analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

File.7z

Full analysis: https://app.any.run/tasks/42f01ed5-d6fb-4dd4-aeb4-b6f7d03c3f3d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 21, 2022, 06:17:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
socelars
stealer
loader
rat
redline
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

4BAE0558EF80F6E0522E7A0F9FC9F782

SHA1:

964AA1E695069810C9A71D772FAD9A3702CBBAE7

SHA256:

2278C8C48B2BF0E8080776FB52F09DF454454F4731E322174EBDC3E622D3E102

SSDEEP:

1536:yppaEi4xgj05MU3xmLty9WmStMrjFhTUxSekS0sgXN+x5b2pxGg4xmQttTdMTwE:w4MwJUBmRyMEhGV0vX4Tb2pxwxmoxAl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • File.exe (PID: 3936)
      • File.exe (PID: 1412)
      • rrun.exe.exe (PID: 3684)
      • NiceProcessX32.bmp.exe (PID: 1660)
    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2876)
      • NiceProcessX32.bmp.exe (PID: 1660)
      • File.exe (PID: 1412)
    • Disables Windows Defender

      • File.exe (PID: 1412)
    • Changes settings of System certificates

      • File.exe (PID: 1412)
    • Connects to CnC server

      • File.exe (PID: 1412)
      • rrun.exe.exe (PID: 3684)
    • SOCELARS was detected

      • File.exe (PID: 1412)
    • REDLINE was detected

      • rrun.exe.exe (PID: 3684)
    • Actions looks like stealing of personal data

      • rrun.exe.exe (PID: 3684)
    • Steals credentials from Web Browsers

      • rrun.exe.exe (PID: 3684)
    • REDLINE detected by memory dumps

      • rrun.exe.exe (PID: 3684)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2876)
      • File.exe (PID: 1412)
      • rrun.exe.exe (PID: 3684)
    • Checks supported languages

      • WinRAR.exe (PID: 2876)
      • File.exe (PID: 1412)
      • NiceProcessX32.bmp.exe (PID: 1660)
      • rrun.exe.exe (PID: 3684)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2876)
      • File.exe (PID: 1412)
      • NiceProcessX32.bmp.exe (PID: 1660)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2876)
      • NiceProcessX32.bmp.exe (PID: 1660)
      • File.exe (PID: 1412)
    • Adds / modifies Windows certificates

      • File.exe (PID: 1412)
    • Checks for external IP

      • File.exe (PID: 1412)
    • Reads Environment values

      • rrun.exe.exe (PID: 3684)
    • Reads the cookies of Google Chrome

      • rrun.exe.exe (PID: 3684)
    • Reads the cookies of Mozilla Firefox

      • rrun.exe.exe (PID: 3684)
    • Searches for installed software

      • rrun.exe.exe (PID: 3684)
  • INFO

    • Checks Windows Trust Settings

      • File.exe (PID: 1412)
    • Reads settings of System Certificates

      • File.exe (PID: 1412)
    • Reads the computer name

      • WINWORD.EXE (PID: 3360)
    • Checks supported languages

      • WINWORD.EXE (PID: 3360)
    • Manual execution by user

      • WINWORD.EXE (PID: 3360)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3360)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RedLine

