File name: Sketchfab_Ripper_v9.zip

Full analysis: https://app.any.run/tasks/b50378c0-cffd-43de-8f80-9baa8aadc762
Verdict: Malicious activity
Analysis date: May 23, 2021, 23:23:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 3CF63D7CE8CC88273944EE9F4E87A880
SHA1: 6A61B4AA3E261AA62C20BFDA0E21770C79FD1D16
SHA256: 05ED4C8CFA17683AF3640C25080DF236EA8962734F01055FF2CF3898FCC6D454
SSDEEP: 196608:NLhj0S5YG0GTN9lrfJKX44NvFSnT1lUQRXI2fWqr0VToJkm35zju5Uv:NJjbvnLnT1OSpWqI0kU5zOUv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Sketchfab Ripper v9.exe (PID: 3512)
      • config.bat (PID: 552)
      • sf_ripper.bat (PID: 2060)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3396)
      • sf_ripper.bat (PID: 2060)
    • Steals credentials from Web Browsers

      • config.bat (PID: 552)
    • Actions looks like stealing of personal data

      • config.bat (PID: 552)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 3828)
      • Sketchfab Ripper v9.exe (PID: 3512)
      • config.bat (PID: 552)
      • sf_ripper.bat (PID: 2060)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3828)
      • Sketchfab Ripper v9.exe (PID: 3512)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3828)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 3828)
    • Suspicious files were dropped or overwritten

      • WinRAR.exe (PID: 3828)
      • Sketchfab Ripper v9.exe (PID: 3512)
    • Starts application with an unusual extension

      • Sketchfab Ripper v9.exe (PID: 3512)
    • Reads the computer name

      • WinRAR.exe (PID: 3828)
      • config.bat (PID: 552)
      • Sketchfab Ripper v9.exe (PID: 3512)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3828)
    • Creates files in the user directory

      • config.bat (PID: 552)
    • Executed via COM

      • DllHost.exe (PID: 3192)
      • explorer.exe (PID: 2940)
    • Reads the date of Windows installation

      • explorer.exe (PID: 2940)
    • Reads default file associations for system extensions

      • explorer.exe (PID: 2940)
  • INFO

    • Manual execution by user

      • Sketchfab Ripper v9.exe (PID: 3512)
    • Checks Windows Trust Settings

      • Sketchfab Ripper v9.exe (PID: 3512)
    • Reads settings of System Certificates

      • Sketchfab Ripper v9.exe (PID: 3512)
    • Reads the computer name

      • Explorer.exe (PID: 2864)
      • explorer.exe (PID: 2940)
      • DllHost.exe (PID: 3192)
    • Checks supported languages

      • Explorer.exe (PID: 2864)
      • DllHost.exe (PID: 3192)
      • explorer.exe (PID: 2940)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: AppData/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2021:05:11 14:23:19
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 8
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Processes in the graph (start, drop and start): winrar.exe, searchprotocolhost.exe (no specs), sketchfab ripper v9.exe, config.bat, sf_ripper.bat (no specs), explorer.exe (no specs), explorer.exe (no specs), PhotoViewer.dll (no specs). The interactive graph is available in the full report.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 552
CMD: AppData\config.bat
Path: C:\Users\admin\Desktop\AppData\config.bat
Parent process: Sketchfab Ripper v9.exe
User: admin
Company: Synchronize
Integrity Level: MEDIUM
Description: Synchronize
Exit code: 0
Version: 1.04.0008
Modules (Images):
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\appdata\config.bat
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 2060
CMD: sf_ripper.bat blank.blend -g -noaudio -noglsl -y -b -P 0000.py -P 0001.py
Path: C:\Users\admin\Desktop\AppData\sf_ripper.bat
Parent process: Sketchfab Ripper v9.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\appdata\sf_ripper.bat
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\users\admin\desktop\appdata\zlib.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\desktop\appdata\python26.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2864
CMD: Explorer.exe Ripped Models\MundoPixelado\01- 80's Personal Computer Keyboard\
Path: C:\Windows\Explorer.exe
Parent process: Sketchfab Ripper v9.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2940
CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
PID: 3192
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\dllhost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3396
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules (Images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3512
CMD: "C:\Users\admin\Desktop\Sketchfab Ripper v9.exe"
Path: C:\Users\admin\Desktop\Sketchfab Ripper v9.exe
Parent process: Explorer.EXE
User: admin
Company: Sketchfab-Ripper.com
Integrity Level: MEDIUM
Description: Sketchfab-Ripper.com
Exit code: 0
Version: 12.00
Modules (Images):
c:\users\admin\desktop\sketchfab ripper v9.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 3828
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Sketchfab_Ripper_v9.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 10 295
Read events: 9 892
Write events: 390
Delete events: 13

