File name:	15052025_1745_Ordendecompra015647.js.zip
Full analysis:	https://app.any.run/tasks/452b462f-4994-4b3b-a1d5-f83331928c9a
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 15, 2025, 17:51:15
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generic arch-scr snake keylogger evasion stealer susp-powershell
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	E08D04D38520206867F5A8C53A7A753B
SHA1:	4C9289F9AF19A7F6D60DBD57F40D35DA9CFA446B
SHA256:	CBA8DDE3FC0E4E2ED9E405EF64DE94F9EC78ABC17E8A18739B25D610F3AC5D4E
SSDEEP:	1536:xft/dbVnhv+kpvxgUja18oUoEBHRYOgxwY6prQWw1kTkzJ:bdZndPoUjhTo1YQdJ

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2025:05:14 18:12:26
ZipCRC:	0xaf8ff548
ZipCompressedSize:	58549
ZipUncompressedSize:	128597
ZipFileName:	Orden de compra 015647.js


(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\15052025_1745_Ordendecompra015647.js.zip
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7420) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7560) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: D7D9100000000000
(PID) Process:	(7740) powershell.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0

PID	Process	Filename		Type
7740	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zewmwarn.4jk.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7740	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:8E7D26D71A1CAF822C338431F0651251	SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
7560	wscript.exe	C:\Users\admin\AppData\Local\Temp\temp_477639.bat		text
		MD5:F9381AD6D4C688EC76065CF5BF702A4E	SHA256:3C04E7B6073BB75B5339AC917693EECBCF73723B132998E95D48BFE078A57D57
7740	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_muziz5kq.r4e.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7672	cmd.exe	C:\Users\admin\dwm.bat		text
		MD5:F9381AD6D4C688EC76065CF5BF702A4E	SHA256:3C04E7B6073BB75B5339AC917693EECBCF73723B132998E95D48BFE078A57D57

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7740	powershell.exe	GET	200	193.122.6.168:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
7980	SIHClient.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7980	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7980	SIHClient.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7980	SIHClient.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
7980	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7740	powershell.exe	GET	200	193.122.6.168:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
7980	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7980	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7980	SIHClient.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	20.190.160.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7740	powershell.exe	193.122.6.168:80	checkip.dyndns.org	ORACLE-BMC-31898	DE	whitelisted
7740	powershell.exe	104.21.48.1:443	reallyfreegeoip.org	CLOUDFLARENET	—	malicious
7980	SIHClient.exe	20.12.23.50:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7980	SIHClient.exe	23.48.23.169:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7980	SIHClient.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7980	SIHClient.exe	40.69.42.241:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2	whitelisted
google.com	216.58.206.46	whitelisted
login.live.com	20.190.160.67 20.190.160.3 40.126.32.136 40.126.32.76 20.190.160.20 20.190.160.65 20.190.160.128 20.190.160.17	whitelisted
checkip.dyndns.org	193.122.6.168 193.122.130.0 132.226.8.169 158.101.44.242 132.226.247.73	whitelisted
reallyfreegeoip.org	104.21.48.1 104.21.112.1 104.21.64.1 104.21.16.1 104.21.32.1 104.21.96.1 104.21.80.1	malicious
slscr.update.microsoft.com	20.12.23.50 20.109.210.53	whitelisted
crl.microsoft.com	23.48.23.169 23.48.23.195 23.48.23.191 23.48.23.173 23.48.23.179 23.48.23.186 23.48.23.132 23.48.23.143 23.48.23.181	whitelisted
www.microsoft.com	23.52.120.96	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
7740	powershell.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
7740	powershell.exe	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
7740	powershell.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
2196	svchost.exe	Misc activity	ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
7740	powershell.exe	Misc activity	ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI

General Info

15052025_1745_Ordendecompra015647.js.zip

E08D04D38520206867F5A8C53A7A753B

4C9289F9AF19A7F6D60DBD57F40D35DA9CFA446B

CBA8DDE3FC0E4E2ED9E405EF64DE94F9EC78ABC17E8A18739B25D610F3AC5D4E

1536:xft/dbVnhv+kpvxgUja18oUoEBHRYOgxwY6prQWw1kTkzJ:bdZndPoUjhTo1YQdJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Gets path to any of the special folders (SCRIPT)

Generic archive extractor

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Uses AES cipher (POWERSHELL)

Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

Actions looks like stealing of personal data

SNAKEKEYLOGGER has been detected (SURICATA)

Request from PowerShell which ran from CMD.EXE

Steals credentials from Web Browsers

Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

SUSPICIOUS

Starts CMD.EXE for commands execution

Writes binary data to a Stream object (SCRIPT)

Runs shell command (SCRIPT)

Executing commands from a ".bat" file

Creates FileSystem object to access computer's file system (SCRIPT)

Application launched itself

Starts POWERSHELL.EXE for commands execution

Possibly malicious use of IEX has been detected

The process bypasses the loading of PowerShell profile settings

Uses base64 encoding (POWERSHELL)

Checks for external IP

The process verifies whether the antivirus software is installed

INFO

Manual execution by a user

Converts byte array into Unicode string (POWERSHELL)

Uses string split method (POWERSHELL)

Converts byte array into ASCII string (POWERSHELL)

Gets data length (POWERSHELL)

Checks proxy server information

Disables trace logs

Found Base64 encoded access to Marshal class via PowerShell (YARA)

Found Base64 encoded text manipulation via PowerShell (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files