File name: _.zip
Full analysis: https://app.any.run/tasks/13ddd915-956c-473c-8485-1786bac13a5b
Verdict: Malicious activity
Analysis date: September 30, 2020, 07:41:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 5DBF41454F3F9AA46B310010ACB83A69
SHA1: F7A9210F64F297F6602950AD868585DB53823D68
SHA256: D3160823838521D5E2AFD1F10AE47BA38CFAF0F63E3E27C943073890A1A1238D
SSDEEP: 196608:NHw3N4MyGZpkrURxw8IqXMkM8FukVTiu3hUYel+ACtnpTknzyt5s2iL973wXFFq:NHun+URxwlPitliu3O3CpTkzOd45w1Fq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1240)
      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
      • filezilla.exe (PID: 1884)
    • Loads dropped or rewritten executable

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1240)
      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
      • filezilla.exe (PID: 1884)
      • regsvr32.exe (PID: 2336)
    • Changes settings of System certificates

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
    • Actions looks like stealing of personal data

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
    • Registers / Runs the DLL via REGSVR32.EXE

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2596)
      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1240)
      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2596)
      • filezilla.exe (PID: 1884)
      • WinRAR.exe (PID: 2624)
    • Application launched itself

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1240)
    • Reads Environment values

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
    • Reads internet explorer settings

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
    • Creates COM task schedule object

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
      • regsvr32.exe (PID: 2336)
    • Creates a software uninstall entry

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
    • Creates files in the user directory

      • filezilla.exe (PID: 1884)
    • Creates files in the program directory

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
  • INFO

    • Manual execution by user

      • NOTEPAD.EXE (PID: 1704)
      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1240)
      • WinRAR.exe (PID: 2624)
    • Dropped object may contain Bitcoin addresses

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
    • Reads settings of System Certificates

      • FileZilla_3.50.0_win64_sponsored-setup.exe (PID: 1728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.kmz | Google Earth saved working session (60)
.zip | ZIP compressed archive (40)

EXIF

ZIP

ZipFileName: _/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2020:09:28 14:44:22
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 59
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph (from start): winrar.exe, notepad.exe (no specs), filezilla_3.50.0_win64_sponsored-setup.exe, filezilla_3.50.0_win64_sponsored-setup.exe, regsvr32.exe (no specs), filezilla.exe, winrar.exe (no specs)

Process information

PID: 2596
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\_.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1704
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\!.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1240
CMD: "C:\Users\admin\Desktop\FileZilla_3.50.0_win64_sponsored-setup.exe"
Path: C:\Users\admin\Desktop\FileZilla_3.50.0_win64_sponsored-setup.exe
Parent process: explorer.exe
User: admin
Company: Tim Kosse
Integrity Level: MEDIUM
Description: FileZilla FTP Client
Exit code: 0
Version: 3.50.0

PID: 1728
CMD: "C:\Users\admin\Desktop\FileZilla_3.50.0_win64_sponsored-setup.exe" /UAC:60152 /NCRC
Path: C:\Users\admin\Desktop\FileZilla_3.50.0_win64_sponsored-setup.exe
Parent process: FileZilla_3.50.0_win64_sponsored-setup.exe
User: admin
Company: Tim Kosse
Integrity Level: HIGH
Description: FileZilla FTP Client
Exit code: 0
Version: 3.50.0

PID: 2336
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\FileZilla FTP Client\fzshellext_64.dll"
Path: C:\Windows\system32\regsvr32.exe
Parent process: FileZilla_3.50.0_win64_sponsored-setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1884
CMD: "C:\Program Files\FileZilla FTP Client\filezilla.exe"
Path: C:\Program Files\FileZilla FTP Client\filezilla.exe
Parent process: FileZilla_3.50.0_win64_sponsored-setup.exe
User: admin
Company: FileZilla Project
Integrity Level: MEDIUM
Description: FileZilla FTP Client
Exit code: 0
Version: 3, 50, 0, 0

PID: 2624
CMD: "C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -- . C:\Users\admin\Desktop\old C:\Users\admin\Desktop\new
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Total events: 1 257
Read events: 1 150
Write events: 107
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
2596 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write | LanguageList | en-US
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\_.zip
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
2596 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write | @C:\Windows\system32\notepad.exe,-469 | Text Document
2596 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1600000016000000D60300000B020000
Executable files: 31
Suspicious files: 113
Text files: 773
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\0018E327.log | - | - | -
2596 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2596.6582\_\FileZilla_3.50.0_win64_sponsored-setup.exe | executable | 90F560CE71CC77FC2E121761EEEF265C | D04BBCD2855D3BBA4627CBB1DA3A0E5FA79FE0B27B371024605FF1382EA94C58
2596 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2596.6582\_\!.txt | text | 50411758798F11294A9C27DE6C37B4E9 | 510FE6A59D8BBD8A7508C56A997D56A07632DF77FD934CB556D883C9CB8C3193
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsh852B.tmp\nsdE04D.tmp | executable | B7B1A495F08CF92743B57890CDDCBAB3 | 6F86F098CEEE30D723AC2505B3C1A3C2C75246CFF14E3CBC10D92F2730F8DD95
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsh852B.tmp\modern-wizard.bmp | image | CBE40FD2B1EC96DAEDC65DA172D90022 | 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
1240 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsf7F9D.tmp\UAC.dll | executable | ADB29E6B186DAA765DC750128649B63D | 2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsd16310159593\css\main.css | text | 9B27E2A266FE15A3AABFE635C29E8923 | 166AA42BC5216C5791388847AE114EC0671A0D97B9952D14F29419B8BE3FB23F
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsh852B.tmp\nsDialogs.dll | executable | 466179E1C8EE8A1FF5E4427DBB6C4A01 | 1E40211AF65923C2F4FD02CE021458A7745D28E2F383835E3015E96575632172
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsh852B.tmp\System.dll | executable | 0D7AD4F45DC6F5AA87F606D0331C6901 | 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
1240 | FileZilla_3.50.0_win64_sponsored-setup.exe | C:\Users\admin\AppData\Local\Temp\nsf7F9D.tmp\System.dll | executable | 0D7AD4F45DC6F5AA87F606D0331C6901 | 3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 21
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
532 | svchost.exe | GET | 200 | 49.12.121.47:443 | https://offers.filezilla-project.org/offerinfo.php | IN | - | - | whitelisted
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | GET | 200 | 143.204.94.91:80 | http://cloud.nitehe-nutete.com/ | US | - | - | whitelisted
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | POST | 200 | 143.204.94.91:443 | https://cloud.nitehe-nutete.com/ | US | - | - | whitelisted
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | POST | 200 | 143.204.94.91:443 | https://cloud.nitehe-nutete.com/ | US | - | - | whitelisted
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | POST | 200 | 13.225.73.25:443 | https://remote.nitehe-nutete.com/ | US | binary | 654 Kb | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | 13.225.73.25:443 | remote.nitehe-nutete.com | - | US | suspicious
1884 | filezilla.exe | 192.185.155.49:49890 | - | CyrusOne LLC | US | malicious
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | 49.12.121.47:443 | offers.filezilla-project.org | - | IN | suspicious
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | 143.204.94.91:80 | cloud.nitehe-nutete.com | - | US | unknown
1728 | FileZilla_3.50.0_win64_sponsored-setup.exe | 143.204.94.91:443 | cloud.nitehe-nutete.com | - | US | unknown
1884 | filezilla.exe | 49.12.121.47:443 | offers.filezilla-project.org | - | IN | suspicious
1884 | filezilla.exe | 192.185.155.49:47566 | - | CyrusOne LLC | US | malicious
1884 | filezilla.exe | 192.185.155.49:21 | - | CyrusOne LLC | US | malicious
1884 | filezilla.exe | 192.185.155.49:48452 | - | CyrusOne LLC | US | malicious
1884 | filezilla.exe | 192.185.155.49:38758 | - | CyrusOne LLC | US | malicious

DNS requests

Domain | IP | Reputation
offers.filezilla-project.org | 49.12.121.47 | whitelisted
cloud.nitehe-nutete.com | 143.204.94.91, 143.204.94.78, 143.204.94.47, 143.204.94.19 | whitelisted
remote.nitehe-nutete.com | 13.225.73.25, 13.225.73.124, 13.225.73.126, 13.225.73.86 | shared
update.filezilla-project.org | 49.12.121.47 | whitelisted

Threats

No threats detected
No debug info