Field | Value |
---|---|
File name | f1642209292.zip |
Full analysis | https://app.any.run/tasks/977397cd-2f82-4b6a-ae8c-0a89fb5aae80 |
Verdict | Malicious activity |
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date | January 15, 2022, 01:15:09 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | D1B2855320289D34316F45C6E3D59065 |
SHA1 | 6A976AC887AC14AC67B9B8CCDAC7B5D7C97D1F9E |
SHA256 | EFF7FD5659A327D68293C30DF9FED1D633877A722E02D2F534108939CA3A7099 |
SSDEEP | 3072:9Dt49qUqvyQdPv/rN+EKleG+RJ22v7TFK89qu2HfbcRJey2Inx05vbo:9Dt4gJvy+xU+RTOu2Dc3T2Ix05Do |

Zip metadata | Value |
---|---|
.zip | ZIP compressed archive (100) |
ZipRequiredVersion | 20 |
ZipBitFlag | 0x0003 |
ZipCompression | Unknown (99) |
ZipModifyDate | 2022:01:15 04:01:01 |
ZipCRC | 0x51fa9d48 |
ZipCompressedSize | 137141 |
ZipUncompressedSize | 137088 |
ZipFileName | Setup.zip |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2172 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\f1642209292.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0 |
824 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIb2172.47376\password-is-485136.txt | C:\Windows\system32\NOTEPAD.EXE | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2260 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb2172.48236\Setup.zip | C:\Program Files\WinRAR\WinRAR.exe | | WinRAR.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0 |
1420 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2260.48760\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2260.48760\Setup.exe | — | WinRAR.exe | User: admin; Company: Setup; Integrity Level: MEDIUM; Description: Setup; Exit code: 3221226540; Version: 1.0.0.1 |
1160 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2260.48760\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2260.48760\Setup.exe | | WinRAR.exe | User: admin; Company: Setup; Integrity Level: HIGH; Description: Setup; Exit code: 1; Version: 1.0.0.1 |
2672 | "C:\Users\admin\AppData\Local\Temp\OracleSearch.exe" | C:\Users\admin\AppData\Local\Temp\OracleSearch.exe | | Setup.exe | User: admin; Company: React; Integrity Level: HIGH; Description: React Dispatcher; Version: 1.11020.9.51 |
3568 | "C:\Users\admin\Pictures\Adobe Films\4WQLnK0dCeR3Lp2xf6O1LiM7.exe" | C:\Users\admin\Pictures\Adobe Films\4WQLnK0dCeR3Lp2xf6O1LiM7.exe | | OracleSearch.exe | User: admin; Integrity Level: HIGH |
2848 | "C:\Users\admin\Pictures\Adobe Films\zn2PumNkov9MCRtUxcQg3Flk.exe" | C:\Users\admin\Pictures\Adobe Films\zn2PumNkov9MCRtUxcQg3Flk.exe | — | OracleSearch.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
296 | "C:\Users\admin\Pictures\Adobe Films\ixT1donAxy7TlWzoGnObbGUw.exe" | C:\Users\admin\Pictures\Adobe Films\ixT1donAxy7TlWzoGnObbGUw.exe | — | OracleSearch.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
3024 | "C:\Users\admin\Pictures\Adobe Films\iBvCPKCX4yF3fECm3p7Tp_z_.exe" | C:\Users\admin\Pictures\Adobe Films\iBvCPKCX4yF3fECm3p7Tp_z_.exe | | OracleSearch.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |

PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
2172 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
2172 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
2172 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US |
2172 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
2172 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
2172 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\f1642209292.zip |
2172 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
2172 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
2172 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
2172 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1160 | Setup.exe | C:\Users\admin\AppData\Local\Temp\OracleSearch.exe | executable | 02721CC2C7B951DEE87DFF82FA87012E | BF822CE98236C3F2BC05701DEFB708B5710BB9404408DAD421F1D47B9B3EFB5A |
2672 | OracleSearch.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\NiceProcessX32[1].bmp | executable | A89561ABD740E80AA85B8E86EFE9A210 | E83F58825C02DB8659491FE6E3DECEC9ADA7040BAF22DE5957FA17477466CA46 |
2672 | OracleSearch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 3BEFA0CDBC5158FFAF209081F52BBA4F | 6919F882EE0185F7CA7C74B45ABCA5D5332BD8E4E5E9DDE3298F255A1BAD61B8 |
2260 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2260.48760\bin0 | binary | 8BAA182D2307FFE5B9FABFDF49A5D305 | 58BD35BCEC9A36A79A4778799F24808EA43B0AEEF11F37C1F8D46739CDA2CCF3 |
2172 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb2172.47376\password-is-485136.txt | text | 9683880DB2FFBEC05BC75F9D697C776A | 345019657FD7F0473733333EDC275B195197774EF04D166C0CFA65EC7B76CBDB |
2260 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2260.48760\Setup.exe | executable | 7EB73699144F23CDD8E5139F12BDEC8C | 2415FFFB7AD3A2090EB8C53DF0719E0CF268C9003F024E1AA3DFBCF286D84758 |
2672 | OracleSearch.exe | C:\Users\admin\Documents\Ei8DrAmaYu9K8ghN89CsjOW1.tmp | binary | 57F492DB3101CA040176C4CEACCC8C5E | 9BFB00DFDF0BB2AD99D138F721260F2B3FB1BD7CDDEC20EC92291CF57EA63C4B |
2672 | OracleSearch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | F7DCB24540769805E5BB30D193944DCE | 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA |
2672 | OracleSearch.exe | C:\Users\admin\Pictures\Adobe Films\9EjFEV6qTIlMPihUeezSbSLl.exe | html | C8DDCE4DE7D2FD26927E6DB3D554AFD0 | 4A47941324BC9F45254B507AA228D2652064B7277C7FCB0674D1E5FE7DC68467 |
2672 | OracleSearch.exe | C:\Users\admin\Pictures\Adobe Films\4WQLnK0dCeR3Lp2xf6O1LiM7.exe | executable | A89561ABD740E80AA85B8E86EFE9A210 | E83F58825C02DB8659491FE6E3DECEC9ADA7040BAF22DE5957FA17477466CA46 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2672 | OracleSearch.exe | HEAD | 404 | 212.193.30.45:80 | http://212.193.30.45/WW/file5.exe | RU | — | — | malicious |
2672 | OracleSearch.exe | HEAD | 200 | 45.144.225.57:80 | http://45.144.225.57/WW/search_target1kpd.exe | unknown | — | — | malicious |
2672 | OracleSearch.exe | HEAD | 200 | 185.215.113.208:80 | http://185.215.113.208/ferrari.exe | PT | — | — | malicious |
2672 | OracleSearch.exe | HEAD | 200 | 45.144.225.57:80 | http://45.144.225.57/download/NiceProcessX32.bmp | unknown | — | — | malicious |
2672 | OracleSearch.exe | HEAD | 404 | 45.144.225.57:80 | http://45.144.225.57/WW/sfx_123_310.exe | unknown | — | — | malicious |
2672 | OracleSearch.exe | HEAD | 404 | 212.193.30.29:80 | http://212.193.30.29/WW/file1.exe | RU | — | — | malicious |
2672 | OracleSearch.exe | GET | 400 | 212.193.30.45:80 | http://212.193.30.45/proxies.txt | RU | html | 301 b | malicious |
2672 | OracleSearch.exe | GET | 200 | 45.144.225.57:80 | http://45.144.225.57/download/NiceProcessX32.bmp | unknown | executable | 259 Kb | malicious |
2672 | OracleSearch.exe | GET | 400 | 45.144.225.57:80 | http://45.144.225.57/server.txt | unknown | html | 301 b | malicious |
2672 | OracleSearch.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 45.144.225.57:80 | — | — | — | malicious |
2672 | OracleSearch.exe | 162.159.129.233:80 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2672 | OracleSearch.exe | 2.56.59.42:80 | — | — | — | malicious |
2672 | OracleSearch.exe | 172.67.133.215:80 | wfsdragon.ru | — | US | malicious |
2672 | OracleSearch.exe | 212.193.30.45:80 | — | — | RU | malicious |
2672 | OracleSearch.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
2672 | OracleSearch.exe | 162.159.129.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2672 | OracleSearch.exe | 162.159.130.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2672 | OracleSearch.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2672 | OracleSearch.exe | 172.67.75.166:443 | db-ip.com | — | US | malicious |

Domain | IP | Reputation |
---|---|---|
pastebin.com | | shared |
wfsdragon.ru | | malicious |
cdn.discordapp.com | | shared |
ctldl.windowsupdate.com | | whitelisted |
ocsp.digicert.com | | whitelisted |
ipinfo.io | | shared |
db-ip.com | | whitelisted |
api.db-ip.com | | shared |
stylesheet.faseaegasdfase.com | | malicious |
xmtbsj.com | | suspicious |

PID | Process | Class | Message |
---|---|---|---|
2672 | OracleSearch.exe | A Network Trojan was detected | ET MALWARE User-Agent (???) |
2672 | OracleSearch.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2672 | OracleSearch.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2672 | OracleSearch.exe | A Network Trojan was detected | ET MALWARE User-Agent (???) |
2672 | OracleSearch.exe | Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions |
2672 | OracleSearch.exe | Generic Protocol Command Decode | SURICATA Applayer Mismatch protocol both directions |
2672 | OracleSearch.exe | A Network Trojan was detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
2672 | OracleSearch.exe | Potential Corporate Privacy Violation | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) |
2672 | OracleSearch.exe | A Network Trojan was detected | ET TROJAN Win32/Unk.HRESQ! MultiDownloader Checkin |
2672 | OracleSearch.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |