File name:	SPAM2.zip
Full analysis:	https://app.any.run/tasks/b463a247-0b16-4307-b5d2-c11ed54aa00f
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	October 09, 2019, 13:06:03
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	trojan stealer eredel baldr
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	D0993B2DF29528FFEE79D50A52BD4A08
SHA1:	34FD23F4729E2A6B63D8D1DC311188D2188E6EF9
SHA256:	DB29691E24F2660DDB8C7EEB4E5B50D0C96C65806CE6B94958CC57F90DEAEE2A
SSDEEP:	98304:CxFOmH/EmaB8knUxODI4/Fe5nWplHsQ1aNNGyTnWEPgoZm3DM:SImHfaBZnPDNgCH31aNNGyTnDPgIm3DM

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2019:10:09 15:04:04
ZipCRC:	0x6b5af83a
ZipCompressedSize:	1512447
ZipUncompressedSize:	1622016
ZipFileName:	stepa.asyx.rulogin (1).exe


(PID) Process:	(1856) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(1856) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(1856) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1856) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\SPAM2.zip
(PID) Process:	(1856) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1856) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1856) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1856) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(1980) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(1980) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:

PID	Process	Filename		Type
2260	stepa.asyx.rulogin (1).exe	C:\Users\admin\AppData\Local\Temp\976c.77e4a0		—
		MD5:—	SHA256:—
2260	stepa.asyx.rulogin (1).exe	C:\Users\admin\AppData\Local\Temp\86c7.ab7670		—
		MD5:—	SHA256:—
2124	stepa.asyx.rulogin (2).exe	C:\Users\admin\AppData\Local\Temp\fb88b745.ae37		—
		MD5:—	SHA256:—
2124	stepa.asyx.rulogin (2).exe	C:\Users\admin\AppData\Local\Temp\1a7a4ebc.8ad8		—
		MD5:—	SHA256:—
2260	stepa.asyx.rulogin (1).exe	C:\Users\admin\AppData\Local\Temp\93582306dd4c46f5a14f68e0d8cbdc09\Cookies\Chrome.txt		text
		MD5:—	SHA256:—
1980	WinRAR.exe	C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (1).exe		executable
		MD5:—	SHA256:—
1980	WinRAR.exe	C:\Users\admin\Desktop\SPAM2\stepa.asyx.rulogin (4).exe		executable
		MD5:—	SHA256:—
2260	stepa.asyx.rulogin (1).exe	C:\Users\admin\AppData\Local\Temp\74ee.d876ce		sqlite
		MD5:—	SHA256:—
2260	stepa.asyx.rulogin (1).exe	C:\Users\admin\AppData\Local\Temp\93582306dd4c46f5a14f68e0d8cbdc09\passwords.log		text
		MD5:—	SHA256:—
1420	stepa.asyx.rulogin (3).exe	C:\Users\admin\AppData\Local\Temp\f881.fd840e		—
		MD5:—	SHA256:—

PID	Process	IP	Domain	ASN	CN	Reputation
2260	stepa.asyx.rulogin (1).exe	178.33.33.187:80	stepa.asyx.ru	OVH SAS	DE	malicious
2124	stepa.asyx.rulogin (2).exe	178.33.33.187:80	stepa.asyx.ru	OVH SAS	DE	malicious
2156	stepa.asyx.rulogin (4).exe	178.33.33.187:80	stepa.asyx.ru	OVH SAS	DE	malicious
1420	stepa.asyx.rulogin (3).exe	178.33.33.187:80	stepa.asyx.ru	OVH SAS	DE	malicious

PID	Process	Class	Message
2260	stepa.asyx.rulogin (1).exe	A Network Trojan was detected	ET TROJAN Trojan Generic - POST To gate.php with no referer
2260	stepa.asyx.rulogin (1).exe	A Network Trojan was detected	ET TROJAN MSIL/Eredel Stealer CnC Checkin
2260	stepa.asyx.rulogin (1).exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan-Spy.MSIL.Agent.gen (Eredel Stealer)
2260	stepa.asyx.rulogin (1).exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan.PWS.Stealer.Gen.Baldr
2260	stepa.asyx.rulogin (1).exe	A Network Trojan was detected	ET TROJAN Trojan Generic - POST To gate.php with no accept headers
2260	stepa.asyx.rulogin (1).exe	Potentially Bad Traffic	ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)
2124	stepa.asyx.rulogin (2).exe	A Network Trojan was detected	ET TROJAN Trojan Generic - POST To gate.php with no referer
2124	stepa.asyx.rulogin (2).exe	A Network Trojan was detected	ET TROJAN MSIL/Eredel Stealer CnC Checkin
2124	stepa.asyx.rulogin (2).exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan-Spy.MSIL.Agent.gen (Eredel Stealer)
2124	stepa.asyx.rulogin (2).exe	A Network Trojan was detected	MALWARE [PTsecurity] Trojan.PWS.Stealer.Gen.Baldr

Process	Message
stepa.asyx.rulogin (1).exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
stepa.asyx.rulogin (4).exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

SPAM2.zip

D0993B2DF29528FFEE79D50A52BD4A08

34FD23F4729E2A6B63D8D1DC311188D2188E6EF9

DB29691E24F2660DDB8C7EEB4E5B50D0C96C65806CE6B94958CC57F90DEAEE2A

98304:CxFOmH/EmaB8knUxODI4/Fe5nWplHsQ1aNNGyTnWEPgoZm3DM:SImHfaBZnPDNgCH31aNNGyTnDPgIm3DM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Connects to CnC server

EREDEL was detected

Actions looks like stealing of personal data

Stealing of credential data

SUSPICIOUS

Executable content was dropped or overwritten

Uses WMIC.EXE to obtain a system information

Searches for installed software

Reads the cookies of Google Chrome

INFO

Manual execution by user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings