| Field | Value |
|---|---|
| File name | TradeAlert Pro.zip |
| Full analysis | https://app.any.run/tasks/c2dd3ec0-0890-4251-a4c4-8967b6bd9a48 |
| Verdict | Malicious activity |
| Threats | Loader. A loader is malware whose job is to get onto a device and then deliver further payloads: it profiles the host, then fetches and installs other malware such as trojans or stealers. Loaders are usually delivered through phishing emails and links that rely on social engineering to get the user to download and run the executable, and they use evasion and persistence techniques to stay undetected. In this task the network signature that fired (see the alerts table) matches the Vidar/Arkei/Megumin/Oski stealer HTTP POST pattern. |
| Analysis date | January 24, 2022, 20:36:30 |
| OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
| Tags | — |
| Indicators | — |
| MIME | application/zip |
| File info | Zip archive data, at least v1.0 to extract |
| MD5 | 323895165938D88D8F3131822B04AB92 |
| SHA1 | 3E2C49C61C6DF167F060D1AF310E624E08CC62F3 |
| SHA256 | CB58046644114748BF6E5A0014CA4A3B602588E3E193101171F4008EF24DCA45 |
| SSDEEP | 98304:ByUUVe4o8rv6+PIdELOWbQzstu+VSQFJmJMgO10UUlZGgYWuLq6:ByUG/v6Tdab0sU+VSQaJMgO1mxPH6 |
| Extension | Identified type |
|---|---|
| .zip | ZIP compressed archive (100) |

First archive entry (a directory entry, hence no sizes and a zero CRC):

| Zip entry field | Value |
|---|---|
| ZipFileName | Privacy Policy/ |
| ZipUncompressedSize | - |
| ZipCompressedSize | - |
| ZipCRC | 0x00000000 |
| ZipModifyDate | 2021:11:04 20:55:09 |
| ZipCompression | None |
| ZipBitFlag | - |
| ZipRequiredVersion | 10 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3504 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\TradeAlert Pro.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE |
| | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0 | | | |
| 2168 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\MetaStock Pro View(portable).exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\MetaStock Pro View(portable).exe | — | WinRAR.exe |
| | User: admin; Integrity Level: MEDIUM | | | |
| 3940 | "C:\Windows\System32\cmd.exe" /c taskkill /im MetaStock Pro View(portable).exe /f & timeout /t 6 & del /f /q "C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\MetaStock Pro View(portable).exe" & del C:\ProgramData\*.dll & exit | C:\Windows\System32\cmd.exe | — | MetaStock Pro View(portable).exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| 1704 | taskkill /im MetaStock Pro View(portable).exe /f | C:\Windows\system32\taskkill.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Terminates Processes; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 3772 | timeout /t 6 | C:\Windows\system32\timeout.exe | — | cmd.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |

PID 3940 is the sample's clean-up chain: kill the running image, wait six seconds, delete the extracted executable from the WinRAR temp directory, and remove every DLL under C:\ProgramData (presumably where the DLLs fetched over HTTP were staged). The image name passed to taskkill /im contains spaces but is not quoted, so taskkill does not receive it as a single argument; its exit code 1 shows the kill failed. Because the steps are joined with an unconditional `&`, cmd.exe continues to the timeout and del steps regardless, and exits 0.
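The kill, wait, delete chain in PID 3940 is a generic self-cleanup pattern worth matching on command lines rather than on the specific file names. The following is an added example, not code from ANY.RUN or from the sample: it splits a cmd.exe `/c` command line on unquoted `&`, extracts what taskkill, timeout and del are acting on, and reports whether the chain deletes the same image it tried to kill, whether it uses a wildcard delete, and whether the taskkill argument is unquoted with spaces (the defect behind the exit code 1 above). SAMPLE_CMD is copied from the report; everything else is the example's own.

```python
"""Flag a cmd.exe kill-wait-delete self-cleanup chain from a process command line."""
import re
from pathlib import PureWindowsPath

# Command line of PID 3940, copied from the report (as one Python string).
SAMPLE_CMD = (
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im MetaStock Pro View(portable).exe /f '
    r'& timeout /t 6 '
    r'& del /f /q "C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\MetaStock Pro View(portable).exe" '
    r'& del C:\ProgramData\*.dll & exit'
)

# Leading `"...\cmd.exe" /c ` or `cmd /k ` prefix (path optional, quotes optional).
CMD_PREFIX = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)


def split_chain(cmdline):
    """Drop the cmd /c prefix and split the body on '&' outside double quotes."""
    body = CMD_PREFIX.sub("", cmdline)
    steps, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            steps.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    steps.append("".join(cur).strip())
    return [s for s in steps if s]


def _del_targets(args):
    """Paths handed to del/erase: honour double quotes, skip /switches."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', args)
    return [q or p for q, p in tokens if not (p and p.startswith("/"))]


def analyze(cmdline):
    """Return the kill/wait/delete indicators found in one cmd.exe command line."""
    result = {
        "kill_image": None,                 # image name as written after /im
        "kill_image_unquoted_spaces": False,  # taskkill would only see the first word
        "delay_seconds": None,
        "deleted": [],
        "deletes_killed_image": False,
        "wildcard_deletes": [],
    }
    for step in split_chain(cmdline):
        verb, _, args = step.partition(" ")
        verb = verb.lower()
        if verb == "taskkill":
            # Everything after /im up to the next /switch (or end of the step).
            m = re.search(r"/im\s+(.+?)(?=\s+/|\s*$)", args, re.I)
            if m:
                raw = m.group(1)
                result["kill_image"] = raw.strip('"')
                result["kill_image_unquoted_spaces"] = (
                    not raw.startswith('"') and " " in raw
                )
        elif verb == "timeout":
            m = re.search(r"/t\s+(\d+)", args, re.I)
            if m:
                result["delay_seconds"] = int(m.group(1))
        elif verb in ("del", "erase"):
            for target in _del_targets(args):
                result["deleted"].append(target)
                if "*" in target or "?" in target:
                    result["wildcard_deletes"].append(target)
    if result["kill_image"]:
        killed = result["kill_image"].lower()
        result["deletes_killed_image"] = any(
            PureWindowsPath(t).name.lower() == killed for t in result["deleted"]
        )
    return result


def is_self_delete_chain(cmdline):
    """True when the chain kills an image, waits, and then deletes that same image."""
    r = analyze(cmdline)
    return r["deletes_killed_image"] and r["delay_seconds"] is not None


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CMD).items():
        print(f"{key}: {value}")
    print("self-delete chain:", is_self_delete_chain(SAMPLE_CMD))
```

The same logic applied to a Sysmon event 1 or EDR process-creation feed keys on the parent being the deleted image, which is what makes this chain a strong signal even when the file names change between samples.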
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_ar.rtf | text | 9B5B6B6C14FDEFBB3D67AB8425666CEA | 6CEE95EDFB044E5DE674B49C816EC074CF1FD99B58E50B90101BA0ADE80D7AF4 |
| 3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_it.rtf | text | 1078DBC19F8BFBB2C11B1CC4772296BE | 9B72BE935D74636B9F311570D38F75F6D7D0CAEDEB00EC1A0051C668AD4785A3 |
| 3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_de.rtf | text | 4CFA2DA298B95EFA55B19D51C81A3C66 | D62B3089300FE942D491EE3D18BAB07B59AAAA5410B72181C267A694A2692F8D |
| 3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_nl.rtf | text | 7F56FCA514C9117A273A9A72B9CC426A | F24E68C305D3BE6AB7BE8674E4FA79ACB4EF9D292A5C09B121C7227908E4A544 |
| 3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_fi.rtf | text | 1D713CD1758AAF01F4E39C8E514843E5 | 9EE64A38F94533592B2012039491ED0969FDB8C595A176BD0805531B0E8161F4 |
| 3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_en-us.rtf | text | 61C77F963F5ED65DFC13A9EBD5AD820E | 9E35D0A96499BB811E99ABCAD801F217BAD15D6748CAB036B398C9AA6656D01F |
| 3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_da.rtf | text | 2FFDB0BB667EC42B624D6934055DDE9C | E182177BCBC5296F335E04A90DE522153C9680B87FBE9EA049495AB5AD8111A7 |
| 3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_hr.rtf | text | 41334A45F84423F450592CDF99664E1C | 02F84C13EC1A5D2DF1699948AA72F3AF17854D0FAA2FF9F2F79AB5B1DE273831 |
| 3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_en.rtf | text | 1AEC177B22E45F99FC812D5BFEDD2F07 | 6B45386A52901170D24DB77537044197450BF3412590B694DE589596C5F68839 |
| 3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_cs.rtf | text | 99112078FA44DC65D231A074539DCD9E | 4576C09B432ACC5933AB0CDCDE451D329E4AADDEBCC232D93E754B7CF151EF6A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2168 | MetaStock Pro View(portable).exe | POST | 200 | 162.55.213.180:80 | http://162.55.213.180/1142 | US | text | 153 b | malicious |
2168 | MetaStock Pro View(portable).exe | GET | 200 | 23.32.238.51:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTP0UTbeG8SwdpMOtR3UfBVjA%3D%3D | US | der | 503 b | shared |
2168 | MetaStock Pro View(portable).exe | GET | 200 | 23.32.238.208:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4842203a3836b846 | US | compressed | 59.9 Kb | whitelisted |
2168 | MetaStock Pro View(portable).exe | GET | 200 | 23.45.105.185:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted |
2168 | MetaStock Pro View(portable).exe | GET | 200 | 162.55.213.180:80 | http://162.55.213.180/freebl3.dll | US | executable | 326 Kb | malicious |
2168 | MetaStock Pro View(portable).exe | GET | 200 | 162.55.213.180:80 | http://162.55.213.180/mozglue.dll | US | executable | 133 Kb | malicious |
2168 | MetaStock Pro View(portable).exe | POST | 200 | 162.55.213.180:80 | http://162.55.213.180/ | US | text | 22 b | malicious |
2168 | MetaStock Pro View(portable).exe | GET | 200 | 23.32.238.208:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?38f87fcd157daec1 | US | compressed | 4.70 Kb | whitelisted |
2168 | MetaStock Pro View(portable).exe | GET | 200 | 162.55.213.180:80 | http://162.55.213.180/vcruntime140.dll | US | executable | 81.8 Kb | malicious |
2168 | MetaStock Pro View(portable).exe | GET | 200 | 162.55.213.180:80 | http://162.55.213.180/msvcp140.dll | US | executable | 429 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2168 | MetaStock Pro View(portable).exe | 23.32.238.208:80 | ctldl.windowsupdate.com | XO Communications | US | unknown |
2168 | MetaStock Pro View(portable).exe | 95.216.4.252:443 | mastodon.online | Hetzner Online GmbH | DE | suspicious |
2168 | MetaStock Pro View(portable).exe | 23.32.238.51:80 | r3.o.lencr.org | XO Communications | US | unknown |
2168 | MetaStock Pro View(portable).exe | 162.55.213.180:80 | — | — | US | malicious |
2168 | MetaStock Pro View(portable).exe | 23.45.105.185:80 | x1.c.lencr.org | Akamai International B.V. | NL | unknown |
| Domain | IP | Reputation |
|---|---|---|
| mastodon.online | 95.216.4.252 | suspicious |
| ctldl.windowsupdate.com | 23.32.238.208 | whitelisted |
| x1.c.lencr.org | 23.45.105.185 | whitelisted |
| r3.o.lencr.org | 23.32.238.51 | shared |

The IP column is filled in from the connections table above. r3.o.lencr.org and x1.c.lencr.org are Let's Encrypt's OCSP responder and issuer-certificate (AIA) host, and ctldl.windowsupdate.com serves the Windows trusted/disallowed root lists: these GETs are Windows certificate-chain validation triggered by the TLS connection to mastodon.online:443, not command-and-control traffic. The only host the sample talks to without a domain name is 162.55.213.180.
PID | Process | Class | Message |
---|---|---|---|
2168 | MetaStock Pro View(portable).exe | A Network Trojan was detected | ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern |
2168 | MetaStock Pro View(portable).exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
2168 | MetaStock Pro View(portable).exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent |
2168 | MetaStock Pro View(portable).exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
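The HTTP table above shows the shape the ET INFO Dotted Quad Host DLL Request and PE download alerts key on: a host addressed by bare IP, small POSTs, and four executables pulled from it. The following is an added example, not ANY.RUN's or the sample's code, that triages rows transcribed from that table and flags hosts which are bare IPs and served at least one PE; the row tuples are copied from the report, the function names and the scoring are the example's own assumptions.

```python
"""Triage a sandbox HTTP table: bare-IP hosts that serve PE files alongside POSTs."""
import ipaddress
from collections import OrderedDict
from urllib.parse import urlsplit

# Rows transcribed from the report's HTTP table:
# (pid, method, status, url, content type, size, reputation).
HTTP_ROWS = [
    (2168, "POST", 200, "http://162.55.213.180/1142", "text", "153 b", "malicious"),
    (2168, "GET", 200, "http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTP0UTbeG8SwdpMOtR3UfBVjA%3D%3D", "der", "503 b", "shared"),
    (2168, "GET", 200, "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4842203a3836b846", "compressed", "59.9 Kb", "whitelisted"),
    (2168, "GET", 200, "http://x1.c.lencr.org/", "der", "717 b", "whitelisted"),
    (2168, "GET", 200, "http://162.55.213.180/freebl3.dll", "executable", "326 Kb", "malicious"),
    (2168, "GET", 200, "http://162.55.213.180/mozglue.dll", "executable", "133 Kb", "malicious"),
    (2168, "POST", 200, "http://162.55.213.180/", "text", "22 b", "malicious"),
    (2168, "GET", 200, "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?38f87fcd157daec1", "compressed", "4.70 Kb", "whitelisted"),
    (2168, "GET", 200, "http://162.55.213.180/vcruntime140.dll", "executable", "81.8 Kb", "malicious"),
    (2168, "GET", 200, "http://162.55.213.180/msvcp140.dll", "executable", "429 Kb", "malicious"),
]

PE_TYPES = {"executable"}
PE_SUFFIXES = (".dll", ".exe")


def url_host(url):
    """Lower-cased host part of a URL ('' if absent)."""
    return (urlsplit(url).hostname or "").lower()


def is_bare_ip(host):
    """True when the host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def summarize(rows):
    """Per-host summary in first-seen order: bare-IP flag, POST count, PE names, reputations."""
    hosts = OrderedDict()
    for _pid, method, _status, url, ctype, _size, reputation in rows:
        host = url_host(url)
        summary = hosts.setdefault(host, {
            "bare_ip": is_bare_ip(host),
            "posts": 0,
            "pe_downloads": [],
            "reputations": set(),
        })
        summary["reputations"].add(reputation)
        if method.upper() == "POST":
            summary["posts"] += 1
        name = urlsplit(url).path.rsplit("/", 1)[-1]
        # Trust the sandbox's content sniffing first, then fall back to the file name.
        if ctype in PE_TYPES or name.lower().endswith(PE_SUFFIXES):
            summary["pe_downloads"].append(name)
    return hosts


def flag_hosts(rows):
    """Hosts addressed by bare IP that served at least one PE (the report's DLL pulls)."""
    return [host for host, s in summarize(rows).items()
            if s["bare_ip"] and s["pe_downloads"]]


def describe(rows):
    """Human-readable line per flagged host."""
    summaries = summarize(rows)
    return [
        f"{host}: {len(summaries[host]['pe_downloads'])} PE download(s) "
        f"{summaries[host]['pe_downloads']} with {summaries[host]['posts']} POST(s); "
        f"reputation {sorted(summaries[host]['reputations'])}"
        for host in flag_hosts(rows)
    ]


if __name__ == "__main__":
    for line in describe(HTTP_ROWS):
        print(line)
```

On the report's rows only 162.55.213.180 is flagged; the Let's Encrypt and windowsupdate.com hosts have names, no POSTs, and no PE content, so they drop out without any allow-list. Adding the missing User-Agent check that the AV POLICY alert relies on would need the request headers, which this table does not carry.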