analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

GjkeqZjxdJVq2K.rar

Full analysis: https://app.any.run/tasks/2a4a7a5f-d2ab-48b7-ba4b-30257c3e279d
Verdict: Malicious activity
Analysis date: May 30, 2020, 09:09:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

5B639E895D8FD75E5CB3F2BD25811A41

SHA1:

774E54BCA857A3D5284910649F5901B7509FF955

SHA256:

18A14C770DC8D0679D2C22D35853F53C5B40EC7B10F098FEA57A38989929B525

SSDEEP:

49152:d7JF/7akKMurXK+4uVreB0cQyXusC2haQ7BhcwAhjIZJf+qiNpT4V9lpNrqTwwH:d7JN7ajXNBC0GC1QNhcDGf+qifkTlppO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Vq2K$GjkeqZjxdJ.exe (PID: 2728)
      • Vq2K$GjkeqZjxdJ.exe (PID: 2836)
      • ztYw2y8tYw2N9yeRPFMT.exe (PID: 2004)
      • NzmQfYnDsd.exe (PID: 2732)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • Vq2K$GjkeqZjxdJ.exe (PID: 2836)

    • Application launched itself

      • Vq2K$GjkeqZjxdJ.exe (PID: 2728)

    • Creates files in the driver directory

      • Vq2K$GjkeqZjxdJ.exe (PID: 2836)

    • Executable content was dropped or overwritten

      • Vq2K$GjkeqZjxdJ.exe (PID: 2836)

    • Reads internet explorer settings

      • NzmQfYnDsd.exe (PID: 2732)

    • Creates files in the user directory

      • NzmQfYnDsd.exe (PID: 2732)

    • Reads Internet Cache Settings

      • NzmQfYnDsd.exe (PID: 2732)

  • INFO

    • Manual execution by user

      • Vq2K$GjkeqZjxdJ.exe (PID: 2728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe no specs vq2k$gjkeqzjxdj.exe no specs vq2k$gjkeqzjxdj.exe ztyw2y8tyw2n9yerpfmt.exe no specs nzmqfyndsd.exe

Process information

PID
CMD
Path
Indicators
Parent process
2452"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GjkeqZjxdJVq2K.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2728"C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe" C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2836"C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe" -el -s2 "-dC:\Windows\System32\drivers" "-sp"C:\Users\admin\Desktop\Vq2K$GjkeqZjxdJ.exe
Vq2K$GjkeqZjxdJ.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2004"C:\Windows\System32\drivers\ztYw2y8tYw2N9yeRPFMT.exe" C:\Windows\System32\drivers\ztYw2y8tYw2N9yeRPFMT.exeVq2K$GjkeqZjxdJ.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
2732"C:\Windows\System32\drivers\NzmQfYnDsd.exe" C:\Windows\System32\drivers\NzmQfYnDsd.exe
Vq2K$GjkeqZjxdJ.exe
User:
admin
Integrity Level:
HIGH
Description:
FluxLoader
Version:
1.0.0.0
Total events
618
Read events
592
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
2452WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2452.11447\Vq2K$GjkeqZjxdJ.exe
MD5:
SHA256:
2732NzmQfYnDsd.exeC:\Users\admin\AppData\Local\FluxLoader\DefaultDomain_Path_otxh1g3d2uhtlcxxtxzivz3e0bknhhgq\1.0.0.0\weg3olz3.newcfg
MD5:
SHA256:
2732NzmQfYnDsd.exeC:\Users\admin\AppData\Local\FluxLoader\DefaultDomain_Path_otxh1g3d2uhtlcxxtxzivz3e0bknhhgq\1.0.0.0\wmd0suv0.newcfgxml
MD5:1788F2062F6A7E22E4927886A11D3382
SHA256:34084F133FCB718A7B6AF21D002BD4C58CFC9E9D26DEC560CAE2D24061B7DE0C
2836Vq2K$GjkeqZjxdJ.exeC:\Windows\System32\drivers\NzmQfYnDsd.exeexecutable
MD5:5AFE1B8FA3B129BAF77CC93FB9E8ABCE
SHA256:ABFA7D4DFCB563C9513B74632CB409077398EF322D9D1E0103AFFC6E8CCF1499
2732NzmQfYnDsd.exeC:\Users\admin\AppData\Local\FluxLoader\DefaultDomain_Path_otxh1g3d2uhtlcxxtxzivz3e0bknhhgq\1.0.0.0\user.configxml
MD5:EC9C54B3B844A101D9CF34D1DFEF0B36
SHA256:6CF63C9684DE5FBDC16CF52170C9777FEF2CB6D6F73DFB2ACFA78735276EB22D
2732NzmQfYnDsd.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\check[1].htmhtml
MD5:9D4FBA3544D638604A90669C319B94AF
SHA256:BEC6F1EF1206BE834319F90DCAB5A683D12790EADFAA248E2785B81A9C75261E
2836Vq2K$GjkeqZjxdJ.exeC:\Windows\System32\drivers\ztYw2y8tYw2N9yeRPFMT.exeexecutable
MD5:FF5D13943A0ED41A293B0262A6D3BF36
SHA256:C4CB80458AE8DD744CB5CD0672AF7B0D0B0E2B324EA00290F97508D3E37D5175
2732NzmQfYnDsd.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\ECKJYRJ0.txttext
MD5:B06CE482EA337F9FEADF149D30508F0F
SHA256:A542834BD1175D85DFA71B8773C7FAFF8AF3D0D1498457AB7348D77CB42C4717
2732NzmQfYnDsd.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\aes[1].jstext
MD5:78A66859739B0C9E18BC5B4538C03BF9
SHA256:D2701C86A2A31A641520E72121749DBBABEED4B1A59AECE20BBF14F9C9DE82BC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2732
NzmQfYnDsd.exe
GET
200
185.27.134.125:80
http://fluxware.epizy.com/forums/check/check.php?username=dick&password=awdadawdawdawdwuaiawidaawdaw
GB
suspicious
2732
NzmQfYnDsd.exe
GET
200
185.27.134.125:80
http://fluxware.epizy.com/forums/check/check.php?username=dwadwad&password=awdadawdawdaw
GB
html
593 b
suspicious
2732
NzmQfYnDsd.exe
GET
200
185.27.134.125:80
http://fluxware.epizy.com/forums/check/check.php?username=dwadwad&password=awdadawdawdaw&i=1
GB
text
30.4 Kb
suspicious
2732
NzmQfYnDsd.exe
GET
200
185.27.134.125:80
http://fluxware.epizy.com/aes.js
GB
text
30.4 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2732
NzmQfYnDsd.exe
185.27.134.125:80
fluxware.epizy.com
Wildcard UK Limited
GB
suspicious

DNS requests

Domain
IP
Reputation
fluxware.epizy.com
  • 185.27.134.125
suspicious

Threats

PID
Process
Class
Message
2732
NzmQfYnDsd.exe
Misc activity
SUSPICIOUS [PTsecurity] Encryptor aes.js script (seen PedCont ransomware)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
GjkeqZjxdJVq2K.rar