File name: NL Brute 1.2.rar

Full analysis: https://app.any.run/tasks/3d4b282e-419b-4437-b8e7-d0b5a7cf8a64
Verdict: Malicious activity
Analysis date: January 13, 2024, 08:22:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: F1D7F5F3E379AE9ED3F3B5328774D691
SHA1: 083CE36398E2A659FE9D3ADBE1E12F4158D42A09
SHA256: 0FD6CC0C1993117F2211DB646BF34ABBDA57DAEC8898EB362968CEBEA52904C9
SSDEEP: 98304:0aSkGJ7WjRhNxguYUTESt64BFJY4ikGIz0RSCN+OUHQIw6Av7BJ1ZgzhhBJg+SeS:ahNRADsUa4MZfv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 2036)
  • SUSPICIOUS
    • Reads the BIOS version
      • NL Brute 1.2.exe (PID: 1504)
    • Connects to unusual port
      • NL Brute 1.2.exe (PID: 1504)
  • INFO
    • Checks supported languages
      • NL Brute 1.2.exe (PID: 1504)
    • Reads the computer name
      • NL Brute 1.2.exe (PID: 1504)
    • Reads the machine GUID from the registry
      • NL Brute 1.2.exe (PID: 1504)
    • Manual execution by a user
      • NL Brute 1.2.exe (PID: 1504)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2036)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF (ZIP group)

CompressedSize: 59812
UncompressedSize: 743168
OperatingSystem: Win32
ModifyDate: 2016:09:06 14:18:46
PackingMethod: Normal
ArchivedFileName: NL Brute 1.2\credentials.txt

The EXIF values describe only the first entry in the archive (credentials.txt), not the archive as a whole; the full member list is in the Dropped files section.
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → winrar.exe
start → nl brute 1.2.exe

Process information

PID: 1504
CMD: "C:\Users\admin\Desktop\NL Brute 1.2\NL Brute 1.2.exe"
Path: C:\Users\admin\Desktop\NL Brute 1.2\NL Brute 1.2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\nl brute 1.2\nl brute 1.2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

PID: 2036
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NL Brute 1.2.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 6 394
Read events: 6 373
Write events: 21
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(2036) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
(2036) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(2036) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\phacker.zip
(2036) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(2036) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(2036) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(2036) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(2036) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(2036) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(2036) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | write | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

All of the registry writes listed here are WinRAR saving its own GUI state (MUI cache, recent-archive list, column widths, window placement). The ArcHistory values name other archives on the analysis desktop, not the sample, and should not be treated as indicators. No registry modification by NL Brute 1.2.exe appears in this list.
Executable files: 1
Suspicious files: 1
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2036.16984\NL Brute 1.2\credentials.txt | binary
  MD5: 82B78DC840AF677290AABFB039F26130
  SHA256: 4687E9B1E2FD8912E8898879F25428DDAEB521572E21A4EAFDEAE8F44D56B412
2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2036.16984\NL Brute 1.2\good.txt | text
  MD5: BEA07E6D2B8DCE396FE21BAA61B34956
  SHA256: 2E08D1F6000AEF541797D008C05AC36F4DBEBFB36CBAC5615788E6FCC5B300A7
2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2036.16984\NL Brute 1.2\settings.ini | text
  MD5: B77F3F45F25624CD790E285FE450EF5A
  SHA256: FFB06DCF744A64294FB75529F2E751149E80276BEBB5DDBC76C903D36C7FA2A9
2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2036.16984\NL Brute 1.2\user.txt | text
  MD5: 200CEB26807D6BF99FD6F4F0D1CA54D4
  SHA256: 4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9
2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2036.16984\NL Brute 1.2\pass.txt | text
  MD5: 88BB886BBB1D8D7B21A15D47130698C3
  SHA256: 9A7FF309E28786EC4FC5FEE18C7F1E5B8990900268EB8AF0BC720EE51403E5EB
2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2036.16984\NL Brute 1.2\servers.txt | text
  MD5: C66FE1390A356C2CE76EB47AC3ED4224
  SHA256: 8863C342BB400831FFD01162792D36DBBD55458A7354154CB5A281926510C124
2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2036.16984\NL Brute 1.2\ip.txt | text
  MD5: 0BA6846DDFDF2305BD5E1A8E88A53BFA
  SHA256: A39BF8A7CED4D141F2B5F23D8B8E2CFF8A234E14D9C6A87D289C2B90E25EEEC6
2036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2036.16984\NL Brute 1.2\NL Brute 1.2.exe | executable
  MD5: 025C1C35C3198E6E3497D5DBF97AE81F
  SHA256: FFA28DB79DACA3B93A283CE2A6FF24791956A768CB5FC791C075B638416B51F4

Rar$DRa2036.16984 is WinRAR's temporary extraction folder, so the "Drops the executable file" indicator on PID 2036 is WinRAR unpacking the archive member NL Brute 1.2.exe, not a second-stage download. The process that later ran (PID 1504) was launched from C:\Users\admin\Desktop\NL Brute 1.2\NL Brute 1.2.exe; the report gives hashes only for the extracted copy above, so use those when pivoting on the executable.
HTTP(S) requests: 0
TCP/UDP connections: 3 000
DNS requests: 0
Threats: 1

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1504 | NL Brute 1.2.exe | 49.50.65.205:3389 | - | Cyfuture India Pvt. Ltd. | IN | unknown
1504 | NL Brute 1.2.exe | 49.50.67.116:3389 | - | Cyfuture India Pvt. Ltd. | IN | unknown
1504 | NL Brute 1.2.exe | 49.50.67.80:3389 | - | Cyfuture India Pvt. Ltd. | IN | unknown
1504 | NL Brute 1.2.exe | 49.50.66.59:3389 | - | Cyfuture India Pvt. Ltd. | IN | unknown
1504 | NL Brute 1.2.exe | 49.50.67.75:3389 | - | Cyfuture India Pvt. Ltd. | IN | unknown
1504 | NL Brute 1.2.exe | 49.50.67.70:3389 | - | Cyfuture India Pvt. Ltd. | IN | unknown
1504 | NL Brute 1.2.exe | 49.50.65.204:3389 | - | Cyfuture India Pvt. Ltd. | IN | unknown

This summary shows 10 of the 3 000 TCP/UDP connections counted above. The NetBIOS (137/138) broadcasts from System and the LLMNR (5355) multicast from svchost.exe are normal Windows background traffic; every connection attributed to NL Brute 1.2.exe (PID 1504) is to TCP port 3389 (RDP) on a different host in the same Cyfuture India range, with no DNS resolution preceding it, which is the pattern of an RDP brute-force or scanning tool working through a pre-loaded target list.

DNS requests

No data

Threats

PID | Process | Class | Message
1504 | NL Brute 1.2.exe | Misc activity | ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)

This is an Emerging Threats (Suricata) signature that fires on a burst of outbound connection attempts to TCP/3389 from a single internal host within a short interval; it matches the 3389 fan-out in the Connections table rather than any payload content.
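The alert above is behavioural, so the same condition can be reproduced from endpoint or flow telemetry without Suricata. The following is an added example written for this page, not code from ANY.RUN or from the sample: a sliding-window detector that flags any process opening connections to many distinct hosts on TCP/3389 within a short window. The flow log is constructed from the report's Connections table (timestamps are invented, since the summary table carries none), and the log format, field names, window length and host threshold are all assumptions.

```python
"""
Added example (not part of the ANY.RUN report): detect one process fanning
out to many distinct RDP (TCP/3389) targets within a short window, which is
the behaviour behind the report's "Unusually fast Terminal Server Traffic"
alert. Log format, field names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

RDP_PORT = 3389
WINDOW_SECONDS = 10.0   # assumption: how far back to look per process
DISTINCT_HOSTS = 5      # assumption: alert at >= 5 distinct targets in window


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since start of capture
    pid: int
    process: str
    dst_ip: str
    dst_port: int


# Constructed flow log (tab separated, '#' comments): the seven Cyfuture
# India targets from the report plus the benign NetBIOS/LLMNR rows.
# Timestamps are invented; the report's summary table gives none.
SAMPLE_LOG = (
    "# ts\tpid\tprocess\tdst_ip:port\n"
    "0.0\t4\tSystem\t192.168.100.255:137\n"
    "0.2\t1080\tsvchost.exe\t224.0.0.252:5355\n"
    "0.5\t4\tSystem\t192.168.100.255:138\n"
    "1.0\t1504\tNL Brute 1.2.exe\t49.50.65.205:3389\n"
    "1.1\t1504\tNL Brute 1.2.exe\t49.50.67.116:3389\n"
    "1.2\t1504\tNL Brute 1.2.exe\t49.50.67.80:3389\n"
    "1.3\t1504\tNL Brute 1.2.exe\t49.50.66.59:3389\n"
    "1.4\t1504\tNL Brute 1.2.exe\t49.50.67.75:3389\n"
    "1.5\t1504\tNL Brute 1.2.exe\t49.50.67.70:3389\n"
    "1.6\t1504\tNL Brute 1.2.exe\t49.50.65.204:3389\n"
)


def parse_log(text):
    """Parse the tab-separated flow log into Flow records (process names may contain spaces)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, process, dst = line.split("\t")
        ip, port = dst.rsplit(":", 1)
        flows.append(Flow(float(ts), int(pid), process, ip, int(port)))
    return flows


def detect_rdp_fanout(flows, window=WINDOW_SECONDS, threshold=DISTINCT_HOSTS):
    """Sliding-window count of distinct RDP targets per process.

    Returns one alert dict per offending PID with the process name, the
    timestamp of the first connection in the window that tripped the
    threshold, and every target seen while the process stayed above it.
    Repeated attempts against the same host do not raise the count, so a
    single legitimate RDP session that reconnects is not flagged.
    """
    recent = defaultdict(deque)   # pid -> deque of (ts, dst_ip) inside the window
    alerts = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dst_port != RDP_PORT:
            continue
        q = recent[f.pid]
        q.append((f.ts, f.dst_ip))
        while q and f.ts - q[0][0] > window:      # expire old entries
            q.popleft()
        hosts = {ip for _, ip in q}
        if len(hosts) >= threshold:
            a = alerts.setdefault(f.pid, {"pid": f.pid, "process": f.process,
                                          "first_seen": q[0][0], "hosts": set()})
            a["hosts"] |= hosts
    for a in alerts.values():
        a["hosts"] = sorted(a["hosts"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_fanout(parse_log(SAMPLE_LOG)):
        print(f"PID {alert['pid']} ({alert['process']}): "
              f"{len(alert['hosts'])} RDP targets starting t={alert['first_seen']}s")
```

Run as a script it reports PID 1504 with all seven targets and nothing for System or svchost.exe. The threshold and window are the tuning knobs: a help desk running mstsc.exe against five different servers inside ten seconds would also trip this, so in production the rule is usually paired with an allowlist of expected RDP clients or a higher threshold, while the sample's 3 000 connections sit far above any such setting.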
Debug output

Process | Message
NL Brute 1.2.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
NL Brute 1.2.exe | 4 (this message is emitted nine times)

The Themida banner means the executable is wrapped in the Themida Professional protector, so its static strings and import table will not reflect the real program; the dynamic behaviour recorded above (the RDP fan-out and the ET SCAN alert) is the reliable signal for classifying this sample.