File name: TradeAlert Pro.zip

Full analysis: https://app.any.run/tasks/c2dd3ec0-0890-4251-a4c4-8967b6bd9a48
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 24, 2022, 20:36:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, stealer, vidar, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 323895165938D88D8F3131822B04AB92
SHA1: 3E2C49C61C6DF167F060D1AF310E624E08CC62F3
SHA256: CB58046644114748BF6E5A0014CA4A3B602588E3E193101171F4008EF24DCA45
SSDEEP: 98304:ByUUVe4o8rv6+PIdELOWbQzstu+VSQFJmJMgO10UUlZGgYWuLq6:ByUG/v6Tdab0sU+VSQaJMgO1mxPH6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Loads dropped or rewritten executable

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Stealing of credential data

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Actions looks like stealing of personal data

      • MetaStock Pro View(portable).exe (PID: 2168)
    • VIDAR was detected

      • MetaStock Pro View(portable).exe (PID: 2168)
  • SUSPICIOUS

    • Reads the computer name

      • MetaStock Pro View(portable).exe (PID: 2168)
      • WinRAR.exe (PID: 3504)
    • Checks supported languages

      • WinRAR.exe (PID: 3504)
      • MetaStock Pro View(portable).exe (PID: 2168)
      • cmd.exe (PID: 3940)
    • Reads Windows owner or organization settings

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Reads the cookies of Mozilla Firefox

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Executable content was dropped or overwritten

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Drops a file that was compiled in debug mode

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Reads CPU info

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Reads the cookies of Google Chrome

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Reads Environment values

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Creates files in the program directory

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3940)
    • Starts CMD.EXE for commands execution

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Starts CMD.EXE for self-deleting

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Searches for installed software

      • MetaStock Pro View(portable).exe (PID: 2168)
  • INFO

    • Reads settings of System Certificates

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Checks Windows Trust Settings

      • MetaStock Pro View(portable).exe (PID: 2168)
    • Reads the computer name

      • taskkill.exe (PID: 1704)
    • Checks supported languages

      • taskkill.exe (PID: 1704)
      • timeout.exe (PID: 3772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Privacy Policy/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2021:11:04 20:55:09
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
Total processes: 40
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process chain)

start → winrar.exe (no specs) → metastock pro view(portable).exe (#VIDAR) → cmd.exe (no specs) → taskkill.exe (no specs), timeout.exe (no specs)

Process information

PID: 3504
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\TradeAlert Pro.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 2168
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\MetaStock Pro View(portable).exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\MetaStock Pro View(portable).exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM

PID: 3940
CMD: "C:\Windows\System32\cmd.exe" /c taskkill /im MetaStock Pro View(portable).exe /f & timeout /t 6 & del /f /q "C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\MetaStock Pro View(portable).exe" & del C:\ProgramData\*.dll & exit
Path: C:\Windows\System32\cmd.exe
Parent process: MetaStock Pro View(portable).exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1704
CMD: taskkill /im MetaStock Pro View(portable).exe /f
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3772
CMD: timeout /t 6
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 7 716
Read events: 7 664
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 12
Suspicious files: 11
Text files: 36
Unknown types: 11

