analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Archive.zip

Full analysis: https://app.any.run/tasks/5b718259-340e-455c-be23-9e651ced5211
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 11, 2019, 06:11:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

F85984FB7C179FA2360D6570FA41A24E

SHA1:

AD1D3668439EFC4873DA463286DEC4DD28224386

SHA256:

D3CF9357E8CB5EEE5CCA2530986BB6D8361FDDF692E37E20D6F85FD0AA7AA73C

SSDEEP:

1536:Ndm9XVT9surZ/TlAbZ2hAHXchBa/gnQADyEFXeWp/:NdmXPZ/Tls+Ash6gnsExeG/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • WScript.exe (PID: 3872)
    • Uses BITADMIN.EXE for downloading application

      • WScript.exe (PID: 3872)
  • SUSPICIOUS

    • Executed via COM

      • explorer.exe (PID: 3264)
  • INFO

    • Manual execution by user

      • cmd.exe (PID: 576)
      • WScript.exe (PID: 3872)
      • WinRAR.exe (PID: 2372)
      • notepad.exe (PID: 3300)
    • Reads the hosts file

      • RdrCEF.exe (PID: 3536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: italiano.bat
ZipUncompressedSize: 2367
ZipCompressedSize: 1107
ZipCRC: 0xbba13d23
ZipModifyDate: 2019:08:21 15:19:14
ZipCompression: Deflated
ZipBitFlag: 0x0008
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
17
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs cmd.exe no specs tzutil.exe no specs certutil.exe no specs regedit.exe no specs regedit.exe no specs regedit.exe winrar.exe no specs wscript.exe explorer.exe no specs explorer.exe no specs acrord32.exe no specs acrord32.exe no specs bitsadmin.exe no specs rdrcef.exe no specs rdrcef.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3692"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Archive.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
576cmd /c ""C:\Users\admin\Desktop\italiano.bat" "C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2936tzutil /s "W. Europe Standard Time"C:\Windows\system32\tzutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Time Zone Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3504certutil /decode "C:\Users\admin\AppData\Local\Temp\b64" "C:\Users\admin\AppData\Local\Temp\decoded" C:\Windows\system32\certutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2380regedit.exe /s "C:\Users\admin\AppData\Local\Temp\decoded"C:\Windows\regedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2832"C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded"C:\Windows\regedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3560"C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\Temp\decoded"C:\Windows\regedit.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2372"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\IT07631835943_382cqs.zip" C:\Users\admin\Desktop\C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3872"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\IT40082176881.vbs" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2944"C:\Windows\explorer.exe" C:\Users\admin\Desktop\IT40082176881.pdfC:\Windows\explorer.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
749
Read events
588
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
7
Unknown types
5

Dropped files

PID
Process
Filename
Type
3696AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
MD5:
SHA256:
3696AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.3696
MD5:
SHA256:
3696AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.3696
MD5:
SHA256:
3696AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessagessqlite
MD5:213FB73326D24A80BF86030CB2814E51
SHA256:D28739F54BC371790EC2C7801CEFA181FBD28CB10EB13F38F102CC1EFE132D80
576cmd.exeC:\Users\admin\AppData\Local\Temp\b64text
MD5:31D3914C66095D867C9A84C8FAE369B0
SHA256:97FF2CFDC676C831EBCBD0440DE720647FB8B22367344279E57BBECFAAB4E859
3692WinRAR.exeC:\Users\admin\Desktop\italiano.battext
MD5:573CB46FF1FA6FA404891C3C92DBF0B2
SHA256:BB3F4856FC2DB1144A4123CDC3A0231B9ABC6E89122529BCB87A63D44FF3217C
3756AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lstps
MD5:2C40CFB782E47878A20CFF20930386F4
SHA256:6D6F202383724B5687C2CB377E7920B42BDE2CDF436590DD0842D3EB5A9517DD
3756AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lstps
MD5:45E4A0AC18B8170528EAD071A4D8427F
SHA256:38E8D8F188599D8B4692C5D091F4FB492AEE18368617810F9B13D6A211A896E6
3696AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.datbinary
MD5:E724D72264DA270D3DA2293F7579F7CC
SHA256:3516E878C6EF18D6D7DF8F3D01B63D7E7E87C865D822F62358B96C0576456975
3756AcroRd32.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lstps
MD5:25E48F152F9DB94DD9AAE6C296E3C98D
SHA256:A26C91DE905EBB8932CA931DBB68D589D058E7DEDFFAD02039FC8740E9E7BEB5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.185.24.95:443
carpediem123.com
First Colo GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
carpediem123.com
  • 185.185.24.95
unknown

Threats

No threats detected
No debug info