File name: babel 4.0 BY OWL.rar

Full analysis: https://app.any.run/tasks/c7030c42-3626-456b-b2fa-b464a0f0090c
Verdict: Malicious activity
Analysis date: May 21, 2022, 05:07:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 7B843011F7144203DA5EE763B5196B8B
SHA1: 9B5A350A751D35A9DCA1CE84710FC7D2B75B3713
SHA256: 18E441F837E8EF19179ACE44349A3D248EC911FB77404DA2B039E88EC820FFA8
SSDEEP: 49152:srYqKOvK5bc2shNQAXVKkcpdwphOexS5WzYbarAmdgdyAoMbo:srYlOyRc2iyAlKxpdTICDerpKAX2o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 2300)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2684)
      • msiexec.exe (PID: 2300)
      • MsiExec.exe (PID: 2664)
      • MsiExec.exe (PID: 2692)
      • MsiExec.exe (PID: 3476)
      • filezilla.exe (PID: 1692)
    • Checks supported languages

      • WinRAR.exe (PID: 2684)
      • msiexec.exe (PID: 2300)
      • MsiExec.exe (PID: 2664)
      • MsiExec.exe (PID: 2692)
      • MsiExec.exe (PID: 3476)
      • filezilla.exe (PID: 1692)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2684)
      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 2300)
    • Starts Microsoft Installer

      • WinRAR.exe (PID: 2684)
    • Reads the Windows organization settings

      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 2300)
    • Reads Windows owner or organization settings

      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 2300)
    • Executed as Windows Service

      • vssvc.exe (PID: 3336)
    • Drops a file with a compile date too recent

      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 2300)
    • Reads Environment values

      • vssvc.exe (PID: 3336)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 2300)
    • Creates a directory in Program Files

      • msiexec.exe (PID: 2300)
    • Creates files in the user directory

      • msiexec.exe (PID: 2300)
      • filezilla.exe (PID: 1692)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 2732)
      • vssvc.exe (PID: 3336)
    • Reads the computer name

      • msiexec.exe (PID: 2732)
      • vssvc.exe (PID: 3336)
    • Application launched itself

      • msiexec.exe (PID: 2300)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2664)
      • MsiExec.exe (PID: 2692)
      • MsiExec.exe (PID: 3476)
      • msiexec.exe (PID: 2300)
    • Creates files in the program directory

      • msiexec.exe (PID: 2300)
      • MsiExec.exe (PID: 3476)
    • Reads settings of System Certificates

      • filezilla.exe (PID: 1692)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2300)
    • Manual execution by user

      • filezilla.exe (PID: 1692)
    • Searches for installed software

      • msiexec.exe (PID: 2300)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process nodes: start, winrar.exe, msiexec.exe, msiexec.exe, msiexec.exe (no specs), vssvc.exe (no specs), msiexec.exe (no specs), msiexec.exe (no specs), filezilla.exe (no specs)

Process information

PID: 2684
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\babel 4.0 BY OWL.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 2732
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXb2684.31592\babel_x86_4.0.0.0.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2300
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2664
CMD: C:\Windows\system32\MsiExec.exe -Embedding A45F8C4EDCC98EC0B27DE1F1FCA52705 C
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3336
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2692
CMD: C:\Windows\system32\MsiExec.exe -Embedding 0EA4C7F4C0C238D09F3CDEC4F50F2986
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3476
CMD: C:\Windows\system32\MsiExec.exe -Embedding 49C124C67143273F5E55ADCED9B1E9B6 E Global\MSI0000
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 1692
CMD: "C:\Program Files\FileZilla FTP Client\filezilla.exe"
Path: C:\Program Files\FileZilla FTP Client\filezilla.exe
Parent process: Explorer.EXE
User: admin
Company: FileZilla Project
Integrity Level: MEDIUM
Description: FileZilla FTP Client
Version: 3, 51, 0, 0
Total events: 7 172
Read events: 6 878
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 15
Suspicious files: 7
Text files: 11
Unknown types: 4

Dropped files

PID: 2300
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID: 2300
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: 5BEBDED3AD1BCC01F4AF18D5F994C03C
SHA256: 398576F21C9808C060C6BAFAD66AACDA84E7F2745A1A5C79F3896A502C78E1B7

PID: 2300
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{a244dd3d-07a2-40ba-b864-217996d3f009}_OnDiskSnapshotProp
Type: binary
MD5: 5BEBDED3AD1BCC01F4AF18D5F994C03C
SHA256: 398576F21C9808C060C6BAFAD66AACDA84E7F2745A1A5C79F3896A502C78E1B7

PID: 2300
Process: msiexec.exe
Filename: C:\Windows\Installer\10e0ce.ipi
Type: binary
MD5: 516F3BF56C139A4827285261A30C807B
SHA256: ED1506E166916854537F3981CD7871ED91DEC541D09DC6F3BFD6C58375BAAA53

PID: 2300
Process: msiexec.exe
Filename: C:\Windows\Installer\10e0cd.msi
Type: executable
MD5: 31C4DF7E1828B1DDD9E4844974932C50
SHA256: 3C2A5970A483C50E58BF5FB669C6415A48D3782A5B2B996982ED9A823672CCEC

PID: 2300
Process: msiexec.exe
Filename: C:\Windows\Installer\MSIE572.tmp
Type: binary
MD5: 446B6B061FC79FC29FF9C70D6EBF0322
SHA256: 55B1758686712C355983261DD3ED6EEA7B41DA17849BA5AAA19F3CF9CFDDDE1C

PID: 2732
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIBDF3.tmp
Type: executable
MD5: DEF1669123BC5BD8E9A3A93E7F68B58C
SHA256: 82BBA027D920FAC29385C1A6752F2337A3AE4B1944A29A72D2864017ABEAA8D9

PID: 2300
Process: msiexec.exe
Filename: C:\Windows\assembly\tmp\2M0DQZX3\Babel.Build.dll
Type: executable
MD5: 5DDC0699CA82F41E599092CE56578D05
SHA256: 56BB3C8B6F2097FE8FEC831C5AEE6DF3DB17D9D26FB2297748430E6087BAEEF8

PID: 2692
Process: MsiExec.exe
Filename: C:\Users\admin\AppData\Local\Temp\CFGE428.tmp
Type: xml
MD5: 17AF548F88A3199AA8A63A72201F470F
SHA256: A558DBE555749CD3BDD62060FDBBA72720C4F4A186D5870B977ED2ACF9721D9E

PID: 2300
Process: msiexec.exe
Filename: C:\Program Files\Babel\babel.exe.config
Type: xml
MD5: 1AD01B32288C407CF1E29393FDC110D7
SHA256: B9508A186376BA03A50699B9A95FAA11A41CF5B5D7683E67A7CC0AB81A283C55
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections: No data

DNS requests: No data

Threats: No threats detected
No debug info