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_ar.rtf | text | 9B5B6B6C14FDEFBB3D67AB8425666CEA | 6CEE95EDFB044E5DE674B49C816EC074CF1FD99B58E50B90101BA0ADE80D7AF4
3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_it.rtf | text | 1078DBC19F8BFBB2C11B1CC4772296BE | 9B72BE935D74636B9F311570D38F75F6D7D0CAEDEB00EC1A0051C668AD4785A3
3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_de.rtf | text | 4CFA2DA298B95EFA55B19D51C81A3C66 | D62B3089300FE942D491EE3D18BAB07B59AAAA5410B72181C267A694A2692F8D
3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_nl.rtf | text | 7F56FCA514C9117A273A9A72B9CC426A | F24E68C305D3BE6AB7BE8674E4FA79ACB4EF9D292A5C09B121C7227908E4A544
3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_fi.rtf | text | 1D713CD1758AAF01F4E39C8E514843E5 | 9EE64A38F94533592B2012039491ED0969FDB8C595A176BD0805531B0E8161F4
3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_en-us.rtf | text | 61C77F963F5ED65DFC13A9EBD5AD820E | 9E35D0A96499BB811E99ABCAD801F217BAD15D6748CAB036B398C9AA6656D01F
3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_da.rtf | text | 2FFDB0BB667EC42B624D6934055DDE9C | E182177BCBC5296F335E04A90DE522153C9680B87FBE9EA049495AB5AD8111A7
3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_hr.rtf | text | 41334A45F84423F450592CDF99664E1C | 02F84C13EC1A5D2DF1699948AA72F3AF17854D0FAA2FF9F2F79AB5B1DE273831
3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_en.rtf | text | 1AEC177B22E45F99FC812D5BFEDD2F07 | 6B45386A52901170D24DB77537044197450BF3412590B694DE589596C5F68839
3504 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.25940\Privacy Policy\UBT_cs.rtf | text | 99112078FA44DC65D231A074539DCD9E | 4576C09B432ACC5933AB0CDCDE451D329E4AADDEBCC232D93E754B7CF151EF6A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 5
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2168 | MetaStock Pro View(portable).exe | POST | 200 | 162.55.213.180:80 | http://162.55.213.180/1142 | US | text | 153 b | malicious
2168 | MetaStock Pro View(portable).exe | GET | 200 | 23.32.238.51:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTP0UTbeG8SwdpMOtR3UfBVjA%3D%3D | US | der | 503 b | shared
2168 | MetaStock Pro View(portable).exe | GET | 200 | 23.32.238.208:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4842203a3836b846 | US | compressed | 59.9 Kb | whitelisted
2168 | MetaStock Pro View(portable).exe | GET | 200 | 23.45.105.185:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted
2168 | MetaStock Pro View(portable).exe | GET | 200 | 162.55.213.180:80 | http://162.55.213.180/freebl3.dll | US | executable | 326 Kb | malicious
2168 | MetaStock Pro View(portable).exe | GET | 200 | 162.55.213.180:80 | http://162.55.213.180/mozglue.dll | US | executable | 133 Kb | malicious
2168 | MetaStock Pro View(portable).exe | POST | 200 | 162.55.213.180:80 | http://162.55.213.180/ | US | text | 22 b | malicious
2168 | MetaStock Pro View(portable).exe | GET | 200 | 23.32.238.208:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?38f87fcd157daec1 | US | compressed | 4.70 Kb | whitelisted
2168 | MetaStock Pro View(portable).exe | GET | 200 | 162.55.213.180:80 | http://162.55.213.180/vcruntime140.dll | US | executable | 81.8 Kb | malicious
2168 | MetaStock Pro View(portable).exe | GET | 200 | 162.55.213.180:80 | http://162.55.213.180/msvcp140.dll | US | executable | 429 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2168 | MetaStock Pro View(portable).exe | 23.32.238.208:80 | ctldl.windowsupdate.com | XO Communications | US | unknown
2168 | MetaStock Pro View(portable).exe | 95.216.4.252:443 | mastodon.online | Hetzner Online GmbH | DE | suspicious
2168 | MetaStock Pro View(portable).exe | 23.32.238.51:80 | r3.o.lencr.org | XO Communications | US | unknown
2168 | MetaStock Pro View(portable).exe | 162.55.213.180:80 | | | US | malicious
2168 | MetaStock Pro View(portable).exe | 23.45.105.185:80 | x1.c.lencr.org | Akamai International B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
mastodon.online | 95.216.4.252 | suspicious
ctldl.windowsupdate.com | 23.32.238.208, 23.32.238.178 | whitelisted
x1.c.lencr.org | 23.45.105.185 | whitelisted
r3.o.lencr.org | 23.32.238.51, 23.32.238.67 | shared

Threats

PID | Process | Class | Message
2168 | MetaStock Pro View(portable).exe | A Network Trojan was detected | ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
2168 | MetaStock Pro View(portable).exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
2168 | MetaStock Pro View(portable).exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent
2168 | MetaStock Pro View(portable).exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1 ETPRO signatures available at the full report
No debug info