File name: BLTools v2.7.1 fresh crak cherker.zip

Full analysis: https://app.any.run/tasks/13e562fc-72e3-4ca0-bb2b-375e97c5b341
Verdict: Malicious activity
Threats:

MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.

Analysis date: March 01, 2024, 02:24:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: metastealer, stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: D5FD465F90B46AE74525E4EB49DE9A94
SHA1: 4CB141DC66FC757D7CF8AE16EA84E2B0EE50192F
SHA256: 24B395EA21E12AFD8B0973366F8B64AF7DCF33DF3CF2D9DD36F27D55B99B0184
SSDEEP: 98304:11Guhg6GYFAIq55J4Lj300P04rYbWPPpqFebj7k7cBYlBjsHbMrrNUnnj7nI9CX5:qbbRuD7fS6ao

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • METASTEALER has been detected (YARA)
      • AppLaunch.exe (PID: 3848)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3656)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 3656)
    • Connects to unusual port
      • AppLaunch.exe (PID: 3848)
  • INFO
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3656)
    • Reads the computer name
      • AppLaunch.exe (PID: 3848)
    • Checks supported languages
      • AppLaunch.exe (PID: 3848)
      • BLTools v2.7.1.exe (PID: 2844)
    • Manual execution by a user
      • BLTools v2.7.1.exe (PID: 2844)
    • Reads the machine GUID from the registry
      • AppLaunch.exe (PID: 3848)

MetaStealer

(PID) Process: (3848) AppLaunch.exe
C2 (1): 5.42.65.101:48790
Botnet: 5938639204-26990097-packlab
Options:
  ErrorMessage:
Keys:
  Xor: Pyrometry
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:10:28 13:02:34
ZipCRC: 0x9b5350cf
ZipCompressedSize: 63211
ZipUncompressedSize: 146360
ZipFileName: Microsoft.Xaml.Behaviors.dll

No data.
Total processes: 40
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → winrar.exe → bltools v2.7.1.exe (no specs) → applaunch.exe (#METASTEALER)

Process information

PID: 2844
CMD: "C:\Users\admin\Desktop\BLTools v2.7.1.exe"
Path: C:\Users\admin\Desktop\BLTools v2.7.1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
  c:\users\admin\desktop\bltools v2.7.1.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll

PID: 3656
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BLTools v2.7.1 fresh crak cherker.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 3848
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Parent process: BLTools v2.7.1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET ClickOnce Launch Utility
Exit code: 0
Version: 4.8.3761.0 built by: NET48REL1
Modules (Images):
  c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\apppatch\aclayers.dll
  c:\windows\system32\sspicli.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
Total events: 3 772
Read events: 3 750
Write events: 22
Delete events: 0

Modification events

(PID) Process: (3656) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3656) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3656) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3656) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3656) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3656) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3656) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\BLTools v2.7.1 fresh crak cherker.zip

(PID) Process: (3656) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3656) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3656) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 6
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 3656, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3656.35274\Extreme.Net.dll
Type: executable
MD5: F79F0E3A0361CAC000E2D3553753CD68
SHA256: 8A6518AB7419FBEC3AC9875BAA3AFB410AD1398C7AA622A09CD9084EC6CADFCD

PID: 3656, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3656.35274\License.dll
Type: text
MD5: C1AA690DEB494A266692534410A8894F
SHA256: 13116B9075739F12B0958D1E52D17327BCA0D2CCA9F115E4DADA279B4248FD83

PID: 3656, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3656.35274\MaterialDesignColors.dll
Type: executable
MD5: 5C108C4DA6D03F0FA2C3B4DC7890CB52
SHA256: B5EC30C93B1D2B4631EE2B178750EC92E302E2E331090EC9783981B9572354F8

PID: 3656, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3656.35274\Settings.ini
Type: text
MD5: 4E3F437D2BE9E667BD6E05F5A4464981
SHA256: 8ADA9EBA2A91D0AA743502DD2C154E1E02AF04B8708B8E9229056A502F20A66C

PID: 3656, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3656.35274\Ookii.Dialogs.Wpf.dll
Type: executable
MD5: 932EBB3F9E7113071C6A17818342B7CC
SHA256: 285AA8225732DDBCF211B1158BD6CFF8BF3ACBEEAB69617F4BE85862B7105AB5

PID: 3656, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3656.35274\MaterialDesignThemes.Wpf.dll
Type: executable
MD5: 824CBF63999F954AA1747F79586A4D3C
SHA256: 344E2CEE979E979932F504DC76BD75E97AE1FF46CAA3FE2795ADFE0A866347F7

PID: 3656, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3656.35274\BLTools v2.7.1.exe
Type: executable
MD5: A97F55D638D3AC03EEFB1EFBCC9CD9FA
SHA256: DE90412F58FB18840449971B6BFB2E3ED52DD56C3042016497A97D4C9E069FC3

PID: 3656, Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3656.35274\Microsoft.Xaml.Behaviors.dll
Type: executable
MD5: 95F46F34C099421D917D5FEADBB33EDB
SHA256: 8E77A1DD5E2DF4D4AF801376CC3428B082EB49FCB6E647B933967FAE12AD9D5D
HTTP(S) requests: 0
TCP/UDP connections: 14
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process        IP                    Domain   ASN                     CN   Reputation
4     System         192.168.100.255:138   -        -                       -    whitelisted
4     System         192.168.100.255:137   -        -                       -    whitelisted
1080  svchost.exe    224.0.0.252:5355      -        -                       -    unknown
3848  AppLaunch.exe  5.42.65.101:48790     -        CJSC Kolomna-Sviaz TV   RU   malicious

DNS requests

Domain             IP                 Reputation
dns.msftncsi.com   131.107.255.255    shared

Threats

No threats detected
No debug info