| File name: | SaMarinDa Free (V3-VPS) (1).zip |
| Full analysis: | https://app.any.run/tasks/ce20ec04-75d4-49aa-9f9f-1aa2a585371d |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 29, 2024, 10:23:56 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | 4A1FB389DE318C7EE4FEC0F8498450A0 |
| SHA1: | F61E20994ECCCFDF0C636F6D33F847B3227E41B0 |
| SHA256: | D5B7CAE94E6E84C39D8706B8CDA7195912EF203503F25411729D739734EF9F04 |
| SSDEEP: | 768:U3A58jP9V4+zz1+xkn4eWj/vMhvmgiY90:eA69S+zzwmiMhvmC90 |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3984)
- LoaderSMD.exe (PID: 328)
- TokenSMD.exe (PID: 1488)
HILOTI has been detected (SURICATA)
- TokenSMD.exe (PID: 1488)
SUSPICIOUS
Reads security settings of Internet Explorer
- LoaderSMD.exe (PID: 328)
- TokenSMD.exe (PID: 1488)
Connects to the server without a host name
- LoaderSMD.exe (PID: 328)
- TokenSMD.exe (PID: 1488)
Starts CMD.EXE for commands execution
- TokenSMD.exe (PID: 1488)
Executable content was dropped or overwritten
- LoaderSMD.exe (PID: 328)
- TokenSMD.exe (PID: 1488)
Uses WMIC.EXE to obtain BIOS management information
- cmd.exe (PID: 588)
Uses WMIC.EXE to obtain CPU information
- cmd.exe (PID: 1132)
Reads the Internet Settings
- WMIC.exe (PID: 1664)
- WMIC.exe (PID: 1944)
- WMIC.exe (PID: 1788)
- TokenSMD.exe (PID: 1488)
- LoaderSMD.exe (PID: 328)
Uses WMIC.EXE to obtain physical disk drive information
- cmd.exe (PID: 1824)
Checks Windows Trust Settings
- TokenSMD.exe (PID: 1488)
Start notepad (likely ransomware note)
- TokenSMD.exe (PID: 1488)
Reads settings of System Certificates
- TokenSMD.exe (PID: 1488)
INFO
Manual execution by a user
- LoaderSMD.exe (PID: 1024)
- wmpnscfg.exe (PID: 2080)
- chrome.exe (PID: 2520)
- LoaderSMD.exe (PID: 328)
Reads the machine GUID from the registry
- LoaderSMD.exe (PID: 328)
- TokenSMD.exe (PID: 1488)
Creates files or folders in the user directory
- LoaderSMD.exe (PID: 328)
- TokenSMD.exe (PID: 1488)
Create files in a temporary directory
- LoaderSMD.exe (PID: 328)
- TokenSMD.exe (PID: 1488)
Checks supported languages
- TokenSMD.exe (PID: 1488)
- wmpnscfg.exe (PID: 2080)
- LoaderSMD.exe (PID: 328)
Reads the computer name
- TokenSMD.exe (PID: 1488)
- wmpnscfg.exe (PID: 2080)
- LoaderSMD.exe (PID: 328)
Checks proxy server information
- TokenSMD.exe (PID: 1488)
- LoaderSMD.exe (PID: 328)
Reads the software policy settings
- TokenSMD.exe (PID: 1488)
Application launched itself
- chrome.exe (PID: 2520)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2024:04:20 16:49:00 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | SaMarinDa Free (V3-VPS)/ |
Total processes
66
Monitored processes
27
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 328 | "C:\Users\admin\Desktop\SaMarinDa Free (V3-VPS)\LoaderSMD.exe" | C:\Users\admin\Desktop\SaMarinDa Free (V3-VPS)\LoaderSMD.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 588 | C:\Windows\system32\cmd.exe /c wmic bios get serialnumber >> C:\Users\admin\AppData\Local\Temp\s15c.0 | C:\Windows\System32\cmd.exe | — | TokenSMD.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 848 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1540 --field-trial-handle=1140,i,6869854326115857340,18364732624464005570,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Version: 109.0.5414.120 Modules
| |||||||||||||||
| 960 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=1336 --field-trial-handle=1140,i,6869854326115857340,18364732624464005570,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1024 | "C:\Users\admin\Desktop\SaMarinDa Free (V3-VPS)\LoaderSMD.exe" | C:\Users\admin\Desktop\SaMarinDa Free (V3-VPS)\LoaderSMD.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 1132 | C:\Windows\system32\cmd.exe /c wmic cpu get processorid >> C:\Users\admin\AppData\Local\Temp\s15c.1 | C:\Windows\System32\cmd.exe | — | TokenSMD.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1488 | "C:\Users\admin\AppData\Local\Temp\SMD\TokenSMD.exe" | C:\Users\admin\AppData\Local\Temp\SMD\TokenSMD.exe | LoaderSMD.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 1612 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1088 --field-trial-handle=1140,i,6869854326115857340,18364732624464005570,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1664 | wmic bios get serialnumber | C:\Windows\System32\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1788 | wmic diskdrive get serialnumber | C:\Windows\System32\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
