Field | Value |
---|---|
File name | GABB.rar |
Full analysis | https://app.any.run/tasks/07cd5c76-dc7c-413e-9542-2bdfd2842d7c |
Verdict | Malicious activity |
Analysis date | August 08, 2020, 09:33:28 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-rar |
File info | RAR archive data, v5 |
MD5 | 100D8F6D15EE020F1283083CA70DBB23 |
SHA1 | CBC42CA92EA764879B08D57BB9087F5946365879 |
SHA256 | 084C5158D08333A5E667CE7D981D55A4816D7F43242067E6BAAD9AED1DFEA2C0 |
SSDEEP | 12288:zLatPhjd7lkS6AxV9zsCfyDhA9iLnhGL3btEMgvavS4bop13KW9JsxK1ckz7yg:zLA37lPXJYRhnEbtEMOaa/o8sxKakz7/ |
Extension | Detected file type | Match, % |
---|---|---|
.rar | RAR compressed archive (v5.0) | 61.5 |
.rar | RAR compressed archive (gen) | 38.4 |
PID | CMD | Path | Parent process | Indicators | Details |
---|---|---|---|---|---|
2816 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GABB.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
3808 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GABB.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GABB.exe | WinRAR.exe | | User: admin; Integrity Level: MEDIUM; Version: 1.0.0.0 |
3064 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GABB.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GABB.exe | WinRAR.exe | | User: admin; Integrity Level: MEDIUM; Version: 1.0.0.0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GABB.ini | text | 196D221966D770523E1E6BA4A34F4262 | 4B86545805383530470E404B615C26D376DC9365698FB436DEC58E928427E54C |
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GABB.ini | text | 196D221966D770523E1E6BA4A34F4262 | 4B86545805383530470E404B615C26D376DC9365698FB436DEC58E928427E54C |
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GABB.exe | executable | E6CC263C2A8AA0B299A9836849A36133 | 679D944E615DF5981C82873995B71D27FD3EF4BF05A127859DF7BB5B4D3BD7A4 |
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GABB.exe | executable | E6CC263C2A8AA0B299A9836849A36133 | 679D944E615DF5981C82873995B71D27FD3EF4BF05A127859DF7BB5B4D3BD7A4 |
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GDLL.dll | executable | 8A12CB004CDBAAA80114F3C183848EFD | 92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517 |
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GDLL.dll | executable | 8A12CB004CDBAAA80114F3C183848EFD | 92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3808 | GABB.exe | GET | 200 | 116.202.244.153:80 | http://icanhazip.com/ | IN | text | 12 b | shared |
3808 | GABB.exe | GET | 200 | 116.202.244.153:80 | http://icanhazip.com/ | IN | text | 12 b | shared |
3064 | GABB.exe | GET | 200 | 116.202.244.153:80 | http://icanhazip.com/ | IN | text | 12 b | shared |
3064 | GABB.exe | GET | 200 | 116.202.244.153:80 | http://icanhazip.com/ | IN | text | 12 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3808 | GABB.exe | 116.202.244.153:80 | icanhazip.com | 334,Udyog Vihar | IN | malicious |
3808 | GABB.exe | 172.67.214.70:443 | nusumu.wtf | — | US | malicious |
— | — | 116.202.244.153:80 | icanhazip.com | 334,Udyog Vihar | IN | malicious |
3064 | GABB.exe | 172.67.214.70:443 | nusumu.wtf | — | US | malicious |
3064 | GABB.exe | 116.202.244.153:80 | icanhazip.com | 334,Udyog Vihar | IN | malicious |
Domain | IP | Reputation |
---|---|---|
icanhazip.com | | shared |
nusumu.wtf | | unknown |
PID | Process | Class | Message |
---|---|---|---|
3808 | GABB.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
3808 | GABB.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
3064 | GABB.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
3064 | GABB.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
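Added example, not part of the ANY.RUN report: a small Python detector that turns the three behaviours recorded above into rules and runs them over constructed events. The rules are (1) an executable launched by WinRAR.exe directly from a `%TEMP%\Rar$EX...` extraction directory, which is the process chain WinRAR.exe -> GABB.exe in the process table; (2) an HTTP request whose Host is an IP-check service, the same condition the "ET POLICY IP Check Domain" alerts fired on; (3) a match against the SHA256 hashes, domain and IP listed in the tables. The event schema (`type`, `pid`, `parent`, `image`, `host`, ...) is an assumed, simplified one, not ANY.RUN's export format, and the sample events are hand-built from the report; `ifconfig.me` and `api.ipify.org` in the IP-check list, and the notepad.exe control event, are illustrative additions that do not appear in the report.

```python
"""Constructed detections for the behaviours in the GABB.rar sandbox report.

Assumed simplified event schema (not ANY.RUN's export format):
  process:    pid, parent, image, [sha256]
  http:       pid, method, host, url
  connection: pid, ip, port, domain
"""
import re

# Indicators taken from the report's file and connection tables.
IOC_SHA256 = {
    "679D944E615DF5981C82873995B71D27FD3EF4BF05A127859DF7BB5B4D3BD7A4",  # GABB.exe
    "92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517",  # GDLL.dll
}
IOC_DOMAINS = {"nusumu.wtf"}
IOC_IPS = {"172.67.214.70"}

# IP-check services. icanhazip.com is the one the ET POLICY alert fired on;
# the other two are illustrative additions, not from the report.
IP_CHECK_HOSTS = {"icanhazip.com", "ifconfig.me", "api.ipify.org"}

# WinRAR unpacks a double-clicked archive member into %TEMP%\Rar$EX<letter><pid>.<n>\
# and runs it from there. An .exe image under such a path with WinRAR.exe as parent
# is the "run straight from the archive" pattern seen for PIDs 3808 and 3064.
WINRAR_TEMP_EXE = re.compile(r"\\Temp\\Rar\$EX[^\\]*\\[^\\]+\.exe$", re.IGNORECASE)


def is_winrar_temp_exec(ev):
    """Rule 1: executable launched by WinRAR from its temporary extraction directory."""
    return (ev["type"] == "process"
            and ev.get("parent", "").lower() == "winrar.exe"
            and WINRAR_TEMP_EXE.search(ev["image"]) is not None)


def is_ip_check(ev):
    """Rule 2: HTTP Host is an external-IP lookup service (ET POLICY IP Check Domain intent)."""
    return ev["type"] == "http" and ev.get("host", "").lower() in IP_CHECK_HOSTS


def known_ioc(ev):
    """Rule 3: hash, domain or IP matches an indicator from the report."""
    if ev["type"] == "process":
        return ev.get("sha256", "").upper() in IOC_SHA256
    if ev["type"] == "connection":
        return ev.get("domain", "").lower() in IOC_DOMAINS or ev.get("ip") in IOC_IPS
    return False


def run_detections(events):
    """Return one hit dict per (rule, event) match, in event order."""
    hits = []
    for ev in events:
        if is_winrar_temp_exec(ev):
            hits.append({"rule": "WINRAR_TEMP_EXEC", "pid": ev["pid"], "detail": ev["image"]})
        if is_ip_check(ev):
            hits.append({"rule": "IP_CHECK_DOMAIN", "pid": ev["pid"], "detail": ev["host"]})
        if known_ioc(ev):
            hits.append({"rule": "KNOWN_IOC", "pid": ev["pid"],
                         "detail": ev.get("sha256") or ev.get("domain") or ev.get("ip")})
    return hits


# Constructed events reproducing the report's process tree and network activity.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2816, "parent": "explorer.exe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"type": "process", "pid": 3808, "parent": "WinRAR.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.6404\GABB.exe",
     "sha256": "679D944E615DF5981C82873995B71D27FD3EF4BF05A127859DF7BB5B4D3BD7A4"},
    {"type": "http", "pid": 3808, "method": "GET", "host": "icanhazip.com",
     "url": "http://icanhazip.com/"},
    {"type": "connection", "pid": 3808, "ip": "172.67.214.70", "port": 443,
     "domain": "nusumu.wtf"},
    {"type": "process", "pid": 3064, "parent": "WinRAR.exe",
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2816.8355\GABB.exe",
     "sha256": "679D944E615DF5981C82873995B71D27FD3EF4BF05A127859DF7BB5B4D3BD7A4"},
    {"type": "http", "pid": 3064, "method": "GET", "host": "icanhazip.com",
     "url": "http://icanhazip.com/"},
    # Illustrative benign control: WinRAR opening GABB.ini in notepad.exe. The image
    # is not under Rar$EX, so rule 1 must not fire even though the parent is WinRAR.exe.
    {"type": "process", "pid": 4100, "parent": "WinRAR.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for h in run_detections(SAMPLE_EVENTS):
        print(f"{h['rule']:<18} pid={h['pid']:<5} {h['detail']}")
```

Rule 1 keys on the image path rather than the command line, so a viewer (notepad.exe, a PDF reader) that WinRAR starts with an extracted document as an argument is not flagged; only a binary that itself lives in the `Rar$EX` directory is. Rule 2 is deliberately a policy-style rule, as the ET signature is: an external-IP lookup alone is not malicious, but two processes from an archive doing it before reaching an unrelated TLS endpoint is worth correlating, which is what `run_detections` gives you when the hits are grouped by `pid`.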