Field | Value
---|---
File name | Proxo_Bootstrapper-2.zip
Full analysis | https://app.any.run/tasks/9bd0226d-3596-4907-8e60-ea5dbd6c9b8c
Verdict | Malicious activity
Analysis date | December 06, 2019, 15:33:12
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | DD6A1659F2D0C67F5794768FAAE63F50
SHA1 | DDE03EE64DFCD5CEEA226D618A4A616D9D05927B
SHA256 | D16BCD0458C34239282EBE63D7DC85D12B244F1B26B004DF5DBA35217B07DEF5
SSDEEP | 12288:NOaYiuVJtQ9BwVeRkq71AleFphMF0XXGrZfvY6ih:0aYf69BwVK1tg+yQ64
Field | Value
---|---
Type | .zip: ZIP compressed archive (100)
ZipRequiredVersion | 20
ZipBitFlag | -
ZipCompression | Deflated
ZipModifyDate | 2019:05:04 04:50:10
ZipCRC | 0xd843624d
ZipCompressedSize | 145746
ZipUncompressedSize | 154112
ZipFileName | Proxo Bootstrapper.exe
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2508 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Proxo_Bootstrapper-2.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2440 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo Bootstrapper.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo Bootstrapper.exe | — | WinRAR.exe | User: admin; Integrity Level: MEDIUM; Description: WindowsFormsApp89; Exit code: 1; Version: 1.0.0.0
3932 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.6.7.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.6.7.exe | — | Proxo Bootstrapper.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3920 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.9.2a.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.9.2a.exe | — | Proxo 2.6.7.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540
2088 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.9.2a.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.9.2a.exe | — | Proxo 2.6.7.exe | User: admin; Integrity Level: HIGH
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3932 | Proxo 2.6.7.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\SkisploitProxoModule.dll | executable | 7446E13298C6F5AD35668A636742EC97 | 7CD4AE804ED4B73693CA3370EF98FED61E5D7A517F45494DEDF36841F07F50CE
2440 | Proxo Bootstrapper.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\SkisploitProxoModule.dll | executable | 7446E13298C6F5AD35668A636742EC97 | 7CD4AE804ED4B73693CA3370EF98FED61E5D7A517F45494DEDF36841F07F50CE
2088 | Proxo 2.9.2a.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\dpdv2[1].aspx | text | 0E06F5E542066124FDE83B25E818192E | F41BDADA8F98DBA2AB4011B4AB7E18FF6F3F90FE2BED2FCCF0763AB14D0CF62D
3932 | Proxo 2.6.7.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.9.2a.exe | executable | 59656A3CC227A618F9CD9E9BA79984E5 | F6462699B89FD61BA994D18F8DE954B797D203EA8820412DF95B020A119E8959
3932 | Proxo 2.6.7.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo Bootstrapper 2.0 (Auto Updater).exe | executable | 3F13CC3AE504869B74F83B3EF225D005 | 62C21F3BC2275A3994B29CD4803E8114E4C9D2CC558F638C748A425C867823DF
2508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo Bootstrapper.exe | executable | B6CA1F0E926A94AC21FE42629FDA9B93 | 097CCED9DDD6B46E78CAA5567E74BF181BF0DB765DF5518DA3B7EEC7DA1CF8A4
2088 | Proxo 2.9.2a.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\offers[1].php | text | 526D6BE5E12047329B3EB3DA10927700 | C01FAE7FD325413F0D8B74111A87112D5DBE3224FC212F6FFDB6A6781E3D2081
2088 | Proxo 2.9.2a.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@proxo[1].txt | text | 1CBEBC215139D205654CD98FCBC61FA3 | BC61FA4248D71764B371ABBD043579B4104C03528CD1E08B15989AB253BB370C
2440 | Proxo Bootstrapper.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.6.7.exe | executable | 3F13CC3AE504869B74F83B3EF225D005 | 62C21F3BC2275A3994B29CD4803E8114E4C9D2CC558F638C748A425C867823DF
2508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\SkisploitProxoModule.dll | executable | B77D4700E6BEA4952E289E52F42B95B8 | 75600175B9D3A682642D025669A8C0499E38E72A2BD7606B39B48B976E68CC07
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2088 | Proxo 2.9.2a.exe | POST | 200 | 35.190.60.70:80 | http://dlsft.com/callback/?channel=Easyexploits&action=started | US | — | — | malicious |
2088 | Proxo 2.9.2a.exe | POST | 200 | 35.190.60.70:80 | http://dlsft.com/callback/geo/geo.php | US | text | 18 b | malicious |
2088 | Proxo 2.9.2a.exe | GET | 200 | 35.190.60.70:80 | http://dlsft.com/callback/offers.php | US | text | 25 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2440 | Proxo Bootstrapper.exe | 162.159.135.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
3932 | Proxo 2.6.7.exe | 162.159.135.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2440 | Proxo Bootstrapper.exe | 104.20.68.143:443 | pastebin.com | Cloudflare Inc | US | malicious |
3932 | Proxo 2.6.7.exe | 104.20.68.143:443 | pastebin.com | Cloudflare Inc | US | malicious |
2088 | Proxo 2.9.2a.exe | 23.203.77.99:443 | dpd.securestudies.com | Akamai Technologies, Inc. | US | unknown |
2088 | Proxo 2.9.2a.exe | 104.18.54.179:443 | proxo.wtf | Cloudflare Inc | US | unknown |
2088 | Proxo 2.9.2a.exe | 35.190.60.70:80 | dlsft.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
pastebin.com | | shared
cdn.discordapp.com | | shared
dlsft.com | | malicious
proxo.wtf | | malicious
dpd.securestudies.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2088 | Proxo 2.9.2a.exe | Misc activity | ADWARE [PTsecurity] Gen:Variant.Midie.55716 |
Process | Message
---|---
Proxo 2.9.2a.exe | scanning node question /questions/question
Proxo 2.9.2a.exe | scanning node question /questions/question
Proxo 2.9.2a.exe | scanning node question /questions/question
Proxo 2.9.2a.exe | scanning node question /questions/question
Proxo 2.9.2a.exe | scanning node question /questions/question
Proxo 2.9.2a.exe | scanning node question /questions/question
Proxo 2.9.2a.exe | scanning node question /questions/question
Proxo 2.9.2a.exe | scanning node question /questions/question
Proxo 2.9.2a.exe | scanning node question /questions/question