File name: | [Private]BTC-Claimer.rar |
Full analysis: | https://app.any.run/tasks/cd2ffa32-cab0-4a46-8a72-a02611fa3431 |
Verdict: | Malicious activity |
Threats: | Stealers are malicious programs built to gain unauthorized access to a victim's data and send it to the attacker. The category covers programs that each target a particular kind of data: files, saved passwords, browser data such as cookies, and cryptocurrency wallets. Many stealers also spy on the victim by logging keystrokes and taking screenshots. Stealers are distributed mainly through phishing campaigns. |
Analysis date: | March 14, 2019, 13:09:18 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 887FAC71DC7E038BC73DC9362585BF70 |
SHA1: | 6E4F33DF315B30C3F14B2E69DCEDFA55E72C7F44 |
SHA256: | 00F7ACB31C7E2C7B2BA3F3267007F8A2AC708A89F5A8B6641E650E9AF03D8BB6 |
SSDEEP: | 24576:/uiF4t+1z4vkmH0NUOXv+5SukrRU8+8GQRkyS7UbmKJsgmbzyg5y5HnY3ZPrejWt:fF4YmvkmH+UOXvO2drRpguJsgm55QqNN |
Extension | Type match | Score
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Company | Description | Version | Exit code
---|---|---|---|---|---|---|---|---|---|---
2876 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\[Private]BTC-Claimer.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | MEDIUM | Alexander Roshal | WinRAR archiver | 5.60.0 | —
3208 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.49501\[Private]BTC-Claimer.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2876.49501\[Private]BTC-Claimer.exe | — | WinRAR.exe | admin | MEDIUM | Remote Assistance contact list (Russian in the original: Список контактов удаленного помощника) | Net Logon service dynamic link library (Russian in the original: Динамическая библиотека службы Net Logon) | 67.57.54.24 | 0
2576 | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.exe | — | [Private]BTC-Claimer.exe | admin | MEDIUM | Remote Assistance contact list (Russian in the original: Список контактов удаленного помощника) | Net Logon service dynamic link library (Russian in the original: Динамическая библиотека службы Net Logon) | 67.57.54.24 | —
3676 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | rpcrt4.exe | admin | LOW | Microsoft Corporation | Windows host process (Rundll32) | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
2248 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | rpcrt4.exe | admin | LOW | Microsoft Corporation | Windows host process (Rundll32) | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
2784 | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.module.exe a -y -mx9 -ssw "C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\ENU_6887FE9730D2535E9D41.7z" "C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\1\*" | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.module.exe | — | rpcrt4.exe | admin | MEDIUM | Igor Pavlov | 7-Zip Reduced Standalone Console | 19.00 | 0
3216 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | rpcrt4.exe | admin | LOW | Microsoft Corporation | Windows host process (Rundll32) | 6.1.7600.16385 (win7_rtm.090713-1255) | 0
(PID) Process | Operation | Key | Name | Value
---|---|---|---|---
(2876) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
(2876) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
(2876) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
(2876) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\[Private]BTC-Claimer.rar
(2876) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(2876) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(2876) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
(2876) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
(2876) WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
(2876) WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3208 | [Private]BTC-Claimer.exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\ENU_6887FE9730D2535E9D41 | — | — | —
2576 | rpcrt4.exe | C:\Users\admin\AppData\Local\Temp\aut27E7.tmp | — | — | —
2576 | rpcrt4.exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.sqlite3.module.dll.5 | — | — | —
2576 | rpcrt4.exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.sqlite3.module.dll | — | — | —
2576 | rpcrt4.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | — | —
2576 | rpcrt4.exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\1\Information.txt | — | — | —
2576 | rpcrt4.exe | C:\Users\admin\AppData\Local\Temp\aut3362.tmp | — | — | —
2576 | rpcrt4.exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.module.exe.5 | — | — | —
2576 | rpcrt4.exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\rpcrt4.module.exe | — | — | —
2576 | rpcrt4.exe | C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess\1\Cookies\Google Chrome (1).txt | text | D5A225FCE6B8BFFE2C27701A5FB23E2E | DA30B10C652631475042FA47E82B342F7C36FB471E6D69CACF9FC38F27591E34
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2576 | rpcrt4.exe | CONNECT | — | 89.191.233.38:65233 | http://api.telegram.org:443 | GB | — | — | suspicious |
2576 | rpcrt4.exe | CONNECT | — | 89.191.233.38:65233 | http://api.telegram.org:443 | GB | — | — | suspicious |
2576 | rpcrt4.exe | CONNECT | — | 89.191.233.38:65233 | http://api.telegram.org:443 | GB | — | — | suspicious |
2576 | rpcrt4.exe | CONNECT | — | 89.191.233.38:65233 | http://api.telegram.org:443 | GB | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2576 | rpcrt4.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger LLP | GB | malicious |
2576 | rpcrt4.exe | 104.25.210.99:443 | ipapi.co | Cloudflare Inc | US | shared |
2576 | rpcrt4.exe | 89.191.233.38:65233 | — | RackSRV Communications Limited | GB | suspicious |
Domain | IP | Reputation
---|---|---
api.telegram.org | | shared
ipapi.co | | shared
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup) |
2576 | rpcrt4.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
2576 | rpcrt4.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
2576 | rpcrt4.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length |
2576 | rpcrt4.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length |
2576 | rpcrt4.exe | A Network Trojan was detected | MALWARE [PTsecurity] Malicious SSL connection (Formbook/Upatre Downloader CnC) |
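The process, file and network tables above describe one chain: WinRAR extracts `[Private]BTC-Claimer.exe`, which drops `rpcrt4.exe` (a Windows DLL name reused as an executable, carrying version-info strings that no Microsoft binary has) into a directory under `AppData\Roaming` named like a WinSxS component folder, collects browser cookies into a staging folder `1\`, packs that folder with a renamed 7-Zip console (`a -y -mx9 -ssw`, where `-ssw` tells 7-Zip to compress files that another process holds open for writing), looks up the victim's location via ipapi.co, and tunnels to api.telegram.org with HTTP CONNECT through 89.191.233.38:65233. The `aut*.tmp` drops in `%TEMP%` and the AutoIt User-Agent alerts are consistent with an AutoIt-compiled stealer. The script below is an added example, not part of the ANY.RUN report: it encodes those behaviours as detection rules and runs them over event dicts transcribed by hand from the tables above (constructed sample data). The standard-proxy-port set and the list of system-DLL names are assumptions for the example.

```python
"""Detection rules for the behaviours in the report above (added example).

The event dicts are transcribed by hand from the report's process and network
tables; STANDARD_PROXY_PORTS and SYSTEM_DLL_STEMS are assumptions.
"""
import ntpath
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample events, copied from the report tables.
STAGE_DIR = r"C:\Users\admin\AppData\Roaming\amd64_microsoft-windows-t..ices-msrdpwebaccess"
PROCESS_EVENTS: List[Dict] = [
    {"pid": 2876, "parent": "explorer.exe", "company": "Alexander Roshal",
     "description": "WinRAR archiver", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\[Private]BTC-Claimer.rar"'},
    {"pid": 2576, "parent": "[Private]BTC-Claimer.exe", "company": "Remote Assistance contact list",
     "description": "Net Logon service dynamic link library",
     "image": STAGE_DIR + r"\rpcrt4.exe", "cmd": STAGE_DIR + r"\rpcrt4.exe"},
    {"pid": 2784, "parent": "rpcrt4.exe", "company": "Igor Pavlov",
     "description": "7-Zip Reduced Standalone Console", "image": STAGE_DIR + r"\rpcrt4.module.exe",
     "cmd": STAGE_DIR + r'\rpcrt4.module.exe a -y -mx9 -ssw "' + STAGE_DIR
            + r'\ENU_6887FE9730D2535E9D41.7z" "' + STAGE_DIR + r'\1\*"'},
]
NETWORK_EVENTS: List[Dict] = [
    {"pid": 2576, "method": "CONNECT", "peer": "89.191.233.38:65233", "host": "api.telegram.org"},
    {"pid": 2576, "method": None, "peer": "104.25.210.99:443", "host": "ipapi.co"},
]

SXS_COMPONENT = re.compile(r"^(amd64|x86|wow64|msil)_microsoft-windows-", re.I)
WINSXS_ROOT = "c:\\windows\\winsxs\\"
SYSTEM_DLL_STEMS = {"rpcrt4", "wininet", "ntdll", "kernel32", "advapi32"}   # assumption: short list
IP_LOOKUP_DOMAINS = {"ipapi.co", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
STANDARD_PROXY_PORTS = {80, 443, 3128, 8080, 8118}                           # assumption


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def rule_sxs_lookalike(ev: Dict) -> Optional[str]:
    """WinSxS-style component directory name used outside the real WinSxS store."""
    if ev["image"].lower().startswith(WINSXS_ROOT):
        return None
    for part in ev["image"].split("\\"):
        if SXS_COMPONENT.match(part):
            return f"component-style directory outside WinSxS: {part}"
    return None


def rule_system_dll_name_as_exe(ev: Dict) -> Optional[str]:
    """A Windows system DLL name (rpcrt4, wininet, ...) reused as an .exe."""
    stem, ext = ntpath.splitext(ntpath.basename(ev["image"]).lower())
    return f"{stem}.exe mimics {stem}.dll" if ext == ".exe" and stem in SYSTEM_DLL_STEMS else None


def rule_spoofed_version_info(ev: Dict) -> Optional[str]:
    """Description claims a Windows component, but Company is not Microsoft."""
    if re.search(r"\b(Net Logon|Windows|Microsoft)\b", ev["description"]) \
            and "microsoft" not in ev["company"].lower():
        return f"'{ev['description']}' from company '{ev['company']}'"
    return None


def rule_archiver_staging(ev: Dict) -> Optional[str]:
    """7-Zip 'a' (add) run against a staging folder under AppData."""
    tokens = split_cmdline(ev["cmd"])
    if "7-zip" not in ev["description"].lower() or len(tokens) < 3 or tokens[1] != "a":
        return None
    if any("\\appdata\\" in t.lower() for t in tokens[2:]):
        flags = " ".join(t for t in tokens[2:] if t.startswith("-"))
        return f"7-Zip packs an AppData staging dir (switches: {flags})"
    return None


def rule_proxied_telegram_api(ev: Dict) -> Optional[str]:
    """HTTP CONNECT tunnel to the Telegram bot API, the stealer's exfil channel."""
    if ev["method"] != "CONNECT" or ev["host"] != "api.telegram.org":
        return None
    port = int(ev["peer"].rsplit(":", 1)[1])
    via = "" if port in STANDARD_PROXY_PORTS else f" through a proxy on non-standard port {port}"
    return "CONNECT to api.telegram.org" + via


def rule_external_ip_lookup(ev: Dict) -> Optional[str]:
    """Victim geolocation / external IP lookup (matches the ET POLICY alert)."""
    return f"external IP lookup via {ev['host']}" if ev["host"] in IP_LOOKUP_DOMAINS else None


Rule = Callable[[Dict], Optional[str]]
PROCESS_RULES: List[Tuple[str, Rule]] = [
    ("sxs_lookalike_dir", rule_sxs_lookalike), ("system_dll_name_as_exe", rule_system_dll_name_as_exe),
    ("spoofed_version_info", rule_spoofed_version_info), ("archiver_staging", rule_archiver_staging)]
NETWORK_RULES: List[Tuple[str, Rule]] = [
    ("proxied_telegram_api", rule_proxied_telegram_api), ("external_ip_lookup", rule_external_ip_lookup)]


def scan(process_events: List[Dict], network_events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every rule that fires on an event."""
    hits = []
    for events, rules in ((process_events, PROCESS_RULES), (network_events, NETWORK_RULES)):
        for ev in events:
            for name, rule in rules:
                detail = rule(ev)
                if detail:
                    hits.append((name, ev["pid"], detail))
    return hits


if __name__ == "__main__":
    for name, pid, detail in scan(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"[{name}] pid {pid}: {detail}")
```

Run stand-alone, the script flags PIDs 2576 and 2784 and leaves the WinRAR process (2876) alone. Each rule is deliberately narrow: a component-style directory name is only suspicious outside `C:\Windows\WinSxS`, a Telegram CONNECT is reported whether or not the proxy port is unusual (the port merely sharpens the detail), and the 7-Zip rule keys on the real product description rather than the file name, since the sample renamed the console to `rpcrt4.module.exe`.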