analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SPAM2.zip

Full analysis: https://app.any.run/tasks/f39b7c5d-97b5-46e7-a25d-663f73f50a55
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 09, 2019, 13:49:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
macros
macros-on-open
trojan
stealer
predator
gozi
ursnif
dreambot
loader
maldoc-3
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

3D89429CC52FE696A27D4B3BA6A14BE0

SHA1:

27E199C2B2657FD2EABA028D7E29142B8FD7ED1E

SHA256:

F61562EB774E0BD7D47C584A74E1AD8F5C2CA163C114037EA641FAB0500BCEDB

SSDEEP:

12288:R/8/YO3uKaDSC+swLJWSvXo73JLGPvDChecFUWb7prC:RE/t3uKaD1y1veZLGTXcCMRC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Toqis.exe (PID: 1952)
      • Toqis.exe (PID: 2176)
      • icath1.exe (PID: 988)
      • 20435.exe (PID: 2672)

    • Connects to CnC server

      • Toqis.exe (PID: 1952)
      • IEXPLORE.EXE (PID: 2380)
      • 20435.exe (PID: 2672)
      • IEXPLORE.EXE (PID: 2472)

    • PREDATOR was detected

      • Toqis.exe (PID: 1952)
      • 20435.exe (PID: 2672)

    • Executes scripts

      • WINWORD.EXE (PID: 1844)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 1844)

    • URSNIF was detected

      • IEXPLORE.EXE (PID: 2380)
      • WScript.exe (PID: 1048)
      • IEXPLORE.EXE (PID: 2472)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 1048)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 600)
      • WScript.exe (PID: 1048)

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 600)
      • WScript.exe (PID: 1048)

    • Creates files in the user directory

      • Toqis.exe (PID: 1952)

    • Reads the cookies of Google Chrome

      • Toqis.exe (PID: 1952)
      • 20435.exe (PID: 2672)

    • Searches for installed software

      • Toqis.exe (PID: 1952)
      • 20435.exe (PID: 2672)

    • Starts CMD.EXE for self-deleting

      • Toqis.exe (PID: 1952)
      • 20435.exe (PID: 2672)

    • Starts CMD.EXE for commands execution

      • Toqis.exe (PID: 1952)
      • 20435.exe (PID: 2672)

    • Reads Internet Cache Settings

      • WScript.exe (PID: 1048)

    • Executed via COM

      • iexplore.exe (PID: 2960)
      • iexplore.exe (PID: 2136)
      • iexplore.exe (PID: 2760)

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 1844)

    • Creates files in the program directory

      • WScript.exe (PID: 1048)

  • INFO

    • Manual execution by user

      • Toqis.exe (PID: 1952)
      • Toqis.exe (PID: 2176)
      • icath1.exe (PID: 988)
      • WINWORD.EXE (PID: 1844)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 1844)
      • iexplore.exe (PID: 2960)
      • iexplore.exe (PID: 2136)
      • iexplore.exe (PID: 2760)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1844)

    • Reads settings of System Certificates

      • WScript.exe (PID: 1048)
      • iexplore.exe (PID: 2960)
      • iexplore.exe (PID: 2136)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1844)
      • IEXPLORE.EXE (PID: 2472)

    • Changes internet zones settings

      • iexplore.exe (PID: 2960)
      • iexplore.exe (PID: 2136)
      • iexplore.exe (PID: 2760)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2380)
      • IEXPLORE.EXE (PID: 2472)
      • IEXPLORE.EXE (PID: 2728)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2960)
      • iexplore.exe (PID: 2136)
      • iexplore.exe (PID: 2760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.kmz | Google Earth saved working session (60)
.zip | ZIP compressed archive (40)

EXIF

ZIP

ZipFileName: icath1.exe
ZipUncompressedSize: 181248
ZipCompressedSize: 134508
ZipCRC: 0x25cb2223
ZipModifyDate: 2019:10:09 15:47:02
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
17
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe #PREDATOR toqis.exe toqis.exe icath1.exe no specs cmd.exe no specs ping.exe no specs winword.exe no specs #URSNIF wscript.exe iexplore.exe #URSNIF iexplore.exe #PREDATOR 20435.exe cmd.exe no specs ping.exe no specs iexplore.exe iexplore.exe no specs iexplore.exe #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
600"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SPAM2.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1952"C:\Users\admin\Desktop\Toqis.exe" C:\Users\admin\Desktop\Toqis.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2176"C:\Users\admin\Desktop\Toqis.exe" C:\Users\admin\Desktop\Toqis.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
988"C:\Users\admin\Desktop\icath1.exe" C:\Users\admin\Desktop\icath1.exeexplorer.exe
User:
admin
Company:
Anpart Nitro
Integrity Level:
MEDIUM
Description:
ByWater
Exit code:
0
Version:
7.6.12.94
1704"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\admin\Desktop\Toqis.exe"C:\Windows\SysWOW64\cmd.exeToqis.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2536ping 127.0.0.1 C:\Windows\SysWOW64\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1844"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\info_10_09.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.5123.5000
1048"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\vnxvmqlysc.js" C:\Windows\System32\WScript.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2960"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2380"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:267521 /prefetch:2C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
3 116
Read events
2 362
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
5
Text files
15
Unknown types
4

Dropped files

PID
Process
Filename
Type
1844WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR5E13.tmp.cvr
MD5:
SHA256:
2960iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFC3F39C7F600BA65F.TMP
MD5:
SHA256:
2960iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF86779776EE740A9D.TMP
MD5:
SHA256:
2960iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FA19023C-EA9B-11E9-9008-5254004AAD21}.dat
MD5:
SHA256:
1844WINWORD.EXEC:\Windows\Temp\vnxvmqlysc.jstext
MD5:48C2C5F2077215C26EC2A62F36A87994
SHA256:20890C36004884FE2A0B5E2B0E2D250AB005937FF9A32B89C32C7DD58D86B36E
600WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa600.5887\Toqis.exeexecutable
MD5:D54DFBF928D1364872E93A4E48F87271
SHA256:3EA62E2C2337F27784B7726FB704914A9DD0E5E6D6F4254B7971C058CC2C01E6
2136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\favicon[1].ico
MD5:
SHA256:
2136iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1844WINWORD.EXEC:\Users\admin\Desktop\~$fo_10_09.docpgc
MD5:FD0837FE0ED1B86CF49CC63A3834D5D1
SHA256:A3EA3F5AA6687F9BCF2A44285CF7698CD29C6479228CDCCD86894F16B9488FBF
600WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa600.5887\info_10_09.docdocument
MD5:8EA2E0FF3AE39C33C9A9EFE6213352A0
SHA256:8D4CB3EE4870CAB44F234EF41A4C9B7FC7522D45F657149F9270C5690FD78281
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
22
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1048
WScript.exe
GET
200
162.244.32.162:80
http://seetelcury.com/Toqis.php
US
executable
538 Kb
suspicious
1048
WScript.exe
GET
404
184.30.217.76:443
https://www.trendmicro.com/de_de/404.html
NL
html
72.4 Kb
whitelisted
1048
WScript.exe
GET
404
104.109.84.249:443
https://docs.microsoft.com/en-us/aspnet/index/404
NL
html
16.6 Kb
whitelisted
1048
WScript.exe
GET
404
85.143.222.152:80
http://zelinopats.com/angosz/cecolf.php?l=icath1.tar
RU
malicious
2960
iexplore.exe
GET
304
152.199.19.161:443
https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml
US
whitelisted
2472
IEXPLORE.EXE
GET
200
176.119.156.135:80
http://t7763jykqeiy.com/images/TmOTddMa_/2Bkf6LSQJ_2FzOZ7yW5M/r_2FJtEtIrsS8B04xE6/_2FgM_2F8lUanl3zG1pn_2/Bd5WKeSb_2F_2/BjYn_2FN/6v55yxyovJ304ABLT4V9qE3/h3fnyhuJVt/LoO2O0nnZ3dARQhR7/tHyFGplL7O9f/aOBUc7aRXcH/0ZpX.avi
unknown
malicious
1952
Toqis.exe
POST
200
47.88.101.83:80
http://gacraze0710.com/api/check.get
US
text
152 b
malicious
2960
iexplore.exe
GET
200
152.199.19.161:443
https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblocklist.bin
US
whitelisted
1048
WScript.exe
GET
404
104.109.84.249:443
https://docs.microsoft.com/en-us/office/index/404
NL
html
16.6 Kb
whitelisted
2960
iexplore.exe
GET
200
152.199.19.161:443
https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml
US
xml
351 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2380
IEXPLORE.EXE
172.217.21.206:80
google.com
Google Inc.
US
whitelisted
2380
IEXPLORE.EXE
172.217.21.228:80
www.google.com
Google Inc.
US
whitelisted
1048
WScript.exe
184.30.217.76:443
www.trendmicro.com
Akamai International B.V.
NL
unknown
1952
Toqis.exe
47.88.101.83:80
gacraze0710.com
Alibaba (China) Technology Co., Ltd.
US
malicious
1048
WScript.exe
104.109.84.249:443
docs.microsoft.com
Akamai International B.V.
NL
whitelisted
2960
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1048
WScript.exe
162.244.32.162:80
seetelcury.com
Hosting Solution Ltd.
US
suspicious
2136
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1048
WScript.exe
85.143.222.152:80
zelinopats.com
Trader soft LLC
RU
malicious
2672
20435.exe
47.88.101.83:80
gacraze0710.com
Alibaba (China) Technology Co., Ltd.
US
malicious

DNS requests

Domain
IP
Reputation
gacraze0710.com
  • 47.88.101.83
malicious
docs.microsoft.com
  • 104.109.84.249
whitelisted
www.trendmicro.com
  • 184.30.217.76
whitelisted
google.com
  • 172.217.21.206
whitelisted
www.google.com
  • 172.217.21.228
whitelisted
zelinopats.com
  • 85.143.222.152
malicious
seetelcury.com
  • 162.244.32.162
suspicious
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
q982yeq23.xyz
unknown

Threats

PID
Process
Class
Message
1952
Toqis.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin
2380
IEXPLORE.EXE
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
1048
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] MalDoc Requesting Ursnif Payload
1048
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2672
20435.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin
2472
IEXPLORE.EXE
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
9 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SPAM2.zip