analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://agen-slot.club/fab.php

Full analysis: https://app.any.run/tasks/cc388f51-2fc4-48ae-8016-bb725b1b5946
Verdict: Malicious activity
Analysis date: February 22, 2020, 10:55:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

E2AAACB02468B9C63D1D37535AF6228E

SHA1:

B95213FE7CB99011542FEAA0CAE2A9E22B392886

SHA256:

F09C931A1BC48993E5196238D86A287242D20BE413309549291CE4F267F9AC64

SSDEEP:

3:N8eLdbo:2eLFo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3924)
      • iexplore.exe (PID: 1832)
    • Changes internet zones settings

      • iexplore.exe (PID: 3924)
    • Application launched itself

      • iexplore.exe (PID: 3924)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1832)
    • Creates files in the user directory

      • iexplore.exe (PID: 1832)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1832)
      • iexplore.exe (PID: 3924)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3924)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3924"C:\Program Files\Internet Explorer\iexplore.exe" https://agen-slot.club/fab.phpC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
1832"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3924 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
6 212
Read events
948
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
70
Text files
55
Unknown types
67

Dropped files

PID
Process
Filename
Type
1832iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4
MD5:
SHA256:
3924iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1832iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab8006.tmp
MD5:
SHA256:
1832iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar8007.tmp
MD5:
SHA256:
3924iexplore.exeC:\Users\admin\AppData\Local\Temp\CabC4EE.tmp
MD5:
SHA256:
3924iexplore.exeC:\Users\admin\AppData\Local\Temp\TarC4EF.tmp
MD5:
SHA256:
3924iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE2B9.tmp
MD5:
SHA256:
1832iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDAbinary
MD5:6A2FB8D5DE5A167E6199F1B01C07446E
SHA256:AFDE0D213057B546A0E94675465F7714AB6FAE0753009824B9BAF219230B8194
1832iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4der
MD5:BD71E02F5C466D35149B68EBE0A04E55
SHA256:CF3A2D15C2F3128892EDB29B2884280A1F801089BA23E16E57627A4EB156ACD6
1832iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDAder
MD5:21324AC6841B97BAC28FD30BA2BDFFB4
SHA256:0B10C68ADB90821EE8EF3DA10D53948B1A0046121EBDE43F0763718E2E330E4F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
78
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1832
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
US
der
471 b
whitelisted
1832
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
US
der
471 b
whitelisted
3924
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3924
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3924
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1832
iexplore.exe
GET
200
45.77.245.214:80
http://agen-slot.club/wp-content/uploads/2019/10/cai-shen-ye.png
US
image
80.3 Kb
suspicious
1832
iexplore.exe
GET
200
45.77.245.214:80
http://agen-slot.club/wp-content/uploads/2019/10/AGEN-SBOBET-mstar69.gif
US
image
80.1 Kb
suspicious
1832
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEQCLjki1zp2PMJNgNUO3LK5%2B
US
der
280 b
whitelisted
1832
iexplore.exe
GET
200
45.77.245.214:80
http://agen-slot.club/wp-content/uploads/2019/10/agen-slot-online-terpercaya-di-indonesia.jpg
US
image
474 Kb
suspicious
1832
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj%2F6qJAfE5%2Fj9OXBRE4%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3924
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3924
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3924
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1832
iexplore.exe
151.139.128.14:80
ocsp.usertrust.com
Highwinds Network Group, Inc.
US
suspicious
3924
iexplore.exe
45.77.245.214:443
US
suspicious
1832
iexplore.exe
45.77.245.214:443
US
suspicious
1832
iexplore.exe
172.217.16.131:80
ocsp.pki.goog
Google Inc.
US
whitelisted
1832
iexplore.exe
172.217.22.40:443
www.googletagmanager.com
Google Inc.
US
whitelisted
1832
iexplore.exe
45.77.245.214:80
US
suspicious
1832
iexplore.exe
172.217.22.14:443
www.google-analytics.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
agen-slot.club
  • 104.20.243.79
  • 104.20.242.79
suspicious
ocsp.usertrust.com
  • 151.139.128.14
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
www.googletagmanager.com
  • 172.217.22.40
whitelisted
ocsp.pki.goog
  • 172.217.16.131
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
No debug info