analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FinCERT_BAPB_URL2019052401.zip

Full analysis: https://app.any.run/tasks/b1d6e483-515d-4e9c-a42f-181e9c91fb40
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 24, 2019, 07:26:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
ransomware
troldesh
shade
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

CE05A678D6F56ECBE86AB33C4756C94D

SHA1:

8261C0BCE7D6D56D862F312E985A6F4DAF5A9981

SHA256:

CA3BDB13533F2A1E1B7987D9C6482917D7633C20438E52025CE3D9AB885E387A

SSDEEP:

48:9+XRZN/LjYs43y3NhL/BJc1YxOuyye+vVeBlU5sT3bS3JMLWhP6tqa7YYAvBH3sV:YXRbwJy3J/xOVB+vglU5CuZGma7Ybv2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radD346D.tmp (PID: 1448)
      • radD9E7C.tmp (PID: 2584)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 2396)
    • Changes the autorun value in the registry

      • radD346D.tmp (PID: 1448)
    • TROLDESH was detected

      • radD346D.tmp (PID: 1448)
    • Deletes shadow copies

      • radD346D.tmp (PID: 1448)
    • Runs app for hidden code execution

      • radD346D.tmp (PID: 1448)
    • Dropped file may contain instructions of ransomware

      • radD346D.tmp (PID: 1448)
    • Actions looks like stealing of personal data

      • radD346D.tmp (PID: 1448)
    • Modifies files in Chrome extension folder

      • radD346D.tmp (PID: 1448)
  • SUSPICIOUS

    • Starts Internet Explorer

      • OUTLOOK.EXE (PID: 1560)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 1560)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 1560)
      • radD346D.tmp (PID: 1448)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2396)
      • WScript.exe (PID: 2100)
      • radD346D.tmp (PID: 1448)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3204)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 2984)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2396)
      • WScript.exe (PID: 2100)
      • radD346D.tmp (PID: 1448)
    • Executes scripts

      • WinRAR.exe (PID: 2132)
    • Creates files in the program directory

      • radD346D.tmp (PID: 1448)
    • Checks for external IP

      • radD346D.tmp (PID: 1448)
    • Executed as Windows Service

      • vssvc.exe (PID: 3284)
    • Creates files like Ransomware instruction

      • radD346D.tmp (PID: 1448)
  • INFO

    • Manual execution by user

      • OUTLOOK.EXE (PID: 1560)
      • WScript.exe (PID: 2396)
    • Application launched itself

      • iexplore.exe (PID: 2080)
    • Creates files in the user directory

      • iexplore.exe (PID: 280)
    • Changes internet zones settings

      • iexplore.exe (PID: 2080)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 280)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 1560)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2080)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2080)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2080)
    • Dropped object may contain URL to Tor Browser

      • radD346D.tmp (PID: 1448)
    • Dropped object may contain TOR URL's

      • radD346D.tmp (PID: 1448)
    • Dropped object may contain Bitcoin addresses

      • radD346D.tmp (PID: 1448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: [Content] ?⭮??⥫쭮 ??????.eml
ZipUncompressedSize: 4798
ZipCompressedSize: 3120
ZipCRC: 0xd5d824e0
ZipModifyDate: 2019:05:24 09:18:09
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
64
Monitored processes
16
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs outlook.exe iexplore.exe iexplore.exe winrar.exe no specs wscript.exe cmd.exe no specs #TROLDESH radd346d.tmp wscript.exe cmd.exe no specs radd9e7c.tmp vssadmin.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
2964"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\FinCERT_BAPB_URL2019052401.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1560"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\Desktop\[Content] «G¡«ß¿Gѽ8¡« ºá¬áºá.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2080"C:\Program Files\Internet Explorer\iexplore.exe" https://lazovskiphoto.com/ural_zakaz.zipC:\Program Files\Internet Explorer\iexplore.exe
OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
280"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2080 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2132"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\ural_zakaz.zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2396"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3204"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radD346D.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1448C:\Users\admin\AppData\Local\Temp\radD346D.tmpC:\Users\admin\AppData\Local\Temp\radD346D.tmp
cmd.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
MEDIUM
Description:
Registry Defrag
Version:
5.0.0.14
2100"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2132.34333\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3696"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radD9E7C.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
3 338
Read events
2 748
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
1 065
Text files
75
Unknown types
31

Dropped files

PID
Process
Filename
Type
2964WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2964.30709\[Content] «G¡«ß¿Gѽ8¡« ºá¬áºá.eml
MD5:
SHA256:
1560OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR43A8.tmp.cvr
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2080iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1560OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:CCAA6B162D79A35A10C2C21799C8C7F8
SHA256:CDB4D74E41FB3E24EB647210163F7CF4E2C01684D651C0A6D561526388A22C05
2080iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA0E21A4FDB7632C8.TMP
MD5:
SHA256:
280iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:FB732257ADF9B5F869DC1D021E07031A
SHA256:C6A9D3E70F1BCDC453765EF4E07F9006D2B88754ED690523ED603DF20AFE2CB9
1560OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Outlook\mapisvc.inftext
MD5:48DD6CAE43CE26B992C35799FCD76898
SHA256:7BFE1F3691E2B4FB4D61FBF5E9F7782FBE49DA1342DBD32201C2CC8E540DBD1A
1560OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{B3BFE229-8A65-47FA-B40E-70379644C11D}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.pngimage
MD5:7D80C0A7E3849818695EAF4989186A3C
SHA256:72DC527D78A8E99331409803811CC2D287E812C008A1C869A6AEA69D7A44B597
280iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
19
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1560
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
1448
radD346D.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1448
radD346D.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1448
radD346D.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1448
radD346D.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1448
radD346D.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1448
radD346D.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1448
radD346D.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1448
radD346D.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
1448
radD346D.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2080
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1448
radD346D.tmp
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
280
iexplore.exe
85.93.145.251:443
lazovskiphoto.com
JSC Internet-Cosmos
RU
unknown
2396
WScript.exe
62.173.145.104:80
www.zagogulina.com
JSC Internet-Cosmos
RU
malicious
1448
radD346D.tmp
54.36.103.223:9001
OVH SAS
FR
suspicious
1448
radD346D.tmp
94.16.122.65:80
netcup GmbH
DE
suspicious
1448
radD346D.tmp
205.185.118.79:443
FranTech Solutions
US
suspicious
1560
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
1448
radD346D.tmp
104.18.34.131:80
whatsmyip.net
Cloudflare Inc
US
shared
1448
radD346D.tmp
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
lazovskiphoto.com
  • 85.93.145.251
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.zagogulina.com
  • 62.173.145.104
malicious
whatismyipaddress.com
  • 104.16.154.36
  • 104.16.155.36
shared
whatsmyip.net
  • 104.18.34.131
  • 104.18.35.131
shared

Threats

PID
Process
Class
Message
2396
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2396
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2396
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
1448
radD346D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 182
1448
radD346D.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
1448
radD346D.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
1448
radD346D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 702
1448
radD346D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 327
1448
radD346D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 524
1448
radD346D.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
25 ETPRO signatures available at the full report
No debug info