File name:

GABB.rar

Full analysis: https://app.any.run/tasks/07cd5c76-dc7c-413e-9542-2bdfd2842d7c
Verdict: Malicious activity
Analysis date: August 08, 2020, 09:33:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

100D8F6D15EE020F1283083CA70DBB23

SHA1:

CBC42CA92EA764879B08D57BB9087F5946365879

SHA256:

084C5158D08333A5E667CE7D981D55A4816D7F43242067E6BAAD9AED1DFEA2C0

SSDEEP:

12288:zLatPhjd7lkS6AxV9zsCfyDhA9iLnhGL3btEMgvavS4bop13KW9JsxK1ckz7yg:zLA37lPXJYRhnEbtEMOaa/o8sxKakz7/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • GABB.exe (PID: 3808)
      • GABB.exe (PID: 3064)

    • Changes the autorun value in the registry

      • GABB.exe (PID: 3808)
      • GABB.exe (PID: 3064)

  • SUSPICIOUS

    • Checks for external IP

      • GABB.exe (PID: 3808)
      • GABB.exe (PID: 3064)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2816)

  • INFO

    • Reads settings of System Certificates

      • GABB.exe (PID: 3808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start winrar.exe gabb.exe gabb.exe

Process information

PID
CMD
Path
Indicators
Parent process
2816"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GABB.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3064"C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GABB.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GABB.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2816.8355\gabb.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3808"C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GABB.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GABB.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2816.6404\gabb.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
1 341
Read events
1 287
Write events
54
Delete events
0

Modification events

(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2816) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\137\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2816) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\137\52C64B7E
Operation:writeName:@C:\Windows\system32\NetworkExplorer.dll,-1
Value:
Network
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\GABB.rar
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2816) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
Executable files
4
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2816WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GABB.initext
MD5:
SHA256:
2816WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GABB.exeexecutable
MD5:
SHA256:
2816WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GABB.initext
MD5:
SHA256:
2816WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GABB.exeexecutable
MD5:
SHA256:
2816WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GDLL.dllexecutable
MD5:8A12CB004CDBAAA80114F3C183848EFD
SHA256:92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517
2816WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GDLL.dllexecutable
MD5:8A12CB004CDBAAA80114F3C183848EFD
SHA256:92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
6
DNS requests
2
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3808
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
12 b
shared
3064
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
12 b
shared
3808
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
12 b
shared
3064
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
12 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3808
GABB.exe
116.202.244.153:80
icanhazip.com
334,Udyog Vihar
IN
malicious
3808
GABB.exe
172.67.214.70:443
nusumu.wtf
US
malicious
116.202.244.153:80
icanhazip.com
334,Udyog Vihar
IN
malicious
3064
GABB.exe
116.202.244.153:80
icanhazip.com
334,Udyog Vihar
IN
malicious
3064
GABB.exe
172.67.214.70:443
nusumu.wtf
US
malicious

DNS requests

Domain
IP
Reputation
icanhazip.com
  • 116.202.244.153
  • 116.202.55.106
shared
nusumu.wtf
  • 172.67.214.70
  • 104.27.143.46
  • 104.27.142.46
unknown

Threats

PID
Process
Class
Message
3808
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
3808
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
3064
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
3064
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
GABB.rar