File name: formulario_citas.zip

Full analysis: https://app.any.run/tasks/01a9620f-b06d-4c78-ae28-c08f32f1711f
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: December 14, 2023, 16:06:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: hijackloader, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 36C592E2C16894B460E24A11D57BAD54
SHA1: A0350454A70B90616C0415BFE3ED1AFD9CC6A40B
SHA256: DAD45D7A2A70939FCE66C56F92B0AD29E4D1498EBFBE4DA29D249E8E52B8A69F
SSDEEP: 98304:NGfSFN0b6JvW65tTIIaaD0nLqLEokevoZCKY+zFs4IA8YOzwZDC1G3PJSMCNNLHn:Jgsjn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • HIJACKLOADER has been detected (YARA): Ba.exe (PID: 3784)
  • SUSPICIOUS
    • The process creates files with name similar to system file names: WinRAR.exe (PID: 1864)
  • INFO
    • Drops the executable file immediately after the start: WinRAR.exe (PID: 1864)
    • Checks supported languages: Ba.exe (PID: 3784)
    • Reads the computer name: Ba.exe (PID: 3784)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:12:13 10:36:48
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: formulario_citas/
No data.
Total processes: 37
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph: start → winrar.exe → ba.exe (#HIJACKLOADER)

Process information

PID: 1864
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\formulario_citas.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3784
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.2620\formulario_citas\Ba.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.2620\formulario_citas\Ba.exe
Parent process: WinRAR.exe
User: admin
Company: Babylon Ltd.
Integrity Level: MEDIUM
Description: Babylon Information Tool
Exit code: 0
Version: 6.0.1.36
Modules (images):
c:\users\admin\appdata\local\temp\rar$exb1864.2620\formulario_citas\ba.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 1,050
Read events: 1,032
Write events: 18
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(1864) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E | write | LanguageList | en-US
(1864) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(1864) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(1864) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\phacker.zip
(1864) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(1864) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(1864) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(1864) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(1864) WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(1864) WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
Executable files: 12
Suspicious files: 3
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.374\formulario_citas\carrageenan.msg | binary
    MD5: 34B85CB6023F667510D36D6D1E2DADE1
    SHA256: 5704BA83B6B87236C8C1538D61189724477149AED84E3379001FC38930A3DE4D
1864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.1149\formulario_citas\BException.dll | executable
    MD5: 7D76AD450C469A6653EA69B0F668D98B
    SHA256: E19B1D03F9C273A41BD45E9006980A644B1762D0EC2DAC663268F14FF79C71CE
1864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.1149\formulario_citas\Ba.exe | executable
    MD5: E3703E90CDA08FA041B7B06B05990210
    SHA256: A52DD8B15AACED29EB7FE2681C08E6466D8AB29E7735B439303BA90C60701F60
1864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.1149\formulario_citas\carrageenan.msg | binary
    MD5: 34B85CB6023F667510D36D6D1E2DADE1
    SHA256: 5704BA83B6B87236C8C1538D61189724477149AED84E3379001FC38930A3DE4D
1864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.1149\formulario_citas\BabyServices.dll | executable
    MD5: C9672AFA0D259340CEAAD484AD06BEC8
    SHA256: 2576E33A14B53ADB45FAA295483C919200C4FFA8D2CBAAF77D6602ACEA86DB45
1864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.2620\formulario_citas\carrageenan.msg | binary
    MD5: 34B85CB6023F667510D36D6D1E2DADE1
    SHA256: 5704BA83B6B87236C8C1538D61189724477149AED84E3379001FC38930A3DE4D
1864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.1149\formulario_citas\formulario_agendamiento_citas.exe | executable
    MD5: 8D981CB9E3DE72C43A6719B0ED5720A9
    SHA256: CCD13453CD900E21FB348F7E83EEC9DFC9A42FCD4F314E2762A38FCF5366C969
1864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.374\formulario_citas\BabyServices.dll | executable
    MD5: C9672AFA0D259340CEAAD484AD06BEC8
    SHA256: 2576E33A14B53ADB45FAA295483C919200C4FFA8D2CBAAF77D6602ACEA86DB45
1864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.374\formulario_citas\Ba.exe | executable
    MD5: E3703E90CDA08FA041B7B06B05990210
    SHA256: A52DD8B15AACED29EB7FE2681C08E6466D8AB29E7735B439303BA90C60701F60
1864 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1864.2620\formulario_citas\BabyServices.dll | executable
    MD5: C9672AFA0D259340CEAAD484AD06BEC8
    SHA256: 2576E33A14B53ADB45FAA295483C919200C4FFA8D2CBAAF77D6602ACEA86DB45
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info