18 011
Read events
17 888
Write events
107
Delete events
16
Modification events
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\SaMarinDa Free (V3-VPS) (1).zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
7
Suspicious files
32
Text files
27
Unknown types
30
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1488 | TokenSMD.exe | C:\Users\admin\AppData\Local\Temp\smd.mnth | — | |
MD5:— | SHA256:— | |||
| 2520 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF10bd95.TMP | — | |
MD5:— | SHA256:— | |||
| 3984 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3984.6194\SaMarinDa Free (V3-VPS)\LoaderSMD.exe | executable | |
MD5:C2027FDA2FB478230E2E65CCC47E54CD | SHA256:D46A03007680E994E2C83008C55A90907B9A2F88E13B9B86A4F0585284CD0F92 | |||
| 1488 | TokenSMD.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 | binary | |
MD5:495EC5342D65F0CD638391DFBAC59852 | SHA256:A05E19EA1CB4C8675A1933A953F3AD312013DDADBB2E1857FBD836DC4405E4CA | |||
| 1488 | TokenSMD.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\FileKey[1].mentah | executable | |
MD5:A28968F7072BF7CBA9B5192F3DC85681 | SHA256:4631387572369C467FF2C803676D521DF1FF3F296AAEABD6D0D09F3052EFE767 | |||
| 2520 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 588 | cmd.exe | C:\Users\admin\AppData\Local\Temp\s15c.0 | text | |
MD5:9025468F85256136F923096B01375964 | SHA256:D5418014FA8E6E17D8992FD12C0DFECAC8A34855603EA58133E87EA09C2130DF | |||
| 1824 | cmd.exe | C:\Users\admin\AppData\Local\Temp\s15c.2 | text | |
MD5:C3408CCDD8D9186DC57DF07903A42A11 | SHA256:7ED8892FF7AF0D59B4CDEDCECFF4209F1AA75CBE3393BA3B5C68C9D422715FE9 | |||
| 1132 | cmd.exe | C:\Users\admin\AppData\Local\Temp\s15c.1 | text | |
MD5:32EF13E6C24998526C128CD76EB6AA21 | SHA256:7562BA2F99E026E13DE3EEC64A25EA42EB5356F94BDA938C613B152560A3591F | |||
| 1488 | TokenSMD.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464 | der | |
MD5:8202A1CD02E7D69597995CABBE881A12 | SHA256:58F381C3A0A0ACE6321DA22E40BD44A597BD98B9C9390AB9258426B5CF75A7A5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
43
DNS requests
101
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
328 | LoaderSMD.exe | GET | 200 | 103.187.146.29:80 | http://103.187.146.29/samarinda/InjekKey.mentah | unknown | — | — | unknown |
1488 | TokenSMD.exe | GET | 200 | 103.187.146.29:80 | http://103.187.146.29/samarinda/FileKey.mentah | unknown | — | — | unknown |
1488 | TokenSMD.exe | GET | 301 | 188.114.96.3:80 | http://generatetoken.my.id/samarinda/Api/status1.php?e=58EC68DEEA78D0CA775A96491CA85B40&k=SMD | unknown | — | — | unknown |
1488 | TokenSMD.exe | GET | 304 | 104.85.249.155:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?20b9ad6b0f68bcbb | unknown | — | — | unknown |
1488 | TokenSMD.exe | GET | 200 | 216.58.206.67:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | — | — | unknown |
1488 | TokenSMD.exe | GET | 200 | 216.58.206.67:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
328 | LoaderSMD.exe | 103.187.146.29:80 | — | Cloud Host Pte Ltd | ID | unknown |
1488 | TokenSMD.exe | 103.187.146.29:80 | — | Cloud Host Pte Ltd | ID | unknown |
1488 | TokenSMD.exe | 188.114.96.3:80 | generatetoken.my.id | CLOUDFLARENET | NL | unknown |
1488 | TokenSMD.exe | 188.114.96.3:443 | generatetoken.my.id | CLOUDFLARENET | NL | unknown |
1488 | TokenSMD.exe | 104.85.249.155:80 | ctldl.windowsupdate.com | Akamai International B.V. | PL | unknown |
1488 | TokenSMD.exe | 216.58.206.67:80 | ocsp.pki.goog | GOOGLE | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
generatetoken.my.id |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
update.googleapis.com |
| unknown |
www.samarindacheat.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
— | — | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
— | — | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1488 | TokenSMD.exe | Potentially Bad Traffic | ET HUNTING Hiloti Style GET to PHP with invalid terse MSIE headers |
960 | chrome.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 54 |