| File name: | Armoury Crate.zip |
| Full analysis: | https://app.any.run/tasks/d99b1814-7fba-4eba-898a-333d28c9cc81 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 21, 2025, 20:07:09 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | C1EA2A1B90DC81B791C437E8B4C2D7B6 |
| SHA1: | 4E673CFA486A6FCDB51A6FE660272D30778A0D10 |
| SHA256: | 0EEAF58F78EDC616CB5D70BEFF091B525FC1BBA01175C48D6F80E47D8B10C874 |
| SSDEEP: | 98304:AuUSrhmbOHJ9bDvb8/GC9dUCM1OCO7OkHQNHykiCUnY0tuQAoMGVRGaPYujIBYMA:ALH+yn7ROY3hfv |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 3780)
Actions looks like stealing of personal data
- Tracehex.exe (PID: 7020)
Steals credentials from Web Browsers
- Tracehex.exe (PID: 7020)
SUSPICIOUS
Starts POWERSHELL.EXE for commands execution
- Armoury Crate.exe (PID: 7072)
- Tracehex.exe (PID: 7020)
Executable content was dropped or overwritten
- powershell.exe (PID: 4520)
Gets file extension (POWERSHELL)
- powershell.exe (PID: 4520)
Reads the date of Windows installation
- Armoury Crate.exe (PID: 7072)
Reads security settings of Internet Explorer
- Armoury Crate.exe (PID: 7072)
- Tracehex.exe (PID: 7020)
- Tracehex.exe (PID: 2764)
Application launched itself
- Tracehex.exe (PID: 7020)
The process checks if it is being run in the virtual environment
- Tracehex.exe (PID: 2764)
Checks for external IP
- svchost.exe (PID: 2200)
- Tracehex.exe (PID: 7020)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- Tracehex.exe (PID: 7020)
Starts CMD.EXE for commands execution
- Tracehex.exe (PID: 7020)
- powershell.exe (PID: 1644)
Searches for installed software
- Tracehex.exe (PID: 7020)
Possible usage of Discord/Telegram API has been detected (YARA)
- Tracehex.exe (PID: 7020)
- Tracehex.exe (PID: 2764)
Multiple wallet extension IDs have been found
- Tracehex.exe (PID: 7020)
Starts application with an unusual extension
- cmd.exe (PID: 1212)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 1212)
Found regular expressions for crypto-addresses (YARA)
- Tracehex.exe (PID: 4216)
Uses NETSH.EXE to obtain data on the network
- cmd.exe (PID: 1212)
INFO
The sample compiled with english language support
- WinRAR.exe (PID: 3780)
- Armoury Crate.exe (PID: 7072)
- powershell.exe (PID: 4520)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3780)
Creates files or folders in the user directory
- Armoury Crate.exe (PID: 7072)
- Tracehex.exe (PID: 7020)
Manual execution by a user
- Armoury Crate.exe (PID: 7072)
- powershell.exe (PID: 1644)
Checks supported languages
- Armoury Crate.exe (PID: 7072)
- Tracehex.exe (PID: 7020)
- Tracehex.exe (PID: 2764)
- Tracehex.exe (PID: 4216)
- chcp.com (PID: 6236)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 4520)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 4520)
Reads the computer name
- Armoury Crate.exe (PID: 7072)
- Tracehex.exe (PID: 7020)
- Tracehex.exe (PID: 4216)
- Tracehex.exe (PID: 2764)
Process checks computer location settings
- Armoury Crate.exe (PID: 7072)
Reads Environment values
- Tracehex.exe (PID: 7020)
Disables trace logs
- Tracehex.exe (PID: 7020)
Reads the machine GUID from the registry
- Tracehex.exe (PID: 4216)
- Tracehex.exe (PID: 7020)
- Tracehex.exe (PID: 2764)
Checks proxy server information
- Tracehex.exe (PID: 7020)
- slui.exe (PID: 768)
Reads the software policy settings
- Tracehex.exe (PID: 7020)
- slui.exe (PID: 768)
Create files in a temporary directory
- Tracehex.exe (PID: 7020)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 4860)
- powershell.exe (PID: 6124)
- powershell.exe (PID: 1644)
Checks current location (POWERSHELL)
- powershell.exe (PID: 1644)
Changes the display of characters in the console
- cmd.exe (PID: 1212)
Gets data length (POWERSHELL)
- powershell.exe (PID: 1644)
Gets or sets the time when the file was last written to (POWERSHELL)
- powershell.exe (PID: 1644)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 1644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
ims-api
(PID) Process(7020) Tracehex.exe
Telegram-Tokens (1)7644050498:AAE2fORExcKKFPKzrJJ2gzjds1nE-EOASVI
Telegram-Info-Links
7644050498:AAE2fORExcKKFPKzrJJ2gzjds1nE-EOASVI
Get info about bothttps://api.telegram.org/bot7644050498:AAE2fORExcKKFPKzrJJ2gzjds1nE-EOASVI/getMe
Get incoming updateshttps://api.telegram.org/bot7644050498:AAE2fORExcKKFPKzrJJ2gzjds1nE-EOASVI/getUpdates
Get webhookhttps://api.telegram.org/bot7644050498:AAE2fORExcKKFPKzrJJ2gzjds1nE-EOASVI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7644050498:AAE2fORExcKKFPKzrJJ2gzjds1nE-EOASVI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7644050498:AAE2fORExcKKFPKzrJJ2gzjds1nE-EOASVI/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7644050498:AAE2fORExcKKFPKzrJJ2gzjds1nE-EOASVI
End-PointsendMessage
Args
chat_id (1)7570840648
text (1)ℹ️ stealer > 94.142.241.194[The Netherlands] > Starting...
