analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

crackedbyrzr.zip

Full analysis: https://app.any.run/tasks/a0db0079-a309-413c-aa23-2c918ce45cfc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 30, 2020, 19:42:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
stealer
vidar
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

EC2095EBEB801E95E7B552504D5F99AE

SHA1:

29F9702BB40856F4FC549ED851B2696A0C761578

SHA256:

25443CB0BC48F1EE65C85A8A6EE9AADE2E7A457FF591257DCF889B36A8A17359

SSDEEP:

192:/szmQp1LCleDBwiwlxHnG7PlcV6HzzNC4De8X:Um42leLgxHnilR5C4aq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • CrackedByRzr.exe (PID: 3800)
      • kernal.dll (PID: 2404)
      • Crypt.exe (PID: 3020)
      • system.exe (PID: 2080)

    • Loads dropped or rewritten executable

      • Crypt.exe (PID: 3020)
      • svchost.exe (PID: 880)
      • system.exe (PID: 2080)

    • VIDAR was detected

      • system.exe (PID: 2080)

    • Downloads executable files from the Internet

      • system.exe (PID: 2080)

    • Stealing of credential data

      • system.exe (PID: 2080)

    • Actions looks like stealing of personal data

      • system.exe (PID: 2080)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3104)
      • CrackedByRzr.exe (PID: 3800)
      • Crypt.exe (PID: 3020)
      • kernal.dll (PID: 2404)
      • system.exe (PID: 2080)

    • Creates files in the user directory

      • Crypt.exe (PID: 3020)

    • Starts application with an unusual extension

      • Crypt.exe (PID: 3020)

    • Reads Internet Cache Settings

      • system.exe (PID: 2080)

    • Creates files in the program directory

      • system.exe (PID: 2080)

    • Reads the cookies of Google Chrome

      • system.exe (PID: 2080)

    • Reads the cookies of Mozilla Firefox

      • system.exe (PID: 2080)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: CrackedByRzr.exe
ZipUncompressedSize: 23552
ZipCompressedSize: 6314
ZipCRC: 0x9c82b703
ZipModifyDate: 2020:04:15 03:44:02
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start winrar.exe crackedbyrzr.exe crypt.exe kernal.dll svchost.exe #VIDAR system.exe

Process information

PID
CMD
Path
Indicators
Parent process
3104"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\crackedbyrzr.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3800"C:\Users\admin\AppData\Local\Temp\Rar$EXa3104.9757\CrackedByRzr.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3104.9757\CrackedByRzr.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
CrackedByRzr
Version:
1.0.0.0
3020"C:\Users\admin\AppData\Local\Temp\Crypt.exe" C:\Users\admin\AppData\Local\Temp\Crypt.exe
CrackedByRzr.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2404"C:\Users\admin\AppData\Roaming\kernal.dll" -s -pdfgsrdgersfgersfgrsdrgC:\Users\admin\AppData\Roaming\kernal.dll
Crypt.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
880C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2080"C:\Users\admin\AppData\Local\Temp\system.exe" C:\Users\admin\AppData\Local\Temp\system.exe
kernal.dll
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225725
Total events
1 599
Read events
1 542
Write events
0
Delete events
0

