analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://mega.nz/#!yq4FgapS!t1RinzzZoEyas1hjT_QrnQBJ_1iHD183jdh49F9CWgc

Full analysis: https://app.any.run/tasks/7ea05e27-f660-46d8-a548-dff69b415152
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 21, 2020, 16:34:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

854433F4EA7748E3F70FD865952D5086

SHA1:

448D2DD93FD763042EB012AB0DE586BD663EF69E

SHA256:

E25B115A35072E47D10A653FAEF3A9B8C5399EA386F6FF55E3E5FB529262C44D

SSDEEP:

3:N8X/iGELRtX3gUPxfQnvEhUUdcjiFn:29OnQUN8IUzQn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AntiPublic.exe (PID: 676)
      • AntiPublic Updater.exe (PID: 3680)
      • AntiPublic.exe (PID: 3692)
      • ConsoleRegChecker.exe (PID: 1840)

    • Loads dropped or rewritten executable

      • AntiPublic.exe (PID: 676)
      • AntiPublic.exe (PID: 3692)
      • WerFault.exe (PID: 3772)
      • AntiPublic Updater.exe (PID: 3680)
      • ConsoleRegChecker.exe (PID: 1840)

    • Downloads executable files from the Internet

      • AntiPublic Updater.exe (PID: 3680)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • AntiPublic.exe (PID: 676)
      • WinRAR.exe (PID: 3504)
      • AntiPublic Updater.exe (PID: 3680)

    • Reads Environment values

      • AntiPublic.exe (PID: 3692)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 3580)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3456)

    • Application launched itself

      • AcroRd32.exe (PID: 1920)
      • iexplore.exe (PID: 3456)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3580)
      • iexplore.exe (PID: 3332)

    • Changes internet zones settings

      • iexplore.exe (PID: 3456)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3456)
      • iexplore.exe (PID: 3580)

    • Creates files in the user directory

      • iexplore.exe (PID: 3456)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3456)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
13
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe acrord32.exe no specs acrord32.exe no specs acrord32.exe no specs winrar.exe antipublic.exe werfault.exe antipublic updater.exe antipublic.exe msoxmled.exe no specs iexplore.exe no specs consoleregchecker.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3456"C:\Program Files\Internet Explorer\iexplore.exe" "https://mega.nz/#!yq4FgapS!t1RinzzZoEyas1hjT_QrnQBJ_1iHD183jdh49F9CWgc"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3580"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3456 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2140"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3580C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeiexplore.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
0
Version:
15.23.20070.215641
1920"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3580C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeiexplore.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
4068"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 3580C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
3504"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Myrz AntiPublic.rar"C:\Program Files\WinRAR\WinRAR.exe
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
676"C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.42244\Myrz AntiPublic\AntiPublic.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.42244\Myrz AntiPublic\AntiPublic.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
3762504530
Version:
0.0.0.0
3772C:\Windows\system32\WerFault.exe -u -p 676 -s 1296C:\Windows\system32\WerFault.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3680"C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.44979\Myrz AntiPublic\AntiPublic Updater.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.44979\Myrz AntiPublic\AntiPublic Updater.exe
WinRAR.exe
User:
admin
Company:
Newtonsoft
Integrity Level:
MEDIUM
Description:
Json.NET
Exit code:
0
Version:
9.0.1.19813
3692"C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.44979\Myrz AntiPublic\AntiPublic.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3504.44979\Myrz AntiPublic\AntiPublic.exe
AntiPublic Updater.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
0.0.0.0
Total events
7 719
Read events
3 107
Write events
0
Delete events
0

