File name: f7516a775124dc575b7bd912376779da3e96d8a2c1091ec44c6774ccb1ef50da
Full analysis: https://app.any.run/tasks/85694df2-abc5-4cc9-b18c-d94fe01fc78b
Verdict: Malicious activity
Threats:

Stealers are a class of malicious software intended to gain unauthorized access to a user's information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, saved passwords, or cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: July 12, 2020, 11:05:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, stealer, masslogger
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B692C10B7F6B8F49C62AADB9E6F2E489
SHA1: 9979D91A56853ED4292F6EAFFBF3952FB63D7378
SHA256: F7516A775124DC575B7BD912376779DA3E96D8A2C1091EC44C6774CCB1EF50DA
SSDEEP: 12288:17OIRn4iuBcib6750tkbW0ozCYIRsMwFVz3OolrKYQpH/T0D1juZCAPQ/aVLl9q:9fuBciG02WW3HwFYv/T08Zy/az9q

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been influenced by user actions and is provided as is; ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Attached AWB.exe (PID: 920)
    • Actions look like stealing of personal data
      • Attached AWB.exe (PID: 920)
    • Stealing of credential data
      • Attached AWB.exe (PID: 920)
  • SUSPICIOUS
    • Reads Environment values
      • Attached AWB.exe (PID: 920)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2184)
    • Checks for external IP
      • Attached AWB.exe (PID: 920)
    • Checks supported languages
      • Attached AWB.exe (PID: 920)
  • INFO
    • No info indicators.

No malware configuration was extracted.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:07:10 02:24:03
ZipCRC: 0x499becd4
ZipCompressedSize: 838398
ZipUncompressedSize: 965632
ZipFileName: Attached AWB.exe
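The EXIF fields above are read straight from the archive's local file header. The Python below is added here as an example and is not part of the ANY.RUN report: it builds a small constructed archive with the same entry name, walks the local file headers to recover those fields (required version, bit flag, method, DOS timestamp, CRC, sizes), cross-checks them against the central directory, and flags an executable hiding behind a document-like name. The placeholder payload bytes, the executable-extension list and the finding texts are this example's own assumptions.

```python
import io
import struct
import zipfile

# Constructed sample archive, not the real one from the report: one entry named
# like the dropped file, holding placeholder bytes (an "MZ" magic plus padding).
# Only the container layout is demonstrated here.
def build_sample_zip(name="Attached AWB.exe",
                     payload=b"MZ" + b"\x00" * 1022,
                     mtime=(2020, 7, 10, 2, 24, 3)):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(name, date_time=mtime)
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, payload)
    return buf.getvalue()

# Local file header layout (30 bytes): signature, version needed to extract,
# general-purpose bit flag, method, DOS time, DOS date, CRC-32, compressed
# size, uncompressed size, file-name length, extra-field length.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
LOCAL_SIG = b"PK\x03\x04"
FLAG_DATA_DESCRIPTOR = 0x0008
METHODS = {0: "Stored", 8: "Deflated", 12: "BZip2", 14: "LZMA"}

def dos_datetime(dos_date, dos_time):
    """Decode a packed MS-DOS date/time as 'YYYY:MM:DD HH:MM:SS' (exiftool style).
    DOS timestamps have 2-second resolution, so odd seconds round down."""
    year, month, day = ((dos_date >> 9) & 0x7F) + 1980, (dos_date >> 5) & 0x0F, dos_date & 0x1F
    hour, minute, sec = (dos_time >> 11) & 0x1F, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2
    return f"{year:04d}:{month:02d}:{day:02d} {hour:02d}:{minute:02d}:{sec:02d}"

def parse_local_headers(data):
    """Walk the local file headers from offset 0, the way a static scanner does."""
    entries, off = [], 0
    while data[off:off + 4] == LOCAL_SIG:
        (_, ver, flags, method, dtime, ddate, crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(data, off)
        name = data[off + LOCAL_HDR.size:off + LOCAL_HDR.size + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "required_version": ver, "flags": flags,
                        "compression": METHODS.get(method, f"unknown({method})"),
                        "modify_date": dos_datetime(ddate, dtime), "crc": crc,
                        "compressed_size": csize, "uncompressed_size": usize})
        if flags & FLAG_DATA_DESCRIPTOR and csize == 0:
            # Streamed archive: sizes live in a trailing data descriptor, so the
            # local headers cannot be walked; rely on the central directory instead.
            break
        off += LOCAL_HDR.size + nlen + xlen + csize
    return entries

def central_directory(data):
    """The same fields as recorded in the central directory (what extractors trust)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [{"name": zi.filename, "crc": zi.CRC, "compressed_size": zi.compress_size,
                 "uncompressed_size": zi.file_size} for zi in zf.infolist()]

# Assumed list of extensions that should never sit behind an "attached document" lure.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def triage(data):
    """Static checks: executables behind lure names, and local/central header
    disagreement (a known trick to make scanners and extractors see different files)."""
    local, central, findings = parse_local_headers(data), central_directory(data), []
    for e in local:
        if e["name"].lower().endswith(EXEC_EXT):
            findings.append(f"executable inside archive: {e['name']!r}")
    if len(local) != len(central):
        findings.append("local header count differs from central directory")
    for loc, cen in zip(local, central):
        for key in ("name", "crc", "compressed_size", "uncompressed_size"):
            if loc[key] != cen[key]:
                findings.append(f"{key} mismatch for {cen['name']!r}: "
                                f"local={loc[key]!r} central={cen[key]!r}")
    return local, findings

if __name__ == "__main__":
    entries, findings = triage(build_sample_zip())
    for e in entries:
        print({k: (f"0x{v:08x}" if k == "crc" else v) for k, v in e.items()})
    print(findings)
```

Run against the real sample, the same walk would return the values the EXIF block lists (required version 20, Deflated, the 0x499becd4 CRC and the 838398/965632 sizes); the local-versus-central comparison is the check worth keeping in any archive triage pipeline, since tooling that reads only one of the two structures can be shown a different file name or payload than the one the user extracts.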
Total processes: 35
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

explorer.exe -> winrar.exe -> (drop and start) attached awb.exe

Process information

PID 2184: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\f7516a775124dc575b7bd912376779da3e96d8a2c1091ec44c6774ccb1ef50da.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 920: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2184.30194\Attached AWB.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2184.30194\Attached AWB.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft
  Integrity Level: MEDIUM
  Description: HotelManagementSystemRoom
  Version: 1.0.0.0

The Company, Description and Version fields are read from each executable's own version resource, so for the dropped file they are attacker-controlled; a "Microsoft" company string on a binary described as HotelManagementSystemRoom is a mismatch to note, not evidence of origin. The Rar$EXa2184.30194 path is WinRAR's temporary extraction folder, i.e. the user double-clicked the .exe inside the archive rather than extracting it first.
Total events: 504
Read events: 464
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 1
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID 920, Attached AWB.exe
  C:\Users\admin\AppData\Local\D04F4D4D0D\DotNetZip-434zkskh.tmp
  Type: (not recorded)
  MD5: (not recorded)
  SHA256: (not recorded)
PID 920, Attached AWB.exe
  C:\Users\admin\AppData\Local\D04F4D4D0D\admin_United States_D04F4D4D0D_07-12-2020 12.6.57.zip
  Type: compressed
  MD5: C806B0936C55E08BE1774F2B3CFC2E71
  SHA256: D0E422C9A430642154071D610EB06894B4C980E312B95CD2891A1028802C8C26
PID 920, Attached AWB.exe
  C:\Users\admin\AppData\Local\D04F4D4D0D\Log.txt
  Type: text
  MD5: 3B383A2CA2E2147DED0E29B71F10D824
  SHA256: 6F4D11B17E6DABCD28A65095ADEA55DD52B7A38C058348F23DFFB3FBC110158C
PID 2184, WinRAR.exe
  C:\Users\admin\AppData\Local\Temp\Rar$EXa2184.30194\Attached AWB.exe
  Type: executable
  MD5: 63AE3D497FC808BA1F4C5109D76C457F
  SHA256: 10939877F109569DFF853EEF9DDB462DDA69871BC04B44D45D1A784A21A208BA

The folder and archive name (user_country_<id>_<date time>.zip under %LOCALAPPDATA%\<id>\, next to Log.txt) are the collected-data bundle the stealer stages before sending it out; the DotNetZip-*.tmp entry is the temporary file the DotNetZip library writes while building such an archive. Note that the extracted Attached AWB.exe (MD5 63AE3D49...) hashes differently from the submitted .zip (MD5 B692C10B...), so both values are needed when pivoting.
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID 920, Attached AWB.exe: GET http://api.ipify.org/ -> HTTP 200 from 204.236.231.159:80 (CN: US), type: text, size: 14 b, reputation: shared

Connections

PID 920, Attached AWB.exe -> 204.236.231.159:80 (api.ipify.org, ASN: Amazon.com, Inc., CN: US), reputation: malicious
PID 920, Attached AWB.exe -> 77.88.21.158:587 (smtp.yandex.ru, ASN: YANDEX LLC, CN: RU), reputation: whitelisted

The "whitelisted" label reflects the reputation of the mail provider's domain, not the purpose of the connection: a freshly extracted executable opening port 587 (SMTP submission) to a public mail server right after looking up its own public IP is the exfiltration channel, and the credentials for that mailbox are the item worth pulling from the PCAP or the sample's configuration.

DNS requests

api.ipify.org (reputation: shared)
  • 204.236.231.159
  • 54.221.234.156
  • 107.22.188.116
  • 54.235.83.248
  • 23.21.153.210
  • 54.225.182.172
  • 174.129.255.253
  • 54.243.162.249
smtp.yandex.ru (reputation: shared)
  • 77.88.21.158

Threats

PID 920, Attached AWB.exe: class "Potential Corporate Privacy Violation", message "ET POLICY External IP Lookup api.ipify.org"
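The process, file and network events above are the chain the verdict rests on: a binary launched from WinRAR's extraction folder, a log archive staged under %LOCALAPPDATA%, an external-IP lookup, then SMTP to port 587 from a process that is not a mail client. The Python below is added here as an example and is not ANY.RUN's detection logic: it encodes that correlation as rules and runs them over a constructed event list modelled on this report. The event format, the IP-lookup hosts beyond api.ipify.org, the mail-client allowlist, the OUTLOOK.EXE contrast process and the verdict threshold are the example's own assumptions; the staging-file regex generalizes the single filename seen here (user_country_id_timestamp inside a folder named by the same id) and is therefore a pattern assumption as well.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed event list modelled on this report: PIDs, paths and hosts are
# taken from it, but the event shape is this example's own (not ANY.RUN's
# export format). The OUTLOOK.EXE process and its port-587 connection are a
# constructed benign contrast and do not appear in the report.
EVENTS = [
    {"type": "process", "pid": 2184, "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"type": "process", "pid": 920,
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2184.30194\Attached AWB.exe"},
    {"type": "file_write", "pid": 920,
     "path": r"C:\Users\admin\AppData\Local\D04F4D4D0D\admin_United States_D04F4D4D0D_07-12-2020 12.6.57.zip"},
    {"type": "file_write", "pid": 920, "path": r"C:\Users\admin\AppData\Local\D04F4D4D0D\Log.txt"},
    {"type": "dns", "pid": 920, "query": "api.ipify.org"},
    {"type": "http", "pid": 920, "method": "GET", "url": "http://api.ipify.org/"},
    {"type": "dns", "pid": 920, "query": "smtp.yandex.ru"},
    {"type": "connect", "pid": 920, "host": "smtp.yandex.ru", "ip": "77.88.21.158", "port": 587},
    {"type": "process", "pid": 3000, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"},
    {"type": "connect", "pid": 3000, "host": "smtp.example.com", "ip": "192.0.2.10", "port": 587},
]

# WinRAR extracts a double-clicked entry to %TEMP%\Rar$EXa<pid>.<n>\ and runs
# it from there (the path seen in the report).
ARCHIVE_TEMP = re.compile(r"\\Temp\\Rar\$\w+\.\d+\\", re.I)
# MassLogger-style staging archive, generalized from the one filename in the
# report: <user>_<country>_<id>_<dd-mm-yyyy h.m.s>.zip inside a folder named
# by the same 10-hex-digit id. Assumed pattern, derived from a single sample.
STAGING = re.compile(
    r"\\AppData\\Local\\([0-9A-F]{10})\\[^\\]+_[^\\_]+_\1_"
    r"\d{2}-\d{2}-\d{4} \d{1,2}\.\d{1,2}\.\d{1,2}\.zip$", re.I)
# Public "what is my IP" services; api.ipify.org is the one in the report,
# the others are an assumed extension of the list.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com",
                   "icanhazip.com", "ifconfig.me"}
SMTP_PORTS = {25, 465, 587}
# Assumed allowlist of process names expected to speak SMTP.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# The three behaviours that together make the stealer verdict.
EXFIL_CHAIN = {"external_ip_check", "stealer_log_staging", "smtp_from_non_mail_client"}

def _host(event):
    return event["query"] if event["type"] == "dns" else urlparse(event["url"]).hostname

def _is_mail_client(image):
    return image.rsplit("\\", 1)[-1].lower() in MAIL_CLIENTS

def analyze(events):
    """Tag each process with the behaviours seen, then correlate tags into a verdict."""
    procs = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    tags = defaultdict(set)
    for e in events:
        pid, kind = e["pid"], e["type"]
        if kind == "process" and ARCHIVE_TEMP.search(e["image"]):
            tags[pid].add("executed_from_archive_temp")
        elif kind == "file_write" and STAGING.search(e["path"]):
            tags[pid].add("stealer_log_staging")
        elif kind in ("dns", "http") and _host(e) in IP_LOOKUP_HOSTS:
            tags[pid].add("external_ip_check")
        elif (kind == "connect" and e["port"] in SMTP_PORTS
              and not _is_mail_client(procs.get(pid, ""))):
            tags[pid].add("smtp_from_non_mail_client")
    report = {}
    for pid, found in tags.items():
        # Any single tag alone is only suspicious (an IP lookup or an SMTP
        # connection has benign uses); the full chain is what convicts.
        verdict = "malicious (stealer)" if EXFIL_CHAIN <= found else "suspicious"
        report[pid] = {"image": procs.get(pid), "tags": sorted(found), "verdict": verdict}
    return report

if __name__ == "__main__":
    for pid, result in analyze(EVENTS).items():
        print(pid, result["verdict"], result["tags"])
```

Only PID 920 is reported: WinRAR itself triggers nothing, and the constructed mail client's port-587 connection is suppressed by the allowlist, which is the point of correlating on the process rather than on the destination. Drop the SMTP event and the same process falls back to "suspicious", matching how the report's own SUSPICIOUS signatures (external IP check, environment reads) only become a MALICIOUS verdict once the credential-theft and exfiltration pieces are present.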