analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

7.rar

Full analysis: https://app.any.run/tasks/ca047084-d92b-46f6-96e4-fa29bd5839d9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 11, 2019, 08:16:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

F492E895C6EB31A7FFF0B4DA9628C809

SHA1:

C3998EEF68DA0F4993AD2783E75FF6F3AEBCF955

SHA256:

0880C3D5657386A2085BCA1052A231987437DA70B867F7813D5B5B8A96CC0059

SSDEEP:

49152:99tmb9NXfMVdgHrXXSxjvYrgJE5DU5GpI/xqb9L0O9zigVl/7VJS:btqzMVcXXSpHJsDU0m/xqb9jVrfS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 2680)
      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 3568)
      • svchost.exe (PID: 1140)
      • svchost.exe (PID: 2960)
      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 3236)
      • svchost.exe (PID: 2936)
      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 1244)
      • svchost.exe (PID: 3336)
      • svchost.exe (PID: 4016)
      • svchost.exe (PID: 3640)
    • Downloads executable files from the Internet

      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 2680)
  • SUSPICIOUS

    • Creates files in the user directory

      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 2680)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2880)
      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 2680)
      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 3236)
    • Creates executable files which already exist in Windows

      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 2680)
      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 3236)
    • Application launched itself

      • svchost.exe (PID: 2960)
      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 2680)
      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 3236)
      • svchost.exe (PID: 2936)
  • INFO

    • Application was crashed

      • svchost.exe (PID: 1140)
      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 2680)
      • svchost.exe (PID: 3336)
      • Adfocus Brute Checker_ShaOnKrisTof.exe (PID: 3236)
      • svchost.exe (PID: 3640)
    • Dropped object may contain Bitcoin addresses

      • chrome.exe (PID: 4008)
    • Application launched itself

      • chrome.exe (PID: 4008)
    • Reads settings of System Certificates

      • chrome.exe (PID: 4008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
65
Monitored processes
22
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe adfocus brute checker_shaonkristof.exe svchost.exe no specs adfocus brute checker_shaonkristof.exe no specs svchost.exe adfocus brute checker_shaonkristof.exe svchost.exe no specs adfocus brute checker_shaonkristof.exe no specs svchost.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs svchost.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2880"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2680"C:\Users\admin\Desktop\Adfocus Brute Checker_ShaOnKrisTof.exe" C:\Users\admin\Desktop\Adfocus Brute Checker_ShaOnKrisTof.exe
explorer.exe
User:
admin
Company:
AdfocusBrute By ShaOnKrisTof
Integrity Level:
MEDIUM
Description:
AdfocusBrute By ShaOnKrisTof
Exit code:
3221225477
Version:
...
2960"C:\Users\admin\AppData\Local\Temp\svchost.exe" C:\Users\admin\AppData\Local\Temp\svchost.exeAdfocus Brute Checker_ShaOnKrisTof.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3568"C:\Users\admin\Desktop\Adfocus Brute Checker_ShaOnKrisTof.exe"C:\Users\admin\Desktop\Adfocus Brute Checker_ShaOnKrisTof.exeAdfocus Brute Checker_ShaOnKrisTof.exe
User:
admin
Company:
AdfocusBrute By ShaOnKrisTof
Integrity Level:
MEDIUM
Description:
AdfocusBrute By ShaOnKrisTof
Version:
...
1140"C:\Users\admin\AppData\Local\Temp\svchost.exe"C:\Users\admin\AppData\Local\Temp\svchost.exe
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
216
3236"C:\Users\admin\Desktop\Adfocus Brute Checker_ShaOnKrisTof.exe" C:\Users\admin\Desktop\Adfocus Brute Checker_ShaOnKrisTof.exe
explorer.exe
User:
admin
Company:
AdfocusBrute By ShaOnKrisTof
Integrity Level:
HIGH
Description:
AdfocusBrute By ShaOnKrisTof
Exit code:
3221225477
Version:
...
2936"C:\Users\admin\AppData\Local\Temp\svchost.exe" C:\Users\admin\AppData\Local\Temp\svchost.exeAdfocus Brute Checker_ShaOnKrisTof.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
1244"C:\Users\admin\Desktop\Adfocus Brute Checker_ShaOnKrisTof.exe"C:\Users\admin\Desktop\Adfocus Brute Checker_ShaOnKrisTof.exeAdfocus Brute Checker_ShaOnKrisTof.exe
User:
admin
Company:
AdfocusBrute By ShaOnKrisTof
Integrity Level:
HIGH
Description:
AdfocusBrute By ShaOnKrisTof
Version:
...
3336"C:\Users\admin\AppData\Local\Temp\svchost.exe"C:\Users\admin\AppData\Local\Temp\svchost.exe
svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
216
4008"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
68.0.3440.106
Total events
1 395
Read events
1 311
Write events
81
Delete events
3

Modification events

(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2880) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\7.rar
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2880) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2680) Adfocus Brute Checker_ShaOnKrisTof.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Adfocus Brute Checker_ShaOnKrisTof_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2680) Adfocus Brute Checker_ShaOnKrisTof.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Adfocus Brute Checker_ShaOnKrisTof_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
4
Suspicious files
82
Text files
88
Unknown types
11

Dropped files

PID
Process
Filename
Type
4008chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\aab58cde-19c3-469a-b06c-188a0e311dca.tmp
MD5:
SHA256:
4008chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
MD5:
SHA256:
4008chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
MD5:
SHA256:
4008chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:C10EBD4DB49249EFC8D112B2920D5F73
SHA256:90A1B994CAFE902F22A88A22C0B6CC9CB5B974BF20F8964406DD7D6C9B8867D1
2680Adfocus Brute Checker_ShaOnKrisTof.exeC:\Users\admin\AppData\Local\Temp\svchost.exeexecutable
MD5:CA7BC5AD6DAFD97C7BACBF1B8B9FC45B
SHA256:F7C8DA7C02E29B1D1F383F83F7179BCB43EB42AFF1F54A41B196154674DA76C5
4008chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.oldtext
MD5:1AA66EFDB743FB0A8DCC1CD79B0B6542
SHA256:28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD
3236Adfocus Brute Checker_ShaOnKrisTof.exeC:\Users\admin\AppData\Local\Temp\svchost.exeexecutable
MD5:CA7BC5AD6DAFD97C7BACBF1B8B9FC45B
SHA256:F7C8DA7C02E29B1D1F383F83F7179BCB43EB42AFF1F54A41B196154674DA76C5
4008chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\4fc5337d-b5e2-4897-935f-b3900f9de717.tmp
MD5:
SHA256:
4008chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF1afe85.TMPtext
MD5:1AA66EFDB743FB0A8DCC1CD79B0B6542
SHA256:28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD
2880WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2880.5813\Adfocus Brute Checker_ShaOnKrisTof.exeexecutable
MD5:714B35406685A5D8B9F4A9744B823820
SHA256:5B43F7F633185D4AF05E43F3D847AD744CAA188839081C5E78812081A5FCC75A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
22
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3236
Adfocus Brute Checker_ShaOnKrisTof.exe
GET
304
77.222.40.107:80
http://intspy.ru/svchost.exe
RU
malicious
2680
Adfocus Brute Checker_ShaOnKrisTof.exe
GET
200
77.222.40.107:80
http://intspy.ru/svchost.exe
RU
executable
1.17 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4008
chrome.exe
216.58.206.3:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3236
Adfocus Brute Checker_ShaOnKrisTof.exe
77.222.40.107:80
intspy.ru
SpaceWeb Ltd
RU
malicious
4008
chrome.exe
216.58.208.35:443
www.gstatic.com
Google Inc.
US
whitelisted
2680
Adfocus Brute Checker_ShaOnKrisTof.exe
77.222.40.107:80
intspy.ru
SpaceWeb Ltd
RU
malicious
4008
chrome.exe
172.217.16.202:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
4008
chrome.exe
216.58.205.227:443
www.google.de
Google Inc.
US
whitelisted
4008
chrome.exe
172.217.22.13:443
accounts.google.com
Google Inc.
US
whitelisted
4008
chrome.exe
172.217.22.46:443
apis.google.com
Google Inc.
US
whitelisted
4008
chrome.exe
172.217.23.131:443
ssl.gstatic.com
Google Inc.
US
whitelisted
4008
chrome.exe
172.217.16.195:443
www.google.no
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
intspy.ru
  • 77.222.40.107
malicious
www.gstatic.com
  • 216.58.208.35
whitelisted
clientservices.googleapis.com
  • 216.58.206.3
whitelisted
www.google.de
  • 216.58.205.227
whitelisted
safebrowsing.googleapis.com
  • 172.217.16.202
whitelisted
accounts.google.com
  • 172.217.22.13
shared
ssl.gstatic.com
  • 172.217.23.131
whitelisted
apis.google.com
  • 172.217.22.46
whitelisted
www.google.com
  • 216.58.207.68
whitelisted
www.google.no
  • 172.217.16.195
whitelisted

Threats

PID
Process
Class
Message
2680
Adfocus Brute Checker_ShaOnKrisTof.exe
A Network Trojan was detected
ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
2680
Adfocus Brute Checker_ShaOnKrisTof.exe
Potentially Bad Traffic
ET CURRENT_EVENTS SUSPICIOUS svchost.exe in URI Probable Process Dump/Trojan Download
2680
Adfocus Brute Checker_ShaOnKrisTof.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3236
Adfocus Brute Checker_ShaOnKrisTof.exe
A Network Trojan was detected
ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016
3236
Adfocus Brute Checker_ShaOnKrisTof.exe
Potentially Bad Traffic
ET CURRENT_EVENTS SUSPICIOUS svchost.exe in URI Probable Process Dump/Trojan Download
No debug info