Malware analysis ConsoleSniffer v4.1 installer.rar Malicious activity

Add for printing

File name:	ConsoleSniffer v4.1 installer.rar
Full analysis:	https://app.any.run/tasks/f742c842-c0e1-48b5-a468-12c8962ad773
Verdict:	Malicious activity
Analysis date:	September 03, 2019, 08:46:04
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v4, os: Win32
MD5:	0DEB777E98CFA9392BCB4E9E4892C86A
SHA1:	35F246C76270CB5362376C24CB5CED196EE87C5E
SHA256:	05E99DAEF083250077998999CF1A01AA39BBD80C7605186DAE27D2A12928BBAB
SSDEEP:	196608:RRqzBmyrYVWxqyNSocpgqkG0Jbxbnzi/BxIpmLzp:/qUyrY0VNSNJk5WDIpup

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - ConsoleSniffer v4.1 installer.exe (PID: 3364)
  - ConsoleSniffer v4.1 installer.exe (PID: 3876)
  - vcredist_x86 - 2012 update 4.exe (PID: 356)
  - vcredist_x86 - 2012 update 4.exe (PID: 3412)
  - Launcher.exe (PID: 2952)
  - Launcher.exe (PID: 2348)
  - Launcher.exe (PID: 3144)
- Loads dropped or rewritten executable
  - vcredist_x86 - 2012 update 4.exe (PID: 3412)
  - Launcher.exe (PID: 2952)
  - Launcher.exe (PID: 3144)
- Changes the autorun value in the registry
  - vcredist_x86 - 2012 update 4.exe (PID: 356)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3700)
  - ConsoleSniffer v4.1 installer.exe (PID: 3876)
  - vcredist_x86 - 2012 update 4.exe (PID: 3412)
  - vcredist_x86 - 2012 update 4.exe (PID: 356)
  - msiexec.exe (PID: 3264)
- Searches for installed software
  - vcredist_x86 - 2012 update 4.exe (PID: 3412)
  - vcredist_x86 - 2012 update 4.exe (PID: 356)
- Creates a software uninstall entry
  - ConsoleSniffer v4.1 installer.exe (PID: 3876)
  - vcredist_x86 - 2012 update 4.exe (PID: 356)
- Creates files in the program directory
  - ConsoleSniffer v4.1 installer.exe (PID: 3876)
  - vcredist_x86 - 2012 update 4.exe (PID: 356)
- Creates files in the user directory
  - ConsoleSniffer v4.1 installer.exe (PID: 3876)
- Executed as Windows Service
  - vssvc.exe (PID: 3716)
- Executed via COM
  - DrvInst.exe (PID: 3540)
- Creates files in the Windows directory
  - msiexec.exe (PID: 3264)
- Starts Microsoft Installer
  - Launcher.exe (PID: 3144)
INFO
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 3716)
- Creates a software uninstall entry
  - msiexec.exe (PID: 3264)
- Manual execution by user
  - Launcher.exe (PID: 2348)
  - Launcher.exe (PID: 3144)
- Searches for installed software
  - msiexec.exe (PID: 3264)
- Application launched itself
  - msiexec.exe (PID: 3264)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v-4.x) (58.3)
.rar	\|	RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize:	383
UncompressedSize:	491
OperatingSystem:	Win32
ModifyDate:	2016:08:09 10:21:23
PackingMethod:	Normal
ArchivedFileName:	READ THIS IF YOU HAVE PROBLEMS.txt

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

356

"C:\Program Files\Spy Proof Solutions\Console Sniffer\vcredist_x86 - 2012 update 4.exe" /passive /norestart

C:\Program Files\Spy Proof Solutions\Console Sniffer\vcredist_x86 - 2012 update 4.exe

ConsoleSniffer v4.1 installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030

Exit code:

Version:

11.0.61030.0

Modules

Images
c:\program files\spy proof solutions\console sniffer\vcredist_x86 - 2012 update 4.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

2348

"C:\Program Files\Spy Proof Solutions\Console Sniffer\Launcher.exe"

C:\Program Files\Spy Proof Solutions\Console Sniffer\Launcher.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Launcher

Exit code:

3221226540

Version:

1.0.0.0

Modules

Images
c:\program files\spy proof solutions\console sniffer\launcher.exe
c:\systemroot\system32\ntdll.dll

2952

"C:\Program Files\Spy Proof Solutions\Console Sniffer\Launcher.exe"

C:\Program Files\Spy Proof Solutions\Console Sniffer\Launcher.exe

—

ConsoleSniffer v4.1 installer.exe

User:

admin

Integrity Level:

HIGH

Description:

Launcher

Exit code:

Version:

1.0.0.0

Modules

Images
c:\program files\spy proof solutions\console sniffer\launcher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

3144

"C:\Program Files\Spy Proof Solutions\Console Sniffer\Launcher.exe"

C:\Program Files\Spy Proof Solutions\Console Sniffer\Launcher.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

Launcher

Exit code:

Version:

1.0.0.0

Modules

Images
c:\program files\spy proof solutions\console sniffer\launcher.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

3264

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

3364

"C:\Users\admin\AppData\Local\Temp\Rar$EXa3700.38989\ConsoleSniffer v4.1 installer.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa3700.38989\ConsoleSniffer v4.1 installer.exe

—

WinRAR.exe

User:

admin

Company:

Spy Proof Solutions

Integrity Level:

MEDIUM

Description:

Console Sniffer 4.00 Installation

Exit code:

3221226540

Version:

