analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

freeformatter-decoded(5).rar

Full analysis: https://app.any.run/tasks/c6fc3953-1728-4723-8aec-1544f7b776fe
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 23, 2019, 09:47:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
ransomware
troldesh
shade
evasion
trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5:

4517BE9F5FC22F516D22B892924B0BAD

SHA1:

2AD663E20D0090E9664CBF12D285AC830681921D

SHA256:

EF270D63F2106B949A7888757EB9068DCB24FBEB1BEFAEAE0DC68D05D70E4BEC

SSDEEP:

24:HInztwpAWnwgRy+Kxk88L5FFb2LFX7WCLjtYoNjmpG4paaX3xt2na94DquKV:ovWHtAkTLX8FX7iodD4sanynaW6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radB8CCA.tmp (PID: 3708)

    • Downloads executable files with a strange extension

      • WScript.exe (PID: 3888)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3888)

    • Changes the autorun value in the registry

      • radB8CCA.tmp (PID: 3708)

    • TROLDESH was detected

      • radB8CCA.tmp (PID: 3708)

    • Runs app for hidden code execution

      • radB8CCA.tmp (PID: 3708)

    • Deletes shadow copies

      • radB8CCA.tmp (PID: 3708)

    • Dropped file may contain instructions of ransomware

      • radB8CCA.tmp (PID: 3708)

    • Actions looks like stealing of personal data

      • radB8CCA.tmp (PID: 3708)

    • Modifies files in Chrome extension folder

      • radB8CCA.tmp (PID: 3708)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • radB8CCA.tmp (PID: 3708)
      • WScript.exe (PID: 3888)

    • Executes scripts

      • WinRAR.exe (PID: 2432)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2792)
      • cmd.exe (PID: 300)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3888)
      • radB8CCA.tmp (PID: 3708)

    • Creates files in the program directory

      • radB8CCA.tmp (PID: 3708)

    • Checks for external IP

      • radB8CCA.tmp (PID: 3708)

    • Creates files in the user directory

      • radB8CCA.tmp (PID: 3708)

    • Creates files like Ransomware instruction

      • radB8CCA.tmp (PID: 3708)

  • INFO

    • Dropped object may contain URL to Tor Browser

      • radB8CCA.tmp (PID: 3708)

    • Dropped object may contain TOR URL's

      • radB8CCA.tmp (PID: 3708)

    • Dropped object may contain Bitcoin addresses

      • radB8CCA.tmp (PID: 3708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
15
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe cmd.exe no specs #TROLDESH radb8cca.tmp cmd.exe no specs explorer.exe no specs vssadmin.exe no specs Copy/Move/Rename/Delete/Link Object no specs certutil.exe no specs certutil.exe no specs certutil.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
2432"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\freeformatter-decoded(5).rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3888"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2432.40497\ЗАО Авиакомпания Балтийские авиалинии информация о заказе.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2792"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radB8CCA.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3708C:\Users\admin\AppData\Local\Temp\radB8CCA.tmpC:\Users\admin\AppData\Local\Temp\radB8CCA.tmp
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Enhanced Storage Password Authentication Program
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1216"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4076"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2564C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exeradB8CCA.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2352C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3492certutil -hashfile c:\m.js MD5C:\Windows\system32\certutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2280certutil -hashfile c:\m.js SHA1C:\Windows\system32\certutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CertUtil.exe
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
747
Read events
692
Write events
55
Delete events
0

Modification events

(PID) Process:(2432) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2432) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2432) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2432) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
1
(PID) Process:(2432) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\freeformatter-decoded(5).rar
(PID) Process:(2432) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2432) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2432) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2432) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2432) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:@C:\Windows\System32\wshext.dll,-4804
Value:
JScript Script File
Executable files
3
Suspicious files
1 064
Text files
51
Unknown types
25

Dropped files

PID
Process
Filename
Type
3708radB8CCA.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
3708radB8CCA.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
3708radB8CCA.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
3708radB8CCA.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
3708radB8CCA.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensustext
MD5:699A859EFFF7E105DB5AD645BC09BB04
SHA256:F5AB8367CA902BF46B02105A800E9B683E7AA37D8A313CDDE34C07B5CEF59974
2432WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb2432.40497\ЗАО Авиакомпания Балтийские авиалинии информация о заказе.jstext
MD5:285CD029250A9D109E2892CA9EDF71D7
SHA256:C3D1D18405CE861F62F7E5FEC26A80EBE5C9ADCC09CF83FFFB71F3C182A6DEA9
3708radB8CCA.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:DD61E852447E384A8F1D31F49627705E
SHA256:F95664B77674D9CEF12FD17895DD1F8EC83FF4AA3BD0C65312F5AABDDAD1B7E6
3708radB8CCA.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensustext
MD5:699A859EFFF7E105DB5AD645BC09BB04
SHA256:F5AB8367CA902BF46B02105A800E9B683E7AA37D8A313CDDE34C07B5CEF59974
3888WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1[1].pdfexecutable
MD5:821DB42AED5076881F1CCF04FB9F3025
SHA256:C0D789259CF588B03A0B557BB2E012D5954D76C8757670B0DA23BADE68E0F5CC
3708radB8CCA.tmpC:\ProgramData\Windows\csrss.exeexecutable
MD5:821DB42AED5076881F1CCF04FB9F3025
SHA256:C0D789259CF588B03A0B557BB2E012D5954D76C8757670B0DA23BADE68E0F5CC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
18
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3708
radB8CCA.tmp
GET
200
104.18.34.131:80
http://whatsmyip.net/
US
html
7.35 Kb
shared
3888
WScript.exe
GET
200
91.215.216.26:80
http://ketogenic.racevmarketing.com/wp-includes/ID3/1.pdf
BG
executable
982 Kb
malicious
3708
radB8CCA.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3708
radB8CCA.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3708
radB8CCA.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3708
radB8CCA.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3708
radB8CCA.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3708
radB8CCA.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3708
radB8CCA.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3708
radB8CCA.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3708
radB8CCA.tmp
76.73.17.194:9090
Cogent Communications
US
malicious
3708
radB8CCA.tmp
131.188.40.189:443
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
malicious
3708
radB8CCA.tmp
193.11.164.243:9001
SUNET SUNET Swedish University Network
SE
malicious
3708
radB8CCA.tmp
85.229.161.39:443
Telenor Norge AS
SE
suspicious
3708
radB8CCA.tmp
129.13.131.140:443
Karlsruhe Institute of Technology
DE
suspicious
3888
WScript.exe
91.215.216.26:80
ketogenic.racevmarketing.com
Internet Corporated Networks Ltd.
BG
suspicious
3708
radB8CCA.tmp
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
3708
radB8CCA.tmp
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
3708
radB8CCA.tmp
104.18.34.131:80
whatsmyip.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
ketogenic.racevmarketing.com
  • 91.215.216.26
malicious
whatismyipaddress.com
  • 104.16.154.36
  • 104.16.155.36
shared
whatsmyip.net
  • 104.18.34.131
  • 104.18.35.131
shared

Threats

PID
Process
Class
Message
3888
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3888
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3888
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] JS/Agent.WL2!Eldorado Executable as PDF
3888
WScript.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
3708
radB8CCA.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 185
3708
radB8CCA.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
3708
radB8CCA.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3708
radB8CCA.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 121
3708
radB8CCA.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3708
radB8CCA.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 644
23 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
freeformatter-decoded(5).rar