analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

archiveYTcheats.zip

Full analysis: https://app.any.run/tasks/f5492924-ebd1-4776-8e0a-d5f8ffde686e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 22, 2020, 14:01:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
opendir
loader
miner
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

7F7F47898E7191608635E5CCB1516C9F

SHA1:

E1D64D0D887A9FD1450690F629F93485BAC8DA74

SHA256:

C801803521B81CE62028D081A0ECD0EC3DC580661C11B1225BA5FA281A5276A9

SSDEEP:

98304:t0xIgwVlHN8tp0wCilsx7u6e+IoaYUdSGchwpBpk6AP7n:ixjilt8tpnCi6U6e+IOUdOhwp/k627n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • lr.exe (PID: 2704)
      • launcher.exe (PID: 2076)
      • cr.exe (PID: 2540)
      • sr.exe (PID: 4064)
      • RealtekSb.exe (PID: 3264)
      • xCoreManagment.exe (PID: 3272)
      • ApplicationsFrameHost.exe (PID: 884)
    • Downloads executable files from the Internet

      • lr.exe (PID: 2704)
      • xCoreManagment.exe (PID: 3272)
    • Downloads executable files from IP

      • lr.exe (PID: 2704)
      • xCoreManagment.exe (PID: 3272)
    • Loads the Task Scheduler COM API

      • cr.exe (PID: 2540)
    • Writes to a start menu file

      • cr.exe (PID: 2540)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2132)
    • Changes the autorun value in the registry

      • xCoreManagment.exe (PID: 3272)
    • MINER was detected

      • ApplicationsFrameHost.exe (PID: 884)
    • Connects to CnC server

      • ApplicationsFrameHost.exe (PID: 884)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3620)
      • lr.exe (PID: 2704)
      • cr.exe (PID: 2540)
      • xCoreManagment.exe (PID: 3272)
    • Creates files in the program directory

      • lr.exe (PID: 2704)
      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 2068)
      • xCoreManagment.exe (PID: 3272)
    • Reads Internet Cache Settings

      • lr.exe (PID: 2704)
      • sr.exe (PID: 4064)
      • xCoreManagment.exe (PID: 3272)
    • Starts CMD.EXE for commands execution

      • lr.exe (PID: 2704)
      • sr.exe (PID: 4064)
      • xCoreManagment.exe (PID: 3272)
    • Creates files in the user directory

      • cr.exe (PID: 2540)
      • sr.exe (PID: 4064)
    • Starts CMD.EXE for self-deleting

      • lr.exe (PID: 2704)
      • sr.exe (PID: 4064)
    • Starts itself from another location

      • cr.exe (PID: 2540)
    • Uses WMIC.EXE to obtain a system information

      • cmd.exe (PID: 3444)
      • cmd.exe (PID: 2068)
    • Reads the cookies of Google Chrome

      • sr.exe (PID: 4064)
    • Searches for installed software

      • sr.exe (PID: 4064)
    • Reads the cookies of Mozilla Firefox

      • sr.exe (PID: 4064)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 2068)
    • Uses ICACLS.EXE to modify access control list

      • cmd.exe (PID: 3360)
      • cmd.exe (PID: 3504)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 1756)
      • cmd.exe (PID: 2724)
      • cmd.exe (PID: 968)
      • cmd.exe (PID: 3284)
      • cmd.exe (PID: 392)
      • cmd.exe (PID: 3680)
      • cmd.exe (PID: 3484)
      • cmd.exe (PID: 1800)
      • cmd.exe (PID: 3328)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:12:04 14:21:17
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: files/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
97
Monitored processes
44
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start winrar.exe launcher.exe no specs lr.exe cmd.exe no specs cr.exe sr.exe realteksb.exe no specs xcoremanagment.exe cmd.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs wmic.exe no specs #MINER applicationsframehost.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs icacls.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3620"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\archiveYTcheats.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2076"C:\Users\admin\AppData\Local\Temp\Rar$EXb3620.11663\files\launcher.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb3620.11663\files\launcher.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2704files\lr.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3620.11663\files\files\lr.exe
launcher.exe
User:
admin
Company:
FsGFtLgbCIu dLdgQZrSNnzBnCI pbtOnGnIaK CyYLDU
Integrity Level:
MEDIUM
Description:
nfdAZHySTS774
Exit code:
0
Version:
19.4.9.11597
3616cmd /c ""C:\ProgramData\bt.bat" "C:\Windows\system32\cmd.exelr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
123
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2540C:\ProgramData\cr.exeC:\ProgramData\cr.exe
lr.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4064C:\ProgramData\sr.exeC:\ProgramData\sr.exe
lr.exe
User:
admin
Company:
ROfmgTuRWez YTKkGpxoqhWFecP UlAdpsuxMn scomYY
Integrity Level:
MEDIUM
Description:
akZNSlNhOWoU311
Exit code:
0
Version:
3.8.3.8833
3264"C:\Users\admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"C:\Users\admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.execr.exe
User:
admin
Integrity Level:
MEDIUM
3272C:\ProgramData\SystemNetwork\xCoreManagment.exeC:\ProgramData\SystemNetwork\xCoreManagment.exe
lr.exe
User:
admin
Company:
MwgSzFscPZA vwtBOzGgMJPTzhk qzuRMeNGRw WkSKZc
Integrity Level:
MEDIUM
Description:
ZMaYiJqPxp203
Version:
8.0.6.7202
2132"C:\Windows\System32\cmd.exe" /k ping -n 5 localhost < nul & del /F /Q "C:\Users\admin\AppData\Local\Temp\Rar$EXb3620.11663\files\files\lr.exe"C:\Windows\System32\cmd.exelr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4040ping -n 5 localhost C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 140
Read events
1 087
Write events
0
Delete events
0