4.00

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa3700.38989\consolesniffer v4.1 installer.exe
c:\systemroot\system32\ntdll.dll

3412

"C:\Program Files\Spy Proof Solutions\Console Sniffer\vcredist_x86 - 2012 update 4.exe" /passive /norestart -burn.unelevated BurnPipe.{26511C5C-153D-497E-B608-B32F1F912B77} {7370DCF8-3514-4619-88C2-F7D08D75F180} 356

C:\Program Files\Spy Proof Solutions\Console Sniffer\vcredist_x86 - 2012 update 4.exe

vcredist_x86 - 2012 update 4.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030

Exit code:

Version:

11.0.61030.0

Modules

Images
c:\program files\spy proof solutions\console sniffer\vcredist_x86 - 2012 update 4.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

3540

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000004B8" "000005B8"

C:\Windows\system32\DrvInst.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

3700

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ConsoleSniffer v4.1 installer.rar"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

3716

C:\Windows\system32\vssvc.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

1 824

Read events

1 247

Write events

553

Delete events

Modification events


(PID) Process:	(3700) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3700) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3700) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3700) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\ConsoleSniffer v4.1 installer.rar
(PID) Process:	(3700) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3700) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3700) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3700) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3700) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3700) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3876	ConsoleSniffer v4.1 installer.exe	C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp		—
		MD5:—	SHA256:—
3700	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3700.38989\READ THIS IF YOU HAVE PROBLEMS.txt		text
		MD5:—	SHA256:—
3876	ConsoleSniffer v4.1 installer.exe	C:\Users\admin\AppData\Local\Temp\$inst\5.tmp		image
		MD5:AB2021E67E0E08657288D880ABFBAA72	SHA256:331D997E586CBA40D4DA0587887FC4CAA4CC44E53421737DAFA67E67445E6753
3876	ConsoleSniffer v4.1 installer.exe	C:\Users\admin\AppData\Local\Temp\$inst\2.tmp		compressed
		MD5:AF5DE111142A20EA6F01AB6E1606FDC2	SHA256:4DE4CAC91A55053A0C29AD262588B411C19C3FA625C421EF7B95B9EE4F9E3310
3700	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3700.38989\ConsoleSniffer v4.1 installer.exe		executable
		MD5:9E24D7787ACBB9AB91536FC82EC84C6C	SHA256:6B84979505ECF68D5FEEFBC4C47B4770E5ABC1FB18E1CE54503E05FC637812B3
3876	ConsoleSniffer v4.1 installer.exe	C:\Users\admin\AppData\Local\Temp\$inst\4.tmp		image
		MD5:0D8DBE5CD39F3369265D93195E5C6449	SHA256:FD17CA05FA0587FBF2D1AB722EBBF4A4B254F2EC0048E9CDAE20655F7DE06A39
3876	ConsoleSniffer v4.1 installer.exe	C:\Users\admin\AppData\Local\Temp\$inst\8.tmp		image
		MD5:BAC172B887BC7D09DB5E14CE26A4943E	SHA256:AAA3BEE9EBD3640C05B8A70F22C9FBDB8EA0E61CA3762DB5A4583E94D46A5C79
3876	ConsoleSniffer v4.1 installer.exe	C:\Program Files\Spy Proof Solutions\Console Sniffer\ConsoleSniffer.exe		executable
		MD5:24BFA107CD277DCED68B9DB818F8D773	SHA256:A59FCC0B7AD4D48DEEDEC39DFF096CF4FAA0E93526A3A44A96C4F451C33A74A0
3876	ConsoleSniffer v4.1 installer.exe	C:\Program Files\Spy Proof Solutions\Console Sniffer\c		executable
		MD5:382CD65512DE4F47E3F6809A90DCDB7C	SHA256:1D9E26121EFD940B15BDFC96EB42EB56C364F37F26E4A437DA817C0DF897F695
3876	ConsoleSniffer v4.1 installer.exe	C:\Program Files\Spy Proof Solutions\Console Sniffer\PcapDotNet.Base.dll		executable
		MD5:6F2E6B9046E7ED3CE43A34A7B701FBF9	SHA256:39D850B2412D78580EA842730BB56F59474A8DE4C2D9218D7593CD5B96AC9BAF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
356	vcredist_x86 - 2012 update 4.exe	GET	200	2.16.186.74:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	der	555 b	whitelisted
356	vcredist_x86 - 2012 update 4.exe	GET	200	2.16.186.74:80	http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	unknown	der	550 b	whitelisted
356	vcredist_x86 - 2012 update 4.exe	GET	200	2.16.186.74:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	der	781 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
356	vcredist_x86 - 2012 update 4.exe	2.16.186.74:80	crl.microsoft.com	Akamai International B.V.	—	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.16.186.74 2.16.186.120	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

ConsoleSniffer v4.1 installer.rar

0DEB777E98CFA9392BCB4E9E4892C86A

35F246C76270CB5362376C24CB5CED196EE87C5E

05E99DAEF083250077998999CF1A01AA39BBD80C7605186DAE27D2A12928BBAB

196608:RRqzBmyrYVWxqyNSocpgqkG0Jbxbnzi/BxIpmLzp:/qUyrY0VNSNJk5WDIpup

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Searches for installed software

Creates a software uninstall entry

Creates files in the program directory

Creates files in the user directory

Executed as Windows Service

Executed via COM

Creates files in the Windows directory

Starts Microsoft Installer

INFO

Low-level read access rights to disk partition

Creates a software uninstall entry

Manual execution by user

Searches for installed software

Application launched itself

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings