File name:

2.ps1

Full analysis: https://app.any.run/tasks/5e0482f0-dd5f-4ab6-903b-c1611f13f92c
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: January 20, 2022, 20:39:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
remcos
keylogger
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

FD854C4DE72CCA89BDA6EC7362CB8047

SHA1:

CBC87F189AD4FE16808C3B718720852A16437A2C

SHA256:

E219E04F6DDD3EA4A3C3F5DD9251D1E86EA820694246F7E73695427ECEF1E4D6

SSDEEP:

6144:wWHEnPX+KPg7Ppxbu9d6fnmDVR7YFNQ+UUXd2Jdf6KlPhkXsKwiQ/DaKLP50lu1J:y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • powershell.exe (PID: 3052)
    • REMCOS was detected

      • RegAsm.exe (PID: 3876)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • powershell.exe (PID: 3052)
    • Checks supported languages

      • RegAsm.exe (PID: 3876)
      • powershell.exe (PID: 3052)
    • Reads the computer name

      • RegAsm.exe (PID: 3876)
      • powershell.exe (PID: 3052)
    • Creates files in the user directory

      • RegAsm.exe (PID: 3876)
      • powershell.exe (PID: 3052)
    • PowerShell script executed

      • powershell.exe (PID: 3052)
    • Drops a file that was compiled in debug mode

      • powershell.exe (PID: 3052)
    • Reads Environment values

      • RegAsm.exe (PID: 3876)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3052)
    • Writes files like Keylogger logs

      • RegAsm.exe (PID: 3876)
  • INFO

    • Checks Windows Trust Settings

      • powershell.exe (PID: 3052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe #REMCOS regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
3052"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\2.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3876"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\usp10.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
2 796
Read events
2 718
Write events
78
Delete events
0

Modification events

(PID) Process:(3052) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3052) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3052) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3052) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3052) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3876) RegAsm.exeKey:HKEY_CURRENT_USER\Software\JANBUILD-STZUMV
Operation:writeName:exepath
Value:
740C637515544928E4DF95F93076DDC988002584295522DCEC645B3F4627C86A4C383D2EEA9C1DC4F9449FC614F9DB692AEB05223E84956009D1E5A0EBD902EF78D6BA58543DB0147C7F8B1BCCECD5EB2BA9356D6F7C5B2B96D3084510C669F1D84838E21BC69DFA5B9A2A4F404983587596
(PID) Process:(3876) RegAsm.exeKey:HKEY_CURRENT_USER\Software\JANBUILD-STZUMV
Operation:writeName:licence
Value:
FDA2A20782EBD0A0B1004D41F9A29296
Executable files
2
Suspicious files
6
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
3052powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:633630D4B472E897D6FE7BDB27290365
SHA256:0598A41B7BB73CF24BBC7AA4D62A61997ACD589555C045DBFEE9D2F1E6008B32
3052powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2F0HUFFJML0EUY20JRO1.tempbinary
MD5:633630D4B472E897D6FE7BDB27290365
SHA256:0598A41B7BB73CF24BBC7AA4D62A61997ACD589555C045DBFEE9D2F1E6008B32
3052powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF193791.TMPbinary
MD5:CCFCF369F751CE8DA0370D84E52A7EED
SHA256:53922490C3F5A04667EC3605A01AF2A4F4F265782D1BCA519F63ACAD413F2ED9
3876RegAsm.exeC:\Users\admin\AppData\Roaming\JANBUILD\logs.datbinary
MD5:644593583D2D646FB6C81798466601A1
SHA256:FD98767F454CCFAD549C31DEAD052D53781124917A4C83A52F379744BE1ECB82
3052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivedbf
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
3052powershell.exeC:\Users\admin\AppData\Local\Temp\fxdexqao.pyf.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3052powershell.exeC:\Users\admin\AppData\Local\Temp\oslp5o4q.vyb.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
3052powershell.exeC:\Users\admin\AppData\Local\Temp\e0e22da2-dbf8-4303-b7f9-7620a5e9f357\AgileDotNetRT.dllexecutable
MD5:14FF402962AD21B78AE0B4C43CD1F194
SHA256:FB9646CB956945BDC503E69645F6B5316D3826B780D3C36738D6B944E884D15B
3052powershell.exeC:\Users\admin\AppData\Local\Temp\ac5c1527-e43f-46b1-9587-143b0e06e0d9\AgileDotNetRT.dllexecutable
MD5:14FF402962AD21B78AE0B4C43CD1F194
SHA256:FB9646CB956945BDC503E69645F6B5316D3826B780D3C36738D6B944E884D15B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
94
DNS requests
99
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3876
RegAsm.exe
103.231.91.59:39207
saptransmissions.dvrlists.com
Intergrid Group Pty Ltd
AU
malicious
103.231.91.59:39207
saptransmissions.dvrlists.com
Intergrid Group Pty Ltd
AU
malicious

DNS requests

Domain
IP
Reputation
saptransmissions.dvrlists.com
  • 103.231.91.59
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
No debug info