analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Calculation-307219079-10162020.zip

Full analysis: https://app.any.run/tasks/533a3304-d382-4007-b980-586f88aeedad
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 02:27:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
qbot
maldoc-42
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

2378BE22DE7553ED077217D4F55D0484

SHA1:

6696C5A13430A3F01576AE2EB294D3F4BC0797C1

SHA256:

DF9783141A675026DF29AB63F7C5A1372D3775269A4436B66ABFDB28AC48C73A

SSDEEP:

384:NbFC1xmM/CLFbR2CJpdqEzjzblzydQ6tPBYYWrWL0jjqAmKwOCC8xF3fFt:NpcxL2bk6dq8lmFPBYYcjjMXnFPFt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2148)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 2148)

    • Application was dropped or rewritten from another process

      • nosto.exe (PID: 1508)
      • nosto.exe (PID: 2744)
      • ytfovlym.exe (PID: 2628)
      • ytfovlym.exe (PID: 2236)

    • QBOT was detected

      • nosto.exe (PID: 2744)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 4032)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 1136)

    • Application launched itself

      • nosto.exe (PID: 2744)
      • ytfovlym.exe (PID: 2628)

    • Executable content was dropped or overwritten

      • nosto.exe (PID: 2744)
      • cmd.exe (PID: 4032)

    • Creates files in the user directory

      • nosto.exe (PID: 2744)

    • Starts itself from another location

      • nosto.exe (PID: 2744)

    • Starts CMD.EXE for commands execution

      • nosto.exe (PID: 2744)

  • INFO

    • Reads Internet Cache Settings

      • EXCEL.EXE (PID: 2148)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2148)

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 4032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Calculation-307219079-10162020.xlsb
ZipUncompressedSize: 26674
ZipCompressedSize: 21415
ZipCRC: 0xae5c9407
ZipModifyDate: 2020:10:19 16:21:25
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs excel.exe #QBOT nosto.exe nosto.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1136"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Calculation-307219079-10162020.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2148"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2744"C:\Hromo\Nivadalo\nosto.exe" C:\Hromo\Nivadalo\nosto.exe
EXCEL.EXE
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
1508C:\Hromo\Nivadalo\nosto.exe /CC:\Hromo\Nivadalo\nosto.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
2628C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exenosto.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
4032"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Hromo\Nivadalo\nosto.exe"C:\Windows\System32\cmd.exe
nosto.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4040ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2236C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
QIHU 360 SOFTWARE CO. LIMITED
Integrity Level:
MEDIUM
Description:
360 SystemRegistryClean
Exit code:
0
Version:
1, 0, 0, 1003
116C:\Windows\explorer.exeC:\Windows\explorer.exeytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 143
Read events
1 077
Write events
55
Delete events
11

Modification events

(PID) Process:(1136) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(1136) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(1136) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1136) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Calculation-307219079-10162020.zip
(PID) Process:(1136) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1136) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1136) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1136) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1136) WinRAR.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:EXCELFiles
Value:
1364459553
(PID) Process:(2148) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:writeName:*#<
Value:
2A233C0064080000010000000000000000000000
Executable files
4
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2148EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVR57AA.tmp.cvr
MD5:
SHA256:
1136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa1136.20155\Calculation-307219079-10162020.xlsbdocument
MD5:A868B43C3A150C594FA5D75B40B4A78A
SHA256:608910CAE9A8A0F98A1C87E65C61B94C83B7D1C3611669FD371023E963867AC4
116explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:574A616B7ED4609689E57FF8CAD76F05
SHA256:8F30979EF476EF08EE8008DEBA54008C31E7131267684B78A0E39643EE68F917
2744nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:2FB7CF03D84D75CB33D9A9C9F79AD8A0
SHA256:2A0A96686F6AD74DCCDF96F7E93B0E39D15A33BDCA93E99D6132FC294E96AC05
2148EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\3415201[1].pngexecutable
MD5:E3776B7B05951B2C68495315E836729E
SHA256:7968E439B30C14367919BD4844AB1E1775CDE9F57160650C37522BCD614FED88
2148EXCEL.EXEC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:E3776B7B05951B2C68495315E836729E
SHA256:7968E439B30C14367919BD4844AB1E1775CDE9F57160650C37522BCD614FED88
2744nosto.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:E3776B7B05951B2C68495315E836729E
SHA256:7968E439B30C14367919BD4844AB1E1775CDE9F57160650C37522BCD614FED88
4032cmd.exeC:\Hromo\Nivadalo\nosto.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2148
EXCEL.EXE
GET
200
162.241.75.141:80
http://mpsync.com.br/tcgicbzy/3415201.png
US
executable
1.02 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2148
EXCEL.EXE
162.241.75.141:80
mpsync.com.br
CyrusOne LLC
US
malicious

DNS requests

Domain
IP
Reputation
mpsync.com.br
  • 162.241.75.141
malicious

Threats

PID
Process
Class
Message
2148
EXCEL.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2148
EXCEL.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2148
EXCEL.EXE
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2148
EXCEL.EXE
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
2148
EXCEL.EXE
Misc activity
ET INFO EXE - Served Attached HTTP
2148
EXCEL.EXE
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Calculation-307219079-10162020.zip