analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

CrackerHack.zip

Full analysis: https://app.any.run/tasks/74f507a4-5e87-486c-8130-2517f9700ff5
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: May 30, 2020, 09:37:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
poullight
trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

63FCD93243796BF2250A667696A30AE5

SHA1:

1D85805E563ED9651E2636B1465A3745F9FE0A27

SHA256:

2A6FD90C80294A38FAE064E7D0F5C9ACF989E582DBDC9D89033E7BFC01247E37

SSDEEP:

49152:pxJhTCFboStyVWI93N/pBC0j8M8OAAlMMcLOYTLnPNJ8QUTc/0Q5LkOjji7V:pxrabotWI93N/pBC0j8MlSC6LlJ8QUT3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • build.exe (PID: 380)
      • CrackerHack.exe (PID: 1524)

    • Stealing of credential data

      • build.exe (PID: 380)

    • Poullight was detected

      • build.exe (PID: 380)

    • Actions looks like stealing of personal data

      • build.exe (PID: 380)

  • SUSPICIOUS

    • Reads the cookies of Google Chrome

      • build.exe (PID: 380)

    • Creates files in the user directory

      • build.exe (PID: 380)

    • Executable content was dropped or overwritten

      • CrackerHack.exe (PID: 1524)
      • WinRAR.exe (PID: 604)

    • Reads Environment values

      • build.exe (PID: 380)

  • INFO

    • Manual execution by user

      • CrackerHack.exe (PID: 1524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: CrackerHack.exe
ZipUncompressedSize: 2206208
ZipCompressedSize: 2198074
ZipCRC: 0x40048fa1
ZipModifyDate: 2020:05:23 22:13:16
ZipCompression: Unknown (99)
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe crackerhack.exe #POULLIGHT build.exe

Process information

PID
CMD
Path
Indicators
Parent process
604"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CrackerHack.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1524"C:\Users\admin\Desktop\CrackerHack.exe" C:\Users\admin\Desktop\CrackerHack.exe
explorer.exe
User:
admin
Company:
RF-Cheats.ru
Integrity Level:
MEDIUM
Description:
TotalInjector
Exit code:
0
Version:
1.8
380"C:\Users\admin\AppData\Local\Temp\build.exe" C:\Users\admin\AppData\Local\Temp\build.exe
CrackerHack.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Video Player V
Exit code:
2148734499
Version:
1.0.0.0
Total events
854
Read events
812
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
5
Text files
33
Unknown types
4

Dropped files

PID
Process
Filename
Type
380build.exeC:\Users\admin\AppData\Local\z7057ges\Clipboard.txttext
MD5:809B24C010F6102183F6461CAB36EB06
SHA256:B2DF1A1B12DE37C3B1159C28AA1FE7C7230666F70AD6D5F7B6C474307DB26B10
380build.exeC:\Users\admin\AppData\Local\z7057ges\Stealer Files\Documents Files\yourdata.rtftext
MD5:65DD12ACDC0214B848C054F3EEB79AB2
SHA256:17170063DC0A373E624EC7E3D1D07613168B4F74342C7560E3788883CDDA02E4
380build.exeC:\Users\admin\AppData\Local\z7057ges\Stealer Files\Desktop Files\appliedwoman.rtftext
MD5:0658E1880BCBD878ADDF5E8A3D5908B3
SHA256:D9B5BAFF9D89D9BAB4F3ABC759100C3E337F2B781784EA3BF560F5DBBCA84AD9
380build.exeC:\Users\admin\AppData\Local\z7057ges\Stealer Files\Desktop Files\traditionalartists.rtftext
MD5:0151959C9BAA185B33D178F058582097
SHA256:32E56C1F6232945A4B8C805929CC7F501B7CF0EBA0C17CFFED610C4FFD08B3CE
380build.exeC:\Users\admin\AppData\Local\z7057ges\Stealer Files\Documents Files\farbag.rtftext
MD5:C9070BAFF9B4AC01E39C404B4D5AD2C5
SHA256:D2D30E85FE8BB6BD4D34A1DE99D101F5A71F7DDCDFCFC4B519604C6C126C7586
380build.exeC:\Users\admin\AppData\Local\z7057ges\Stealer Files\Desktop Files\progresstopic.rtftext
MD5:B02FCA6EBF4E536236EF0BD1CFFAF48B
SHA256:422E26C53D51480184EB757A073F4DCC79ED039328BCB1C7FCE83000EAB2E7A4
1524CrackerHack.exeC:\Users\admin\AppData\Local\Temp\Bot_Hack.exeexecutable
MD5:FAB7A619EF540F18B72C4AA2F12C0B01
SHA256:E6468A0EE62BC468A0E08968A37286E9BA7913ABBA9BA7F0E1C166A6BDB8CE47
380build.exeC:\Users\admin\AppData\Local\z7057ges\ProcessList.txttext
MD5:82807A07D8500E8C9573FD9F1A215CEF
SHA256:446A67A1482BBD73F4BD0B34232FE3DD4D71290B7EB1EA93A53A6360E076F076
380build.exeC:\Users\admin\AppData\Local\z7057ges\FileZilla\info.txttext
MD5:49500921AD268A844597C6D6937A3F84
SHA256:462891A17DEC7D6920715F7671457014BB5C8DE1590C68C201FB6F208958F662
1524CrackerHack.exeC:\Users\admin\AppData\Local\Temp\build.exeexecutable
MD5:A6D9CFB102145FB5A635C81A2538A9D1
SHA256:83A6ECEDEF13071B5243B225AFE601BB5D95B0D40509583309A4E3217B188CB4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
380
build.exe
POST
200
141.8.194.203:80
http://a0441467.xsph.ru/gate.php
RU
text
4 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
380
build.exe
91.210.201.108:80
ru-uid-507352920.pp.ru
ICC Makhachkala-Telecom Ltd.
RU
suspicious
380
build.exe
141.8.194.203:80
a0441467.xsph.ru
Sprinthost.ru LLC
RU
malicious

DNS requests

Domain
IP
Reputation
a0441467.xsph.ru
  • 141.8.194.203
malicious
ru-uid-507352920.pp.ru
  • 91.210.201.108
suspicious

Threats

PID
Process
Class
Message
380
build.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no referer
380
build.exe
A Network Trojan was detected
ET TROJAN Trojan Generic - POST To gate.php with no accept headers
380
build.exe
A Network Trojan was detected
STEALER [PTsecurity] Poulight
1 ETPRO signatures available at the full report
Process
Message
build.exe
CLR: Managed code called FailFast, saying "
build.exe
Program has been crashed
build.exe
"
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
CrackerHack.zip