analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Desktop.rar

Full analysis: https://app.any.run/tasks/589a91c7-483b-416d-900a-a0d61a0813ca
Verdict: Malicious activity
Analysis date: August 08, 2020, 09:39:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

C8EBAB34EC2DCF9B623CB457AAF808EA

SHA1:

148C42CB85A0161ACFFCC0CA004CE7BED42E21AC

SHA256:

23D0F7E53189A135EC90BEDA1C8163A90B63ED5CF3D7689792598208E90D2EAA

SSDEEP:

12288:HLatPhjd7lkS6gfCbBkTodivO9vTubbId8nhM5UCfv/tEmgijv41l4bog/Bt9Psd:HLA37lPffCbST8Lubb28nMUuXtEmfjvG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • GABB.exe (PID: 2628)
      • GABB.exe (PID: 828)
      • GABB.exe (PID: 1080)
      • GABB.exe (PID: 2972)

    • Changes the autorun value in the registry

      • GABB.exe (PID: 2628)
      • GABB.exe (PID: 828)
      • GABB.exe (PID: 1080)
      • GABB.exe (PID: 2972)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2176)

    • Checks for external IP

      • GABB.exe (PID: 2628)
      • GABB.exe (PID: 828)
      • GABB.exe (PID: 1080)
      • GABB.exe (PID: 2972)

  • INFO

    • Manual execution by user

      • GABB.exe (PID: 828)
      • GABB.exe (PID: 1080)
      • GABB.exe (PID: 2972)

    • Reads settings of System Certificates

      • GABB.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
5
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start winrar.exe gabb.exe gabb.exe gabb.exe gabb.exe

Process information

PID
CMD
Path
Indicators
Parent process
2176"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Desktop.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2628"C:\Users\admin\AppData\Local\Temp\Rar$EXa2176.40079\GABB.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2176.40079\GABB.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.0.0.0
828"C:\Users\admin\Desktop\GABB.exe" C:\Users\admin\Desktop\GABB.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.0.0.0
1080"C:\Users\admin\Desktop\GABB.exe" C:\Users\admin\Desktop\GABB.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.0.0.0
2972"C:\Users\admin\Desktop\GABB.exe" C:\Users\admin\Desktop\GABB.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.0.0.0
Total events
2 254
Read events
2 165
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2176WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2176.41219\GABB.exe
MD5:
SHA256:
2176WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2176.41219\GABB.ini
MD5:
SHA256:
2176WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2176.41219\GDLL.dll
MD5:
SHA256:
2176WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2176.40079\GABB.exeexecutable
MD5:6A6D36044ECFCE8BC5EC5D4DA9683656
SHA256:A4F81C05C6F5A401FDC37C7DAE695C56BB26D3D7AA6F259C773C0AAE80D5160E
2176WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2176.40079\GABB.initext
MD5:78E850A5916CB4D96A41FE35D8007B7B
SHA256:81E4BBF799A67BCC0EC71BE5B4C34405D2982B25506685E6C40EB58B6709DF51
2176WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2176.40079\GDLL.dllexecutable
MD5:8A12CB004CDBAAA80114F3C183848EFD
SHA256:92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
12
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
828
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
14 b
shared
2972
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
14 b
shared
2628
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
14 b
shared
2972
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
14 b
shared
828
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
14 b
shared
1080
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
14 b
shared
2628
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
14 b
shared
1080
GABB.exe
GET
200
116.202.244.153:80
http://icanhazip.com/
IN
text
14 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2628
GABB.exe
116.202.244.153:80
icanhazip.com
334,Udyog Vihar
IN
malicious
2628
GABB.exe
104.27.142.46:443
nusumu.wtf
Cloudflare Inc
US
malicious
116.202.244.153:80
icanhazip.com
334,Udyog Vihar
IN
malicious
828
GABB.exe
104.27.142.46:443
nusumu.wtf
Cloudflare Inc
US
malicious
828
GABB.exe
116.202.244.153:80
icanhazip.com
334,Udyog Vihar
IN
malicious
1080
GABB.exe
116.202.244.153:80
icanhazip.com
334,Udyog Vihar
IN
malicious
1080
GABB.exe
104.27.142.46:443
nusumu.wtf
Cloudflare Inc
US
malicious
2972
GABB.exe
116.202.244.153:80
icanhazip.com
334,Udyog Vihar
IN
malicious
2972
GABB.exe
104.27.142.46:443
nusumu.wtf
Cloudflare Inc
US
malicious

DNS requests

Domain
IP
Reputation
icanhazip.com
  • 116.202.244.153
  • 116.202.55.106
shared
nusumu.wtf
  • 104.27.142.46
  • 172.67.214.70
  • 104.27.143.46
unknown

Threats

PID
Process
Class
Message
2628
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2628
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
828
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
828
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
1080
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
1080
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2972
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2972
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Desktop.rar