Modification events

No data
Executable files
15
Suspicious files
4
Text files
12
Unknown types
3

Dropped files

PID
Process
Filename
Type
3620WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3620.11663\files\qt.conftext
MD5:9E32E17C1CE953BF87887AA63D5EDFC1
SHA256:7EB8A713CD483AD16B971A84725021787EEAFFB47FB89EA86B4A99A5F91562A9
2704lr.exeC:\ProgramData\bt.battext
MD5:72FF1AD85F3E98E7936A17AAA6A05AEE
SHA256:B8B20F7408AB581624FA042B3164BA4512E8F7D08442B05E1ED97DF0912751E0
4064sr.exeC:\Users\admin\AppData\Local\Temp\CabE5A5.tmp
MD5:
SHA256:
4064sr.exeC:\Users\admin\AppData\Local\Temp\TarE5A6.tmp
MD5:
SHA256:
4064sr.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\ER989HF8.txt
MD5:
SHA256:
3620WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3620.11663\files\files\Qt.pydexecutable
MD5:0F9A0C4F71694FF02C427480214609FE
SHA256:128917E19434E95A31DF8B4BC3F23F8569743E209062CE4D61EF28128E30FE7E
3620WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3620.11663\files\Qt5CLucene.dllexecutable
MD5:B064E97D369D178530C500959FED5357
SHA256:EA7F0967F44B95F71D6C17B87B3E928114BF053FB289C74C8CBCA11491F55DD9
3620WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb3620.11663\files\files\lr.exeexecutable
MD5:4B6AB1FF1538937548B04C2B7027E2F7
SHA256:60776DB1D4FC8DF442887B76166CEB58D6C6DD948AFCBE25668ECF777147E936
4064sr.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1binary
MD5:2F033A2C01D93044C419EBDD537A4F2C
SHA256:82FDEF8365723F17F29FC3F3978741A1BE05B902B190816E0E0830A2DF35E00F
2704lr.exeC:\ProgramData\cr.exeexecutable
MD5:09110C330299FA83578B2CC5534A6CD7
SHA256:42B35C0D0E94F1DB0132CD92F748736BC9C0ACCF701F1E47E01AF53D4A5BA835
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
8
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2704
lr.exe
GET
200
185.92.149.29:80
http://185.92.149.29/lc/sr.exe
NL
executable
2.71 Mb
malicious
2704
lr.exe
GET
200
185.92.149.29:80
http://185.92.149.29/lc/cr.exe
NL
executable
5.46 Mb
malicious
2704
lr.exe
GET
200
185.92.149.29:80
http://185.92.149.29/lc/bt.bat
NL
text
780 b
malicious
3272
xCoreManagment.exe
GET
200
185.92.149.29:80
http://185.92.149.29/Build2/x32/config.json
NL
text
1.59 Kb
malicious
2704
lr.exe
GET
200
185.92.149.29:80
http://185.92.149.29/Build2/xCoreManagment.exe
NL
executable
3.20 Mb
malicious
3272
xCoreManagment.exe
GET
404
185.92.149.29:80
http://185.92.149.29/Build2/other/other.txt?
NL
xml
1.03 Kb
malicious
3272
xCoreManagment.exe
GET
200
185.92.149.29:80
http://185.92.149.29/Build2/server_version.txt?
NL
text
4 b
malicious
4064
sr.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEA75bDr2duIraIwn5olTK3c%3D
US
der
278 b
whitelisted
4064
sr.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
3272
xCoreManagment.exe
GET
200
185.92.149.29:80
http://185.92.149.29/Build2/server_version.txt?
NL
text
4 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4064
sr.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2704
lr.exe
185.92.149.29:80
1a3c1a2b.xyz
NovoServe B.V.
NL
malicious
3272
xCoreManagment.exe
185.92.149.29:80
1a3c1a2b.xyz
NovoServe B.V.
NL
malicious
884
ApplicationsFrameHost.exe
185.92.149.29:88
1a3c1a2b.xyz
NovoServe B.V.
NL
malicious
4064
sr.exe
104.27.172.77:443
mytelegramapi.cf
Cloudflare Inc
US
suspicious

DNS requests

Domain
IP
Reputation
mytelegramapi.cf
  • 104.27.172.77
  • 104.27.173.77
suspicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted
1a3c1a2b.xyz
  • 185.92.149.29
malicious

Threats

PID
Process
Class
Message
2704
lr.exe
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2704
lr.exe
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2704
lr.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
2704
lr.exe
A Network Trojan was detected
ET INFO AutoIt User Agent Executable Request
2704
lr.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2704
lr.exe
Misc activity
ET INFO Packed Executable Download
2704
lr.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2704
lr.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2704
lr.exe
Misc activity
ET INFO Packed Executable Download
2704
lr.exe
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
5 ETPRO signatures available at the full report
No debug info