analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

podatek_4.zip

Full analysis: https://app.any.run/tasks/3bfcb2b3-0adc-49e5-8b75-f94f7f7c35a0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: March 22, 2019, 12:31:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
gozi
ursnif
evasion
stealer
dreambot
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

A542ECD6CC69DC891544A417A89CB9A5

SHA1:

F98AFE8196D210DF51A6EFF2BB5208426A793403

SHA256:

D9125399A886F86C6A1B623A1E335372BD0D9BE23924519919B1C65686C98044

SSDEEP:

96:sV4yJc2ErxVxMx5qQFw4dq0JqIYte1Vkt:e4lhd8qNW1Ct

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 648385.exe (PID: 2652)
      • 648385.exe (PID: 3128)

    • Detected URSNIF Trojan

      • 648385.exe (PID: 2652)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3240)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 1696)

    • Runs injected code in another process

      • 648385.exe (PID: 2652)

    • Application was injected by another process

      • explorer.exe (PID: 1696)

    • URSNIF Shellcode was detected

      • explorer.exe (PID: 1696)

    • Stealing of credential data

      • explorer.exe (PID: 1696)

    • Connects to CnC server

      • explorer.exe (PID: 1696)

  • SUSPICIOUS

    • Executes scripts

      • explorer.exe (PID: 1696)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 1696)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3240)

    • Creates files in the user directory

      • WScript.exe (PID: 3240)
      • notepad++.exe (PID: 1816)
      • explorer.exe (PID: 1696)
      • 648385.exe (PID: 2652)

    • Application launched itself

      • 648385.exe (PID: 3128)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2940)

    • Runs Chrome without HTTP2 support

      • explorer.exe (PID: 1696)
      • chrome.exe (PID: 2940)

    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 1696)

    • Checks for external IP

      • nslookup.exe (PID: 2636)
      • nslookup.exe (PID: 180)

  • INFO

    • Reads Internet Cache Settings

      • chrome.exe (PID: 1628)

    • Reads settings of System Certificates

      • chrome.exe (PID: 1628)

    • Application launched itself

      • chrome.exe (PID: 2940)

    • Application was crashed

      • chrome.exe (PID: 2940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Load_4.js
ZipUncompressedSize: 8464
ZipCompressedSize: 3430
ZipCRC: 0xdcf219d9
ZipModifyDate: 2019:03:20 19:10:20
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
72
Monitored processes
36
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start inject winrar.exe no specs wscript.exe 648385.exe no specs notepad++.exe gup.exe #URSNIF 648385.exe no specs #URSNIF explorer.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs cmd.exe no specs cmd.exe no specs nslookup.exe nslookup.exe cmd.exe no specs cmd.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1408"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\podatek_4.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3240"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Load_4.js" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3128"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\648385.exe" C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\648385.exeWScript.exe
User:
admin
Integrity Level:
MEDIUM
Description:
BathingCorn
Exit code:
0
Version:
1.0.0.0
1816"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\Load_4.js"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
304"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
2652C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\648385.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\648385.exe
648385.exe
User:
admin
Integrity Level:
MEDIUM
Description:
BathingCorn
Exit code:
0
Version:
1.0.0.0
1696C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2940"C:\Program Files\Google\Chrome\Application\chrome.exe" --use-spdy=off --disable-http2C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
2548"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x114,0x118,0x11c,0x110,0x120,0x6f890f18,0x6f890f28,0x6f890f34 --use-spdy=off --disable-http2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
1
Version:
73.0.3683.75
3568"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2832 --on-initialized-event-handle=440 --parent-handle=444 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
Total events
3 067
Read events
2 745
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
111
Text files
187
Unknown types
12