(PID) Process(3684) rrun.exe.exe
US (200)
LEnvironmentogiEnvironmentn DatEnvironmenta
Environment
WSystem.Texteb DatSystem.Texta
System.Text
CoCryptographyokieCryptographys
Cryptography
ExtGenericension CooGenerickies
Generic
OFileInfopeFileInfora GFileInfoX StabFileInfole
FileInfo
OpLinqera GLinqX
Linq
ApGenericpDaGenericta\RGenericoamiGenericng\
Network
Extension
UNKNOWN
.
1
cFileStreamredFileStreamit_cFileStreamardFileStreams
FileStream
\
Network\
Host
Port
:
User
Pass
cookies.sqlite
%USEDisposeRPROFILE%\AppDaDisposeta\LDisposeocal
Dispose
String.Replace
String.Remove
bcrFileStream.IOypt.dFileStream.IOll
FileStream.IO
BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder
string.Empty
BCruintyptCloseAlgorituinthmProvuintider
uint
BCrUnmanagedTypeyptDecrUnmanagedTypeypt
UnmanagedType
BCrbyte[]yptDesbyte[]troyKbyte[]ey
byte[]
BCpszPropertyryptGepszPropertytPropepszPropertyrty
pszProperty
BCEncodingryptSEncodingetPrEncodingoperEncodingty
Encoding
BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey
bMasterKey
windows-1251
AES
Microsoft Primitive Provider
ChainingModeGCM
AuthTagLength
ChainingMode
ObjectLength
KeyDataBlob
-
{0}
net.tcp://
/
localhost
c504b04cfbdd4bf85ce6195bcb37fba6
Authorization
ns1
UNKNWON
DzUcHj4TCxs6HUZJDSJDVT09LRs4IBlNDTBKWQ==
Fw8hUhNLLjcjDx41EzQPKyYOf1w=
Bawdry
Yandex\YaAddon
ToString
asf
*wallet*
ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtu...
_
T
e
l
gr
am
ex
\TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata
String
Replace
string.Replace
%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng
File.Write
Handler
npvo*
%USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl
serviceInterface.Extension
ProldCharotonVoldCharPN
oldChar
nSystem.CollectionspvoSystem.Collections*
System.Collections
(
UNIQUE
cstringmstringd
string
/ProcessC Process
Process
|
"
Armenia
Azerbaijan
Belarus
Kazakhstan
Kyrgyzstan
Moldova
Tajikistan
Uzbekistan
Ukraine
Russia
gasdl94ja;sdiasdl94ja;s32
asdl94ja;s
Gasdl94jlajsdetDevasdl94jlajsdiceCapasdl94jlajsds
asdl94jlajsd
Width
Height
CopyFromScreen
https://api.ip.sb/ip
80
81
0.0.0.0
SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor
System.Windows.Forms
Name
NumberOfCores
roSystem.Linqot\CISystem.LinqMV2
System.Linq
SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller
AdapterRAM
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Clients\StartMenuInternet
shell\open\command
Unknown Version
SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente
System.Management
SerialNumber
SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId='
'
FileSystem
SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId='
System.
ExecutablePath
[
]
Concat0 MConcatb oConcatr Concat0
Concat
SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem
Memory
{0}{1}{2}
x32
x64
x86
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CSDVersion
Unknown
_[
System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Cryptography.AesCryptoServiceProvider
—nŒ83‘mŒœ23o9fgq.•‰y‹jš’”5‰‰lc0‘s‹
{11111-22222-10009-11111}
{11111-22222-50001-00000}
GetDelegateForFunctionPointer
System.Reflection.ReflectionContext
m_ptr
System.Reflection.RuntimeModule
m_pData
˜cdrkosi‹jdˆi6cj˜.—pcŒ“ŒŽ˜h1˜pwxœ•‘
__
clrjit.dll
file:///
Location
Find
ResourceA
Virtual
Alloc
Write
Process
Protect
Open
Close
Handle
kernel
32.dll
{11111-22222-10001-00001}
{11111-22222-10001-00002}
{11111-22222-20001-00001}
{11111-22222-20001-00002}
{11111-22222-40001-00001}
{11111-22222-40001-00002}
{11111-22222-50001-00001}
{11111-22222-50001-00002}
Auth_valuec504b04cfbdd4bf85ce6195bcb37fba6
Err_msg
BotnetRuzkiUNIKALNO
C2 (1)193.233.48.58:38989
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start winrar.exe file.exe no specs #SOCELARS file.exe niceprocessx32.bmp.exe #REDLINE rrun.exe.exe winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2876"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\File.7z"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3936"C:\Users\admin\AppData\Local\Temp\Rar$EXb2876.49277\File.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb2876.49277\File.exeWinRAR.exe
User:
admin
Company:
ForceMin
Integrity Level:
MEDIUM
Description:
ForceMin
Exit code:
3221226540
Version:
1.3.21001.2
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb2876.49277\file.exe
c:\windows\system32\ntdll.dll
1412"C:\Users\admin\AppData\Local\Temp\Rar$EXb2876.49277\File.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb2876.49277\File.exe
WinRAR.exe
User:
admin
Company:
ForceMin
Integrity Level:
HIGH
