File name: | d6a479704bd6b481edc8c53ab9601c34bff8558fb7a90389e7259c879c96d7df |
Full analysis: | https://app.any.run/tasks/b3d959ab-8d5d-4e82-acde-cf18fa9f2190 |
Verdict: | Malicious activity |
Threats: | Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files. |
Analysis date: | December 06, 2018, 16:07:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/msword |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Little Pig, Template: Normal.dotm, Last Saved By: Little Pig, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Thu Nov 29 17:41:00 2018, Last Saved Time/Date: Thu Nov 29 17:42:00 2018, Number of Pages: 2, Number of Words: 0, Number of Characters: 3, Security: 0 |
MD5: | 4B6977F65207F40A703CC3108BD616DA |
SHA1: | A26152C2CF2E8880D1EC730F574F1D80E329E6FC |
SHA256: | D6A479704BD6B481EDC8C53AB9601C34BFF8558FB7A90389E7259C879C96D7DF |
SSDEEP: | 6144:UXA5ivBFLyG4AcLXmeJUguD4Bl7XnpSHLW7W/bMlj:OA5ivOPDRuDm7X8qsb2 |
.doc | | | Microsoft Word document (80) |
---|
CompObjUserType: | - |
---|---|
CompObjUserTypeLen: | - |
HeadingPairs: |
|
TitleOfParts: | - |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 14 |
CharCountWithSpaces: | 3 |
Paragraphs: | 1 |
Lines: | 1 |
Company: | Microsoft |
CodePage: | Unicode (UTF-8) |
Security: | None |
Characters: | 3 |
Words: | - |
Pages: | 2 |
ModifyDate: | 2018:11:29 17:42:00 |
CreateDate: | 2018:11:29 17:41:00 |
TotalEditTime: | 1.0 minutes |
Software: | Microsoft Office Word |
RevisionNumber: | 1 |
LastModifiedBy: | Little Pig |
Template: | Normal.dotm |
Author: | Little Pig |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2972 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\d6a479704bd6b481edc8c53ab9601c34bff8558fb7a90389e7259c879c96d7df.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
1760 | C:\Users\Public\ubyj.exe | C:\Users\Public\ubyj.exe | — | WINWORD.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
856 | C:\Users\Public\ubyj.exe | C:\Users\Public\ubyj.exe | ubyj.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
712 | "C:\ProgramData\UANZQNJNPV.exe" | C:\ProgramData\UANZQNJNPV.exe | — | ubyj.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3216 | "C:\Windows\System32\cmd.exe" /c taskkill /im ubyj.exe /f & erase C:\Users\Public\ubyj.exe & exit | C:\Windows\System32\cmd.exe | — | ubyj.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3600 | "C:\ProgramData\UANZQNJNPV.exe" | C:\ProgramData\UANZQNJNPV.exe | UANZQNJNPV.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2416 | taskkill /im ubyj.exe /f | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA888.tmp.cvr | — | |
MD5:— | SHA256:— | |||
856 | ubyj.exe | C:\ProgramData\EZSFTVFMC4137HO8J9HP\c-shm | — | |
MD5:— | SHA256:— | |||
856 | ubyj.exe | C:\ProgramData\EZSFTVFMC4137HO8J9HP\history | — | |
MD5:— | SHA256:— | |||
856 | ubyj.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\169[1].txt | text | |
MD5:A6036C9DD4E0FD015412B652744DC1B4 | SHA256:B7ED3BBF8CF92DE7F2EC0E0BCB3957B0A6314C703BAAA9348C6F89A0AEDA0EA7 | |||
2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\AU3_EXE[1].exe | executable | |
MD5:EDF874AC0F20AE735D14A033A590A281 | SHA256:46014241FF27B8BFC974F49684EBF4D2025FBDBA9172D4DEB745DE778B167E60 | |||
856 | ubyj.exe | C:\ProgramData\EZSFTVFMC4137HO8J9HP\history-shm | — | |
MD5:— | SHA256:— | |||
2972 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:32CA13FE69C2270F4F0B5DB85CD58DD7 | SHA256:20D4E0981933360A07ED8556C072B9E0871C26ADAEBB51BC2EDE902CD2407690 | |||
