File name: | Фотo и видeо Мoрaны(Паpoль - 123).rar |
Full analysis: | https://app.any.run/tasks/d51c0d2a-94f6-42e8-9447-35557f69249b |
Verdict: | Malicious activity |
Threats: | Predator the Thief is an information stealer: malware that steals data from infected systems. It can access the camera to spy on victims, steal passwords and login credentials, and retrieve payment data from cryptocurrency wallets. |
Analysis date: | October 09, 2019, 13:45:34 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, flags: EncryptedBlockHeader |
MD5: | E1BEEDA81A62EC7ED470935BBD1F328C |
SHA1: | B6D7CB1788CE88B0F11BF74D042B219898FE19E1 |
SHA256: | FECEAA65FF00A143F81DAA3EDF763C1FA89E362FDFEDD007FB839EB59467ED91 |
SSDEEP: | 196608:D3fuGxsAzDbNMoVN8hWLpwAp7oGazoQgHcfkUl:h7zDlVsWLpiBzNg8sUl |
Extension | Identified type | Score
---|---|---
.rar | RAR compressed archive (v-4.x) | 58.3
.rar | RAR compressed archive (gen) | 41.6
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3148 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Фотo и видeо Мoрaны(Паpoль - 123).rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
3464 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3288 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2372 | "C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.30759\video_2019-03-05_21-46-52.mp4.scr" /S | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.30759\video_2019-03-05_21-46-52.mp4.scr | — | WinRAR.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Exit code: 0
3688 | "C:\Windows\system32\dllhost.exe" | C:\Windows\system32\dllhost.exe | — | video_2019-03-05_21-46-52.mp4.scr | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2760 | "C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.32723\video_2019-03-05_21-46-52.mp4.scr" /S | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.32723\video_2019-03-05_21-46-52.mp4.scr | — | WinRAR.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Exit code: 0
2120 | "C:\Windows\system32\dllhost.exe" | C:\Windows\system32\dllhost.exe | — | video_2019-03-05_21-46-52.mp4.scr | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.28662\photo_2019-03-05_21-14-34.jpg | image | 8357C711F89EDBE4BFC4F76ED008312F | 9BF339ECABFCF432792D4BC0CEDECF180B7ADA5194EE151D6DC2912590F59B24
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.30759\video_2019-03-05_21-46-52.mp4.scr | executable | A8C7467C481D33D2E764839D05054B26 | 7F3A13E7C9DE9864695BCBD01E34CD448B91BE57B7B6D4E20DE34D843CE893C8
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.26959\photo_2019-03-05_21-12-47.jpg | image | 73F79EE27EB044AAB232E7D6343EADA5 | 7D0653D99A0D6414B43B0A4A03667E69B6B37AA6DC4B57C2057C771B4F2FA96B
3688 | dllhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@tveebsorg[1].txt | text | D93AD38114A9F28A5D603178F96D172A | 67594A6ED2F29C211F146766DDE834AE70A0D766AF78E21FA2CDDBBE08A29DB0
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.32723\video_2019-03-05_21-46-52.mp4.scr | executable | A8C7467C481D33D2E764839D05054B26 | 7F3A13E7C9DE9864695BCBD01E34CD448B91BE57B7B6D4E20DE34D843CE893C8
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.29122\photo_2019-03-05_21-18-37.jpg | image | A3C284F323AD55BA372DA9AE5ADCF8E8 | A3B33D36BBF1DAC59B0131EDC68B0BCBC5182F81EDA24D3C7A65F0F1566A4793
3688 | dllhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.30348\photo_2019-03-05_21-43-33.jpg | image | 5840CAB9550DD6CD883A8A7A1E65218A | DFD43CD8939D794E76231E17E6A1A375C369DF2366BAF85F7361D8114995661C
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.27761\photo_2019-03-05_21-13-46.jpg | image | 3BA095470D920285E9447279D2EED077 | 4C15E3291FAF26809E295164A336FC021F2272CED3768B17158C8284BFA0AEB5
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.29923\photo_2019-03-05_21-34-15.jpg | image | 8FA363F33F6AA70CD562D89CD7834F62 | 4FB2FDFD20EA67AFBB077A2BF7FB977CDD102DF653A18B88B019E7C53A82585D
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2120 | dllhost.exe | POST | 200 | 185.212.130.9:80 | http://tveebsorg.su/api/check.get | NL | text | 132 b | malicious |
3688 | dllhost.exe | POST | 200 | 185.212.130.9:80 | http://tveebsorg.su/api/check.get | NL | text | 132 b | malicious |
3688 | dllhost.exe | POST | 200 | 185.212.130.9:80 | http://tveebsorg.su/api/gate.get?p1=2&p2=5&p3=0&p4=2&p5=0&p6=0&p7=0&p8=0&p9=0 | NL | binary | 1 b | malicious |
2120 | dllhost.exe | POST | 200 | 185.212.130.9:80 | http://tveebsorg.su/api/gate.get?p1=2&p2=5&p3=0&p4=2&p5=0&p6=0&p7=0&p8=0&p9=0 | NL | text | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3688 | dllhost.exe | 185.212.130.9:80 | tveebsorg.su | Virtual Trade Ltd | NL | malicious |
2120 | dllhost.exe | 185.212.130.9:80 | tveebsorg.su | Virtual Trade Ltd | NL | malicious |
Domain | IP | Reputation
---|---|---
tveebsorg.su | | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
3688 | dllhost.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
3688 | dllhost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
3688 | dllhost.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
2120 | dllhost.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
2120 | dllhost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
2120 | dllhost.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |