download:

SpyEye.zip

Full analysis: https://app.any.run/tasks/2dfe65e3-dc76-456c-9e28-05829f90f2cf
Verdict: Malicious activity
Analysis date: October 16, 2020, 09:02:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

2E0BB844572DE2E88CBD23D76101BD16

SHA1:

8152E5A5187413EE20B36F4F059C47D594590A3C

SHA256:

FA3B854F0E4C0D35CA9A5647BC6935EE1E6A3920D9B951C51B2CB7BC1588C904

SSDEEP:

24576:xx83QwgESJLldWfsqI4/rWhZPG44yuJoy7SHoIO1:IAwg7+sqI4/OZ/To7iox1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • malware.exe (PID: 984)
      • malware.exe (PID: 3328)
      • malware.exe (PID: 3880)
      • cleansweep.exe (PID: 2088)
      • malware.exe (PID: 3044)
      • malware.exe (PID: 3032)
      • malware.exe (PID: 1948)
      • malware.exe (PID: 3312)
      • malware.exe (PID: 1836)
      • malware.exe (PID: 1500)
      • malware.exe (PID: 3320)
      • malware.exe (PID: 3348)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 392)

    • Application was injected by another process

      • dwm.exe (PID: 128)
      • ctfmon.exe (PID: 688)
      • taskeng.exe (PID: 1996)
      • explorer.exe (PID: 392)
      • taskhost.exe (PID: 1980)

    • Runs injected code in another process

      • explorer.exe (PID: 392)
      • cleansweep.exe (PID: 2088)

  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 392)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4092)
      • malware.exe (PID: 3880)
      • WinRAR.exe (PID: 2820)
      • WinRAR.exe (PID: 2604)
      • WinRAR.exe (PID: 4004)
      • WinRAR.exe (PID: 2516)
      • WinRAR.exe (PID: 3676)

    • Reads Internet Cache Settings

      • taskhost.exe (PID: 1980)
      • explorer.exe (PID: 392)

  • INFO

    • Manual execution by user

      • WinRAR.exe (PID: 3196)
      • malware.exe (PID: 984)
      • malware.exe (PID: 3328)
      • WinRAR.exe (PID: 3936)
      • WinRAR.exe (PID: 4092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2010:03:30 22:05:25
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Spyeye/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
69
Monitored processes
26
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start inject inject inject inject drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start winrar.exe no specs winrar.exe no specs malware.exe malware.exe winrar.exe no specs winrar.exe malware.exe cleansweep.exe no specs explorer.exe dwm.exe ctfmon.exe taskhost.exe taskeng.exe winrar.exe malware.exe no specs winrar.exe malware.exe no specs winrar.exe malware.exe no specs malware.exe no specs winrar.exe malware.exe no specs winrar.exe malware.exe no specs malware.exe no specs malware.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
128"C:\Windows\system32\Dwm.exe"C:\Windows\System32\dwm.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Desktop Window Manager
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
392C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
688C:\Windows\System32\ctfmon.exe C:\Windows\System32\ctfmon.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
984"C:\Users\admin\Desktop\malware.exe" C:\Users\admin\Desktop\malware.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft CleanSweep
Exit code:
0
Version:
1, 1, 3, 14
Modules
Images
c:\users\admin\desktop\malware.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
1500"C:\Users\admin\AppData\Local\Temp\Rar$EXa2516.47485\malware.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2516.47485\malware.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2516.47485\malware.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
1836"C:\Users\admin\AppData\Local\Temp\Rar$EXa2516.47219\malware.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2516.47219\malware.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2516.47219\malware.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1948"C:\Users\admin\AppData\Local\Temp\Rar$EXa2604.41202\malware.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2604.41202\malware.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2604.41202\malware.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
1980"taskhost.exe"C:\Windows\System32\taskhost.exe
services.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1996taskeng.exe {9FFF9F18-B475-4F9C-BA26-08811E66DE84}C:\Windows\System32\taskeng.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Engine
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskeng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
2088"C:\cleansweep.exe\cleansweep.exe"C:\cleansweep.exe\cleansweep.exemalware.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft CleanSweep
Exit code:
0
Version:
1, 1, 3, 14
Modules
Images
c:\cleansweep.exe\cleansweep.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
Total events
8 237
Read events
7 739
Write events
487
Delete events
11

Modification events

(PID) Process:(2452) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2452) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2452) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2452) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\SpyEye.zip
(PID) Process:(2452) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2452) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2452) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2452) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(392) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
(PID) Process:(392) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:MRUList
Value:
a
Executable files
15
Suspicious files
11
Text files
0
Unknown types
20

Dropped files

PID
Process
Filename
Type
392explorer.exeC:\Users\admin\Desktop\Spyeye
MD5:
SHA256:
3196WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3196.33072\malware.exe
MD5:
SHA256:
3936WinRAR.exeC:\Users\admin\Desktop\Spyeye\__rzi_3936.37944
MD5:
SHA256:
392explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-msautomaticdestinations-ms
MD5:
SHA256:
392explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:
SHA256:
2452WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2452.28469\Spyeye\2b8a408b56eaf3ce0198c9d1d8a75ec0.zipcompressed
MD5:46AFF61C6E52847E67B4247BDD6AED72
SHA256:F21428B9856F55A5B582A1D248A200AC5D110599C2295CC0B88C4B741A2C20D3
2452WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2452.28469\Spyeye\9d2a48be1a553984a4fda1a88ed4f8ee.zipcompressed
MD5:912E3BA19E79F46723BA98B2067FC56F
SHA256:F8A3DA69C8A2D5276BF5E13513F0AF28BC3481B9AE18C9AB843809D5F01BCA60
392explorer.exeC:\Users\admin\Desktop\2b8a408b56eaf3ce0198c9d1d8a75ec0.zipcompressed
MD5:46AFF61C6E52847E67B4247BDD6AED72
SHA256:F21428B9856F55A5B582A1D248A200AC5D110599C2295CC0B88C4B741A2C20D3
2452WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2452.28469\Spyeye\d64ca15261c53279a7288616b3cb1a92.zipcompressed
MD5:DF56431376AEBC88228098ECF2A03BD7
SHA256:9866A9B24EBBE307D7C14AB08361D44AF22A83C7EA124BAE975CB3B0FFDBC882
2452WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb2452.28469\Spyeye\7779f923da8c1418764fecc7d1ba86cf.zipcompressed
MD5:D5E3F04C2A786F8C1C979B3403733356
SHA256:4CE9B8B4785483AED81B2FCD8563AF683A8239D7DF2CBE2089A2E95D6C2F0C08
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
3
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
392
explorer.exe
GET
200
104.75.89.181:80
http://www.microsoft.com/
NL
html
1020 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
392
explorer.exe
104.75.89.181:80
www.microsoft.com
Akamai Technologies, Inc.
NL
suspicious

DNS requests

Domain
IP
Reputation
www.secureantibot.net
unknown
www.microsoft.com
  • 104.75.89.181
whitelisted

Threats

PID
Process
Class
Message
392
explorer.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
392
explorer.exe
A Network Trojan was detected
ET POLICY Microsoft user-agent automated process response to automated request
Process
Message
malware.exe
*Dropper* : BOT_VERSION = 10060, PID = 984, szModuleFileName = "C:\Users\admin\Desktop\malware.exe"
malware.exe
*Dropper* : BOT_VERSION = 10060, PID = 3328, szModuleFileName = "C:\Users\admin\Desktop\malware.exe"
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SpyEye.zip