2972 | WINWORD.EXE | C:\Users\Public\ubyj.exe | executable | |
MD5:EDF874AC0F20AE735D14A033A590A281 | SHA256:46014241FF27B8BFC974F49684EBF4D2025FBDBA9172D4DEB745DE778B167E60 | |||
856 | ubyj.exe | C:\ProgramData\EZSFTVFMC4137HO8J9HP\c | sqlite | |
MD5:33FAA3C0AB3E0E5F8E5446ED0D52CA32 | SHA256:2AE728D9D195C37B8041CC088F9A28BB666B670E1A2410EFAEE5B26047C08BBF | |||
2972 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$a479704bd6b481edc8c53ab9601c34bff8558fb7a90389e7259c879c96d7df.doc | pgc | |
MD5:65487C27981B0C8FCA0F268876BF2CDF | SHA256:EF979079943671D222B008873A4377BF42BBE7243251E8FDBA0F2C8BA7CB90C0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2972 | WINWORD.EXE | GET | 200 | 122.10.96.66:80 | http://linyidyhg.com/data/cache/listcache/ae/c5/3b/AU3_EXE.exe | HK | executable | 697 Kb | suspicious |
856 | ubyj.exe | GET | 200 | 79.143.28.114:80 | http://benderio.com/nss3.dll | RU | executable | 1.19 Mb | malicious |
856 | ubyj.exe | POST | 200 | 79.143.28.114:80 | http://benderio.com/ | RU | text | 94 b | malicious |
856 | ubyj.exe | GET | 200 | 79.143.28.114:80 | http://benderio.com/msvcp140.dll | RU | executable | 429 Kb | malicious |
856 | ubyj.exe | GET | 200 | 91.194.60.236:80 | http://www.bsprotection.fr/modules/gridextjs/extjs/resources/images/default/progress/imag.exe | FR | executable | 309 Kb | suspicious |
856 | ubyj.exe | GET | 200 | 79.143.28.114:80 | http://benderio.com/freebl3.dll | RU | executable | 326 Kb | malicious |
856 | ubyj.exe | GET | 200 | 79.143.28.114:80 | http://benderio.com/softokn3.dll | RU | executable | 141 Kb | malicious |
856 | ubyj.exe | GET | 200 | 79.143.28.114:80 | http://benderio.com/mozglue.dll | RU | executable | 133 Kb | malicious |
856 | ubyj.exe | POST | 200 | 79.143.28.114:80 | http://benderio.com/169 | RU | text | 156 b | malicious |
856 | ubyj.exe | POST | 200 | 185.194.141.58:80 | http://ip-api.com/line/ | DE | text | 115 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
856 | ubyj.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
856 | ubyj.exe | 91.194.60.236:80 | www.bsprotection.fr | Octopuce s.a.r.l. | FR | suspicious |
856 | ubyj.exe | 79.143.28.114:80 | benderio.com | Frame Design Ltd | RU | malicious |
3600 | UANZQNJNPV.exe | 185.198.57.181:80 | — | Host Sailor Ltd. | NL | malicious |
2972 | WINWORD.EXE | 122.10.96.66:80 | linyidyhg.com | Hutchison Global Communications | HK | suspicious |
Domain | IP | Reputation |
---|---|---|
linyidyhg.com |
| suspicious |
benderio.com |
| malicious |
ip-api.com |
| shared |
www.bsprotection.fr |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2972 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
856 | ubyj.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.PWS.Stealer.23869 (Arkei) |
856 | ubyj.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
856 | ubyj.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.PWS.Stealer.23869 (Arkei) |
856 | ubyj.exe | A Network Trojan was detected | MALWARE [PTsecurity] Nocturnal Stealer |
856 | ubyj.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
856 | ubyj.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.PWS.Stealer.23869 (Arkei) |
856 | ubyj.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3600 | UANZQNJNPV.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
3600 | UANZQNJNPV.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |