| Field | Value |
|---|---|
| File name | 1.zip |
| Full analysis | https://app.any.run/tasks/d4ae936f-ffc2-46c6-89d5-4d079b23608c |
| Verdict | Malicious activity |
| Threats | Gootkit is an advanced banking trojan. It is extremely good at evading detection and has an incredibly effective persistence mechanism, making it dangerous malware that researchers and organizations should be aware of. |
| Analysis date | January 18, 2019, 13:09:27 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | FD331EE5DCA1704EB579B2A536CF124A |
| SHA1 | B63D7B251ABB3C11BE9644FE1284D0CBB1DC2DAD |
| SHA256 | D6CDCE2A29DCD4B15980E422411849BE36AE42DB724B877473C208B160E52812 |
| SSDEEP | 196608:gBBKFGrGBuUBLg7eRI1ONZUgJ+XK1akR+iU1w:UQklN7EOO35IX8xi2 |
| Extension | Description |
|---|---|
| .zip | ZIP compressed archive (100) |

| Field | Value |
|---|---|
| ZipFileName | 1.exe |
| ZipUncompressedSize | 258048 |
| ZipCompressedSize | 214237 |
| ZipCRC | 0x2cb0ad60 |
| ZipModifyDate | 2019:01:11 12:34:04 |
| ZipCompression | Deflated |
| ZipBitFlag | - |
| ZipRequiredVersion | 788 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3176 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
| 3448 | "C:\Users\admin\Desktop\tcmd921ax32_64.exe" | C:\Users\admin\Desktop\tcmd921ax32_64.exe | — | explorer.exe | User: admin; Company: Ghisler Software GmbH; Integrity Level: MEDIUM; Description: Total Commander Installer; Exit code: 3221226540; Version: 9.21 |
| 2188 | "C:\Users\admin\Desktop\tcmd921ax32_64.exe" | C:\Users\admin\Desktop\tcmd921ax32_64.exe | | explorer.exe | User: admin; Company: Ghisler Software GmbH; Integrity Level: HIGH; Description: Total Commander Installer; Exit code: 0; Version: 9.21 |
| 3772 | "C:\totalcmd\TOTALCMD.EXE" | C:\totalcmd\TOTALCMD.EXE | — | explorer.exe | User: admin; Company: Ghisler Software GmbH; Integrity Level: MEDIUM; Description: Total Commander 32 bit; Version: 9.21 |
| 1228 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Task Manager; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2280 | "C:\Users\admin\Desktop\1.exe" | C:\Users\admin\Desktop\1.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM |
| 3468 | C:\Users\admin\Desktop\1.exe --vwxyz | C:\Users\admin\Desktop\1.exe | | 1.exe | User: admin; Integrity Level: MEDIUM |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3176 | WinRAR.exe | C:\Users\admin\Desktop\tcmd921ax32_64.exe | executable | 1024E52E635AE373453A49CC147992D9 | 5330B7A45E9881D885067BF7DFEFA37F4502088D9FD259BF1F2CC3FBDD9E304B |
| 2188 | tcmd921ax32_64.exe | C:\totalcmd\TOTALCMD.CHM | chm | B72CA543A8AD161DE623AC8B374DFE8E | CB6AC9287C0E745C510D51A0F274E3B1112308BABBDCEF2895ABFA3104B91173 |
| 3176 | WinRAR.exe | C:\Users\admin\Desktop\1.exe | executable | 632D1A50E4F75B12521C14E390596125 | 66C3A85AB2F34092FD15CF15E5C289CC70DD65BB86EDF8308CA7B5AE1363ABB5 |
| 2188 | tcmd921ax32_64.exe | C:\Users\admin\AppData\Roaming\GHISLER\wincmd.ini | text | 926EB45A00D3C2C4AFEF6CE8AC07691B | BF16FB4BAC9923E4327E3DD4F8398F0996B7395509123830F52A9B6EF66E3467 |
| 2188 | tcmd921ax32_64.exe | C:\totalcmd\LANGUAGE\WCMD_CZ.MNU | text | D4F6F50E42B366D2E279DC9DDC9053AC | 003D39A31BDE15416FED758EC1E29A8698154AE14919F7593B32F6768CD84D70 |
| 2188 | tcmd921ax32_64.exe | C:\totalcmd\SIZE!.TXT | text | 9C46B722FA1FFAB6EAD573859ABB32BB | 2EA390F71ED637935463CFEB1E4B02BB83364A157E443644087E6D61DEAE12F7 |
| 2188 | tcmd921ax32_64.exe | C:\totalcmd\LANGUAGE\WCMD_CZ.INC | text | 5FDDFCA4DF512D326DAD0E6B6E9996C2 | B45C354D104DBCA8FC1CD64636B9CCAC7BB1A395BC914ECF0CC37C9EB327E102 |
| 2188 | tcmd921ax32_64.exe | C:\totalcmd\LANGUAGE\WCMD_ESP.LNG | text | 788EC435276281E135A7FE55B06EFD71 | EB187C08634AFB183082641FECB8C3DB99DA9BE61A1B00102FD5D6355A583EA9 |
| 2188 | tcmd921ax32_64.exe | C:\totalcmd\LANGUAGE\WCMD_CZ.LNG | text | ADAD053363D15B2EBD8973FC90D1ABA1 | 5177A6EA9053A1291CB3615F6A0821A3421B6727D9524904AD243D440BF57654 |
| 2188 | tcmd921ax32_64.exe | C:\totalcmd\LANGUAGE\WCMD_DEU.LNG | text | 204FF34EBC1865D7CFB94EEC6F7D5929 | 86319A4E54FEA63005DB9CAB2C97DF951E89F3144A52C2E9C259BB703C76F837 |
| Domain | IP | Reputation |
|---|---|---|
| drk.fm604.com | | malicious |
| Process | Message |
|---|---|
| 1.exe | MP3 file corrupted |
| 1.exe | WMA 0 |
| 1.exe | OGG 0 |