File name: Фотo и видeо Мoрaны(Паpoль - 123).rar
Full analysis: https://app.any.run/tasks/d51c0d2a-94f6-42e8-9447-35557f69249b
Verdict: Malicious activity
Threats:

Predator the Thief is an information stealer: malware that harvests data from infected systems. It can access the camera to spy on victims, steal passwords and login credentials, and retrieve payment data from cryptocurrency wallets.

Analysis date: October 09, 2019, 13:45:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, stealer, predator
Indicators:
MIME: application/x-rar
File info: RAR archive data, flags: EncryptedBlockHeader
MD5: E1BEEDA81A62EC7ED470935BBD1F328C
SHA1: B6D7CB1788CE88B0F11BF74D042B219898FE19E1
SHA256: FECEAA65FF00A143F81DAA3EDF763C1FA89E362FDFEDD007FB839EB59467ED91
SSDEEP: 196608:D3fuGxsAzDbNMoVN8hWLpwAp7oGazoQgHcfkUl:h7zDlVsWLpiBzNg8sUl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • video_2019-03-05_21-46-52.mp4.scr (PID: 2372)
      • video_2019-03-05_21-46-52.mp4.scr (PID: 2760)
    • Connects to CnC server

      • dllhost.exe (PID: 3688)
      • dllhost.exe (PID: 2120)
    • PREDATOR was detected

      • dllhost.exe (PID: 3688)
      • dllhost.exe (PID: 2120)
  • SUSPICIOUS

    • Executed via COM

      • DllHost.exe (PID: 3288)
      • DllHost.exe (PID: 3464)
    • Reads the cookies of Google Chrome

      • dllhost.exe (PID: 3688)
      • dllhost.exe (PID: 2120)
    • Creates files in the user directory

      • dllhost.exe (PID: 3688)
    • Starts application with an unusual extension

      • WinRAR.exe (PID: 3148)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3148)
    • Reads the cookies of Mozilla Firefox

      • dllhost.exe (PID: 2120)
      • dllhost.exe (PID: 3688)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)
Total processes: 39
Monitored processes: 7
Malicious processes: 5
Suspicious processes: 0

Behavior graph (interactive; available in the full report). Nodes: winrar.exe; PhotoViewer.dll (no specs, x2); video_2019-03-05_21-46-52.mp4.scr (no specs, x2); dllhost.exe (#PREDATOR, x2). Edge labels: drop and start, drop and start, start.

Process information

PID 3148  WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Фотo и видeо Мoрaны(Паpoль - 123).rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3464  DllHost.exe
  CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Path: C:\Windows\system32\DllHost.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3288  DllHost.exe
  CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  Path: C:\Windows\system32\DllHost.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2372  video_2019-03-05_21-46-52.mp4.scr
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.30759\video_2019-03-05_21-46-52.mp4.scr" /S
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.30759\video_2019-03-05_21-46-52.mp4.scr
  Parent process: WinRAR.exe
  User: admin
  Company: Mozilla Corporation
  Integrity Level: MEDIUM
  Exit code: 0

PID 3688  dllhost.exe
  CMD: "C:\Windows\system32\dllhost.exe"
  Path: C:\Windows\system32\dllhost.exe
  Parent process: video_2019-03-05_21-46-52.mp4.scr
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2760  video_2019-03-05_21-46-52.mp4.scr
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.32723\video_2019-03-05_21-46-52.mp4.scr" /S
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.32723\video_2019-03-05_21-46-52.mp4.scr
  Parent process: WinRAR.exe
  User: admin
  Company: Mozilla Corporation
  Integrity Level: MEDIUM
  Exit code: 0

