analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| URL: | https://telegra.ph/Full-Version-02-13-3 |
| Full analysis: | https://app.any.run/tasks/16fbb7d7-40ec-4b9f-bdd3-c11ca9267620 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 03, 2023 at 13:07:43 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | EC8914FB1ED07373F14FBA6DE7CF6885 |
| SHA1: | 23A73FB27E6198A08D11A2A95E0DFE7AFD3073E6 |
| SHA256: | F2008DFF8DAB87DE85D32361209E78759D6A4CA0B42981586955EDE2E5DA5AB1 |
| SSDEEP: | 3:N8IsZxVYjn:2IkYjn |
MALICIOUS
Application was dropped or rewritten from another process
- ES85pZ32.exe (PID: 2568)
Connects to the CnC server
- sеt_uр.exe (PID: 3416)
RACCOON was detected
- sеt_uр.exe (PID: 3416)
Actions looks like stealing of personal data
- sеt_uр.exe (PID: 3416)
SUSPICIOUS
Reads the Internet Settings
- sеt_uр.exe (PID: 3416)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- firefox.exe (PID: 964)
Searches for installed software
- sеt_uр.exe (PID: 3416)
Reads browser cookies
- sеt_uр.exe (PID: 3416)
Process requests binary or script from the Internet
- sеt_uр.exe (PID: 3416)
Executable content was dropped or overwritten
- sеt_uр.exe (PID: 3416)
Connects to the server without a host name
- sеt_uр.exe (PID: 3416)
INFO
Reads the machine GUID from the registry
- sеt_uр.exe (PID: 3416)
Reads the computer name
- sеt_uр.exe (PID: 3416)
Checks proxy server information
- sеt_uр.exe (PID: 3416)
Checks supported languages
- sеt_uр.exe (PID: 3416)
Manual execution by a user
- WinRAR.exe (PID: 2512)
The process uses the downloaded file
- WinRAR.exe (PID: 2512)
- firefox.exe (PID: 964)
Create files in a temporary directory
- firefox.exe (PID: 964)
- sеt_uр.exe (PID: 3416)
Executable content was dropped or overwritten
- firefox.exe (PID: 964)
Application launched itself
- firefox.exe (PID: 2696)
- firefox.exe (PID: 964)
The process checks LSA protection
- sеt_uр.exe (PID: 3416)
Reads Environment values
- sеt_uр.exe (PID: 3416)
Reads product name
- sеt_uр.exe (PID: 3416)
Creates files or folders in the user directory
- sеt_uр.exe (PID: 3416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
49
Monitored processes
12
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2696 | "C:\Program Files\Mozilla Firefox\firefox.exe" "https://telegra.ph/Full-Version-02-13-3" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
| 964 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://telegra.ph/Full-Version-02-13-3 | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 Modules
| |||||||||||||||
| 3676 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="964.0.2096450082\874866336" -parentBuildID 20201112153044 -prefsHandle 908 -prefMapHandle 852 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 964 "\\.\pipe\gecko-crash-server-pipe.964" 1168 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 Modules
| |||||||||||||||
| 2916 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="964.6.1633183708\1480054662" -childID 1 -isForBrowser -prefsHandle 2712 -prefMapHandle 2708 -prefsLen 181 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 964 "\\.\pipe\gecko-crash-server-pipe.964" 2724 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
| 3396 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="964.13.332790593\1281994481" -childID 2 -isForBrowser -prefsHandle 3236 -prefMapHandle 3224 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 964 "\\.\pipe\gecko-crash-server-pipe.964" 3248 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
| 1472 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="964.20.2085416330\1450960954" -childID 3 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 7378 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 964 "\\.\pipe\gecko-crash-server-pipe.964" 3676 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
| 3040 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="964.27.635323560\314117425" -childID 4 -isForBrowser -prefsHandle 3708 -prefMapHandle 3796 -prefsLen 7378 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 964 "\\.\pipe\gecko-crash-server-pipe.964" 3636 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
| 3748 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="964.34.145304367\1143763820" -childID 5 -isForBrowser -prefsHandle 4044 -prefMapHandle 4040 -prefsLen 7720 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 964 "\\.\pipe\gecko-crash-server-pipe.964" 4056 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
| 3372 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="964.41.2135024692\86519500" -childID 6 -isForBrowser -prefsHandle 7812 -prefMapHandle 8156 -prefsLen 9045 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 964 "\\.\pipe\gecko-crash-server-pipe.964" 7784 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
| 2512 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ver2.4_2023.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
Total events
31 704
Read events
31 558
Write events
146
Delete events
0
Modification events
| (PID) Process: | (2696) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: 09611C1E1E000000 | |||
| (PID) Process: | (964) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: AD681C1E1E000000 | |||
| (PID) Process: | (964) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry |
Value: 0 | |||
| (PID) Process: | (964) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe |
Value: 0 | |||
| (PID) Process: | (964) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableTelemetry |
Value: 1 | |||
| (PID) Process: | (964) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent |
Value: 0 | |||
| (PID) Process: | (964) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox|ServicesSettingsServer |
Value: https://firefox.settings.services.mozilla.com/v1 | |||
| (PID) Process: | (964) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
| Operation: | write | Name: | C:\Program Files\Mozilla Firefox|SecurityContentSignatureRootHash |
Value: 97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E | |||
| (PID) Process: | (964) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (964) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000003D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
24
Suspicious files
254
Text files
96
Unknown types
76
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 964 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
| 964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite-wal | sqlite-wal | |
MD5:6809ADACAE512906F5F9E141000B312A | SHA256:C5EBE524FDAEA77A21D62EB4888BC29DAD40950A1A2ADB1FE6DC2D4FAB8AEAEB | |||
| 964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
| 964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | |
MD5:— | SHA256:— | |||
| 964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
| 964 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_16xedlgxNldUq1H | binary | |
MD5:89B1580F497BBEB70ED895FFB8BFEC8D | SHA256:5BBE90DE8ADBD879C7FD6167DD9BC7C3AD1ADFD5029F571A4CA1957D606C7476 | |||
| 964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
| 964 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | |
MD5:994A33896BB41A278A315D0D796422B6 | SHA256:54EC50A20FFF8CC016710E49437CF6A11D3FE5EE7B28C185E4A9AAFEE2908B63 | |||
| 964 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | text | |
MD5:299A2B747C11E4BDA194E563FEA4A699 | SHA256:94EE461F62E8B4A0A65471A41E10C8C56722B73C0A019D76ACA7F5BAF109813E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
61
TCP/UDP connections
174
DNS requests
336
Threats
45
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
964 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
964 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
964 | firefox.exe | POST | — | 172.64.155.188:80 | http://ocsp.sectigo.com/ | US | — | — | whitelisted |
964 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
964 | firefox.exe | POST | — | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | — | — | whitelisted |
964 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/s/gts1d4/C9sIyVCC2ts | US | der | 472 b | whitelisted |
964 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
964 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
964 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
964 | firefox.exe | POST | 200 | 142.250.186.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
964 | firefox.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
964 | firefox.exe | 192.124.249.22:80 | ocsp.godaddy.com | SUCURI-SEC | US | suspicious |
964 | firefox.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | malicious |
964 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted |
964 | firefox.exe | 142.250.185.202:443 | safebrowsing.googleapis.com | GOOGLE | US | whitelisted |
964 | firefox.exe | 35.241.9.150:443 | firefox.settings.services.mozilla.com | GOOGLE | US | suspicious |
964 | firefox.exe | 149.154.164.13:443 | telegra.ph | Telegram Messenger Inc | GB | suspicious |
964 | firefox.exe | 95.101.54.114:80 | r3.o.lencr.org | Akamai International B.V. | DE | suspicious |
964 | firefox.exe | 54.187.233.68:443 | location.services.mozilla.com | AMAZON-02 | US | unknown |
964 | firefox.exe | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | GOOGLE | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
telegra.ph |
| malicious |
firefox.settings.services.mozilla.com |
| whitelisted |
location.services.mozilla.com |
| whitelisted |
locprod2-elb-us-west-2.prod.mozaws.net |
| whitelisted |
ocsp.godaddy.com |
| whitelisted |
ocsp.godaddy.com.akadns.net |
| whitelisted |
example.org |
| whitelisted |
ipv4only.arpa |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
— | — | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup |
— | — | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup |
— | — | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup |
— | — | Potentially Bad Traffic | ET INFO Commonly Abused Content Delivery Network Domain in DNS Lookup (btloader .com) |
— | — | Potentially Bad Traffic | ET INFO Commonly Abused Content Delivery Network Domain in DNS Lookup (btloader .com) |
— | — | Potentially Bad Traffic | ET INFO Commonly Abused Content Delivery Network Domain in DNS Lookup (btloader .com) |
— | — | Potentially Bad Traffic | ET INFO Observed Abused Content Delivery Network Domain (btloader .com in TLS SNI) |
— | — | Potentially Bad Traffic | ET INFO Commonly Abused Content Delivery Network Domain in DNS Lookup (btloader .com) |
— | — | Potentially Bad Traffic | ET INFO Commonly Abused Content Delivery Network Domain in DNS Lookup (btloader .com) |