analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Soporte_De_Pago.uu

Full analysis: https://app.any.run/tasks/2018550c-bf65-4eee-9a98-454c5593f2a8
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: May 20, 2019, 12:19:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

7A7AD8A92D03624B672FD0DE4FFCFCDB

SHA1:

ACD3E9726A4887AB01FC47C8D9A2EB53A2F19724

SHA256:

FF810B48A60D964A5D5DA15ADD5862F42B3ED44E5FBE303B85DA66D8C48FAB77

SSDEEP:

768:ojUKmcaMutrc79Tpaj8LoxTOebmRy8ZsT9u:ojadM+QsjjTOucy8ZsI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 2408)
      • wscript.exe (PID: 2168)
      • wscript.exe (PID: 984)
    • Writes to a start menu file

      • WScript.exe (PID: 2408)
      • wscript.exe (PID: 2168)
      • wscript.exe (PID: 984)
    • Connects to CnC server

      • wscript.exe (PID: 2168)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2524)
      • WScript.exe (PID: 2408)
      • wscript.exe (PID: 2168)
      • wscript.exe (PID: 984)
    • Executes scripts

      • WScript.exe (PID: 2408)
      • wscript.exe (PID: 984)
    • Application launched itself

      • WScript.exe (PID: 2408)
      • wscript.exe (PID: 984)
    • Creates files in the user directory

      • WScript.exe (PID: 2408)
      • wscript.exe (PID: 2168)
    • Reads Internet Cache Settings

      • wscript.exe (PID: 2168)
      • wscript.exe (PID: 984)
  • INFO

    • Manual execution by user

      • WScript.exe (PID: 2408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 24788
UncompressedSize: 59578
OperatingSystem: Win32
ModifyDate: 2019:05:17 15:02:08
PackingMethod: Normal
ArchivedFileName: Factura.vbs
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe wscript.exe wscript.exe wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2524"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Soporte_De_Pago.uu.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2408"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Factura.vbs" C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2168"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\hstNbGTZoK.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
984"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\Factura.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2668"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\hstNbGTZoK.vbs"C:\Windows\System32\wscript.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
Total events
1 066
Read events
1 010
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
2408WScript.exeC:\Users\admin\AppData\Local\Temp\Factura.vbstext
MD5:E046E8E12CE0DEA6A4FD6B145AAD89C8
SHA256:088D90EF6C5CB8261B3C3072EEFCF96E30D28F8A7F1E2F6D1238346BB2AE8A52
2524WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2524.31691\Factura.vbstext
MD5:E046E8E12CE0DEA6A4FD6B145AAD89C8
SHA256:088D90EF6C5CB8261B3C3072EEFCF96E30D28F8A7F1E2F6D1238346BB2AE8A52
2168wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hstNbGTZoK.vbstext
MD5:E9731FE41ECED3BBA5B0E2CBE5B07C96
SHA256:1082A1258D67C157DD96CEBCA86F447847B30E0099EF6E933694B46766F10159
2408WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Factura.vbstext
MD5:E046E8E12CE0DEA6A4FD6B145AAD89C8
SHA256:088D90EF6C5CB8261B3C3072EEFCF96E30D28F8A7F1E2F6D1238346BB2AE8A52
984wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Factura.vbstext
MD5:E046E8E12CE0DEA6A4FD6B145AAD89C8
SHA256:088D90EF6C5CB8261B3C3072EEFCF96E30D28F8A7F1E2F6D1238346BB2AE8A52
2408WScript.exeC:\Users\admin\AppData\Roaming\hstNbGTZoK.vbstext
MD5:E9731FE41ECED3BBA5B0E2CBE5B07C96
SHA256:1082A1258D67C157DD96CEBCA86F447847B30E0099EF6E933694B46766F10159
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
9
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2168
wscript.exe
POST
23.105.131.225:3456
http://savelifes.tech:3456/is-ready
US
malicious
2168
wscript.exe
POST
23.105.131.225:3456
http://savelifes.tech:3456/is-ready
US
malicious
2168
wscript.exe
POST
200
23.105.131.225:3456
http://savelifes.tech:3456/is-ready
US
text
12 b
malicious
2168
wscript.exe
POST
200
23.105.131.225:3456
http://savelifes.tech:3456/is-ready
US
text
12 b
malicious
2168
wscript.exe
POST
200
23.105.131.225:3456
http://savelifes.tech:3456/is-ready
US
text
12 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2168
wscript.exe
23.105.131.225:3456
savelifes.tech
Nobis Technology Group, LLC
US
malicious
984
wscript.exe
181.59.155.41:2016
type1989.duckdns.org
Telmex Colombia S.A.
CO
unknown

DNS requests

Domain
IP
Reputation
type1989.duckdns.org
  • 181.59.155.41
malicious
savelifes.tech
  • 23.105.131.225
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2168
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2168
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2168
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2168
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2168
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2168
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2168
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2168
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
No debug info