analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

azur.zip

Full analysis: https://app.any.run/tasks/652af1c7-21d2-4462-9288-fa216bdedf60
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 24, 2019, 08:24:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
loader
ransomware
troldesh
shade
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5:

184776A3FABD0168306AAD8692748201

SHA1:

03C5A858AF6BB97B2624CEFBEB29BF628E36F220

SHA256:

F709FC633BBFEB532E2D3FE18A8F4859DAC53C98A38859E2ABD7BD843B4B15B5

SSDEEP:

24:Ha3zVgGwFCLX6J5qJcgfIbL9iomlMZLFFVacmJuZtz8o1IWPiDAos6zJjjaMjq7Z:63mGwG6vPMw9iNMT/aeo0PiRjeUM2s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radFCF3C.tmp (PID: 2660)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 1592)
    • TROLDESH was detected

      • radFCF3C.tmp (PID: 2660)
    • Changes the autorun value in the registry

      • radFCF3C.tmp (PID: 2660)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 1592)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3788)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 1592)
      • radFCF3C.tmp (PID: 2660)
    • Executes scripts

      • WinRAR.exe (PID: 2916)
    • Creates files in the program directory

      • radFCF3C.tmp (PID: 2660)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe cmd.exe no specs #TROLDESH radfcf3c.tmp

Process information

PID
CMD
Path
Indicators
Parent process
2916"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\azur.zip.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
1592"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2916.31516\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3788"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radFCF3C.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2660C:\Users\admin\AppData\Local\Temp\radFCF3C.tmpC:\Users\admin\AppData\Local\Temp\radFCF3C.tmp
cmd.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
MEDIUM
Description:
Registry Defrag
Version:
5.0.0.14
Total events
591
Read events
555
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2660radFCF3C.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
2660radFCF3C.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:27C6AB511CC22CD0B2B4E88AF1A58F3F
SHA256:1823EAB2D936618739A39CF2730EDF79A52F0EB9BB0EF6C4CF427836D6C7C059
2916WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb2916.31516\Подробности заказа ОАО Авиакомпания Уральские авиалинии.jstext
MD5:70B301BD968B77445E188482DAC6D16A
SHA256:D14BD64DF8188714E7E487EA79F03996100860A37526EAA87EAB6BB8395FEF00
1592WScript.exeC:\Users\admin\AppData\Local\Temp\radFCF3C.tmpexecutable
MD5:C722F0A20113BB1488382DAEFDA9A358
SHA256:3D4D462DBC7DBFD12AF693F8176E9FD6814560ED763448FA75FA6DAD026567F4
1592WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1c[1].jpgexecutable
MD5:C722F0A20113BB1488382DAEFDA9A358
SHA256:3D4D462DBC7DBFD12AF693F8176E9FD6814560ED763448FA75FA6DAD026567F4
2660radFCF3C.tmpC:\ProgramData\Windows\csrss.exeexecutable
MD5:C722F0A20113BB1488382DAEFDA9A358
SHA256:3D4D462DBC7DBFD12AF693F8176E9FD6814560ED763448FA75FA6DAD026567F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1592
WScript.exe
GET
200
96.44.130.194:80
http://muslimeventsbd.com/wp-content/themes/oceanwp/languages/1c.jpg
US
executable
1.19 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2660
radFCF3C.tmp
154.35.32.5:443
Rethem Hosting LLC
US
suspicious
1592
WScript.exe
96.44.130.194:80
muslimeventsbd.com
QuadraNet, Inc
US
malicious

DNS requests

Domain
IP
Reputation
muslimeventsbd.com
  • 96.44.130.194
malicious

Threats

PID
Process
Class
Message
1592
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
1592
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
1592
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2 ETPRO signatures available at the full report
No debug info