| File name: | Crypto Brutoforce.zip |
| Full analysis: | https://app.any.run/tasks/0d82f56a-dc81-41c3-8de1-f1280721a0d1 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | February 25, 2024, 12:47:37 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | 45B344877303B3CA013527531672394C |
| SHA1: | 4C3F99D158E93DA98A44B955B2314EC9267EF19C |
| SHA256: | D57F51EA9FE46C6C14AE9B0AB84175A16BFC049811CD66F82E70E83B6C5378C8 |
| SSDEEP: | 98304:yl8+rk3PW2Eig0YBCdxZ+G/1B/ngX46GS0J6nMc3/nkv15QL2Ojo2e12yJpKIuDZ:ooSayj |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 4052)
- SeedBrutoforce .exe (PID: 3228)
- Both.exe (PID: 2304)
Actions looks like stealing of personal data
- Client.exe (PID: 3276)
Steals credentials
- Client.exe (PID: 3276)
Steals credentials from Web Browsers
- Client.exe (PID: 3276)
Starts NET.EXE to view/add/change user profiles
- powershell.exe (PID: 2408)
- net.exe (PID: 2596)
Starts NET.EXE to view/change users localgroup
- net.exe (PID: 2320)
- powershell.exe (PID: 3544)
- powershell.exe (PID: 1236)
- net.exe (PID: 844)
SUSPICIOUS
Executable content was dropped or overwritten
- SeedBrutoforce .exe (PID: 3228)
- Both.exe (PID: 2304)
Reads the Internet Settings
- SeedBrutoforce .exe (PID: 3228)
- SeedBrutoforce.exe (PID: 2328)
- Both.exe (PID: 2304)
- RDP.exe (PID: 3964)
- Client.exe (PID: 3276)
Reads security settings of Internet Explorer
- SeedBrutoforce .exe (PID: 3228)
- Both.exe (PID: 2304)
- RDP.exe (PID: 3964)
Starts POWERSHELL.EXE for commands execution
- RDP.exe (PID: 3964)
Write to the desktop.ini file (may be used to cloak folders)
- Client.exe (PID: 3276)
Searches for installed software
- Client.exe (PID: 3276)
Reads settings of System Certificates
- Client.exe (PID: 3276)
- RDP.exe (PID: 3964)
Reads browser cookies
- Client.exe (PID: 3276)
Executing commands from ".cmd" file
- RDP.exe (PID: 3964)
Starts CMD.EXE for commands execution
- RDP.exe (PID: 3964)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 316)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- Client.exe (PID: 3276)
- RDP.exe (PID: 3964)
Checks for external IP
- RDP.exe (PID: 3964)
- Client.exe (PID: 3276)
Accesses Microsoft Outlook profiles
- Client.exe (PID: 3276)
INFO
Manual execution by a user
- SeedBrutoforce .exe (PID: 3228)
Reads the computer name
- SeedBrutoforce .exe (PID: 3228)
- Both.exe (PID: 2304)
- SeedBrutoforce.exe (PID: 2328)
- Client.exe (PID: 3276)
- RDP.exe (PID: 3964)
Checks supported languages
- SeedBrutoforce .exe (PID: 3228)
- Both.exe (PID: 2304)
- SeedBrutoforce.exe (PID: 2328)
- RDP.exe (PID: 3964)
- Client.exe (PID: 3276)
Create files in a temporary directory
- SeedBrutoforce .exe (PID: 3228)
- Both.exe (PID: 2304)
- Client.exe (PID: 3276)
- RDP.exe (PID: 3964)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 4052)
Reads the machine GUID from the registry
- SeedBrutoforce .exe (PID: 3228)
- Both.exe (PID: 2304)
- SeedBrutoforce.exe (PID: 2328)
- Client.exe (PID: 3276)
- RDP.exe (PID: 3964)
Reads Environment values
- SeedBrutoforce.exe (PID: 2328)
- Client.exe (PID: 3276)
- RDP.exe (PID: 3964)
Creates files or folders in the user directory
- Client.exe (PID: 3276)
Reads the software policy settings
- Client.exe (PID: 3276)
- RDP.exe (PID: 3964)
Reads CPU info
- Client.exe (PID: 3276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2024:02:25 12:12:02 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | Crypto Brutoforce/ |
Total processes
59
Monitored processes
17
Malicious processes
4
