File name: Debug.zip

Full analysis: https://app.any.run/tasks/78efb858-98e2-4ee0-9e75-e101e590f7e4
Verdict: Malicious activity
Analysis date: November 29, 2020, 11:43:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: BAAE1C69E0B10F25F8AD1C74F663DE8D
SHA1: 820CE12DF752C3C6BEF7F218B6F8FD691E3891D2
SHA256: 0FB625F48B1210057074B4C2F299B22398070A84D99CD78FE6FA36EA02D44160
SSDEEP: 98304:+b5Rnf2LXixMr6itVYDPEaxs9mIWJ/lHksQvS:+nJxMr6iED/QmnNlHXQvS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Spyder1.3.0.exe (PID: 2988)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3448)
    • Drops executable file immediately after starts
      • Spyder1.3.0.exe (PID: 2988)
  • SUSPICIOUS
    • Drops a file with too old compile date
      • WinRAR.exe (PID: 956)
      • Spyder1.3.0.exe (PID: 2988)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 956)
      • Spyder1.3.0.exe (PID: 2988)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 956)
      • Spyder1.3.0.exe (PID: 2988)
    • Creates files in the user directory
      • Spyder1.3.0.exe (PID: 2988)
  • INFO
    • Manual execution by user
      • Spyder1.3.0.exe (PID: 2988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
  ZipRequiredVersion: 20
  ZipBitFlag: -
  ZipCompression: Deflated
  ZipModifyDate: 2019:03:02 21:19:13
  ZipCRC: 0x3396496d
  ZipCompressedSize: 27970
  ZipUncompressedSize: 68608
  ZipFileName: GameOverlay.dll
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 3
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive; see the full report): start, winrar.exe, searchprotocolhost.exe (no specs), spyder1.3.0.exe

Process information

PID: 956
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Debug.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3448
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 2988
CMD: "C:\Users\admin\Desktop\Spyder1.3.0.exe"
Path: C:\Users\admin\Desktop\Spyder1.3.0.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.1.32.00
Total events: 868
Read events: 819
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 38
Suspicious files: 6
Text files: 1
Unknown types: 3

Dropped files

PID | Process | Filename | Type

956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Debug\GameOverlay.dll | executable
  MD5: 0CBC714C910D27F3A2C2F7AA29D63129
  SHA256: 6F47F4119B15B706F8627941E23D42BEFFED21BE5B9D2D1D403E0F317D1349C8
956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Debug\Spyder1.3.0.exe | executable
  MD5: 65F2EF96961ACBEFCA09E4A95FC27D2C
  SHA256: 25A3E5A06765DF6912606670C8569A6BBB34DCC1F0B02459F3EAF1EF51638E76
956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Debug\System.Numerics.Vectors.dll | executable
  MD5: 482D88247171630099D81400DC0A1AA7
  SHA256: A044D77EDB6E8DB4053BF67CC671E7687C226C1B9B0963A81EBE359CE79DFDF7
956 | WinRAR.exe | C:\Users\admin\Desktop\GameOverlay.dll | executable
  MD5: 0CBC714C910D27F3A2C2F7AA29D63129
  SHA256: 6F47F4119B15B706F8627941E23D42BEFFED21BE5B9D2D1D403E0F317D1349C8
956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Debug\spyder.dll | executable
  MD5: D37DA4AF6A94771D51D995D8683AFED4
  SHA256: 978459919E8C7879F76889A4237703E4A7E58F5AAA02B4E1135DD940E8879C70
956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Debug\SharpDX.Direct2D1.dll | executable
  MD5: B992DFABF27B4C32C57D5CC2960CD8E3
  SHA256: 9F4B5E240CB42CE903082F81633BBA0C781C1E684FD5903BC3915E3805B5E83E
956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Debug\System.Runtime.CompilerServices.Unsafe.dll | executable
  MD5: 457118C8AB56D3E31C28EF97AF2BA81A
  SHA256: 9B97A0904DDA270A8021E6E90AA8B083D8C3AFD0165B85DF21C0A090B8A0985C
956 | WinRAR.exe | C:\Users\admin\Desktop\Spyder1.3.0.exe | executable
  MD5: 65F2EF96961ACBEFCA09E4A95FC27D2C
  SHA256: 25A3E5A06765DF6912606670C8569A6BBB34DCC1F0B02459F3EAF1EF51638E76
956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Debug\MetroFramework.Design.dll | executable
  MD5: AB4C3529694FC8D2427434825F71B2B8
  SHA256: 0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65
956 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Debug\MetroFramework.Fonts.dll | executable
  MD5: 65EF4B23060128743CEF937A43B82AA3
  SHA256: C843869AACA5135C2D47296985F35C71CA8AF4431288D04D481C4E46CC93EE26
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2988 | Spyder1.3.0.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D | US | der | 313 b | whitelisted
2988 | Spyder1.3.0.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEQD5g7jF84adhvw3B5kCUueb | US | der | 280 b | whitelisted
2988 | Spyder1.3.0.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEBblhnjgcJQ5S9%2FbTvymO98%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2988 | Spyder1.3.0.exe | 162.159.129.233:443 | cdn.discordapp.com | Cloudflare Inc | - | shared
2988 | Spyder1.3.0.exe | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
cdn.discordapp.com | shared
  • 162.159.129.233
  • 162.159.134.233
  • 162.159.133.233
  • 162.159.130.233
  • 162.159.135.233
ocsp.comodoca.com | whitelisted
  • 151.139.128.14
ocsp.comodoca4.com | whitelisted
  • 151.139.128.14

Threats: No threats detected

Debug info: No debug info