Modification events

No data
Executable files
11
Suspicious files
1
Text files
4
Unknown types
3

Dropped files

PID
Process
Filename
Type
2080system.exeC:\ProgramData\982049557577544\temp
MD5:
SHA256:
2080system.exeC:\ProgramData\982049557577544\temp-shm
MD5:
SHA256:
2404kernal.dllC:\Users\admin\AppData\Local\Temp\system.exeexecutable
MD5:249B2DF9AE0C3D0A9EFDE89E6F566ED5
SHA256:E0FA3B45C8AB8C3BFB5EFE97EDB70CC424EB8682AD852671EEBA3E7D44ADC749
880svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:4855D1162BE301FBCE790FF37615A7B6
SHA256:B8CE0BE76E1CAA6F1EA1A1586266E82E87C192160AA2F01FBE0854CCF2BF9F4D
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3104.9757\CrackedByRzr.exeexecutable
MD5:42671C34E21AB46EA32679979078415A
SHA256:1AF91304AA014CAAAB4CBA6C850D2FAA534442F1C5A2C5EDDD4D4DEE27A1FA51
3800CrackedByRzr.exeC:\Users\admin\AppData\Local\Temp\Crypt.exeexecutable
MD5:70D909F1DBBB9648B22189EC5B307E28
SHA256:5585265D62EDE82AFA80CBAE03B8F73FA846539368F7BB1C1DA64B59D27E910F
3020Crypt.exeC:\Users\admin\AppData\Roaming\kernal.dllexecutable
MD5:AAD73E3215841FC2EB866C62ED069172
SHA256:5AECB8B796B35FDE712052361C3DD74E1F808E9C5BA5D633086BD1E3BDA70E93
2080system.exeC:\ProgramData\982049557577544\autofill\Google Chrome_Default.txttext
MD5:678685666D3FAAFD8CFDBDB0CD997122
SHA256:DD730415E2853666046266477EE09BF65D67C6567D298EEF319C114E18CCB6D8
2080system.exeC:\ProgramData\982049557577544\cookies\Mozilla Firefox_qldyz51w.default.txttext
MD5:DE787244E95963A4C27C83BFD7A4EBEB
SHA256:EE319DFFD89B54B772A4FD4BFB4F7DDDB5D9A4C3D818F452A94B3397CFE1AB11
2080system.exeC:\ProgramData\982049557577544\passwords.txttext
MD5:3B276630E702D0E9C23DAA467E8C2AC6
SHA256:5FC5563BD84713E7FF6449E099FBD9F71A864424078EDECA3DB52E5FE63154DB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
5
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3800
CrackedByRzr.exe
GET
301
18.205.93.1:80
http://bitbucket.org/xenon49834/j3qyjxfv9wrg8d3batgynfqv/downloads/JpW5MsCN5gnSxXWgamvquHp2.txt
US
shared
3800
CrackedByRzr.exe
GET
301
18.205.93.1:80
http://bitbucket.org/xenon49834/jaxxexe/downloads/Crypt.exe
US
shared
2080
system.exe
POST
200
78.46.233.14:80
http://92g938uextmgvb7rllv8wcad.biz/freebl3.dll
DE
executable
326 Kb
malicious
2080
system.exe
POST
200
78.46.233.14:80
http://92g938uextmgvb7rllv8wcad.biz/sqlite3.dll
DE
executable
630 Kb
malicious
2080
system.exe
POST
200
78.46.233.14:80
http://92g938uextmgvb7rllv8wcad.biz/softokn3.dll
DE
executable
141 Kb
malicious
2080
system.exe
POST
200
78.46.233.14:80
http://92g938uextmgvb7rllv8wcad.biz/main.php
DE
text
73 b
malicious
2080
system.exe
POST
200
78.46.233.14:80
http://92g938uextmgvb7rllv8wcad.biz/nss3.dll
DE
executable
1.19 Mb
malicious
2080
system.exe
POST
200
78.46.233.14:80
http://92g938uextmgvb7rllv8wcad.biz/msvcp140.dll
DE
executable
429 Kb
malicious
2080
system.exe
POST
200
78.46.233.14:80
http://92g938uextmgvb7rllv8wcad.biz/vcruntime140.dll
DE
executable
81.8 Kb
malicious
2080
system.exe
POST
200
78.46.233.14:80
http://92g938uextmgvb7rllv8wcad.biz/mozglue.dll
DE
executable
133 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2080
system.exe
78.46.233.14:80
92g938uextmgvb7rllv8wcad.biz
Hetzner Online GmbH
DE
malicious
3800
CrackedByRzr.exe
18.205.93.1:80
bitbucket.org
US
malicious
3800
CrackedByRzr.exe
18.205.93.1:443
bitbucket.org
US
malicious
3800
CrackedByRzr.exe
52.216.168.227:443
bbuseruploads.s3.amazonaws.com
Amazon.com, Inc.
US
shared

DNS requests

Domain
IP
Reputation
bitbucket.org
  • 18.205.93.1
  • 18.205.93.2
  • 18.205.93.0
shared
bbuseruploads.s3.amazonaws.com
  • 52.216.168.227
shared
google-public-dns-b.google.com
  • 8.8.4.4
whitelisted
92g938uextmgvb7rllv8wcad.biz
  • 78.46.233.14
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Observed DNS Query to .biz TLD
2080
system.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
2080
system.exe
A Network Trojan was detected
STEALER [PTsecurity] Arkei/Vidar Stealer
2080
system.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2080
system.exe
Misc activity
ET INFO Possible EXE Download From Suspicious TLD
2080
system.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
2080
system.exe
A Network Trojan was detected
STEALER [PTsecurity] Arkei/Vidar Stealer
2080
system.exe
Misc activity
ET INFO Possible EXE Download From Suspicious TLD
2080
system.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible Generic.Trojan Boundary
2080
system.exe
A Network Trojan was detected
STEALER [PTsecurity] Arkei/Vidar Stealer
9 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
crackedbyrzr.zip