File name: crackedbyrzr.zip

Full analysis: https://app.any.run/tasks/9e98ecaa-7d2e-4258-9ff2-78f8de98522d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 30, 2020, 19:48:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, stealer, vidar, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: EC2095EBEB801E95E7B552504D5F99AE
SHA1: 29F9702BB40856F4FC549ED851B2696A0C761578
SHA256: 25443CB0BC48F1EE65C85A8A6EE9AADE2E7A457FF591257DCF889B36A8A17359
SSDEEP: 192:/szmQp1LCleDBwiwlxHnG7PlcV6HzzNC4De8X:Um42leLgxHnilR5C4aq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • CrackedByRzr.exe (PID: 2520)
      • Crypt.exe (PID: 1924)
      • kernal.dll (PID: 884)
      • system.exe (PID: 1664)
    • Loads dropped or rewritten executable

      • svchost.exe (PID: 864)
      • Crypt.exe (PID: 1924)
      • system.exe (PID: 1664)
    • Downloads executable files from the Internet

      • system.exe (PID: 1664)
    • Actions looks like stealing of personal data

      • system.exe (PID: 1664)
    • Stealing of credential data

      • system.exe (PID: 1664)
    • VIDAR was detected

      • system.exe (PID: 1664)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1344)
      • CrackedByRzr.exe (PID: 2520)
      • Crypt.exe (PID: 1924)
      • kernal.dll (PID: 884)
      • system.exe (PID: 1664)
    • Creates files in the user directory

      • Crypt.exe (PID: 1924)
    • Starts application with an unusual extension

      • Crypt.exe (PID: 1924)
    • Reads Internet Cache Settings

      • system.exe (PID: 1664)
    • Creates files in the program directory

      • system.exe (PID: 1664)
    • Reads the cookies of Google Chrome

      • system.exe (PID: 1664)
    • Reads the cookies of Mozilla Firefox

      • system.exe (PID: 1664)
  • INFO

    No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:04:15 03:44:02
ZipCRC: 0x9c82b703
ZipCompressedSize: 6314
ZipUncompressedSize: 23552
ZipFileName: CrackedByRzr.exe
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 6
Malicious processes: 5
Suspicious processes: 1

Behavior graph (interactive in the full report; edges as labelled in the graph, ordered by the parent/child relations in the process information):

winrar.exe → [drop and start] → crackedbyrzr.exe → [drop and start] → crypt.exe → [drop and start] → kernal.dll → [drop and start] → system.exe (#VIDAR)
svchost.exe → [start]

Process information

PID 1344: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\crackedbyrzr.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2520: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1344.47880\CrackedByRzr.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1344.47880\CrackedByRzr.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Description: CrackedByRzr
  Version: 1.0.0.0

PID 1924: "C:\Users\admin\AppData\Local\Temp\Crypt.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Crypt.exe
  Parent process: CrackedByRzr.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 884: "C:\Users\admin\AppData\Roaming\kernal.dll" -s -pdfgsrdgersfgersfgrsdrg
  Path: C:\Users\admin\AppData\Roaming\kernal.dll
  Parent process: Crypt.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 1664: "C:\Users\admin\AppData\Local\Temp\system.exe"
  Path: C:\Users\admin\AppData\Local\Temp\system.exe
  Parent process: kernal.dll
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221225725 (0xC00000FD, STATUS_STACK_OVERFLOW)

PID 864: C:\Windows\system32\svchost.exe -k netsvcs
  Path: C:\Windows\System32\svchost.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Host Process for Windows Services
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 590
Read events: 1 532
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 11
Suspicious files: 1
Text files: 4
Unknown types: 3

Dropped files

PID 1664, system.exe: C:\ProgramData\740378980506497\temp
  Type: (not identified)
  MD5: (not available)
  SHA256: (not available)

PID 1664, system.exe: C:\ProgramData\740378980506497\temp-shm
  Type: (not identified)
  MD5: (not available)
  SHA256: (not available)

PID 2520, CrackedByRzr.exe: C:\Users\admin\AppData\Local\Temp\Crypt.exe
  Type: executable
  MD5: 70D909F1DBBB9648B22189EC5B307E28
  SHA256: 5585265D62EDE82AFA80CBAE03B8F73FA846539368F7BB1C1DA64B59D27E910F

PID 864, svchost.exe: C:\Windows\appcompat\programs\RecentFileCache.bcf
  Type: txt
  MD5: 13BD0DBAED738F6D9855B618DB39F80F
  SHA256: 9F3926A32E7A69BF660374DE492321E89F74D78A2D04B908ED6AEA65A7F5D796

PID 1344, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXa1344.47880\CrackedByRzr.exe
  Type: executable
  MD5: 42671C34E21AB46EA32679979078415A
  SHA256: 1AF91304AA014CAAAB4CBA6C850D2FAA534442F1C5A2C5EDDD4D4DEE27A1FA51