Description:
ForceMin
Exit code:
0
Version:
1.3.21001.2
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb2876.49277\file.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
1660"C:\Users\admin\Pictures\Adobe Films\NiceProcessX32.bmp.exe" C:\Users\admin\Pictures\Adobe Films\NiceProcessX32.bmp.exe
File.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\pictures\adobe films\niceprocessx32.bmp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
3684"C:\Users\admin\Pictures\Adobe Films\rrun.exe.exe" C:\Users\admin\Pictures\Adobe Films\rrun.exe.exe
File.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\pictures\adobe films\rrun.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
RedLine
(PID) Process(3684) rrun.exe.exe
US (200)
LEnvironmentogiEnvironmentn DatEnvironmenta
Environment
WSystem.Texteb DatSystem.Texta
System.Text
CoCryptographyokieCryptographys
Cryptography
ExtGenericension CooGenerickies
Generic
OFileInfopeFileInfora GFileInfoX StabFileInfole
FileInfo
OpLinqera GLinqX
Linq
ApGenericpDaGenericta\RGenericoamiGenericng\
Network
Extension
UNKNOWN
.
1
cFileStreamredFileStreamit_cFileStreamardFileStreams
FileStream
\
Network\
Host
Port
:
User
Pass
cookies.sqlite
%USEDisposeRPROFILE%\AppDaDisposeta\LDisposeocal
Dispose
String.Replace
String.Remove
bcrFileStream.IOypt.dFileStream.IOll
FileStream.IO
BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder
string.Empty
BCruintyptCloseAlgorituinthmProvuintider
uint
BCrUnmanagedTypeyptDecrUnmanagedTypeypt
UnmanagedType
BCrbyte[]yptDesbyte[]troyKbyte[]ey
byte[]
BCpszPropertyryptGepszPropertytPropepszPropertyrty
pszProperty
BCEncodingryptSEncodingetPrEncodingoperEncodingty
Encoding
BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey
bMasterKey
windows-1251
AES
Microsoft Primitive Provider
ChainingModeGCM
AuthTagLength
ChainingMode
ObjectLength
KeyDataBlob
-
{0}
net.tcp://
/
localhost
c504b04cfbdd4bf85ce6195bcb37fba6
Authorization
ns1
UNKNWON
DzUcHj4TCxs6HUZJDSJDVT09LRs4IBlNDTBKWQ==
Fw8hUhNLLjcjDx41EzQPKyYOf1w=
Bawdry
Yandex\YaAddon
ToString
asf
*wallet*
ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtu...
_
T
e
l
gr
am
ex
\TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata
String
Replace
string.Replace
%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng
File.Write
Handler
npvo*
%USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl
serviceInterface.Extension
ProldCharotonVoldCharPN
oldChar
nSystem.CollectionspvoSystem.Collections*
System.Collections
(
UNIQUE
cstringmstringd
string
/ProcessC Process
Process
|
"
Armenia
Azerbaijan
Belarus
Kazakhstan
Kyrgyzstan
Moldova
Tajikistan
Uzbekistan
Ukraine
Russia
gasdl94ja;sdiasdl94ja;s32
asdl94ja;s
Gasdl94jlajsdetDevasdl94jlajsdiceCapasdl94jlajsds
asdl94jlajsd
Width
Height
CopyFromScreen
https://api.ip.sb/ip
80
81
0.0.0.0
SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor
System.Windows.Forms
Name
NumberOfCores
roSystem.Linqot\CISystem.LinqMV2
System.Linq
SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller
AdapterRAM
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Clients\StartMenuInternet
shell\open\command
Unknown Version
SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente
System.Management
SerialNumber
SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId='
'
FileSystem
SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId='
System.
ExecutablePath
[
]
Concat0 MConcatb oConcatr Concat0
Concat
SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem
Memory
{0}{1}{2}
x32
x64
x86
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CSDVersion
Unknown
_[
System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.Security.Cryptography.AesCryptoServiceProvider
—nŒ83‘mŒœ23o9fgq.•‰y‹jš’”5‰‰lc0‘s‹
{11111-22222-10009-11111}
{11111-22222-50001-00000}
GetDelegateForFunctionPointer
System.Reflection.ReflectionContext
m_ptr
System.Reflection.RuntimeModule
m_pData
˜cdrkosi‹jdˆi6cj˜.—pcŒ“ŒŽ˜h1˜pwxœ•‘
__
clrjit.dll
file:///
Location
Find
ResourceA
Virtual
Alloc
Write
Process
Protect
Open
Close
Handle
kernel
32.dll
{11111-22222-10001-00001}
{11111-22222-10001-00002}
{11111-22222-20001-00001}
{11111-22222-20001-00002}
{11111-22222-40001-00001}
{11111-22222-40001-00002}
{11111-22222-50001-00001}
{11111-22222-50001-00002}
Auth_valuec504b04cfbdd4bf85ce6195bcb37fba6
Err_msg
BotnetRuzkiUNIKALNO
C2 (1)193.233.48.58:38989
3360"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\sourcessite.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events
10 347
Read events
9 961
Write events
237
Delete events
149

Modification events

(PID) Process:(2876) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2876) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2876) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2876) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(2876) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2876) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2876) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\File.7z
(PID) Process:(2876) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2876) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2876) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
6
Suspicious files
6
Text files
1
Unknown types
7

Dropped files

PID
Process
Filename
Type
3360WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRA70B.tmp.cvr
MD5:
SHA256:
1412File.exeC:\Users\admin\Documents\cK9hbXp435SljsGsF83sh.jetbinary
MD5:8D505656356A73B4595320989D0F263E
SHA256:4B456A4681006C12F3225BC10A460DC672A110C8FD260225AE3CC0EFD7F101E9
3360WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:F0C272546EE9DBFC2AF76F6AF19154F9
SHA256:9257E95D71233CE9CD0F87E680C7828E1D9A204E4102D69C80692F3799C97AF7
2876WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2876.49277\File.exeexecutable
MD5:D8933905DAF436FDE88523508F9F0EAE
SHA256:4AA606A0A542D44BF4AA6F7EBCDC2684BF914C65A344BFED77AA34C8C20768A2
1412File.exeC:\Users\admin\Pictures\Adobe Films\NiceProcessX32.bmp.exeexecutable
MD5:A89561ABD740E80AA85B8E86EFE9A210
SHA256:E83F58825C02DB8659491FE6E3DECEC9ADA7040BAF22DE5957FA17477466CA46
1412File.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:B11652EFF754C94C50B20E897AC592E6
SHA256:E13E8BC907CF6B5618BC191080E5EB637EAF03BF2188F897A7BD1E59602D0348
1412File.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\rrun[1].exeexecutable
MD5:2142E365B3B7363A441EF737F48F55BE
SHA256:DBAFB55C36E5D055E029307DF9E1B9EA1FDD408A29BCB9F369C1AD1B90FAEF47
1412File.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:4C0966DB3F770456768D6C6A4171407A
SHA256:071A33CE1292DC7A3D259FD34F08DF3EB180C2278DB231B19AFC8A0C2D5DB5E9
1412File.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\PL_Client[1].bmpbinary
MD5:8D505656356A73B4595320989D0F263E
SHA256:4B456A4681006C12F3225BC10A460DC672A110C8FD260225AE3CC0EFD7F101E9
3360WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\sourcessite.rtf.LNKlnk
MD5:F646E52A56872C8D4E3994405C4E5AFE
SHA256:8EF016BD7F85368E61AB12C90F106299D6F071E4902DD66A5881152BBDD72965
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
19
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1412
File.exe
GET
400
45.144.225.57:80
http://45.144.225.57/server.txt
unknown
html
301 b
malicious
1412
File.exe
HEAD
200
45.144.225.57:80
http://45.144.225.57/download/NiceProcessX32.bmp
unknown
malicious
1412
File.exe
HEAD
200
31.41.244.240:80
http://31.41.244.240/rrun.exe
RU
suspicious
1412
File.exe
GET
200
212.193.30.21:80
http://212.193.30.21/base/api/statistics.php
RU
binary
94 b
malicious
1412
File.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
1412
File.exe
POST
200
212.193.30.21:80
http://212.193.30.21/base/api/getData.php
RU
text
108 b
malicious
1412
File.exe
GET
200
45.144.225.57:80
http://45.144.225.57/download/NiceProcessX32.bmp
unknown
executable
259 Kb
malicious
1412
File.exe
GET
400
212.193.30.45:80
http://212.193.30.45/proxies.txt
RU
html
301 b
malicious
1412
File.exe
GET
200
31.41.244.240:80
http://31.41.244.240/rrun.exe
RU
executable
415 Kb
suspicious
1412
File.exe
POST
200
212.193.30.21:80
http://212.193.30.21/base/api/getData.php
RU
text
216 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1412
File.exe
212.193.30.21:80
RU
malicious
1412
File.exe
212.193.30.45:80
RU
malicious
1412
File.exe
172.67.34.170:443
pastebin.com
US
malicious
1412
File.exe
45.144.225.57:80
malicious
1412
File.exe
104.20.67.143:443
pastebin.com
Cloudflare Inc
US
malicious
1412
File.exe
31.41.244.240:80
LLC DARNET
RU
suspicious
1412
File.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1412
File.exe
162.159.130.233:443
cdn.discordapp.com
Cloudflare Inc
shared
1412
File.exe
34.117.59.81:443
ipinfo.io
US
whitelisted
1412
File.exe
8.252.188.126:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.20.67.143
  • 172.67.34.170
  • 104.20.68.143
shared
cdn.discordapp.com
  • 162.159.130.233
  • 162.159.134.233
  • 162.159.133.233
  • 162.159.135.233
  • 162.159.129.233
shared
ctldl.windowsupdate.com
  • 8.252.188.126
  • 8.249.23.254
  • 8.252.192.126
  • 8.252.41.254
  • 8.250.164.126
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ipinfo.io
  • 34.117.59.81
shared
iplis.ru
  • 148.251.234.93
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
1412
File.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
1412
File.exe
Potentially Bad Traffic
ET INFO Terse Request for .txt - Likely Hostile
1412
File.exe
A Network Trojan was detected
ET MALWARE User-Agent (???)
1412
File.exe
Generic Protocol Command Decode
SURICATA Applayer Mismatch protocol both directions
1412
File.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
1412
File.exe
Generic Protocol Command Decode
SURICATA Applayer Mismatch protocol both directions
1412
File.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
1412
File.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
1412
File.exe
A Network Trojan was detected
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
1412
File.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
17 ETPRO signatures available at the full report
No debug info