analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

azur.zip

Full analysis: https://app.any.run/tasks/9f4783b6-fe71-4d01-8bed-e0b6ebb55b52
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 24, 2019, 09:20:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
loader
ransomware
troldesh
shade
evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5:

184776A3FABD0168306AAD8692748201

SHA1:

03C5A858AF6BB97B2624CEFBEB29BF628E36F220

SHA256:

F709FC633BBFEB532E2D3FE18A8F4859DAC53C98A38859E2ABD7BD843B4B15B5

SSDEEP:

24:Ha3zVgGwFCLX6J5qJcgfIbL9iomlMZLFFVacmJuZtz8o1IWPiDAos6zJjjaMjq7Z:63mGwG6vPMw9iNMT/aeo0PiRjeUM2s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radFE6AA.tmp (PID: 3452)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 2228)

    • Changes the autorun value in the registry

      • radFE6AA.tmp (PID: 3452)

    • TROLDESH was detected

      • radFE6AA.tmp (PID: 3452)

    • Deletes shadow copies

      • radFE6AA.tmp (PID: 3452)

    • Dropped file may contain instructions of ransomware

      • radFE6AA.tmp (PID: 3452)

    • Runs app for hidden code execution

      • radFE6AA.tmp (PID: 3452)

    • Actions looks like stealing of personal data

      • radFE6AA.tmp (PID: 3452)

    • Modifies files in Chrome extension folder

      • radFE6AA.tmp (PID: 3452)

  • SUSPICIOUS

    • Executes scripts

      • WinRAR.exe (PID: 2088)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2228)
      • radFE6AA.tmp (PID: 3452)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2228)
      • radFE6AA.tmp (PID: 3452)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3072)
      • cmd.exe (PID: 2820)

    • Creates files in the program directory

      • radFE6AA.tmp (PID: 3452)

    • Executed as Windows Service

      • vssvc.exe (PID: 2860)

    • Creates files like Ransomware instruction

      • radFE6AA.tmp (PID: 3452)

    • Checks for external IP

      • radFE6AA.tmp (PID: 3452)

    • Creates files in the user directory

      • radFE6AA.tmp (PID: 3452)

  • INFO

    • Dropped object may contain URL to Tor Browser

      • radFE6AA.tmp (PID: 3452)

    • Manual execution by user

      • taskmgr.exe (PID: 2288)

    • Dropped object may contain TOR URL's

      • radFE6AA.tmp (PID: 3452)

    • Dropped object may contain Bitcoin addresses

      • radFE6AA.tmp (PID: 3452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
10
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe cmd.exe no specs #TROLDESH radfe6aa.tmp vssadmin.exe no specs taskmgr.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
2088"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\azur.zip.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2228"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2088.20250\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3072"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radFE6AA.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3452C:\Users\admin\AppData\Local\Temp\radFE6AA.tmpC:\Users\admin\AppData\Local\Temp\radFE6AA.tmp
cmd.exe
User:
admin
Company:
Glarysoft Ltd
Integrity Level:
MEDIUM
Description:
Registry Defrag
Version:
5.0.0.14
1480C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exeradFE6AA.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2288"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3876"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exe
radFE6AA.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2860C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2820C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exeradFE6AA.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1424chcpC:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
722
Read events
653
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
1 061
Text files
47
Unknown types
25

Dropped files

PID
Process
Filename
Type
3452radFE6AA.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
3452radFE6AA.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
3452radFE6AA.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
3452radFE6AA.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
3452radFE6AA.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
3452radFE6AA.tmpC:\Users\Public\Videos\Sample Videos\p2YPp1XrgtBzQsCyYipOfupM6e1nBNRs0JbbR-uhcCI=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
3452radFE6AA.tmpC:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
MD5:
SHA256:
2088WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb2088.20250\Подробности заказа ОАО Авиакомпания Уральские авиалинии.jstext
MD5:70B301BD968B77445E188482DAC6D16A
SHA256:D14BD64DF8188714E7E487EA79F03996100860A37526EAA87EAB6BB8395FEF00
3452radFE6AA.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensustext
MD5:3EC726F763A2BC295B292863737BCDDD
SHA256:DFF04FF697B85597C241039A615C32C47680B487F16E2F0A3DD00E9558B2B69B
3452radFE6AA.tmpC:\ProgramData\Windows\csrss.exeexecutable
MD5:C722F0A20113BB1488382DAEFDA9A358
SHA256:3D4D462DBC7DBFD12AF693F8176E9FD6814560ED763448FA75FA6DAD026567F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
17
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3452
radFE6AA.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
2228
WScript.exe
GET
200
96.44.130.194:80
http://muslimeventsbd.com/wp-content/themes/oceanwp/languages/1c.jpg
US
executable
1.19 Mb
malicious
3452
radFE6AA.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3452
radFE6AA.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3452
radFE6AA.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3452
radFE6AA.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3452
radFE6AA.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3452
radFE6AA.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3452
radFE6AA.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3452
radFE6AA.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3452
radFE6AA.tmp
92.222.22.99:9001
OVH SAS
FR
suspicious
3452
radFE6AA.tmp
86.59.21.38:443
Tele2 Telecommunication GmbH
AT
malicious
3452
radFE6AA.tmp
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
3452
radFE6AA.tmp
163.172.169.253:9001
Online S.a.s.
FR
suspicious
2228
WScript.exe
96.44.130.194:80
muslimeventsbd.com
QuadraNet, Inc
US
malicious
3452
radFE6AA.tmp
94.23.150.81:443
OVH SAS
NL
suspicious
3452
radFE6AA.tmp
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
3452
radFE6AA.tmp
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
muslimeventsbd.com
  • 96.44.130.194
malicious
whatismyipaddress.com
  • 104.16.155.36
  • 104.16.154.36
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
2228
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2228
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2228
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3452
radFE6AA.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 182
3452
radFE6AA.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
3452
radFE6AA.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3452
radFE6AA.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 644
3452
radFE6AA.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3452
radFE6AA.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 704
3452
radFE6AA.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 173
25 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
azur.zip