File name: CRYPTER PROTETOR DARKCOMET.zip
Full analysis: https://app.any.run/tasks/afcdbe98-32fc-4c1b-971b-255e55c6046a
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: May 24, 2019, 18:23:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: keylogger, rat, remcos
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 67CC2564524A4B6EB0E795E3396C5620
SHA1: 31AE2BA8206FFD5CD6B14F6BCD925ED5F455AAEF
SHA256: FB37B866F3491A269EC5EA07D23D9F7BE2E5C7D5282ECA8B6C7F75A835E63A1C
SSDEEP: 24576:PkF3st3spqsulWWX5euBGEfcqR0YR0LuLRyOWqc3n8owEd:PkydspqzlL4CUq3yONBowe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • FirefoxCrashReporters.exe (PID: 3364)
      • m™¥°ö¾¯h—ó.exe (PID: 3092)
      • Crypter.exe (PID: 756)
      • Crypter.exe (PID: 1060)
      • Crypter.exe (PID: 836)
      • m™¥°ö¾¯h—ó.exe (PID: 2632)
      • m™¥°ö¾¯h—ó.exe (PID: 1372)
      • m™¥°ö¾¯h—ó.exe (PID: 892)
      • Crypter.exe (PID: 2208)
      • Crypter.exe (PID: 772)
      • Crypter.exe (PID: 3512)
    • Uses SVCHOST.EXE for hidden code execution
      • FirefoxCrashReporters.exe (PID: 3364)
    • REMCOS RAT was detected
      • FirefoxCrashReporters.exe (PID: 3364)
    • Detected logs from REMCOS RAT
      • FirefoxCrashReporters.exe (PID: 3364)
    • Changes the autorun value in the registry
      • FirefoxCrashReporters.exe (PID: 3364)
    • Changes the login/logoff helper path in the registry
      • FirefoxCrashReporters.exe (PID: 3364)
  • SUSPICIOUS
    • Writes files like Keylogger logs
      • Crypter.exe (PID: 1060)
      • FirefoxCrashReporters.exe (PID: 3364)
    • Executable content was dropped or overwritten
      • Crypter.exe (PID: 1060)
      • WinRAR.exe (PID: 3932)
    • Starts CMD.EXE for commands execution
      • FirefoxCrashReporters.exe (PID: 3364)
    • Uses REG.EXE to modify Windows registry
      • cmd.exe (PID: 552)
    • Creates files in the user directory
      • FirefoxCrashReporters.exe (PID: 3364)
  • INFO
    • Manual execution by user
      • Crypter.exe (PID: 836)
      • Crypter.exe (PID: 2208)
      • m™¥°ö¾¯h—ó.exe (PID: 892)
      • m™¥°ö¾¯h—ó.exe (PID: 1372)
      • m™¥°ö¾¯h—ó.exe (PID: 2632)
      • Crypter.exe (PID: 3512)
      • NOTEPAD.EXE (PID: 2836)
      • Crypter.exe (PID: 772)
      • SndVol.exe (PID: 2752)
      • NOTEPAD.EXE (PID: 2620)
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF
ZIP
ZipFileName: Crypter.exe
ZipUncompressedSize: 492684
ZipCompressedSize: 488681
ZipCRC: 0x321293cf
ZipModifyDate: 2019:05:24 20:08:10
ZipCompression: Unknown (99)
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 18
Malicious processes: 9
Suspicious processes: 0

Behavior graph (interactive process tree; only the node labels survived extraction)

Nodes: winrar.exe, crypter.exe, firefoxcrashreporters.exe (#REMCOS), cmd.exe, svchost.exe, reg.exe, m™¥°ö¾¯h—ó.exe, notepad.exe, sndvol.exe. Edges are labelled "drop and start" or "start"; nodes marked "no specs" have no recorded specifics.

Process information

PID: 3932
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CRYPTER PROTETOR DARKCOMET.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1060
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.24875\Crypter.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.24875\Crypter.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3364
CMD: "C:\Users\admin\AppData\Local\Temp\FirefoxCrashReporters.exe"
Path: C:\Users\admin\AppData\Local\Temp\FirefoxCrashReporters.exe
Parent process: Crypter.exe
User: admin
Integrity Level: MEDIUM

PID: 756
CMD: "C:\Users\admin\AppData\Local\Temp\Crypter.exe"
Path: C:\Users\admin\AppData\Local\Temp\Crypter.exe
Parent process: Crypter.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00

PID: 552
CMD: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Path: C:\Windows\System32\cmd.exe
Parent process: FirefoxCrashReporters.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2680
CMD: C:\Windows\system32\svchost.exe
Path: C:\Windows\system32\svchost.exe
Parent process: FirefoxCrashReporters.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1364
CMD: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3092
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.26872\m™¥°ö¾¯h—ó.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.26872\m™¥°ö¾¯h—ó.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225547
Version: 1.00

PID: 836
CMD: "C:\Users\admin\Desktop\Crypter.exe"
Path: C:\Users\admin\Desktop\Crypter.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2632
CMD: "C:\Users\admin\Desktop\m™¥°ö¾¯h—ó.exe"
Path: C:\Users\admin\Desktop\m™¥°ö¾¯h—ó.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221225547
Version: 1.00
Total events: 1 408
Read events: 911
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 6
Suspicious files: 0
Text files: 15
Unknown types: 0

Dropped files

PID: 3932
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3932.28168\m™¥°ö¾¯h—ó.exe
Type:
MD5:
SHA256:

PID: 3932
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3932.29071\Crypter.exe
Type:
MD5:
SHA256:

PID: 3364
Process: FirefoxCrashReporters.exe
Filename: C:\Users\admin\AppData\Roaming\remcos\logs.dat
Type: text
MD5: 10DB52C9D4E8624372003A6F2CD7CF6E
SHA256: 2619BE4F950890A80E8DB5BE5CE66256409638803B6A55D5A20AA10C9517AD08

PID: 3932
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.24875\Crypter.exe
Type: executable
MD5: BB1E60A63533B1AF72FCDD553D2F452C
SHA256: 4383B896FFF78C42960180194CE01C8CA190D81951E44B44C3D5F37225EE35AC

PID: 1060
Process: Crypter.exe
Filename: C:\Users\admin\AppData\Local\Temp\FirefoxCrashReporters.exe
Type: executable
MD5: 6E629B7701C94C70B98AE945C6349F98
SHA256: 218E59A34B2997127027B5AB516B8F546BE740D203B733A4F5E9A250917C1EC1

PID: 3932
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.24875\m™¥°ö¾¯h—ó.exe
Type: executable
MD5: E48D87189E20F46DFC2AEE97C6D35C9C
SHA256: 725059DD86ADAEA2B4B57B9FC0ED07DAC5A99931D7EFAC9D3992288BB67CB430

PID: 3932
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.26872\Crypter.exe
Type: executable
MD5: BB1E60A63533B1AF72FCDD553D2F452C
SHA256: 4383B896FFF78C42960180194CE01C8CA190D81951E44B44C3D5F37225EE35AC

PID: 1060
Process: Crypter.exe
Filename: C:\Users\admin\AppData\Local\Temp\Crypter.exe
Type: executable
MD5: 3EA0ED459E2103E51E8EB217902BD3CD
SHA256: 2C1A88D2386664852C7FE9623564E9F4A32A222953FBBEB0883E50E2CF06800D

PID: 3932
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.26872\m™¥°ö¾¯h—ó.exe
Type: executable
MD5: E48D87189E20F46DFC2AEE97C6D35C9C
SHA256: 725059DD86ADAEA2B4B57B9FC0ED07DAC5A99931D7EFAC9D3992288BB67CB430

PID: 2836
Process: NOTEPAD.EXE
Filename: C:\Users\admin\Desktop\read mr scary rat man .txt
Type: text
MD5: 7B512F52437F1DF34CD98999A7E17E89
SHA256: 655240B72CB62670BD5B3BBBC1E45E6C5DC7DFBEB2583EABBB30B250AACA016F
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3364
Process: FirefoxCrashReporters.exe
IP: 79.49.182.223:2404
Domain: calcio886.duckdns.org
ASN: Telecom Italia
CN: IT
Reputation: malicious

DNS requests

Domain: calcio886.duckdns.org
IP: 79.49.182.223
Reputation: malicious

Threats

Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info