analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://79.124.78.74/Delivery-Receipt.pdf.exe

Full analysis: https://app.any.run/tasks/d1713a30-9ed3-4173-b073-c48bc4f8915d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 17, 2019, 15:52:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

BE227F81D10E3D22D1ED1A6895F5F2F3

SHA1:

0613ABEC2396417C4497051D3930D6E1A8F7F17B

SHA256:

D60C267E24BE640AB33259B45880A19129C105D6A3A35A5BF39B6A4437868021

SSDEEP:

3:N1KSLVAJSAX5tVRLV10C:CSGJSAXJ2C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from IP

      • iexplore.exe (PID: 3288)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3680)

    • Application was dropped or rewritten from another process

      • Delivery-Receipt.pdf[1].exe (PID: 3328)
      • Delivery-Receipt.pdf[1].exe (PID: 2444)
      • dhl-receipt3657.exe (PID: 2956)
      • dhl-receipt3657.exe (PID: 3380)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3288)

    • Loads dropped or rewritten executable

      • dhl-receipt3657.exe (PID: 3380)
      • Delivery-Receipt.pdf[1].exe (PID: 2444)

  • SUSPICIOUS

    • Loads Python modules

      • Delivery-Receipt.pdf[1].exe (PID: 2444)
      • dhl-receipt3657.exe (PID: 3380)

    • Application launched itself

      • Delivery-Receipt.pdf[1].exe (PID: 3328)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3288)
      • iexplore.exe (PID: 2716)
      • Delivery-Receipt.pdf[1].exe (PID: 3328)
      • Delivery-Receipt.pdf[1].exe (PID: 2444)
      • dhl-receipt3657.exe (PID: 2956)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3496)

    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 3524)
      • cmd.exe (PID: 2340)

    • Starts CMD.EXE for commands execution

      • Delivery-Receipt.pdf[1].exe (PID: 2444)
      • dhl-receipt3657.exe (PID: 3380)

    • Connects to unusual port

      • dhl-receipt3657.exe (PID: 3380)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2716)

    • Changes internet zones settings

      • iexplore.exe (PID: 2716)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
18
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe delivery-receipt.pdf[1].exe delivery-receipt.pdf[1].exe cmd.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs tasklist.exe no specs find.exe no specs find.exe no specs cmd.exe no specs taskkill.exe no specs cmd.exe no specs dhl-receipt3657.exe dhl-receipt3657.exe cmd.exe no specs tasklist.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2716"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3288"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2716 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3328"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\Delivery-Receipt.pdf[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\Delivery-Receipt.pdf[1].exe
iexplore.exe
User:
admin
Integrity Level:
MEDIUM
2444"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\Delivery-Receipt.pdf[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\Delivery-Receipt.pdf[1].exe
Delivery-Receipt.pdf[1].exe
User:
admin
Integrity Level:
MEDIUM
3680C:\Windows\system32\cmd.exe /c net stop "Security Center"C:\Windows\system32\cmd.exeDelivery-Receipt.pdf[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2160net stop "Security Center"C:\Windows\system32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2812C:\Windows\system32\net1 stop "Security Center"C:\Windows\system32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3524C:\Windows\system32\cmd.exe /c TASKLIST /FI "STATUS eq RUNNING" | find /V "Image Name" | find /V "="C:\Windows\system32\cmd.exeDelivery-Receipt.pdf[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2056TASKLIST /FI "STATUS eq RUNNING" C:\Windows\system32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2228find /V "Image Name" C:\Windows\system32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
656
Read events
604
Write events
0
Delete events
0

Modification events

No data
Executable files
31
Suspicious files
1
Text files
9
Unknown types
2

Dropped files

PID
Process
Filename
Type
2716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2716iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2716iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF8D6F9FCDF6809B6C.TMP
MD5:
SHA256:
3288iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Delivery-Receipt.pdf[1].exeexecutable
MD5:36A0492D5FA4D56BA2CCB5D87A0AF8C2
SHA256:D253ECE136D5BF7C466C518255DCF2765ED1BE55E4BBB82ACE4696215052EE97
2716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\Delivery-Receipt.pdf[1].exeexecutable
MD5:36A0492D5FA4D56BA2CCB5D87A0AF8C2
SHA256:D253ECE136D5BF7C466C518255DCF2765ED1BE55E4BBB82ACE4696215052EE97
2716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{EEEC2A20-1A6F-11E9-BAD8-5254004A04AF}.datbinary
MD5:F75997EBC6FBEFF979C4E581E396A799
SHA256:372E6023570D64F868845B4D7D91D2F6B6F467EFB7D3416860F3356BA0C9A1A3
3288iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019011720190118\index.datdat
MD5:26533191E58660B54FDD553260D70C21
SHA256:AA718FB566F4AA1D9EA9F8AA238BB5D22D148160446E5A24BCEF9FC47094693D
2716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019011720190118\index.datdat
MD5:CB97433C737F5A5E33CF12C65872C8CD
SHA256:5DBB26575A26AA8D23555D467C8F56221309C5373B2C4D8E2C7A297916ABF6FD
2444Delivery-Receipt.pdf[1].exeC:\users\admin\appdata\local\temp\3fp1vp
MD5:
SHA256:
2716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\Delivery-Receipt.pdf[1].exe:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
14
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2444
Delivery-Receipt.pdf[1].exe
GET
200
79.124.78.74:80
http://79.124.78.74/dhl.png
BG
image
20.6 Kb
suspicious
2444
Delivery-Receipt.pdf[1].exe
GET
79.124.78.74:80
http://79.124.78.74/dhl.exe
BG
suspicious
3380
dhl-receipt3657.exe
GET
200
145.239.41.132:1338
http://145.239.41.132:1338//payloads/whq.py
FR
text
118 Kb
suspicious
3288
iexplore.exe
GET
200
79.124.78.74:80
http://79.124.78.74/Delivery-Receipt.pdf.exe
BG
executable
4.75 Mb
suspicious
3380
dhl-receipt3657.exe
GET
200
145.239.41.132:1338
http://145.239.41.132:1338//stagers/whq.py
FR
text
2.15 Kb
suspicious
2716
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2716
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2444
Delivery-Receipt.pdf[1].exe
79.124.78.74:80
BlueAngelHost Pvt. Ltd
BG
suspicious
3380
dhl-receipt3657.exe
145.239.41.132:1338
OVH SAS
FR
suspicious
3380
dhl-receipt3657.exe
145.239.41.132:1339
OVH SAS
FR
suspicious
3288
iexplore.exe
79.124.78.74:80
BlueAngelHost Pvt. Ltd
BG
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3288
iexplore.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3288
iexplore.exe
Potentially Bad Traffic
ET POLICY SUSPICIOUS *.pdf.exe in HTTP URL
3288
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3288
iexplore.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2444
Delivery-Receipt.pdf[1].exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
2444
Delivery-Receipt.pdf[1].exe
Attempted Information Leak
ET POLICY Python-urllib/ Suspicious User Agent
2444
Delivery-Receipt.pdf[1].exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
2444
Delivery-Receipt.pdf[1].exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2444
Delivery-Receipt.pdf[1].exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2444
Delivery-Receipt.pdf[1].exe
Attempted Information Leak
ET POLICY Python-urllib/ Suspicious User Agent
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://79.124.78.74/Delivery-Receipt.pdf.exe