PID 1664, system.exe: C:\ProgramData\740378980506497\passwords.txt
  Type: text
  MD5: 5D5BB12172A64362993F565C8A49B134
  SHA256: FD649C7DF0941EC697FF262A504E772F85B62A09A1CF8336AD14BA8A2F937257

PID 1924, Crypt.exe: C:\Users\admin\AppData\Roaming\kernal.dll
  Type: executable
  MD5: AAD73E3215841FC2EB866C62ED069172
  SHA256: 5AECB8B796B35FDE712052361C3DD74E1F808E9C5BA5D633086BD1E3BDA70E93

PID 1664, system.exe: C:\ProgramData\freebl3.dll
  Type: executable
  MD5: EF2834AC4EE7D6724F255BEAF527E635
  SHA256: A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA

PID 1664, system.exe: C:\ProgramData\mozglue.dll
  Type: executable
  MD5: 8F73C08A9660691143661BF7332C3C27
  SHA256: 3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD

PID 1664, system.exe: C:\ProgramData\nss3.dll
  Type: executable
  MD5: BFAC4E3C5908856BA17D41EDCD455A51
  SHA256: E2935B5B28550D47DC971F456D6961F20D1633B4892998750140E0EAA9AE9D78
HTTP(S) requests: 10
TCP/UDP connections: 5
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2520 | CrackedByRzr.exe | GET | 301 | 18.205.93.1:80 | http://bitbucket.org/xenon49834/jaxxexe/downloads/Crypt.exe | US | - | - | shared
2520 | CrackedByRzr.exe | GET | 301 | 18.205.93.1:80 | http://bitbucket.org/xenon49834/j3qyjxfv9wrg8d3batgynfqv/downloads/JpW5MsCN5gnSxXWgamvquHp2.txt | US | - | - | shared
1664 | system.exe | POST | 200 | 78.46.233.14:80 | http://92g938uextmgvb7rllv8wcad.biz/mozglue.dll | DE | executable | 133 Kb | malicious
1664 | system.exe | POST | 200 | 78.46.233.14:80 | http://92g938uextmgvb7rllv8wcad.biz/msvcp140.dll | DE | executable | 429 Kb | malicious
1664 | system.exe | POST | 200 | 78.46.233.14:80 | http://92g938uextmgvb7rllv8wcad.biz/main.php | DE | text | 73 b | malicious
1664 | system.exe | POST | 200 | 78.46.233.14:80 | http://92g938uextmgvb7rllv8wcad.biz/softokn3.dll | DE | executable | 141 Kb | malicious
1664 | system.exe | POST | 200 | 78.46.233.14:80 | http://92g938uextmgvb7rllv8wcad.biz/vcruntime140.dll | DE | executable | 81.8 Kb | malicious
1664 | system.exe | POST | 200 | 78.46.233.14:80 | http://92g938uextmgvb7rllv8wcad.biz/sqlite3.dll | DE | executable | 630 Kb | malicious
1664 | system.exe | POST | 200 | 78.46.233.14:80 | http://92g938uextmgvb7rllv8wcad.biz/nss3.dll | DE | executable | 1.19 Mb | malicious
1664 | system.exe | POST | 200 | 78.46.233.14:80 | http://92g938uextmgvb7rllv8wcad.biz/freebl3.dll | DE | executable | 326 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1664 | system.exe | 78.46.233.14:80 | 92g938uextmgvb7rllv8wcad.biz | Hetzner Online GmbH | DE | malicious
2520 | CrackedByRzr.exe | 18.205.93.1:80 | bitbucket.org | - | US | malicious
2520 | CrackedByRzr.exe | 52.217.64.20:443 | bbuseruploads.s3.amazonaws.com | Amazon.com, Inc. | US | unknown
2520 | CrackedByRzr.exe | 18.205.93.1:443 | bitbucket.org | - | US | malicious

DNS requests

Domain | IP | Reputation
bitbucket.org | 18.205.93.1, 18.205.93.0, 18.205.93.2 | shared
bbuseruploads.s3.amazonaws.com | 52.217.64.20 | shared
google-public-dns-b.google.com | 8.8.4.4 | whitelisted
92g938uextmgvb7rllv8wcad.biz | 78.46.233.14 | malicious
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
1664 | system.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
1664 | system.exe | A Network Trojan was detected | STEALER [PTsecurity] Arkei/Vidar Stealer
1664 | system.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1664 | system.exe | Misc activity | ET INFO Possible EXE Download From Suspicious TLD
1664 | system.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
1664 | system.exe | A Network Trojan was detected | STEALER [PTsecurity] Arkei/Vidar Stealer
1664 | system.exe | Misc activity | ET INFO Possible EXE Download From Suspicious TLD
1664 | system.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
1664 | system.exe | A Network Trojan was detected | STEALER [PTsecurity] Arkei/Vidar Stealer
9 ETPRO signatures available at the full report
No debug info