PID 2120  dllhost.exe
  CMD: "C:\Windows\system32\dllhost.exe"
  Path: C:\Windows\system32\dllhost.exe
  Parent process: video_2019-03-05_21-46-52.mp4.scr
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 640
Read events: 579
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 0
Text files: 7
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.28662\photo_2019-03-05_21-14-34.jpg | image
  MD5: 8357C711F89EDBE4BFC4F76ED008312F
  SHA256: 9BF339ECABFCF432792D4BC0CEDECF180B7ADA5194EE151D6DC2912590F59B24
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.30759\video_2019-03-05_21-46-52.mp4.scr | executable
  MD5: A8C7467C481D33D2E764839D05054B26
  SHA256: 7F3A13E7C9DE9864695BCBD01E34CD448B91BE57B7B6D4E20DE34D843CE893C8
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.26959\photo_2019-03-05_21-12-47.jpg | image
  MD5: 73F79EE27EB044AAB232E7D6343EADA5
  SHA256: 7D0653D99A0D6414B43B0A4A03667E69B6B37AA6DC4B57C2057C771B4F2FA96B
3688 | dllhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@tveebsorg[1].txt | text
  MD5: D93AD38114A9F28A5D603178F96D172A
  SHA256: 67594A6ED2F29C211F146766DDE834AE70A0D766AF78E21FA2CDDBBE08A29DB0
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.32723\video_2019-03-05_21-46-52.mp4.scr | executable
  MD5: A8C7467C481D33D2E764839D05054B26
  SHA256: 7F3A13E7C9DE9864695BCBD01E34CD448B91BE57B7B6D4E20DE34D843CE893C8
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.29122\photo_2019-03-05_21-18-37.jpg | image
  MD5: A3C284F323AD55BA372DA9AE5ADCF8E8
  SHA256: A3B33D36BBF1DAC59B0131EDC68B0BCBC5182F81EDA24D3C7A65F0F1566A4793
3688 | dllhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat
  MD5: D7A950FEFD60DBAA01DF2D85FEFB3862
  SHA256: 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.30348\photo_2019-03-05_21-43-33.jpg | image
  MD5: 5840CAB9550DD6CD883A8A7A1E65218A
  SHA256: DFD43CD8939D794E76231E17E6A1A375C369DF2366BAF85F7361D8114995661C
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.27761\photo_2019-03-05_21-13-46.jpg | image
  MD5: 3BA095470D920285E9447279D2EED077
  SHA256: 4C15E3291FAF26809E295164A336FC021F2272CED3768B17158C8284BFA0AEB5
3148 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3148.29923\photo_2019-03-05_21-34-15.jpg | image
  MD5: 8FA363F33F6AA70CD562D89CD7834F62
  SHA256: 4FB2FDFD20EA67AFBB077A2BF7FB977CDD102DF653A18B88B019E7C53A82585D
HTTP(S) requests: 4
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2120 | dllhost.exe | POST | 200 | 185.212.130.9:80 | http://tveebsorg.su/api/check.get | NL | text | 132 b | malicious
3688 | dllhost.exe | POST | 200 | 185.212.130.9:80 | http://tveebsorg.su/api/check.get | NL | text | 132 b | malicious
3688 | dllhost.exe | POST | 200 | 185.212.130.9:80 | http://tveebsorg.su/api/gate.get?p1=2&p2=5&p3=0&p4=2&p5=0&p6=0&p7=0&p8=0&p9=0 | NL | binary | 1 b | malicious
2120 | dllhost.exe | POST | 200 | 185.212.130.9:80 | http://tveebsorg.su/api/gate.get?p1=2&p2=5&p3=0&p4=2&p5=0&p6=0&p7=0&p8=0&p9=0 | NL | text | 132 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3688 | dllhost.exe | 185.212.130.9:80 | tveebsorg.su | Virtual Trade Ltd | NL | malicious
2120 | dllhost.exe | 185.212.130.9:80 | tveebsorg.su | Virtual Trade Ltd | NL | malicious

DNS requests

Domain | IP | Reputation
tveebsorg.su | 185.212.130.9 | malicious

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related
3688 | dllhost.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3688 | dllhost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin
3688 | dllhost.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2120 | dllhost.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2120 | dllhost.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin
2120 | dllhost.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
4 ETPRO signatures available at the full report
No debug info