File name:

f9ff1847-2ddc-445a-b2b6-4d74626df083.zip

Full analysis: https://app.any.run/tasks/014072e4-4355-4159-8643-a52d78af0dc9
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: April 25, 2019, 20:03:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, adware, installcore, pup, addrop
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 88C9511CB449A85AB0E78DDDA423EA69
SHA1: 9D93E122DED8A9FCFC0A806A05CF5EF231A5A0EE
SHA256: E645D18D739E06ED5D690E2DF7B2D34D1044BB3F02A65120008FB212086333E0
SSDEEP: 24576:g3U5pjVeSB/jwB60Tv6l4cQquiZKUEnoD+gh0JMLVgvydtxxkVU0qgLu5VDjmA/k:gE5pjVe48BtcbulkyOwoKydPxIsJlCAc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • adobe_flash_setup_2286150208.exe (PID: 3116)
      • adobe_flash_setup_2286150208.exe (PID: 2780)
      • adobe_flash_setup_2286150208.exe (PID: 3188)
    • INSTALLCORE was detected
      • adobe_flash_setup_2286150208.exe (PID: 3116)
    • Connects to CnC server
      • adobe_flash_setup_2286150208.exe (PID: 3116)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3276)
    • Reads the machine GUID from the registry
      • adobe_flash_setup_2286150208.exe (PID: 3116)
    • Application launched itself
      • adobe_flash_setup_2286150208.exe (PID: 2780)
      • adobe_flash_setup_2286150208.exe (PID: 3116)
    • Reads CPU info
      • adobe_flash_setup_2286150208.exe (PID: 3116)
    • Reads Windows Product ID
      • adobe_flash_setup_2286150208.exe (PID: 3116)
    • Reads internet explorer settings
      • adobe_flash_setup_2286150208.exe (PID: 3116)
    • Reads Environment values
      • adobe_flash_setup_2286150208.exe (PID: 3116)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2017:10:14 22:50:28
ZipCRC: 0x91b98f3c
ZipCompressedSize: 1543528
ZipUncompressedSize: 1569483
ZipFileName: Users/legag/Desktop/adobe_flash_setup_2286150208.exe
No data.
Total processes: 39
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes (the interactive graph is in the full report):
  • start
  • winrar.exe
  • adobe_flash_setup_2286150208.exe (no specs)
  • adobe_flash_setup_2286150208.exe (#INSTALLCORE)
  • adobe_flash_setup_2286150208.exe (no specs)

Process information

PID: 3276
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\f9ff1847-2ddc-445a-b2b6-4d74626df083.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2780
CMD: "C:\Users\admin\Desktop\adobe_flash_setup_2286150208.exe"
Path: C:\Users\admin\Desktop\adobe_flash_setup_2286150208.exe
Parent process: explorer.exe
User: admin
Company: (blank)
Integrity Level: MEDIUM
Description: Nonaranelu Setup
Exit code: 0
Version: (blank)

PID: 3116
CMD: "C:\Users\admin\Desktop\adobe_flash_setup_2286150208.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl
Path: C:\Users\admin\Desktop\adobe_flash_setup_2286150208.exe
Parent process: adobe_flash_setup_2286150208.exe
User: admin
Company: (blank)
Integrity Level: HIGH
Description: Nonaranelu Setup
Exit code: 4294967206
Version: (blank)

PID: 3188
CMD: "C:\Users\admin\Desktop\adobe_flash_setup_2286150208.exe" /_ShowProgress /PrTxt:TG9hZGluZy4uLg== /mnl
Path: C:\Users\admin\Desktop\adobe_flash_setup_2286150208.exe
Parent process: adobe_flash_setup_2286150208.exe
User: admin
Company: (blank)
Integrity Level: HIGH
Description: Nonaranelu Setup
Exit code: 259
Version: (blank)
Total events: 505
Read events: 451
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 2
Text files: 97
Unknown types: 0

