File name:

Sketchfab_Ripper_v9.zip

Full analysis: https://app.any.run/tasks/b50378c0-cffd-43de-8f80-9baa8aadc762
Verdict: Malicious activity
Analysis date: May 23, 2021, 23:23:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

3CF63D7CE8CC88273944EE9F4E87A880

SHA1:

6A61B4AA3E261AA62C20BFDA0E21770C79FD1D16

SHA256:

05ED4C8CFA17683AF3640C25080DF236EA8962734F01055FF2CF3898FCC6D454

SSDEEP:

196608:NLhj0S5YG0GTN9lrfJKX44NvFSnT1lUQRXI2fWqr0VToJkm35zju5Uv:NJjbvnLnT1OSpWqI0kU5zOUv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Sketchfab Ripper v9.exe (PID: 3512)
      • config.bat (PID: 552)
      • sf_ripper.bat (PID: 2060)
    • Steals credentials from Web Browsers

      • config.bat (PID: 552)
    • Actions looks like stealing of personal data

      • config.bat (PID: 552)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3396)
      • sf_ripper.bat (PID: 2060)
  • SUSPICIOUS

    • Checks supported languages

      • config.bat (PID: 552)
      • Sketchfab Ripper v9.exe (PID: 3512)
      • WinRAR.exe (PID: 3828)
      • sf_ripper.bat (PID: 2060)
    • Suspicious files were dropped or overwritten

      • Sketchfab Ripper v9.exe (PID: 3512)
      • WinRAR.exe (PID: 3828)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3828)
    • Reads the computer name

      • WinRAR.exe (PID: 3828)
      • Sketchfab Ripper v9.exe (PID: 3512)
      • config.bat (PID: 552)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 3828)
    • Executable content was dropped or overwritten

      • Sketchfab Ripper v9.exe (PID: 3512)
      • WinRAR.exe (PID: 3828)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3828)
    • Starts application with an unusual extension

      • Sketchfab Ripper v9.exe (PID: 3512)
    • Creates files in the user directory

      • config.bat (PID: 552)
    • Executed via COM

      • explorer.exe (PID: 2940)
      • DllHost.exe (PID: 3192)
    • Reads default file associations for system extensions

      • explorer.exe (PID: 2940)
    • Reads the date of Windows installation

      • explorer.exe (PID: 2940)
  • INFO

    • Manual execution by user

      • Sketchfab Ripper v9.exe (PID: 3512)
    • Checks supported languages

      • Explorer.exe (PID: 2864)
      • explorer.exe (PID: 2940)
      • DllHost.exe (PID: 3192)
    • Reads the computer name

      • explorer.exe (PID: 2940)
      • Explorer.exe (PID: 2864)
      • DllHost.exe (PID: 3192)
    • Reads settings of System Certificates

      • Sketchfab Ripper v9.exe (PID: 3512)
    • Checks Windows Trust Settings

      • Sketchfab Ripper v9.exe (PID: 3512)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2021:05:11 14:23:19
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: AppData/
All screenshots are available in the full report
Total processes: 45
Monitored processes: 8
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Behavior graph (image not reproduced): WinRAR.exe; SearchProtocolHost.exe; Sketchfab Ripper v9.exe, which drops and starts config.bat and sf_ripper.bat and starts Explorer.exe; explorer.exe; DllHost.exe (COM Surrogate, shown in the graph as PhotoViewer.dll). Parent/child relations are given per process in the table below.

Process information

Process table (PID, CMD, Path, Indicators, Parent process):
PID: 3828
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Sketchfab_Ripper_v9.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Loaded modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3396
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Loaded modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3512
CMD: "C:\Users\admin\Desktop\Sketchfab Ripper v9.exe"
Path: C:\Users\admin\Desktop\Sketchfab Ripper v9.exe
Parent process: Explorer.EXE
User:
admin
Company:
Sketchfab-Ripper.com
Integrity Level:
MEDIUM
Description:
Sketchfab-Ripper.com
Version:
12.00
Loaded modules (images):
c:\users\admin\desktop\sketchfab ripper v9.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 552
CMD: AppData\config.bat
Path: C:\Users\admin\Desktop\AppData\config.bat
Parent process: Sketchfab Ripper v9.exe
User:
admin
Company:
Synchronize
Integrity Level:
MEDIUM
Description:
Synchronize
Version:
1.04.0008
Loaded modules (images):
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\appdata\config.bat
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 2060
CMD: sf_ripper.bat blank.blend -g -noaudio -noglsl -y -b -P 0000.py -P 0001.py
Path: C:\Users\admin\Desktop\AppData\sf_ripper.bat
Parent process: Sketchfab Ripper v9.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Loaded modules (images):
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\appdata\sf_ripper.bat
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\users\admin\desktop\appdata\zlib.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\desktop\appdata\python26.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2864
CMD: Explorer.exe Ripped Models\MundoPixelado\01- 80's Personal Computer Keyboard\
Path: C:\Windows\Explorer.exe
Parent process: Sketchfab Ripper v9.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2940
CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
PID: 3192
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
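The two "batch files" in the table above are worth a second look: config.bat (PID 552) and sf_ripper.bat (PID 2060) each appear in their own loaded-image list, carry a version resource ("Synchronize 1.04.0008"), and pull in msvbvm60.dll and python26.dll respectively. A real .bat is interpreted by cmd.exe and is never mapped as a process image, so the Windows loader is telling us these are PE executables with a misleading extension (this matches the report's "Starts application with an unusual extension" signature). The script below is an added example, not part of the ANY.RUN report, that encodes this check as a rule over process records; the records are hand-copied from the process table with module lists abbreviated, and the reading that the two files are renamed VB6 and Python/Blender binaries is an inference from those records, not something the report states.

```python
"""Flag processes whose image file has a script extension but is loaded as a PE.

Added example, not part of the ANY.RUN report. SAMPLE is constructed from the
process table above (module lists abbreviated).
"""
from dataclasses import dataclass, field
import ntpath

# Extensions a genuine script would carry. A real batch file runs inside cmd.exe,
# so the process image would be cmd.exe, never the .bat itself.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".txt"}
# Language runtimes that only compiled code pulls in (VB6 and CPython 2.6 here).
RUNTIME_DLLS = {"msvbvm60.dll", "python26.dll", "mscoree.dll", "vcruntime140.dll"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


@dataclass
class Process:
    pid: int
    image: str                                   # "Path" column of the report
    modules: list = field(default_factory=list)  # "Loaded modules (images)" list


def flag_disguised_pe(p: Process) -> list:
    """Return human-readable reasons, or [] when the process looks normal."""
    reasons = []
    ext = ntpath.splitext(p.image)[1].lower()
    if ext not in SCRIPT_EXTENSIONS:
        return reasons
    # The loader mapped the file as an image: it is a PE whatever its name says.
    if p.image.lower() in {m.lower() for m in p.modules}:
        reasons.append(f"{ext} file mapped as the process image")
    runtimes = {ntpath.basename(m).lower() for m in p.modules} & RUNTIME_DLLS
    if runtimes:
        reasons.append("loads compiled-code runtime: " + ", ".join(sorted(runtimes)))
    if reasons and p.image.lower().startswith(USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    return reasons


def scan(processes) -> dict:
    """Map PID -> reasons for every process that trips a rule."""
    findings = {}
    for p in processes:
        reasons = flag_disguised_pe(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed from the report's process table (module lists abbreviated).
SAMPLE = [
    Process(3828, r"C:\Program Files\WinRAR\WinRAR.exe",
            [r"c:\program files\winrar\winrar.exe", r"c:\windows\system32\ntdll.dll"]),
    Process(3512, r"C:\Users\admin\Desktop\Sketchfab Ripper v9.exe",
            [r"c:\users\admin\desktop\sketchfab ripper v9.exe",
             r"c:\windows\system32\msvbvm60.dll"]),
    Process(552, r"C:\Users\admin\Desktop\AppData\config.bat",
            [r"c:\windows\system32\ntdll.dll",
             r"c:\users\admin\desktop\appdata\config.bat",
             r"c:\windows\system32\msvbvm60.dll"]),
    Process(2060, r"C:\Users\admin\Desktop\AppData\sf_ripper.bat",
            [r"c:\windows\system32\ntdll.dll",
             r"c:\users\admin\desktop\appdata\sf_ripper.bat",
             r"c:\users\admin\desktop\appdata\zlib.dll",
             r"c:\users\admin\desktop\appdata\python26.dll"]),
    Process(2864, r"C:\Windows\Explorer.exe",
            [r"c:\windows\explorer.exe", r"c:\windows\system32\ntdll.dll"]),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

Run as-is it reports only PIDs 552 and 2060; WinRAR, the ripper itself and Explorer pass because their image has a normal extension. The same rule ports directly to Sysmon Event ID 7 (image load) data: alert when ImageLoaded equals the process's own Image and the extension is not one the loader should be executing.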
Total events: 10 295
Read events: 9 892
Write events: 390
Delete events: 13

Modification events

(3828) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(3828) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(3828) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16B\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(3828) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(3828) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\Sketchfab_Ripper_v9.zip
(3828) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(3828) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(3828) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(3828) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(3828) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16B\52C64B7E | Operation: write | Name: @C:\Windows\system32\notepad.exe,-469 | Value: Text Document
Executable files: 16
Suspicious files: 11
Text files: 64
Unknown types: 34

Dropped files (PID, process | filename | type; only the first ten are shown here)

3828 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\Bpymenus | text
MD5: D92BFBB8D1646285DEA6E9096B036AA4
SHA256: 84F973A0E30751F3410F22947B57FEDC6795409DBC206D16C3341BD21A199635

3828 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\0001.py | text
MD5: 56DCA36E309BACDA833608D057710EAF
SHA256: 9702AA46391DF899B776A20B288C54B46EFB9D0B6D9F1FAB1CFB1EBA4C20A247

3828 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\bpymodules\BPyObject.py | text
MD5: C12A3042956DFE0B2D5E23962C12591A
SHA256: 59A2F820E1A6C52520B098F8E677902121F74D70D7BAD7E2076565D83AD32319

3828 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\abc.py | text
MD5: A647530426D7E8F00758E86799175F2D
SHA256: 3E50A9826BECDF48410D7A8E4DC30099B90E2CA11868636B0BAF679531CBC1EC

3828 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\newGameLib\myLibraries\binaresLib.py | text
MD5: 9072082D81846D5C33EF324D68BFA27A
SHA256: 5EE9A57C781B7B6789320FA67109B8BA5C20DEDBA23384FDA8272B3087D45F80

3828 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\bpymodules\BPyMesh_redux.py | text
MD5: E00679ADE49646EF8E84A9A0AD8B03AF
SHA256: 9D35F6ED3128B8E71D1F82F9627D2494584FB78505C839046BC8051A1086C91C

3828 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\newGameLib\myLibraries\myFunction.py | text
MD5: 261BF7CD59653D40B94F59F2DEDE475B
SHA256: 8609D084F0E3E6F2461FBDC118B9448B6A2C938E311E56D54D2472657C8F497F

3828 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\export_obj.py | text
MD5: FF8A51622E8937DCE36A9D84E20E1146
SHA256: FBA9A33A87B654C311A700C37A3296A4D9B966A25A4B5B3D13349FE859EB0376

3828 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\.blender\scripts\newGameLib\myLibraries\__init__.py | text
MD5: 7F517E0AAD171C2EB2D4477356229F15
SHA256: E15C014D9BCC294477E9454E496C6CD19D8E4ED6CE9F60A33BC4023B138CD921

3828 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3828.7084\AppData\0000.py | text
MD5: 6107FCFFBCA84DFC704690B6BB53DF20
SHA256: 894DA87B8422BEF9171BE556395423DDE555B771B37A31BAFB111A1BF5F45655
HTTP(S) requests: 15
TCP/UDP connections: 20
DNS requests: 9
Threats: 1

HTTP requests (PID, process | method, HTTP code | IP:port | URL | CN | type | size | reputation; ten of the fifteen requests are shown)

3512 Sketchfab Ripper v9.exe | GET 200 | 107.172.10.124:80 | http://rigmodels.com/exporter/sf_rip_v2.php?rnd=137&uid=Free_Trial&hash=53-101-52-48-48-102-98-99-50-49-99-51-52-101-55-50-97-98-49-48-51-54-52-48-100-98-52-50-99-100-101-54-&pc=97100109105110 | US | text | 53 b | unknown
3512 Sketchfab Ripper v9.exe | GET 301 | 13.225.74.107:80 | http://media.sketchfab.com/models/5e400fbc21c34e72ab103640db42cde6/2bf5ae19b4aa496e8d343625a77b38c5/files/515a66bccdcc4e84bb88eb8e869a435e/model_file_wireframe.bin.gz | US | html | 183 b | whitelisted
3512 Sketchfab Ripper v9.exe | GET 200 | 143.204.214.74:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAWSkQ%2FxfjBHjZi6MmhNbUA%3D | US | der | 471 b | whitelisted
3512 Sketchfab Ripper v9.exe | GET 200 | 13.225.84.145:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared
3512 Sketchfab Ripper v9.exe | GET 301 | 13.224.195.71:80 | http://sketchfab.com/i/models/5e400fbc21c34e72ab103640db42cde6/textures?optimized=1 | US | html | 134 b | whitelisted
3512 Sketchfab Ripper v9.exe | GET 200 | 52.222.137.133:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted
3512 Sketchfab Ripper v9.exe | GET 200 | 13.225.84.97:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted
3512 Sketchfab Ripper v9.exe | GET 301 | 13.224.195.71:80 | http://sketchfab.com/3d-models/5e400fbc21c34e72ab103640db42cde6 | US | html | 183 b | whitelisted
3512 Sketchfab Ripper v9.exe | GET 301 | 13.225.74.107:80 | http://media.sketchfab.com/models/5e400fbc21c34e72ab103640db42cde6/2bf5ae19b4aa496e8d343625a77b38c5/files/515a66bccdcc4e84bb88eb8e869a435e/model_file.bin.gz | US | html | 183 b | whitelisted
3512 Sketchfab Ripper v9.exe | GET 301 | 13.225.74.107:80 | http://media.sketchfab.com/models/5e400fbc21c34e72ab103640db42cde6/2bf5ae19b4aa496e8d343625a77b38c5/files/515a66bccdcc4e84bb88eb8e869a435e/file.osgjs.gz | US | html | 183 b | whitelisted
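The first request in the table, to rigmodels.com, is the only one that is not Sketchfab content or OCSP traffic, and its query string is not opaque: the hash parameter is a dash-separated list of decimal ASCII codes and pc is the same encoding with the separators removed. Decoded, hash is the Sketchfab model ID that appears in the media.sketchfab.com URLs (5e400fbc21c34e72ab103640db42cde6) and pc is the string "admin", which is the sandbox user name shown in the process table. The decoder below is an added example, not part of the ANY.RUN report; the URL is copied from the table, the decoded values are computed, and what the server does with them is not visible in the report.

```python
"""Decode the decimal-ASCII query parameters of the observed rigmodels.com request.

Added example, not part of the ANY.RUN report. OBSERVED_URL is copied from the
HTTP requests table; the field meanings are inferred from the decoded values.
"""
from urllib.parse import urlsplit, parse_qs

OBSERVED_URL = (
    "http://rigmodels.com/exporter/sf_rip_v2.php?rnd=137&uid=Free_Trial"
    "&hash=53-101-52-48-48-102-98-99-50-49-99-51-52-101-55-50-97-98-49-48-51-54-52-48"
    "-100-98-52-50-99-100-101-54-&pc=97100109105110"
)


def decode_dashed(value: str) -> str:
    """'53-101-52-' -> '5e4': every dash-separated number is one ASCII code."""
    return "".join(chr(int(n)) for n in value.strip("-").split("-") if n)


def decode_packed(value: str) -> str:
    """'97100109105110' -> 'admin': the same codes with the dashes removed.

    Printable ASCII makes this unambiguous: codes 100..126 have three digits and
    start with '1', codes 32..99 have two digits and never start with '1'.
    """
    out, i = [], 0
    while i < len(value):
        width = 3 if value[i] == "1" else 2
        code = int(value[i:i + width])
        if not 32 <= code <= 126:
            raise ValueError(f"non-printable code {code} at offset {i}")
        out.append(chr(code))
        i += width
    return "".join(out)


def decode_beacon(url: str) -> dict:
    """Split the request URL and decode the two encoded fields."""
    qs = parse_qs(urlsplit(url).query)
    return {
        "rnd": qs["rnd"][0],
        "uid": qs["uid"][0],
        "hash": decode_dashed(qs["hash"][0]),  # Sketchfab model ID being ripped
        "pc": decode_packed(qs["pc"][0]),      # Windows user name of the host
    }


if __name__ == "__main__":
    for key, val in decode_beacon(OBSERVED_URL).items():
        print(f"{key:5} = {val}")
```

The two decoders together give a usable network signature for this tool's check-ins: a GET to /exporter/sf_rip_v2.php whose pc parameter decodes to a local account name. When hunting in proxy logs, decode the parameter rather than matching the literal 97100109105110, since it changes with the user name.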

Connections (PID, process | IP:port | domain | ASN | CN | reputation; "-" where the report gives no ASN)

3512 Sketchfab Ripper v9.exe | 13.225.84.145:80 | ocsp.rootca1.amazontrust.com | - | US | whitelisted
3512 Sketchfab Ripper v9.exe | 13.224.195.71:80 | sketchfab.com | - | US | suspicious
3512 Sketchfab Ripper v9.exe | 13.224.195.71:443 | sketchfab.com | - | US | suspicious
3512 Sketchfab Ripper v9.exe | 143.204.214.74:80 | ocsp.sca1b.amazontrust.com | - | US | whitelisted
552 config.bat | 23.95.12.218:80 | coinbella.com | ColoCrossing | US | unknown
3512 Sketchfab Ripper v9.exe | 13.225.74.107:443 | media.sketchfab.com | - | US | unknown
3512 Sketchfab Ripper v9.exe | 13.225.74.107:80 | media.sketchfab.com | - | US | unknown
3512 Sketchfab Ripper v9.exe | 107.172.10.124:80 | rigmodels.com | ColoCrossing | US | unknown
3512 Sketchfab Ripper v9.exe | 52.222.137.133:80 | ocsp.rootg2.amazontrust.com | Amazon.com, Inc. | US | whitelisted
3512 Sketchfab Ripper v9.exe | 13.225.84.97:80 | o.ss2.us | - | US | unknown

DNS requests

Domain
IP
Reputation
coinbella.com
  • 23.95.12.218
unknown
sketchfab.com
  • 13.224.195.71
  • 13.224.195.85
  • 13.224.195.14
  • 13.224.195.42
whitelisted
ctldl.windowsupdate.com
  • 8.253.95.121
  • 8.253.95.120
  • 67.26.73.254
  • 67.27.234.126
  • 8.248.99.254
whitelisted
o.ss2.us
  • 13.225.84.97
  • 13.225.84.42
  • 13.225.84.66
  • 13.225.84.68
whitelisted
ocsp.rootg2.amazontrust.com
  • 52.222.137.133
  • 52.222.137.193
  • 52.222.137.230
  • 52.222.137.208
whitelisted
ocsp.rootca1.amazontrust.com
  • 13.225.84.145
  • 13.225.84.13
  • 13.225.84.175
  • 13.225.84.49
shared
ocsp.sca1b.amazontrust.com
  • 143.204.214.74
  • 143.204.214.142
  • 143.204.214.141
  • 143.204.214.169
whitelisted
media.sketchfab.com
  • 13.225.74.107
  • 13.225.74.81
  • 13.225.74.78
  • 13.225.74.47
whitelisted
rigmodels.com
  • 107.172.10.124
unknown

Threats

Class: Generic Protocol Command Decode
Message: SURICATA STREAM Last ACK with wrong seq
(The report attributes this alert to no PID or process.)