5:72FF1AD85F3E98E7936A17AAA6A05AEE
SHA256:B8B20F7408AB581624FA042B3164BA4512E8F7D08442B05E1ED97DF0912751E0
2880lr.exeC:\ProgramData\SystemNetwork\xCoreManagment.exeexecutable
MD5:2E025CFFB72E88FF323B3F5A4932FAE0
SHA256:F024AFD3B113C8773754AB240BBBCB34E12EFDCCF2DF29067A49324A47B13A75
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
7
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2880
lr.exe
GET
200
185.92.149.29:80
http://185.92.149.29/lc/bt.bat
NL
text
780 b
malicious
2532
xCoreManagment.exe
GET
200
185.92.149.29:80
http://185.92.149.29/Build2/server_version.txt
NL
text
4 b
malicious
2880
lr.exe
GET
200
185.92.149.29:80
http://185.92.149.29/Build2/xCoreManagment.exe
NL
executable
3.20 Mb
malicious
2880
lr.exe
GET
200
185.92.149.29:80
http://185.92.149.29/lc/cr.exe
NL
executable
5.46 Mb
malicious
2532
xCoreManagment.exe
GET
200
185.92.149.29:80
http://185.92.149.29/Build2/x32/config.json
NL
text
1.59 Kb
malicious
2532
xCoreManagment.exe
GET
200
185.92.149.29:80
http://185.92.149.29/Build2/server_version.txt?
NL
text
4 b
malicious
2532
xCoreManagment.exe
GET
404
185.92.149.29:80
http://185.92.149.29/Build2/other/other.txt?
NL
xml
1.03 Kb
malicious
2532
xCoreManagment.exe
GET
200
185.92.149.29:80
http://185.92.149.29/Build2/x32/ApplicationsFrameHost.exe
NL
executable
5.12 Mb
malicious
2880
lr.exe
GET
200
185.92.149.29:80
http://185.92.149.29/lc/sr.exe
NL
executable
2.71 Mb
malicious
3568
sr.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEA75bDr2duIraIwn5olTK3c%3D
US
der
278 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2532
xCoreManagment.exe
185.92.149.29:80
1a3c1a2b.xyz
NovoServe B.V.
NL
malicious
2880
lr.exe
185.92.149.29:80
1a3c1a2b.xyz
NovoServe B.V.
NL
malicious
3568
sr.exe
104.27.173.77:443
mytelegramapi.cf
Cloudflare Inc
US
shared
185.92.149.29:88
1a3c1a2b.xyz
NovoServe B.V.
NL
malicious
3568
sr.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
mytelegramapi.cf
  • 104.27.173.77
  • 104.27.172.77
suspicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted
1a3c1a2b.xyz
  • 185.92.149.29
malicious

Threats

PID
Process
Class
Message
2880
lr.exe
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2880
lr.exe
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2880
lr.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
2880
lr.exe
A Network Trojan was detected
ET INFO AutoIt User Agent Executable Request
2880
lr.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2880
lr.exe
Misc activity
ET INFO Packed Executable Download
2880
lr.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2880
lr.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2880
lr.exe
Misc activity
ET INFO Packed Executable Download
2880
lr.exe
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
archiveYTcheats.zip