Dropped files

PID: 2780 | Process: adobe_flash_setup_2286150208.exe | Type: (blank)
Filename: C:\Users\admin\AppData\Local\Temp\0010D534.log
MD5:
SHA256:
PID: 3276 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\adobe_flash_setup_2286150208.exe
MD5:E9C02D7E635CA05B3F698B20239355EC
SHA256:CC973A058030F30DC8F555F4367757C05A8167A4378169518D9B20BA0408581A
PID: 2780 | Process: adobe_flash_setup_2286150208.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\inH110315651648\css\ie6_main.css
MD5:8B8C57A3E345CA7FC4D5DA5133046F38
SHA256:59C4426E8DF1955BF62C6B4FC8392460276132A65FB2F511C1DC8C34E351E7F8
PID: 2780 | Process: adobe_flash_setup_2286150208.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\inH110315651648\css\sdk-ui\browse.css
MD5:6009D6E864F60AEA980A9DF94C1F7E1C
SHA256:5EF48A8C8C3771B4F233314D50DD3B5AFDCD99DD4B74A9745C8FE7B22207056D
PID: 2780 | Process: adobe_flash_setup_2286150208.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\inH110315651648\css\sdk-ui\progress-bar.css
MD5:5335F1C12201B5F7CF5F8B4F5692E3D1
SHA256:974CD89E64BDAA85BF36ED2A50AF266D245D781A8139F5B45D7C55A0B0841DDA
PID: 2780 | Process: adobe_flash_setup_2286150208.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\inH110315651648\css\sdk-ui\images\progress-bg2.png
MD5:B582D9A67BFE77D523BA825FD0B9DAE3
SHA256:AB4EEB3EA1EEF4E84CB61ECCB0BA0998B32108D70B3902DF3619F4D9393F74C3
PID: 2780 | Process: adobe_flash_setup_2286150208.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\inH110315651648\images\Close.png
MD5:C222A4F3D309721C0898606960120266
SHA256:F638CC042B7ADE6F43F2FAF0077E020137562E559178396B7E975DB39AC13DF6
PID: 2780 | Process: adobe_flash_setup_2286150208.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Temp\inH110315651648\images\Color_Button.png
MD5:B2B464997F4DB222765A07F8BA7909B2
SHA256:38DE61D53651A817708FFF0552AAC6F9122E722B92DA9AB1A455B547FAE91123
PID: 2780 | Process: adobe_flash_setup_2286150208.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\inH110315651648\form.bmp.Mask
MD5:D2FC989F9C2043CD32332EC0FAD69C70
SHA256:27DD029405CBFB0C3BF8BAC517BE5DB9AA83E981B1DC2BD5C5D6C549FA514101
PID: 2780 | Process: adobe_flash_setup_2286150208.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\inH110315651648\css\sdk-ui\checkbox.css
MD5:64773C6B0E3413C81AEBC46CCE8C9318
SHA256:B09504C1BF0486D3EC46500592B178A3A6C39284672AF8815C3687CC3D29560D
HTTP(S) requests: 7
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3116 | adobe_flash_setup_2286150208.exe | POST | - | 18.203.190.76:80 | http://info.notatolol2.com/?ciko=0 | US | - | - | malicious
3116 | adobe_flash_setup_2286150208.exe | POST | 200 | 52.214.73.247:80 | http://rp.notatolol2.com/ | IE | - | - | malicious
3116 | adobe_flash_setup_2286150208.exe | POST | 200 | 52.214.73.247:80 | http://rp.notatolol2.com/ | IE | - | - | malicious
3116 | adobe_flash_setup_2286150208.exe | POST | 200 | 52.214.73.247:80 | http://rp.notatolol2.com/ | IE | - | - | malicious
3116 | adobe_flash_setup_2286150208.exe | POST | 200 | 52.214.73.247:80 | http://rp.notatolol2.com/ | IE | - | - | malicious
3116 | adobe_flash_setup_2286150208.exe | POST | - | 18.203.190.76:80 | http://info.notatolol2.com/?xeciyef=2 | US | - | - | malicious
3116 | adobe_flash_setup_2286150208.exe | POST | 500 | 18.203.190.76:80 | http://info.notatolol2.com/?fejev=1 | US | text | 21 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3116 | adobe_flash_setup_2286150208.exe | 52.214.73.247:80 | rp.notatolol2.com | Amazon.com, Inc. | IE | malicious
3116 | adobe_flash_setup_2286150208.exe | 18.203.190.76:80 | info.notatolol2.com | - | US | malicious

DNS requests

Domain | IP | Reputation
rp.notatolol2.com | 52.214.73.247, 54.194.149.175 | malicious
info.notatolol2.com | 18.203.190.76, 52.212.157.66, 52.209.116.64 | malicious

Threats

PID | Process | Class | Message
3116 | adobe_flash_setup_2286150208.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
3116 | adobe_flash_setup_2286150208.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3116 | adobe_flash_setup_2286150208.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
3116 | adobe_flash_setup_2286150208.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
3116 | adobe_flash_setup_2286150208.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
3116 | adobe_flash_setup_2286150208.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
6 ETPRO signatures available at the full report
No debug info