parse_mode (1)HTML
Telegram-Responses
oktrue
result
message_id374
from
id7644050498
is_bottrue
first_nameArmoryCrate
usernamearmorycrate_bot
chat
id7570840648
first_namesupr
last_namesu
usernamemr0x03
typeprivate
date1750536462
textℹ️ stealer > 94.142.241.194[The Netherlands] > Starting...
entities
offset13
length14
typeurl
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2025:06:12 00:30:22 |
| ZipCRC: | 0xc7b275c9 |
| ZipCompressedSize: | 5258872 |
| ZipUncompressedSize: | 6029824 |
| ZipFileName: | Armoury Crate.exe |
Total processes
166
Monitored processes
21
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 620 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 768 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1212 | "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All | C:\Windows\System32\cmd.exe | — | Tracehex.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1644 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1712 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2200 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2276 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2764 | "C:\Users\admin\AppData\Roaming\su_415127434\requirements\Tracehex.exe" tgc2 | C:\Users\admin\AppData\Roaming\su_415127434\requirements\Tracehex.exe | — | Tracehex.exe | |||||||||||
User: admin Company: Bootracodera Inc. Integrity Level: MEDIUM Version: 1.8.70.23 Modules
| |||||||||||||||
| 3780 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Armoury Crate.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 4216 | "C:\Users\admin\AppData\Roaming\su_415127434\requirements\Tracehex.exe" cli | C:\Users\admin\AppData\Roaming\su_415127434\requirements\Tracehex.exe | — | Tracehex.exe | |||||||||||
User: admin Company: Bootracodera Inc. Integrity Level: MEDIUM Version: 1.8.70.23 Modules
| |||||||||||||||
Total events
23 449
Read events
23 417
Write events
32
Delete events
0
Modification events
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Armoury Crate.zip | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEB0000003E000000AB04000027020000 | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
| Operation: | write | Name: | name |
Value: 256 | |||
Executable files
2
Suspicious files
24
Text files
18
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7020 | Tracehex.exe | C:\Users\admin\AppData\Local\Temp\places.raw | — | |
MD5:— | SHA256:— | |||
| 7020 | Tracehex.exe | C:\Users\admin\AppData\Local\Temp\tmpBDEB.tmp.dat | — | |
MD5:— | SHA256:— | |||
| 4520 | powershell.exe | C:\Users\admin\AppData\Roaming\su_415127434\requirements\Tracehex.exe | executable | |
MD5:9834EAB05F36614911E08A8469BC956F | SHA256:4D1C08028C406387D01FC71658A511568C16C997AB3B65DC8902DDAB0D6A16C5 | |||
| 4520 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0cglgho1.3dk.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3780.25609\Armoury Crate.exe | executable | |
MD5:0BA542BD1B9539C77E44924423FCC05F | SHA256:D5C9AA50D91F721B0188535C7735B77556D06072497A9E56C7D030B484365072 | |||
| 7020 | Tracehex.exe | C:\Users\admin\AppData\Local\Temp\tmpBD68.tmp.dat | binary | |
MD5:983A5B37990067066CF80EDDF2426994 | SHA256:E499265D1817B9CD52AC502B7BE6DEF5174478CAAAB7DADE263A7754E4E838D3 | |||
| 7020 | Tracehex.exe | C:\Users\admin\AppData\Local\Temp\tmpBD46.tmp.dat | binary | |
MD5:A45465CDCDC6CB30C8906F3DA4EC114C | SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209 | |||
| 7020 | Tracehex.exe | C:\Users\admin\AppData\Local\Temp\tmpBD8A.tmp.dat | binary | |
MD5:9354520741EBDFB3142C07C6CBC20A35 | SHA256:1440E81F80958229541B1DA9D33A03E9AA5848545033C98EFF59E332AA2B59E9 | |||
| 7020 | Tracehex.exe | C:\Users\admin\AppData\Local\Temp\tmpBD56.tmp.dat | binary | |
MD5:15689BCA2327BD6439BB5A321BFF1115 | SHA256:1513329660C876E166FDE7919D705ECFA5339732849159685C59847BE92B7478 | |||
| 7020 | Tracehex.exe | C:\Users\admin\AppData\Local\Temp\tmpBD89.tmp.dat | binary | |
MD5:AD69D516F25355F9DF4BF7160DBC0A31 | SHA256:7C7CC596E5D1D2F3809B5D1E7BC8E9E578A88D1A07657C1FD411363C5853C1D3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
50
DNS requests
27
Threats
17
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6160 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.10.249.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
7020 | Tracehex.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | — | — | whitelisted |
5328 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
7020 | Tracehex.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | — | — | whitelisted |
1296 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
1296 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
5328 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
7020 | Tracehex.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2320 | RUXIMICS.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1268 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2336 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
6160 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6160 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1268 | svchost.exe | 23.10.249.17:80 | crl.microsoft.com | Akamai International B.V. | CH | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
api.ipify.org |
| shared |
ip-api.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2200 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
7020 | Tracehex.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI |
7020 | Tracehex.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com |
2200 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) |
7020 | Tracehex.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
2200 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
2200 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram |
7020 | Tracehex.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
7020 | Tracehex.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com |