analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

setup_files.zip

Full analysis: https://app.any.run/tasks/a4a8722a-e4c8-4a14-83e2-2d3047df0293
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: August 08, 2020, 15:51:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
stealer
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

6F00D81FC0DA3E9E885845F254AF1962

SHA1:

196A4925CFEBA7147B4F9C44BA9095EE61C20893

SHA256:

C90F80BE1532C220CFEFA0AE87CCEB564820CC3E9545D9F23346671B985AD9D0

SSDEEP:

98304:tt8/l7G7b/TOyaoRsP3qFThav8TtfKGFDNqw85tDIZCJa:tt8/lC7b/TPaoCPKtrTtZ/q5jDIo0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • setup_install.exe (PID: 3208)
      • setup_install.exe (PID: 2152)
      • ns576F.tmp (PID: 1120)
      • load.exe (PID: 1732)
      • kronk.exe (PID: 3960)
      • lgjgeyfackm.exe (PID: 2064)
    • Loads dropped or rewritten executable

      • setup_install.exe (PID: 2152)
    • Changes settings of System certificates

      • CScript.exe (PID: 1696)
      • load.exe (PID: 1732)
    • Actions looks like stealing of personal data

      • kronk.exe (PID: 3960)
    • Stealing of credential data

      • kronk.exe (PID: 3960)
  • SUSPICIOUS

    • Creates files in the program directory

      • setup_install.exe (PID: 2152)
    • Starts application with an unusual extension

      • setup_install.exe (PID: 2152)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2908)
      • setup_install.exe (PID: 2152)
      • load.exe (PID: 1732)
    • Executes scripts

      • ns576F.tmp (PID: 1120)
    • Reads Internet Cache Settings

      • CScript.exe (PID: 1696)
      • load.exe (PID: 1732)
      • kronk.exe (PID: 3960)
    • Adds / modifies Windows certificates

      • CScript.exe (PID: 1696)
      • load.exe (PID: 1732)
    • Reads the cookies of Google Chrome

      • kronk.exe (PID: 3960)
    • Reads the cookies of Mozilla Firefox

      • kronk.exe (PID: 3960)
    • Starts CMD.EXE for self-deleting

      • kronk.exe (PID: 3960)
    • Checks for external IP

      • load.exe (PID: 1732)
    • Starts CMD.EXE for commands execution

      • kronk.exe (PID: 3960)
      • load.exe (PID: 1732)
    • Searches for installed software

      • kronk.exe (PID: 3960)
  • INFO

    • Reads settings of System Certificates

      • load.exe (PID: 1732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2020:08:08 11:35:02
ZipCRC: 0xbbf38bf8
ZipCompressedSize: 3949177
ZipUncompressedSize: 3982086
ZipFileName: setup_install.exe
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
11
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start winrar.exe setup_install.exe no specs setup_install.exe kronk.exe ns576f.tmp no specs cscript.exe load.exe cmd.exe no specs timeout.exe no specs cmd.exe no specs lgjgeyfackm.exe

Process information

PID
CMD
Path
Indicators
Parent process
2908"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\setup_files.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3208"C:\Users\admin\AppData\Local\Temp\Rar$EXb2908.26845\setup_install.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb2908.26845\setup_install.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
11.7.2.0
2152"C:\Users\admin\AppData\Local\Temp\Rar$EXb2908.26845\setup_install.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb2908.26845\setup_install.exe
WinRAR.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
11.7.2.0
3960"C:\Program Files\Mongofils\exe\kronk.exe"C:\Program Files\Mongofils\exe\kronk.exe
setup_install.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
1120"C:\Users\admin\AppData\Local\Temp\nsk56F1.tmp\ns576F.tmp" "C:\Windows\system32\CScript.exe" "C:\Program Files\Mongofils\exe\1.vbs" //e:vbscript //B //NOLOGO C:\Users\admin\AppData\Local\Temp\nsk56F1.tmp\ns576F.tmpsetup_install.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
1696"C:\Windows\system32\CScript.exe" "C:\Program Files\Mongofils\exe\1.vbs" //e:vbscript //B //NOLOGO C:\Windows\system32\CScript.exe
ns576F.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Console Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1732"C:\Program Files\Mongofils\exe\load.exe"C:\Program Files\Mongofils\exe\load.exe
setup_install.exe
User:
admin
Integrity Level:
HIGH
3972"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\admin\AppData\Local\Temp\jh0erE5veAcb & timeout 2 & del /f /q "C:\Program Files\Mongofils\exe\kronk.exe"C:\Windows\system32\cmd.exekronk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2668timeout 2 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1896"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\admin\AppData\Local\Temp\lgjgeyfackm.exe"C:\Windows\system32\cmd.exeload.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 579
Read events
1 515
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
12
Text files
295
Unknown types
13

Dropped files

PID
Process
Filename
Type
1696CScript.exeC:\Users\admin\AppData\Local\Temp\Cab5B93.tmp
MD5:
SHA256:
1696CScript.exeC:\Users\admin\AppData\Local\Temp\Tar5B94.tmp
MD5:
SHA256:
2152setup_install.exeC:\Users\admin\AppData\Local\Temp\nsk56F1.tmp\ns576F.tmpexecutable
MD5:30D31B3424FF6B7613EAAF79E9449E0F
SHA256:8F0F0E254113725B386FF4C6C2967D556ED4D568245FC8AF6F2DBEA697BA56BF
2908WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2908.26845\setup_install.exeexecutable
MD5:E5AB571C074D171941CB4E0D16D01C30
SHA256:A40283308FA80C6785F3AC05928E0BC7E9DE7BAF0425ECA4A3AADC3CFA5101FA
2152setup_install.exeC:\Program Files\Mongofils\exe\load.exeexecutable
MD5:88CE7B7F8101C38BC9BDD1AC7733BBDC
SHA256:703C9E037D96363637FC5B4AA21B2DF0AC94641CCF7C83A221DA329A31E9FE4E
1696CScript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08der
MD5:9E1EB3DDA03ED5B39D68CB26399E3C2E
SHA256:161399C3C4D0942A0AFE35D59B26D984D24C6E502253CDBDAECCDD9A0B53380E
3960kronk.exeC:\Users\admin\AppData\Local\Temp\jh0erE5veAcb\_Files\_Cookies\google_chrome.txttext
MD5:2823D2B83EC6D22555CADDD36EEBDAC7
SHA256:31270CB968D5FACA441DEE28C9BE400A0E5BF4CCBA6E2E06C634459059D36DE7
2152setup_install.exeC:\Program Files\Mongofils\exe\kronk.exeexecutable
MD5:EA0491B30CFE1D7EC884F22668089BB9
SHA256:F7E5C2324CF07478ECCA42F82DD3C619ED7C16A5B4BEEF7821D4A0733C646F1E
3960kronk.exeC:\Users\admin\AppData\Local\Temp\jh0erE5veAcb\mpsNKp.tmpsqlite
MD5:E812B5AAA4AB657D430A930438DD0E7C
SHA256:153A35F475F8B6AB4AE389DA8BE3AB7557250C46CE410C8D2C884C8AB418808F
3960kronk.exeC:\Users\admin\AppData\Local\Temp\jh0erE5veAcb\lrgm.tmpsqlite
MD5:B07445123C1156C138DBB2C09CA56381
SHA256:60EF4EEFAE5E163D3C38BBBF592B70453BE8C17D95537C84438DCA3DB7B150F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
9
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1696
CScript.exe
GET
200
2.16.186.35:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
1732
load.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
US
der
471 b
whitelisted
1732
load.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAGC%2BAmOouYmuRo7J4Qfua8%3D
US
der
1.47 Kb
whitelisted
1732
load.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuqL92L3tjkN67RNFF%2FEdvT6NEzAQUwBKyKHRoRmfpcCV0GgBFWwZ9XEQCEAgt9o7pxpMVvr9yB5s4EP0%3D
US
der
471 b
whitelisted
3960
kronk.exe
POST
200
2.57.184.163:80
http://otteppp11.top/index.php
unknown
text
2 b
malicious
1732
load.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
text
282 b
shared
1696
CScript.exe
GET
200
2.16.186.27:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgObfHHgHlsa0R7fVL2Sj72S7g%3D%3D
unknown
der
527 b
whitelisted
3960
kronk.exe
POST
200
185.180.231.139:80
http://doorres03.top/index.php
RU
text
3 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1696
CScript.exe
88.99.66.31:443
iplogger.org
Hetzner Online GmbH
DE
malicious
3960
kronk.exe
2.57.184.163:80
otteppp11.top
malicious
3960
kronk.exe
185.180.231.139:80
otteppp11.top
MediaServicePlus LLC
RU
malicious
2.16.186.35:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
whitelisted
2.16.186.27:80
ocsp.int-x3.letsencrypt.org
Akamai International B.V.
whitelisted
1732
load.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
1732
load.exe
18.205.93.1:443
bitbucket.org
US
malicious
1732
load.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1732
load.exe
52.216.25.116:443
bbuseruploads.s3.amazonaws.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
iplogger.org
  • 88.99.66.31
shared
isrg.trustid.ocsp.identrust.com
  • 2.16.186.35
  • 2.16.186.11
whitelisted
ocsp.int-x3.letsencrypt.org
  • 2.16.186.27
  • 2.16.186.11
whitelisted
otteppp11.top
  • 2.57.184.163
  • 185.180.231.139
malicious
doorres03.top
  • 185.180.231.139
  • 2.57.184.163
malicious
ip-api.com
  • 208.95.112.1
shared
bitbucket.org
  • 18.205.93.1
  • 18.205.93.2
  • 18.205.93.0
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
bbuseruploads.s3.amazonaws.com
  • 52.216.25.116
shared

Threats

PID
Process
Class
Message
1696
CScript.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] IP Check Domain SSL certificate
1696
CScript.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] IP Check Domain SSL certificate
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
3960
kronk.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
3960
kronk.exe
A Network Trojan was detected
ET TROJAN Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
1732
load.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
1732
load.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
8 ETPRO signatures available at the full report
Process
Message
kronk.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
load.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
lgjgeyfackm.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------