Dropped files

PID
Process
Filename
Type
2652648385.exeC:\Users\admin\AppData\Roaming\Microsoft\Devivmgr\crypptsp.exe
MD5:
SHA256:
2940chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
MD5:
SHA256:
2940chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
MD5:
SHA256:
2940chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
2940chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
MD5:
SHA256:
2940chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
MD5:
SHA256:
1696explorer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019032220190323\index.datdat
MD5:7219FD4FD37A29AF87F9B33CB4DDC5DB
SHA256:5128DDE93849D20F56DCF8D9A57295EC0CC014440D6048B818EC2A77C0F78F95
1696explorer.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:4D9EE63DF877734B95C42C28E09D575B
SHA256:FF7889A462F38D99EC3894CC9AF7BEE5946FEAB853AC04837B66F8EA62516C52
1696explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Load_4.js.lnklnk
MD5:B3087B0E6EABD22A5F7F80753C4803AE
SHA256:10A158D935C6E09F823EFAD083FE71A00BC79B1ECEDD9DF2721BD6DB2793E31E
3240WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\648385.exeexecutable
MD5:CB0D704698A605C498ADE80CC33EA60F
SHA256:103795A0C8F885D801808B2C78435A297C4926A05B0212BF07942C5C5D07639B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
61
DNS requests
35
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1696
explorer.exe
GET
181.197.131.40:80
http://interruption.ru/jd/t32.bin
PA
malicious
GET
200
173.223.106.89:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D
NL
der
727 b
whitelisted
1628
chrome.exe
GET
200
173.194.150.219:80
http://r5---sn-5goeen7r.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=82.102.22.104&mm=28&mn=sn-5goeen7r&ms=nvh&mt=1553258062&mv=m&pl=24&shardbypass=yes
US
crx
842 Kb
whitelisted
1696
explorer.exe
POST
200
87.116.78.110:80
http://investingfutureram.ac.ug/images/FkzA3EFiwJN9eOjSoG8/5obcCKym6siUVw8GVtRBxY/nExNbM7XBnkNH/tcU_2FPB/nz6DmG31cgTw9zTR0cQ6gFd/h_2BuKI3wp/DpILAgDCqA2mTkP7d/xLHv0etU1fcG/ctCHK859D7n/aKXvbtnC_2FEta/8czlbb7rcatV_2FirHXXH/C6ieYXr18seL2TkI/BGVxx19WNz6z79e/w5jr6PtbZa/N7SlJJ1qdo/1.bmp
BG
malicious
1696
explorer.exe
GET
200
87.116.78.110:80
http://investingfutureram.ac.ug/images/qYL_2B6aRZL51P/cVbEYpXZOit9DhfgBAcu4/wKw_2FRxwDDpKQKf/9nSQ8jtEZ95Ns8z/4rCfi_2Bvp9hgrYZuv/YTVc4SNhs/xUCvg3RgJZpGi7rIAFe5/xRGtIuzbGELvpBvQx6q/eBI6TOYb4A4wnDLEtWSKGG/bjCfWx1N4ZstA/r7CUS19I/bKGIYRzIovFBXhNXYFp_2F5/AF.gif
BG
malicious
3300
WerFault.exe
GET
40.67.186.102:80
http://watson.microsoft.com/StageOne/chrome_exe/73_0_3683_75/5c8499d0/StackHash_2d54/0_0_0_0/00000000/80000001/001b33ba.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063
US
whitelisted
GET
200
173.223.106.89:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
NL
der
471 b
whitelisted
1628
chrome.exe
GET
302
216.58.207.78:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
504 b
whitelisted
1696
explorer.exe
POST
200
87.116.78.110:80
http://investingfutureram.ac.ug/images/SMGVPjSZ/qQwP5py87Z3yx9FFb4Xi0Gs/SZC8Q9nAPZ/hk4AWtCpzFxCZDKCc/ZxpkM3lwVpCG/025iLronShm/bpTupQ_2FCsIdF/zoWDPINs7CvMbgIy54Bki/yAYqKWIWWfHeHuJ5/4PYSdBSME_2Ff8a/QWHS_2FBUSPOK13lQs/gr0y_2FSX/ns108xQhy5RjJDqcdTA3/X2y0gsZ_2FsZhYN_2BC/WuThTKall/KRi1.bmp
BG
malicious
3240
WScript.exe
GET
200
181.197.131.40:80
http://interruption.ru/hello.rar
PA
executable
472 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1628
chrome.exe
172.217.18.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
173.223.106.89:80
ocsp.usertrust.com
Akamai International B.V.
NL
whitelisted
3240
WScript.exe
181.197.131.40:80
interruption.ru
Cable Onda
PA
suspicious
304
gup.exe
37.59.28.236:443
notepad-plus-plus.org
OVH SAS
FR
whitelisted
1628
chrome.exe
172.217.23.164:443
www.google.com
Google Inc.
US
whitelisted
1696
explorer.exe
181.197.131.40:80
interruption.ru
Cable Onda
PA
suspicious
1628
chrome.exe
216.58.208.35:443
www.gstatic.com
Google Inc.
US
whitelisted
1628
chrome.exe
216.58.207.78:80
redirector.gvt1.com
Google Inc.
US
whitelisted
1628
chrome.exe
216.58.208.45:443
accounts.google.com
Google Inc.
US
whitelisted
1628
chrome.exe
172.217.22.99:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
interruption.ru
  • 181.197.131.40
  • 186.74.208.84
  • 62.141.241.11
  • 37.247.216.118
  • 80.80.165.93
  • 213.222.130.75
  • 87.116.78.110
  • 178.48.154.38
  • 181.39.233.180
  • 95.158.162.200
malicious
notepad-plus-plus.org
  • 37.59.28.236
whitelisted
ocsp.usertrust.com
  • 173.223.106.89
  • 173.223.106.136
whitelisted
clientservices.googleapis.com
  • 172.217.18.99
whitelisted
www.google.com
  • 172.217.23.164
whitelisted
accounts.google.com
  • 216.58.208.45
shared
ssl.gstatic.com
  • 172.217.22.99
whitelisted
clients2.google.com
  • 172.217.16.142
whitelisted
www.gstatic.com
  • 216.58.208.35
whitelisted
redirector.gvt1.com
  • 216.58.207.78
whitelisted

Threats

PID
Process
Class
Message
3240
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3240
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
180
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
2636
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
180
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
2636
nslookup.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
1696
explorer.exe
A Network Trojan was detected
ET TROJAN Ursnif Variant CnC Beacon
1696
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
1696
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP
1696
explorer.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
6 ETPRO signatures available at the full report
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
podatek_4.zip