Modification events

No data
Executable files
30
Suspicious files
44
Text files
97
Unknown types
27

Dropped files

PID
Process
Filename
Type
3456iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3580iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabA512.tmp
MD5:
SHA256:
3580iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarA513.tmp
MD5:
SHA256:
3580iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4der
MD5:282D9008EC4C74647B24100E4E77064C
SHA256:22CE16F8B821412E0DAE738C0C6D134352DA0D2F2A0148DD2E0B3DA7A94BF779
3580iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4binary
MD5:52570E5798729242147AE15A09BC6CC1
SHA256:94A6A9F57096128095EF3EDF6E4CF61E3052922F2808F4842686E7937783397B
3580iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C7DBB7F7DCFB05483EA77D02F0FB338der
MD5:DA00AB9D84CA42CC7BCFF965541750CA
SHA256:B3F31AA3B4C5FC4F55ED8CF7285526D5F35295726116F7DD7EC8B85AEAF65526
3580iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C7DBB7F7DCFB05483EA77D02F0FB338binary
MD5:F250E8C7831E86C0E7733BCFEDA1F971
SHA256:24B2012335D7957725623F6F9242C4E31458A6F839C2BACF8D16236BA457BD3E
3580iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\N1UZ7L2E\mega[1].xmltext
MD5:C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA256:B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
3580iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4der
MD5:90CC8FC123C6481D30C2042ABC09E171
SHA256:BDB5509FAAF8DF7447552FD00F3B9248EC92A2435F45ADCEC46AC8B5D005695B
3580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\9XO440Z8.htmhtml
MD5:FA6821D8096E6591F386553FD292B9D1
SHA256:BDBFBD837C526CFB7E0B1545C0D635D8BA5C35331F41628D9A738ADCDA8823C8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
40
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3456
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3580
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D
US
der
727 b
whitelisted
3456
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3580
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEGan3iXcwakJX6A2HBCC7Jw%3D
US
der
471 b
whitelisted
3580
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D
US
der
727 b
whitelisted
3580
iexplore.exe
GET
200
2.16.186.27:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgNQ1oHPkj%2Fix2WUmft9rVv0%2BQ%3D%3D
unknown
der
527 b
whitelisted
3580
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
US
der
471 b
whitelisted
3580
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQCWqo32v01TJjW%2FjQoM7TAf
US
der
472 b
whitelisted
676
AntiPublic.exe
GET
200
87.98.186.90:80
http://myrz.org/api/check_updates.php?do=version
FR
text
18 b
whitelisted
3456
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3456
iexplore.exe
204.79.197.200:80
mega.nz
Microsoft Corporation
US
whitelisted
3580
iexplore.exe
31.216.148.10:443
Datacenter Luxembourg S.A.
LU
unknown
3580
iexplore.exe
192.35.177.64:80
crl.identrust.com
IdenTrust
US
malicious
3456
iexplore.exe
31.216.148.10:443
Datacenter Luxembourg S.A.
LU
unknown
3580
iexplore.exe
2.16.186.9:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
whitelisted
3580
iexplore.exe
89.44.169.132:443
eu.static.mega.co.nz
Datacenter Luxembourg S.A.
LU
suspicious
3580
iexplore.exe
2.16.186.27:80
ocsp.int-x3.letsencrypt.org
Akamai International B.V.
whitelisted
3580
iexplore.exe
31.216.147.132:443
g.api.mega.co.nz
Cyprus Telecommunications Authority
LU
unknown
3580
iexplore.exe
151.139.128.14:80
ocsp.usertrust.com
Highwinds Network Group, Inc.
US
suspicious
3456
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
mega.nz
  • 204.79.197.200
whitelisted
isrg.trustid.ocsp.identrust.com
  • 2.16.186.9
  • 2.16.186.11
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
crl.identrust.com
  • 192.35.177.64
whitelisted
ocsp.int-x3.letsencrypt.org
  • 2.16.186.27
  • 2.16.186.11
whitelisted
eu.static.mega.co.nz
  • 89.44.169.132
  • 31.216.148.13
  • 31.216.148.11
  • 89.44.169.134
shared
g.api.mega.co.nz
  • 31.216.147.132
  • 31.216.147.136
  • 31.216.147.134
  • 31.216.147.135
  • 31.216.147.133
shared
ocsp.usertrust.com
  • 151.139.128.14
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted

Threats

PID
Process
Class
Message
3680
AntiPublic Updater.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3680
AntiPublic Updater.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://mega.nz/#!yq4FgapS!t1RinzzZoEyas1hjT_QrnQBJ_1iHD183jdh49F9CWgc