File name: trafficbot_b38b2.zip

Full analysis: https://app.any.run/tasks/bc0000cb-5d86-40de-834d-6157f215572b
Verdict: Malicious activity
Analysis date: December 06, 2018, 13:50:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installcapital
adware
prepscram
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 9F2CE203B95AF949A60FEF2BCEB7EA92
SHA1: 9BE3D213CCB3FC9B09037696EB6B13320C142C6B
SHA256: CB62027C32A1849644CD1E25CDD85EBAF70990097D2CA6EAC39A6658D242CE42
SSDEEP: 49152:LLZjXknZebCBuTNcCq4zQ5HiYW4N1Wz3rcjRn118ywkYvXpOln3c:HZSouBuTNc4hYNjWz3rGh1Gywzfslns

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • trafficbot.exe (PID: 3028)
    • PREPSCRAM was detected

      • trafficbot.exe (PID: 3028)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2284)
      • chrome.exe (PID: 1360)
    • Changes internet zones settings

      • iexplore.exe (PID: 2284)
    • Reads settings of System Certificates

      • chrome.exe (PID: 1360)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3064)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3064)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: trafficbot.exe
ZipUncompressedSize: 2394124
ZipCompressedSize: 2394124
ZipCRC: 0x63e0d314
ZipModifyDate: 2018:12:06 13:50:19
ZipCompression: None
ZipBitFlag: 0x0009
ZipRequiredVersion: 10
No data.
Total processes: 53
Monitored processes: 20
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process nodes in launch order; "no specs" marks processes with no indicators):

start → winrar.exe (no specs) → #PREPSCRAM trafficbot.exe → explorer.exe (no specs) → wmplayer.exe (no specs) → setup_wm.exe (no specs) → chrome.exe → chrome.exe (no specs) ×11 → iexplore.exe → iexplore.exe (no specs) → chrome.exe (no specs)

Process information

PID: 3456
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\trafficbot_b38b2.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3028
CMD: "C:\Users\admin\Desktop\trafficbot.exe"
Path: C:\Users\admin\Desktop\trafficbot.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2288
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2568
CMD: "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1
Path: C:\Program Files\Windows Media Player\wmplayer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)

PID: 3792
CMD: "C:\Program Files\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1
Path: C:\Program Files\Windows Media Player\setup_wm.exe
Parent process: wmplayer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Media Configuration Utility
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)

PID: 1360
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 68.0.3440.106

PID: 3232
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6f4600b0,0x6f4600c0,0x6f4600cc
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 68.0.3440.106

PID: 2316
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2424 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 68.0.3440.106

PID: 3536
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=988,8448941037983088074,4780735442809886204,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=D5ADBA515A578E93B4655A4CACB09E28 --mojo-platform-channel-handle=960 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Version: 68.0.3440.106

PID: 864
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,8448941037983088074,4780735442809886204,131072 --enable-features=PasswordImport --service-pipe-token=B3A61707B5E0633E3D63C8B63EFB5552 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=B3A61707B5E0633E3D63C8B63EFB5552 --renderer-client-id=5 --mojo-platform-channel-handle=1916 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106
Total events: 1 439
Read events: 1 299
Write events: 136
Delete events: 4

Modification events

(PID) Process: (3456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3456) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\trafficbot_b38b2.zip

(PID) Process: (3456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0

(PID) Process: (3456) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 0
Suspicious files: 90
Text files: 117
Unknown types: 0

Dropped files

PID: 3456
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3456.29026\trafficbot.exe
Type:
MD5:
SHA256:

PID: 1360
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
Type:
MD5:
SHA256:

PID: 1360
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\0ed267bc-fc5e-4d43-83bc-a73f51a04fa2.tmp
Type:
MD5:
SHA256:

PID: 1360
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
Type:
MD5:
SHA256:

PID: 1360
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
Type:
MD5:
SHA256:

PID: 1360
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\3edbd983-dc69-4184-b681-374269e5341c.tmp
Type:
MD5:
SHA256:

PID: 1360
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF1a758f.TMP
Type: text
MD5: 92BE6B127E72365885AD4C3FB6534EE2
SHA256: 54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51

PID: 1360
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
Type: text
MD5: 92BE6B127E72365885AD4C3FB6534EE2
SHA256: 54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51

PID: 3792
Process: setup_wm.exe
Filename: C:\Users\admin\AppData\Local\Temp\wmsetup.log
Type: text
MD5: D15BB5AA56365FA4FAD7141D1D8F7E01
SHA256: 285B903249DBA47715AF55F7FA0FE5898E2EBAD67FD5C798DFCABCB7C094B7BB

PID: 1360
Process: chrome.exe
Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\e6622492fa163609ddd4212f54512baa07929ed3\caecb3bd-7969-4305-84d6-3a376453ec73\index-dir\temp-index
Type:
MD5:
SHA256:
HTTP(S) requests: 2
TCP/UDP connections: 37
DNS requests: 26
Threats: 0

HTTP requests

PID: 3028
Process: trafficbot.exe
Method: GET
HTTP Code: 200
IP: 54.192.94.187:80
URL: http://alt.tubgiants.host/offer.php?affId=7512&trackingId=387904815&instId=7584&ho_trackingid=HO387904815&cc=DE&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.6.01055&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=427&kid=hqmrb21are2jts1hiqm
CN: US
Type:
Size:
Reputation: whitelisted

PID: 2284
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 204.79.197.200:80
URL: http://www.bing.com/favicon.ico
CN: US
Type: image
Size: 237 b
Reputation: whitelisted

Connections

PID  | Process        | IP                  | Domain                        | ASN              | CN | Reputation
1360 | chrome.exe     | 172.217.20.67:443   | www.google.de                 | Google Inc.      | US | whitelisted
1360 | chrome.exe     | 172.217.168.45:443  | accounts.google.com           | Google Inc.      | US | whitelisted
1360 | chrome.exe     | 216.58.215.234:443  | safebrowsing.googleapis.com   | Google Inc.      | US | whitelisted
1360 | chrome.exe     | 173.194.76.94:443   | ssl.gstatic.com               | Google Inc.      | US | whitelisted
1360 | chrome.exe     | 172.217.168.3:443   | www.gstatic.com               | Google Inc.      | US | whitelisted
1360 | chrome.exe     | 216.58.215.227:443  | clientservices.googleapis.com | Google Inc.      | US | whitelisted
3028 | trafficbot.exe | 54.192.94.187:80    | alt.tubgiants.host            | Amazon.com, Inc. | US | malicious
1360 | chrome.exe     | 172.217.168.4:443   | www.google.com                | Google Inc.      | US | whitelisted
1360 | chrome.exe     | 64.233.184.94:443   | id.google.com                 | Google Inc.      | US | whitelisted
1360 | chrome.exe     | 172.217.168.46:443  | clients1.google.com           | Google Inc.      | US | whitelisted

DNS requests

Domain
IP
Reputation
alt.tubgiants.host
  • 54.192.94.187
  • 54.192.94.179
  • 54.192.94.156
  • 54.192.94.200
whitelisted
clientservices.googleapis.com
  • 216.58.215.227
whitelisted
www.gstatic.com
  • 172.217.168.3
whitelisted
www.google.de
  • 172.217.20.67
whitelisted
safebrowsing.googleapis.com
  • 216.58.215.234
whitelisted
accounts.google.com
  • 172.217.168.45
shared
ssl.gstatic.com
  • 173.194.76.94
whitelisted
www.google.com
  • 172.217.168.4
whitelisted
fonts.gstatic.com
  • 216.58.215.227
whitelisted
clients4.google.com
  • 216.58.215.238
whitelisted

Threats

PID  | Process        | Class                         | Message
3028 | trafficbot.exe | A Network Trojan was detected | ET MALWARE PPI User-Agent (InstallCapital)
3028 | trafficbot.exe | Misc activity                 | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram
No debug info