File name: | CRYPTER PROTETOR DARKCOMET.zip |
Full analysis: | https://app.any.run/tasks/afcdbe98-32fc-4c1b-971b-255e55c6046a |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | May 24, 2019, 18:23:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 67CC2564524A4B6EB0E795E3396C5620 |
SHA1: | 31AE2BA8206FFD5CD6B14F6BCD925ED5F455AAEF |
SHA256: | FB37B866F3491A269EC5EA07D23D9F7BE2E5C7D5282ECA8B6C7F75A835E63A1C |
SSDEEP: | 24576:PkF3st3spqsulWWX5euBGEfcqR0YR0LuLRyOWqc3n8owEd:PkydspqzlL4CUq3yONBowe |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | Crypter.exe |
---|---|
ZipUncompressedSize: | 492684 |
ZipCompressedSize: | 488681 |
ZipCRC: | 0x321293cf |
ZipModifyDate: | 2019:05:24 20:08:10 |
ZipCompression: | Unknown (99) |
ZipBitFlag: | 0x0009 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3932 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CRYPTER PROTETOR DARKCOMET.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1060 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.24875\Crypter.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.24875\Crypter.exe | WinRAR.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3364 | "C:\Users\admin\AppData\Local\Temp\FirefoxCrashReporters.exe" | C:\Users\admin\AppData\Local\Temp\FirefoxCrashReporters.exe | Crypter.exe | |
User: admin Integrity Level: MEDIUM | ||||
756 | "C:\Users\admin\AppData\Local\Temp\Crypter.exe" | C:\Users\admin\AppData\Local\Temp\Crypter.exe | — | Crypter.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.00 | ||||
552 | /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f | C:\Windows\System32\cmd.exe | — | FirefoxCrashReporters.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2680 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe | — | FirefoxCrashReporters.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1364 | C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3092 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.26872\m™¥°ö¾¯h—ó.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.26872\m™¥°ö¾¯h—ó.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221225547 Version: 1.00 | ||||
836 | "C:\Users\admin\Desktop\Crypter.exe" | C:\Users\admin\Desktop\Crypter.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2632 | "C:\Users\admin\Desktop\m™¥°ö¾¯h—ó.exe" | C:\Users\admin\Desktop\m™¥°ö¾¯h—ó.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221225547 Version: 1.00 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3932.28168\m™¥°ö¾¯h—ó.exe | — | |
MD5:— | SHA256:— | |||
3932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3932.29071\Crypter.exe | — | |
MD5:— | SHA256:— | |||
3364 | FirefoxCrashReporters.exe | C:\Users\admin\AppData\Roaming\remcos\logs.dat | text | |
MD5:10DB52C9D4E8624372003A6F2CD7CF6E | SHA256:2619BE4F950890A80E8DB5BE5CE66256409638803B6A55D5A20AA10C9517AD08 | |||
3932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.24875\Crypter.exe | executable | |
MD5:BB1E60A63533B1AF72FCDD553D2F452C | SHA256:4383B896FFF78C42960180194CE01C8CA190D81951E44B44C3D5F37225EE35AC | |||
1060 | Crypter.exe | C:\Users\admin\AppData\Local\Temp\FirefoxCrashReporters.exe | executable | |
MD5:6E629B7701C94C70B98AE945C6349F98 | SHA256:218E59A34B2997127027B5AB516B8F546BE740D203B733A4F5E9A250917C1EC1 | |||
3932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.24875\m™¥°ö¾¯h—ó.exe | executable | |
MD5:E48D87189E20F46DFC2AEE97C6D35C9C | SHA256:725059DD86ADAEA2B4B57B9FC0ED07DAC5A99931D7EFAC9D3992288BB67CB430 | |||
3932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.26872\Crypter.exe | executable | |
MD5:BB1E60A63533B1AF72FCDD553D2F452C | SHA256:4383B896FFF78C42960180194CE01C8CA190D81951E44B44C3D5F37225EE35AC | |||
1060 | Crypter.exe | C:\Users\admin\AppData\Local\Temp\Crypter.exe | executable | |
MD5:3EA0ED459E2103E51E8EB217902BD3CD | SHA256:2C1A88D2386664852C7FE9623564E9F4A32A222953FBBEB0883E50E2CF06800D | |||
3932 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3932.26872\m™¥°ö¾¯h—ó.exe | executable | |
MD5:E48D87189E20F46DFC2AEE97C6D35C9C | SHA256:725059DD86ADAEA2B4B57B9FC0ED07DAC5A99931D7EFAC9D3992288BB67CB430 | |||
2836 | NOTEPAD.EXE | C:\Users\admin\Desktop\read mr scary rat man .txt | text | |
MD5:7B512F52437F1DF34CD98999A7E17E89 | SHA256:655240B72CB62670BD5B3BBBC1E45E6C5DC7DFBEB2583EABBB30B250AACA016F |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3364 | FirefoxCrashReporters.exe | 79.49.182.223:2404 | calcio886.duckdns.org | Telecom Italia | IT | malicious |
Domain | IP | Reputation |
---|---|---|
calcio886.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |