File name: Proxo_Bootstrapper-2.zip
Full analysis: https://app.any.run/tasks/9bd0226d-3596-4907-8e60-ea5dbd6c9b8c
Verdict: Malicious activity
Analysis date: December 06, 2019, 15:33:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: DD6A1659F2D0C67F5794768FAAE63F50
SHA1: DDE03EE64DFCD5CEEA226D618A4A616D9D05927B
SHA256: D16BCD0458C34239282EBE63D7DC85D12B244F1B26B004DF5DBA35217B07DEF5
SSDEEP: 12288:NOaYiuVJtQ9BwVeRkq71AleFphMF0XXGrZfvY6ih:0aYf69BwVK1tg+yQ64

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Proxo 2.6.7.exe (PID: 3932)
      • Proxo Bootstrapper.exe (PID: 2440)
      • Proxo 2.9.2a.exe (PID: 3920)
      • Proxo 2.9.2a.exe (PID: 2088)
    • Changes settings of System certificates

      • Proxo 2.9.2a.exe (PID: 2088)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Proxo Bootstrapper.exe (PID: 2440)
      • WinRAR.exe (PID: 2508)
      • Proxo 2.6.7.exe (PID: 3932)
    • Creates files in the user directory

      • Proxo 2.9.2a.exe (PID: 2088)
    • Adds / modifies Windows certificates

      • Proxo 2.9.2a.exe (PID: 2088)
  • INFO

    • Reads settings of System Certificates

      • Proxo 2.9.2a.exe (PID: 2088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:05:04 04:50:10
ZipCRC: 0xd843624d
ZipCompressedSize: 145746
ZipUncompressedSize: 154112
ZipFileName: Proxo Bootstrapper.exe
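The EXIF/ZIP fields above are read straight from the archive's local and central-directory headers. As an added example (not part of the ANY.RUN report and not Proxo's code), the Python below reads the same fields with the standard library and re-computes each member's CRC-32 from the decompressed bytes, so a truncated or tampered member is flagged before anything is extracted to disk. The archive it builds in memory is a constructed stand-in, not the real Proxo_Bootstrapper-2.zip, and flip_byte_in_first_member is a constructed helper that simulates a corrupted member.

```python
"""Read the ZIP header fields the report lists and verify each member's CRC-32.

Added example; not part of the ANY.RUN report and not Proxo's code. The archive
is constructed in memory (a stand-in, not the real Proxo_Bootstrapper-2.zip), and
flip_byte_in_first_member is a constructed helper that simulates a corrupted or
tampered member.
"""
import io
import struct
import zipfile
import zlib

COMPRESSION_NAMES = {
    zipfile.ZIP_STORED: "Stored",
    zipfile.ZIP_DEFLATED: "Deflated",
    zipfile.ZIP_BZIP2: "BZip2",
    zipfile.ZIP_LZMA: "LZMA",
}

# Constructed payload: an MZ header followed by padding and a marker string.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 2000 + b"stand-in payload, not the real dropper"


def build_sample_archive() -> bytes:
    """One Deflated member named like the report's, with the report's timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("Proxo Bootstrapper.exe", date_time=(2019, 5, 4, 4, 50, 10))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, SAMPLE_PAYLOAD)
    return buf.getvalue()


def zip_member_metadata(archive_bytes: bytes) -> list:
    """Return one dict per member with the fields shown in the EXIF/ZIP section,
    plus crc_ok: whether the decompressed data still matches the stored CRC-32."""
    records = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            try:
                data = zf.read(info)  # zipfile raises BadZipFile on a CRC mismatch
                crc_ok = (zlib.crc32(data) & 0xFFFFFFFF) == info.CRC
            except (zipfile.BadZipFile, zlib.error, EOFError):
                crc_ok = False
            records.append({
                "ZipRequiredVersion": info.extract_version,  # 20 means "at least v2.0 to extract"
                "ZipCompression": COMPRESSION_NAMES.get(info.compress_type, str(info.compress_type)),
                "ZipModifyDate": "%04d:%02d:%02d %02d:%02d:%02d" % info.date_time,
                "ZipCRC": "0x%08x" % info.CRC,
                "ZipCompressedSize": info.compress_size,
                "ZipUncompressedSize": info.file_size,
                "ZipFileName": info.filename,
                "crc_ok": crc_ok,
            })
    return records


def flip_byte_in_first_member(archive_bytes: bytes) -> bytes:
    """Constructed tamper case: XOR one byte in the middle of the first member's
    compressed data, leaving both headers and the central directory intact."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        info = zf.infolist()[0]
    # Local file header: 30 fixed bytes, then filename and extra field
    # (their lengths sit at offsets 26 and 28), then the compressed data.
    name_len, extra_len = struct.unpack_from("<HH", archive_bytes, info.header_offset + 26)
    data_start = info.header_offset + 30 + name_len + extra_len
    buf = bytearray(archive_bytes)
    buf[data_start + info.compress_size // 2] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    for rec in zip_member_metadata(build_sample_archive()):
        for key, value in rec.items():
            print(f"{key}: {value}")
    tampered = zip_member_metadata(flip_byte_in_first_member(build_sample_archive()))
    print("tampered crc_ok:", tampered[0]["crc_ok"])
```

On a real sample, pass the archive bytes read from disk to zip_member_metadata; the CRC and sizes it returns can be compared directly against the EXIF values above, and a crc_ok of False means the member on disk is no longer the one the report describes.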
No data.
Total processes: 41
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph (process chain; the interactive graph is in the full report)

WinRAR.exe -> Proxo Bootstrapper.exe -> Proxo 2.6.7.exe -> Proxo 2.9.2a.exe (PID 3920, no specs) and Proxo 2.9.2a.exe (PID 2088). Each child in the chain was dropped to disk and then started by its parent.

Process information

PID 2508 | WinRAR.exe | Parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Proxo_Bootstrapper-2.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2440 | Proxo Bootstrapper.exe | Parent process: WinRAR.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo Bootstrapper.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo Bootstrapper.exe
  User: admin
  Integrity Level: MEDIUM
  Description: WindowsFormsApp89
  Version: 1.0.0.0
  Exit code: 1

PID 3932 | Proxo 2.6.7.exe | Parent process: Proxo Bootstrapper.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.6.7.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.6.7.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3920 | Proxo 2.9.2a.exe | Parent process: Proxo 2.6.7.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.9.2a.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.9.2a.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the same binary was then relaunched as PID 2088 at HIGH integrity)

PID 2088 | Proxo 2.9.2a.exe | Parent process: Proxo 2.6.7.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.9.2a.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.9.2a.exe
  User: admin
  Integrity Level: HIGH
Total events: 1 379
Read events: 1 293
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 8
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3932 | Proxo 2.6.7.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\SkisploitProxoModule.dll | executable
  MD5: 7446E13298C6F5AD35668A636742EC97
  SHA256: 7CD4AE804ED4B73693CA3370EF98FED61E5D7A517F45494DEDF36841F07F50CE
2440 | Proxo Bootstrapper.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\SkisploitProxoModule.dll | executable
  MD5: 7446E13298C6F5AD35668A636742EC97
  SHA256: 7CD4AE804ED4B73693CA3370EF98FED61E5D7A517F45494DEDF36841F07F50CE
2088 | Proxo 2.9.2a.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\dpdv2[1].aspx | text
  MD5: 0E06F5E542066124FDE83B25E818192E
  SHA256: F41BDADA8F98DBA2AB4011B4AB7E18FF6F3F90FE2BED2FCCF0763AB14D0CF62D
3932 | Proxo 2.6.7.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.9.2a.exe | executable
  MD5: 59656A3CC227A618F9CD9E9BA79984E5
  SHA256: F6462699B89FD61BA994D18F8DE954B797D203EA8820412DF95B020A119E8959
3932 | Proxo 2.6.7.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo Bootstrapper 2.0 (Auto Updater).exe | executable
  MD5: 3F13CC3AE504869B74F83B3EF225D005
  SHA256: 62C21F3BC2275A3994B29CD4803E8114E4C9D2CC558F638C748A425C867823DF
2508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo Bootstrapper.exe | executable
  MD5: B6CA1F0E926A94AC21FE42629FDA9B93
  SHA256: 097CCED9DDD6B46E78CAA5567E74BF181BF0DB765DF5518DA3B7EEC7DA1CF8A4
2088 | Proxo 2.9.2a.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\offers[1].php | text
  MD5: 526D6BE5E12047329B3EB3DA10927700
  SHA256: C01FAE7FD325413F0D8B74111A87112D5DBE3224FC212F6FFDB6A6781E3D2081
2088 | Proxo 2.9.2a.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@proxo[1].txt | text
  MD5: 1CBEBC215139D205654CD98FCBC61FA3
  SHA256: BC61FA4248D71764B371ABBD043579B4104C03528CD1E08B15989AB253BB370C
2440 | Proxo Bootstrapper.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\Proxo 2.6.7.exe | executable
  MD5: 3F13CC3AE504869B74F83B3EF225D005
  SHA256: 62C21F3BC2275A3994B29CD4803E8114E4C9D2CC558F638C748A425C867823DF
2508 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.41900\SkisploitProxoModule.dll | executable
  MD5: B77D4700E6BEA4952E289E52F42B95B8
  SHA256: 75600175B9D3A682642D025669A8C0499E38E72A2BD7606B39B48B976E68CC07

Note that SkisploitProxoModule.dll at the same path has two different contents in this table: the copy extracted by WinRAR.exe (MD5 B77D4700...) and the copy written by Proxo Bootstrapper.exe and Proxo 2.6.7.exe (MD5 7446E132...), so the DLL shipped in the archive is overwritten at runtime. Likewise "Proxo 2.6.7.exe" and "Proxo Bootstrapper 2.0 (Auto Updater).exe" share one hash (MD5 3F13CC3A...), and both dpdv2[1].aspx and offers[1].php are WinINet cache copies of the HTTP responses listed below.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 8
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2088 | Proxo 2.9.2a.exe | POST | 200 | 35.190.60.70:80 | http://dlsft.com/callback/?channel=Easyexploits&action=started | US | - | - | malicious
2088 | Proxo 2.9.2a.exe | POST | 200 | 35.190.60.70:80 | http://dlsft.com/callback/geo/geo.php | US | text | 18 b | malicious
2088 | Proxo 2.9.2a.exe | GET | 200 | 35.190.60.70:80 | http://dlsft.com/callback/offers.php | US | text | 25 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2440 | Proxo Bootstrapper.exe | 162.159.135.233:443 | cdn.discordapp.com | Cloudflare Inc | - | shared
3932 | Proxo 2.6.7.exe | 162.159.135.233:443 | cdn.discordapp.com | Cloudflare Inc | - | shared
2440 | Proxo Bootstrapper.exe | 104.20.68.143:443 | pastebin.com | Cloudflare Inc | US | malicious
3932 | Proxo 2.6.7.exe | 104.20.68.143:443 | pastebin.com | Cloudflare Inc | US | malicious
2088 | Proxo 2.9.2a.exe | 23.203.77.99:443 | dpd.securestudies.com | Akamai Technologies, Inc. | US | unknown
2088 | Proxo 2.9.2a.exe | 104.18.54.179:443 | proxo.wtf | Cloudflare Inc | US | unknown
2088 | Proxo 2.9.2a.exe | 35.190.60.70:80 | dlsft.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
pastebin.com | 104.20.68.143, 104.20.67.143 | shared
cdn.discordapp.com | 162.159.135.233, 162.159.134.233, 162.159.133.233, 162.159.130.233, 162.159.129.233 | shared
dlsft.com | 35.190.60.70 | malicious
proxo.wtf | 104.18.54.179, 104.18.55.179 | malicious
dpd.securestudies.com | 23.203.77.99 | whitelisted
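The domains, IPs, callback URL paths and dropped-file hashes in the tables above are the indicators worth hunting for. The Python below is an added example, not part of the ANY.RUN report: it loads those values as constants and runs them over constructed proxy, DNS and file-hash records (the log formats, client addresses, timestamps and the non-Proxo file entries are invented for the demonstration). It keys URL matches on host plus path so the changing query string of the /callback/ request does not matter, matches subdomains of the listed domains but not look-alike suffixes, flags unknown names that resolve to a listed IP, and reports pastebin.com and cdn.discordapp.com only as context, since shared infrastructure is too noisy to alert on by itself.

```python
"""Hunt for this report's network and file IOCs in local telemetry.

Added example, not part of the ANY.RUN report. Indicator values are copied from
the HTTP requests, Connections, DNS requests and Dropped files tables; the log
lines and file entries below are constructed so the script runs offline.
"""
from urllib.parse import urlsplit

IOC_DOMAINS = {"dlsft.com", "proxo.wtf", "dpd.securestudies.com"}
IOC_IPS = {"35.190.60.70", "104.18.54.179", "104.18.55.179", "23.203.77.99"}
IOC_URL_PATHS = {  # (host, path) of the callback endpoints; query strings ignored
    ("dlsft.com", "/callback/"),
    ("dlsft.com", "/callback/geo/geo.php"),
    ("dlsft.com", "/callback/offers.php"),
}
IOC_SHA256 = {h.lower() for h in (
    "097CCED9DDD6B46E78CAA5567E74BF181BF0DB765DF5518DA3B7EEC7DA1CF8A4",  # Proxo Bootstrapper.exe
    "62C21F3BC2275A3994B29CD4803E8114E4C9D2CC558F638C748A425C867823DF",  # Proxo 2.6.7.exe / Auto Updater
    "F6462699B89FD61BA994D18F8DE954B797D203EA8820412DF95B020A119E8959",  # Proxo 2.9.2a.exe
    "7CD4AE804ED4B73693CA3370EF98FED61E5D7A517F45494DEDF36841F07F50CE",  # SkisploitProxoModule.dll (runtime copy)
    "75600175B9D3A682642D025669A8C0499E38E72A2BD7606B39B48B976E68CC07",  # SkisploitProxoModule.dll (archive copy)
)}
# Shared CDN/paste infrastructure also contacted by the samples: reported as
# context for correlation, never as a hit on its own.
CONTEXT_DOMAINS = {"pastebin.com", "cdn.discordapp.com"}


def _norm_host(host):
    return (host or "").lower().rstrip(".")


def _in_domain_set(host, domains):
    host = _norm_host(host)
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_host(host):
    """'ioc' for listed domains and their subdomains, 'context' for shared infra, else None."""
    if _in_domain_set(host, IOC_DOMAINS):
        return "ioc"
    if _in_domain_set(host, CONTEXT_DOMAINS):
        return "context"
    return None


def classify_url(url):
    """Match on host + path so a changed query string cannot evade the callback check."""
    parts = urlsplit(url)
    if (_norm_host(parts.hostname), parts.path) in IOC_URL_PATHS:
        return "callback-endpoint"
    return classify_host(parts.hostname)


def scan_proxy_log(text):
    """Constructed format: '<epoch> <client> <method> <url> <status>' per line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, _status = fields[:5]
        reason = classify_url(url)
        if reason:
            hits.append((client, reason, url))
    return hits


def scan_dns_log(text):
    """Constructed format: '<epoch> <client> <qname> <qtype> <answer>' per line.
    An unlisted name resolving to a listed IP is flagged too (domain rotation)."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, qname, _qtype, answer = fields[:5]
        reason = classify_host(qname) or ("resolved-to-ioc-ip" if answer in IOC_IPS else None)
        if reason:
            hits.append((client, reason, qname))
    return hits


def scan_file_hashes(entries):
    """entries: iterable of (path, sha256 hex); digests are compared case-insensitively."""
    return [(path, digest.lower()) for path, digest in entries if digest.lower() in IOC_SHA256]


# Constructed sample telemetry; clients, timestamps and non-Proxo entries are invented.
PROXY_LOG = """\
1575646392 10.0.0.15 POST http://dlsft.com/callback/?channel=Easyexploits&action=started 200
1575646393 10.0.0.15 POST http://dlsft.com/callback/geo/geo.php 200
1575646395 10.0.0.15 GET http://dlsft.com/callback/offers.php 200
1575646400 10.0.0.22 GET https://www.example.com/index.html 200
1575646401 10.0.0.22 GET https://cdn.discordapp.com/attachments/1/2/readme.txt 200
1575646402 10.0.0.31 GET http://updates.dlsft.com/ 200
1575646403 10.0.0.31 GET http://dlsft.com.example.test/ 200
"""
DNS_LOG = """\
1575646390 10.0.0.15 dlsft.com A 35.190.60.70
1575646394 10.0.0.15 proxo.wtf A 104.18.54.179
1575646396 10.0.0.15 pastebin.com A 104.20.68.143
1575646398 10.0.0.40 www.example.com A 192.0.2.10
1575646399 10.0.0.40 cdn-x.example.test A 35.190.60.70
"""
FILE_HASHES = [
    (r"C:\Users\alice\Downloads\Proxo Bootstrapper.exe",
     "097CCED9DDD6B46E78CAA5567E74BF181BF0DB765DF5518DA3B7EEC7DA1CF8A4"),
    (r"C:\Users\alice\Downloads\notes.txt", "0" * 64),  # placeholder digest
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG) + scan_dns_log(DNS_LOG):
        print("network", *hit)
    for hit in scan_file_hashes(FILE_HASHES):
        print("file", *hit)
```

Treat a "context" result as corroboration only: the pastebin.com and cdn.discordapp.com connections made by the Bootstrapper and 2.6.7 processes are meaningful next to a callback-endpoint or hash hit from the same host, not in isolation.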

Threats

PID | Process | Class | Message
2088 | Proxo 2.9.2a.exe | Misc activity | ADWARE [PTsecurity] Gen:Variant.Midie.55716
1 ETPRO signatures available at the full report
Process | Message
Proxo 2.9.2a.exe | scanning node question /questions/question (this message was emitted 9 times)