Modification events

(PID) Process: (3828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3828) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Sketchfab_Ripper_v9.zip

(PID) Process: (3828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3828) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3828) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16B\52C64B7E
Operation: write
Name: @C:\Windows\system32\notepad.exe,-469
Value: Text Document
Executable files: 16
Suspicious files: 11
Text files: 64
Unknown types: 34

Dropped files

PID | Process | Filename | Type

3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\Bpymenus | text
MD5:
SHA256:

3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\bpymodules\BPyMesh_redux.py | text
MD5: E00679ADE49646EF8E84A9A0AD8B03AF
SHA256: 9D35F6ED3128B8E71D1F82F9627D2494584FB78505C839046BC8051A1086C91C

3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\bpymodules\BPySys.py | text
MD5: BB826670AD54708855637D84F1BA4D97
SHA256: 8DBAB6228272D8F7F7556CD8E4BA92E0ACF3C1C949931968E750329C13FE47D4

3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\0001.py | text
MD5:
SHA256:

3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\bpymodules\BPyMesh.py | text
MD5: 1A7EB3C0DCA237758CD2D105FA0C8070
SHA256: 6204DD0741F0876E017D53086C7337D5FBA9418FC4C70FA532AF8EEF2F928FFA

3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\newGameLib\myLibraries\imageLib.py | text
MD5: DFBB7C07EBC3F060DFE6426B2EC6BF58
SHA256: CFFF58BC2D2EE4BDF7EA8EB903EA2FA54D3571BF2766F3ED309B8A714295660C

3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\newGameLib\myLibraries\commandLib.py | text
MD5: 142D21E520FDB76A75D6FC3839B64EA8
SHA256: 20D2C09FFBCF41CD92A829AA0B0C2BB1FDD144D6C45B4E34AF63A719B06CC796

3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\newGameLib\myLibraries\myFunction.py | text
MD5: 261BF7CD59653D40B94F59F2DEDE475B
SHA256: 8609D084F0E3E6F2461FBDC118B9448B6A2C938E311E56D54D2472657C8F497F

3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\bpymodules\BPyMessages.py | text
MD5: 653FC2E1E01F9073C2AC01AE6CFD4059
SHA256: 3E364197CDDCEF068A0BB78E6DDC423109BD9ABC2A5251BFB12DB88EBD711F98

3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\bpymodules\BPyObject.py | text
MD5: C12A3042956DFE0B2D5E23962C12591A
SHA256: 59A2F820E1A6C52520B098F8E677902121F74D70D7BAD7E2076565D83AD32319
HTTP(S) requests: 15
TCP/UDP connections: 20
DNS requests: 9
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3512 | Sketchfab Ripper v9.exe | GET | 200 | 52.222.137.133:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted
552 | config.bat | POST |  | 23.95.12.218:80 | http://coinbella.com/game/newgame.php?&rnd=2902.8 | US |  |  | unknown
3512 | Sketchfab Ripper v9.exe | GET | 200 | 13.225.84.97:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted
3512 | Sketchfab Ripper v9.exe | GET | 200 | 143.204.214.74:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAWSkQ%2FxfjBHjZi6MmhNbUA%3D | US | der | 471 b | whitelisted
3512 | Sketchfab Ripper v9.exe | GET | 200 | 13.225.84.145:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared
3512 | Sketchfab Ripper v9.exe | GET | 301 | 13.225.74.107:80 | http://media.sketchfab.com/models/5e400fbc21c34e72ab103640db42cde6/2bf5ae19b4aa496e8d343625a77b38c5/files/515a66bccdcc4e84bb88eb8e869a435e/file.osgjs.gz | US | html | 183 b | whitelisted
3512 | Sketchfab Ripper v9.exe | GET | 200 | 107.172.10.124:80 | http://rigmodels.com/exporter/sf_rip_v2.php?rnd=137&uid=Free_Trial&hash=53-101-52-48-48-102-98-99-50-49-99-51-52-101-55-50-97-98-49-48-51-54-52-48-100-98-52-50-99-100-101-54-&pc=97100109105110 | US | text | 53 b | unknown
552 | config.bat | POST | 200 | 23.95.12.218:80 | http://coinbella.com/game/newgame.php?&rnd=6963.6 | US | text | 4 b | unknown
552 | config.bat | POST | 200 | 23.95.12.218:80 | http://coinbella.com/game/newgame.php?&rnd=8933.6 | US | text | 4 b | unknown
3512 | Sketchfab Ripper v9.exe | GET | 301 | 13.225.74.107:80 | http://media.sketchfab.com/models/5e400fbc21c34e72ab103640db42cde6/2bf5ae19b4aa496e8d343625a77b38c5/files/515a66bccdcc4e84bb88eb8e869a435e/model_file_wireframe.bin.gz | US | html | 183 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3512 | Sketchfab Ripper v9.exe | 13.224.195.71:80 | sketchfab.com |  | US | suspicious
3512 | Sketchfab Ripper v9.exe | 13.224.195.71:443 | sketchfab.com |  | US | suspicious
552 | config.bat | 23.95.12.218:80 | coinbella.com | ColoCrossing | US | unknown
3512 | Sketchfab Ripper v9.exe | 8.253.95.121:80 | ctldl.windowsupdate.com | Global Crossing | US | suspicious
3512 | Sketchfab Ripper v9.exe | 13.225.84.97:80 | o.ss2.us |  | US | unknown
3512 | Sketchfab Ripper v9.exe | 52.222.137.133:80 | ocsp.rootg2.amazontrust.com | Amazon.com, Inc. | US | whitelisted
3512 | Sketchfab Ripper v9.exe | 13.225.84.145:80 | ocsp.rootca1.amazontrust.com |  | US | whitelisted
3512 | Sketchfab Ripper v9.exe | 13.225.74.107:443 | media.sketchfab.com |  | US | unknown
3512 | Sketchfab Ripper v9.exe | 143.204.214.74:80 | ocsp.sca1b.amazontrust.com |  | US | whitelisted
3512 | Sketchfab Ripper v9.exe | 13.225.74.107:80 | media.sketchfab.com |  | US | unknown

DNS requests

Domain
IP
Reputation
coinbella.com
  • 23.95.12.218
unknown
sketchfab.com
  • 13.224.195.71
  • 13.224.195.85
  • 13.224.195.14
  • 13.224.195.42
whitelisted
ctldl.windowsupdate.com
  • 8.253.95.121
  • 8.253.95.120
  • 67.26.73.254
  • 67.27.234.126
  • 8.248.99.254
whitelisted
o.ss2.us
  • 13.225.84.97
  • 13.225.84.42
  • 13.225.84.66
  • 13.225.84.68
whitelisted
ocsp.rootg2.amazontrust.com
  • 52.222.137.133
  • 52.222.137.193
  • 52.222.137.230
  • 52.222.137.208
whitelisted
ocsp.rootca1.amazontrust.com
  • 13.225.84.145
  • 13.225.84.13
  • 13.225.84.175
  • 13.225.84.49
shared
ocsp.sca1b.amazontrust.com
  • 143.204.214.74
  • 143.204.214.142
  • 143.204.214.141
  • 143.204.214.169
whitelisted
media.sketchfab.com
  • 13.225.74.107
  • 13.225.74.81
  • 13.225.74.78
  • 13.225.74.47
whitelisted
rigmodels.com
  • 107.172.10.124
unknown

Threats

PID | Process | Class | Message
552 | config.bat | Generic Protocol Command Decode | SURICATA STREAM Last ACK with wrong seq
No debug info