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 316 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp600F.tmp.cmd"" | C:\Windows\System32\cmd.exe | — | RDP.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 764 | timeout 4 | C:\Windows\System32\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 844 | "C:\Windows\system32\net.exe" localgroup Remote Desktop Users ThanksEgalsa /add | C:\Windows\System32\net.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1236 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup administrators ThanksEgalsa /add | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | RDP.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1784 | C:\Windows\system32\net1 localgroup Remote Desktop Users ThanksEgalsa /add | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1860 | C:\Windows\system32\net1 user ThanksEgalsa ThanksEgalsa /add | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2304 | "C:\Users\admin\AppData\Local\Temp\Both.exe" | C:\Users\admin\AppData\Local\Temp\Both.exe | SeedBrutoforce .exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: WindowsFormsApp1 Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2320 | "C:\Windows\system32\net.exe" localgroup administrators ThanksEgalsa /add | C:\Windows\System32\net.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2328 | "C:\Users\admin\AppData\Local\Temp\SeedBrutoforce.exe" | C:\Users\admin\AppData\Local\Temp\SeedBrutoforce.exe | SeedBrutoforce .exe | ||||||||||||
User: admin Company: Microsoft Integrity Level: MEDIUM Description: SeedBrutoforce Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2408 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net user ThanksEgalsa ThanksEgalsa /add | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | RDP.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
Total events
33 637
Read events
33 527
Write events
110
Delete events
0
Modification events
| (PID) Process: | (4052) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (4052) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (4052) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (4052) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (4052) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (4052) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (4052) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Crypto Brutoforce.zip | |||
| (PID) Process: | (4052) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (4052) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (4052) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
6
Suspicious files
24
Text files
43
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4052 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.26014\Crypto Brutoforce\SeedBrutoforce .exe | executable | |
MD5:4E085BA5B9F87E84E3DDBD88595FF82B | SHA256:B2DA8B0FC695B60B07EBFAB78B13DB0A7C7767564035A31DC05ABAAAFA4890B0 | |||
| 3228 | SeedBrutoforce .exe | C:\Users\admin\AppData\Local\Temp\Both.exe | executable | |
MD5:6DA9F969F03217C94526FCD30B024A67 | SHA256:9676D9BF3222562CDCE6B4D53B818AF50A3A40EE2B7A41250778EC8C59997CD0 | |||
| 2304 | Both.exe | C:\Users\admin\AppData\Local\Temp\ImageFile1.UK | text | |
MD5:91FE33A8BAC0A89ECCAEF42FAEAB2A27 | SHA256:F9C8427F7AFC93719EACA0B4E3C4B6A5525B215714B9AC35D802744B80EA5175 | |||
| 3276 | Client.exe | C:\Users\admin\AppData\Local\Temp\places.raw | — | |
MD5:— | SHA256:— | |||
| 4052 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4052.26014\Crypto Brutoforce\SeedBrutoforce.pdb | pdb | |
MD5:EDE98034EA827C5853B91496384CA4A2 | SHA256:5FF20871B944BE42A2999178A67A0D55549A3089E6A1B857B078511DBC7F6D16 | |||
| 3228 | SeedBrutoforce .exe | C:\Users\admin\AppData\Local\Temp\SeedBrutoforce.exe | executable | |
MD5:0463286A155E3C612FA43183D5CDDE5C | SHA256:D9F57C97D6E0CAE4A18D9DB1EFF6701A926C6C99BE8261A11984429BA90D0E27 | |||
| 2304 | Both.exe | C:\Users\admin\AppData\Local\Temp\ImageFile2.UK | text | |
MD5:26FC605B0A0E4D04B50E9D764BB32BCB | SHA256:B804F473B30957FD110EBEB7088772E78ECB4C1BEA353F71C92AF097EC7A618B | |||
| 2304 | Both.exe | C:\Users\admin\AppData\Local\Temp\Client.exe | executable | |
MD5:4D0A2B6834670F59DE7F11518DA39304 | SHA256:2ED252FDF9CB6C8AE84FCE7CC4B8103D2088C4195537BB36A8D98334943D6F73 | |||
| 3276 | Client.exe | C:\Users\admin\AppData\Local\USER-PC\FileGrabber\Desktop\desktop.ini | text | |
MD5:9E36CC3537EE9EE1E3B10FA4E761045B | SHA256:4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026 | |||
| 3276 | Client.exe | C:\Users\admin\AppData\Local\USER-PC\FileGrabber\Desktop\booksjust.png | image | |
MD5:78BA643CA43B46A025236EFBE523EC0F | SHA256:DB3C920DB336A5371C13D7C7A2E658651D720EB853386EDCE2942BF068529BE5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
760
TCP/UDP connections
25
DNS requests
13
Threats
46
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2328 | SeedBrutoforce.exe | GET | 200 | 2.21.20.155:80 | http://www.msftncsi.com/ncsi.txt | unknown | text | 14 b | unknown |
2328 | SeedBrutoforce.exe | GET | 200 | 2.21.20.155:80 | http://www.msftncsi.com/ncsi.txt | unknown | text | 14 b | unknown |
2328 | SeedBrutoforce.exe | GET | 200 | 2.21.20.155:80 | http://www.msftncsi.com/ncsi.txt | unknown | text | 14 b | unknown |
2328 | SeedBrutoforce.exe | GET | 200 | 2.21.20.155:80 | http://www.msftncsi.com/ncsi.txt | unknown | text | 14 b | unknown |
2328 | SeedBrutoforce.exe | GET | 200 | 2.21.20.155:80 | http://www.msftncsi.com/ncsi.txt | unknown | text | 14 b | unknown |
2328 | SeedBrutoforce.exe | GET | 200 | 2.21.20.155:80 | http://www.msftncsi.com/ncsi.txt | unknown | text | 14 b | unknown |
2328 | SeedBrutoforce.exe | GET | 200 | 2.21.20.155:80 | http://www.msftncsi.com/ncsi.txt | unknown | text | 14 b | unknown |
2328 | SeedBrutoforce.exe | GET | 200 | 2.21.20.155:80 | http://www.msftncsi.com/ncsi.txt | unknown | text | 14 b | unknown |
2328 | SeedBrutoforce.exe | GET | 200 | 2.21.20.155:80 | http://www.msftncsi.com/ncsi.txt | unknown | text | 14 b | unknown |
2328 | SeedBrutoforce.exe | GET | 200 | 2.21.20.155:80 | http://www.msftncsi.com/ncsi.txt | unknown | text | 14 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2328 | SeedBrutoforce.exe | 2.21.20.155:80 | www.msftncsi.com | Akamai International B.V. | DE | unknown |
3276 | Client.exe | 188.114.97.3:443 | freegeoip.app | CLOUDFLARENET | NL | unknown |
3276 | Client.exe | 162.125.69.15:443 | dl.dropboxusercontent.com | DROPBOX | US | unknown |
3276 | Client.exe | 172.67.209.71:443 | ipbase.com | CLOUDFLARENET | US | unknown |
3964 | RDP.exe | 34.117.118.44:443 | www.ifconfig.me | GOOGLE-CLOUD-PLATFORM | US | unknown |
3964 | RDP.exe | 184.24.77.202:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
3964 | RDP.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
dns.msftncsi.com |
| shared |
www.msftncsi.com |
| whitelisted |
dl.dropboxusercontent.com |
| shared |
freegeoip.app |
| whitelisted |
ipbase.com |
| unknown |
www.ifconfig.me |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
api.telegram.org |
| shared |
api.ipify.org |
| shared |
ip-api.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3276 | Client.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) |
3276 | Client.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) |
3276 | Client.exe | Misc activity | ET INFO DropBox User Content Download Access over SSL M2 |
3276 | Client.exe | Misc activity | ET INFO DropBox User Content Download Access over SSL M2 |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com) |
3276 | Client.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI) |
3276 | Client.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) |
3276 | Client.exe | Misc activity | ET INFO DropBox User Content Download Access over SSL M2 |
3276 | Client.exe | Misc activity | ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) |
3276 | Client.exe | Misc activity | ET INFO DropBox User Content Download Access over SSL M2 |
3 ETPRO signatures available at the full report