File name: Dox Tool V2.rar
Full analysis: https://app.any.run/tasks/8251038a-ddb3-4e94-ae7d-8fee780dbd94
Verdict: Malicious activity
Analysis date: May 20, 2022, 21:11:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: AE2286FE396397E712CBB987D2B6CFEE
SHA1: 646693DD55FA8988A1C2DA1C7162D2C56451595C
SHA256: 2FABACE22364D24879971FD1B9A868241C3D689D4F7AD7140573023623A58DB3
SSDEEP: 768:+mmJQHiWO8HtHPurSHsISa1rwCCwdDfIQ94uUDZsea3kYrYb+BCoypSIGB5lqbnn:SrudedISa1/bDf9QDsYb+c0IG5lsn+W
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 1528)
    • Application was dropped or rewritten from another process

      • Dox Tool V2.exe (PID: 1776)
      • Dox Tool V2.exe (PID: 3644)
      • Dox Tool V2.exe (PID: 3764)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 1528)
      • Dox Tool V2.exe (PID: 1776)
      • Dox Tool V2.exe (PID: 3644)
      • Dox Tool V2.exe (PID: 3764)
    • Reads the computer name

      • WinRAR.exe (PID: 1528)
      • Dox Tool V2.exe (PID: 1776)
      • Dox Tool V2.exe (PID: 3644)
      • Dox Tool V2.exe (PID: 3764)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1528)
    • Reads Environment values

      • Dox Tool V2.exe (PID: 1776)
      • Dox Tool V2.exe (PID: 3644)
      • Dox Tool V2.exe (PID: 3764)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 1528)
  • INFO

    • Checks supported languages

      • runas.exe (PID: 2980)
    • Reads the computer name

      • runas.exe (PID: 2980)
    • Manual execution by user

      • WinRAR.exe (PID: 1528)
      • Dox Tool V2.exe (PID: 3644)
      • Dox Tool V2.exe (PID: 3764)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

  • .rar | RAR compressed archive (v5.0) (61.5%)
  • .rar | RAR compressed archive (gen) (38.4%)
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 1

Behavior graph

[Interactive behavior graph, available in the full report. Nodes: runas.exe (no specs), winrar.exe, dox tool v2.exe (three instances). Edge types: start, drop and start.]

Process information

PID: 2980
CMD: "C:\Windows\System32\runas.exe" /user:administrator "C:\Users\admin\Desktop\Dox Tool V2.rar"
Path: C:\Windows\System32\runas.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Run As Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\runas.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

PID: 1528
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Dox Tool V2.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 1776
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1528.28114\Dox Tool V2\Dox Tool V2.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1528.28114\Dox Tool V2\Dox Tool V2.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Dox Tool V2
Exit code:
0
Version:
2.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa1528.28114\dox tool v2\dox tool v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3644
CMD: "C:\Users\admin\Desktop\Dox Tool V2.exe"
Path: C:\Users\admin\Desktop\Dox Tool V2.exe
Parent process: Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Dox Tool V2
Exit code:
0
Version:
2.0.0.1
Modules
Images
c:\users\admin\desktop\dox tool v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3764
CMD: "C:\Users\admin\Desktop\Dox Tool V2.exe"
Path: C:\Users\admin\Desktop\Dox Tool V2.exe
Parent process: Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Dox Tool V2
Version:
2.0.0.1
Modules
Images
c:\users\admin\desktop\dox tool v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 2 479
Read events: 2 427
Write events: 52
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
1528 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
1528 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
1528 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US
1528 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
1528 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
1528 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\Dox Tool V2.rar
1528 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
1528 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
1528 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
1528 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1528 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1528.28114\Dox Tool V2\Dox Tool V2.exe | executable | 3075FC835B4F3B7B20DFEE9ECC5DFAA0 | 81FDAF72BC2DE5CDEF33F74D867092172C40A5C1FE86C3313F9FCD0A0C22EAC8
1528 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1528.28737\Dox Tool V2\Dox Tool V2.exe | executable | 3075FC835B4F3B7B20DFEE9ECC5DFAA0 | 81FDAF72BC2DE5CDEF33F74D867092172C40A5C1FE86C3313F9FCD0A0C22EAC8
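The process tree and the dropped-files list above show the pattern that drove the verdict: WinRAR opens the archive, the payload is written to WinRAR's temporary extraction directory (both the Rar$EXa… and Rar$DRa… prefixes appear) and executed with WinRAR.exe as parent, and the same binary (identical MD5/SHA256) is then run again from the Desktop. The following is an added example, not part of the ANY.RUN report, showing how a detection engineer could turn those two observations into checks over process-creation telemetry: an image executed from a WinRAR temp path with WinRAR.exe as parent, and a SHA256 match against the report's IOCs. The event records are constructed for this example in a simplified Sysmon-like shape (the field names `pid`, `image`, `cmd`, `parent_image`, `sha256` are this example's own, not Sysmon's); they are not the sandbox's logs.

```python
import json
import re

# IOC set taken from the report above: SHA256 of the archive and of the dropped executable.
IOC_SHA256 = {
    "2fabace22364d24879971fd1b9a868241c3d689d4f7ad7140573023623a58db3": "Dox Tool V2.rar",
    "81fdaf72bc2de5cdef33f74d867092172c40a5c1fe86c3313f9fcd0a0c22eac8": "Dox Tool V2.exe (dropped)",
}

# WinRAR's temporary extraction directory: %LOCALAPPDATA%\Temp\Rar$EXa<pid>.<n>\ or Rar$DRa<pid>.<n>\
# (both prefixes appear in the report's dropped-files list).
WINRAR_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\Rar\$(EX|DR)a\d+\.\d+\\", re.IGNORECASE)

# Constructed sample events in a simplified Sysmon-like process-create shape; not sandbox output.
SAMPLE_EVENTS = [
    {"pid": 1528, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Dox Tool V2.rar"',
     "parent_image": r"C:\Windows\explorer.exe", "sha256": "0" * 64},
    {"pid": 1776, "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1528.28114\Dox Tool V2\Dox Tool V2.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa1528.28114\Dox Tool V2\Dox Tool V2.exe"',
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "sha256": "81FDAF72BC2DE5CDEF33F74D867092172C40A5C1FE86C3313F9FCD0A0C22EAC8"},
    {"pid": 3644, "image": r"C:\Users\admin\Desktop\Dox Tool V2.exe",
     "cmd": r'"C:\Users\admin\Desktop\Dox Tool V2.exe"',
     "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "81FDAF72BC2DE5CDEF33F74D867092172C40A5C1FE86C3313F9FCD0A0C22EAC8"},
    # Benign control event: should produce no detection.
    {"pid": 4001, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe", "parent_image": r"C:\Windows\explorer.exe", "sha256": "1" * 64},
]


def classify(event):
    """Return the list of detection names that fire for one process-creation event."""
    hits = []
    # Check 1: executable launched out of WinRAR's temp extraction directory, spawned by WinRAR itself.
    if WINRAR_TEMP_RE.search(event["image"]) and event["parent_image"].lower().endswith("\\winrar.exe"):
        hits.append("exec_from_winrar_temp")
    # Check 2: image hash matches a known IOC from the report (case-insensitive compare).
    ioc = IOC_SHA256.get(event["sha256"].lower())
    if ioc:
        hits.append(f"ioc_sha256:{ioc}")
    return hits


def scan(events):
    """Map pid -> detections for every event that fired at least one check."""
    out = {}
    for event in events:
        hits = classify(event)
        if hits:
            out[event["pid"]] = hits
    return out


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

The path check fires only for the first execution (PID 1776); the Desktop copies (PIDs 3644 and 3764 in the report) are caught by the hash check alone, which is why both signals are worth keeping: the temp-path rule generalises to other archives, the hash rule only to this sample.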
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 10
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3644 | Dox Tool V2.exe | GET | 404 | 188.114.97.10:80 | http://drizzybot.com/releases/Newtonsoft.Json.dll | US | xml | 341 b | malicious
3764 | Dox Tool V2.exe | GET | 404 | 188.114.97.10:80 | http://www.zabasearch.com/people/giannhs%20+ploumakis/Zip%20Code,%20City,%20or%20State | US | xml | 341 b | malicious
3764 | Dox Tool V2.exe | GET | 404 | 172.64.146.172:80 | http://www.411.com/name/giannhs%20-ploumakis/crete | US | xml | 341 b | unknown
3764 | Dox Tool V2.exe | GET | 404 | 172.64.146.172:80 | http://www.411.com/name/giannhs%20-ploumakis/Zip%20Code,%20City,%20or%20State | US | xml | 341 b | unknown
1776 | Dox Tool V2.exe | GET | 404 | 188.114.97.10:80 | http://drizzybot.com/releases/Newtonsoft.Json.dll | US | xml | 341 b | malicious
3764 | Dox Tool V2.exe | GET | 404 | 169.45.189.53:80 | http://10digits.us/n/giannhs%20_ploumakis/location/crete | NL | xml | 341 b | unknown
3764 | Dox Tool V2.exe | GET | 404 | 188.114.97.10:80 | http://drizzybot.com/releases/Newtonsoft.Json.dll | US | xml | 341 b | malicious
3764 | Dox Tool V2.exe | GET | 404 | 188.114.97.10:80 | http://www.zabasearch.com/people/giannhs%20+ploumakis/crete | US | xml | 341 b | malicious
3764 | Dox Tool V2.exe | GET | 404 | 142.250.185.228:80 | http://www.google.com/search?num=100&q=%22slqmmer%22 | US | xml | 341 b | whitelisted
3764 | Dox Tool V2.exe | GET | 404 | 188.114.97.10:80 | http://www.zabasearch.com/people/giannhs%20+ploumakis/crete | US | xml | 341 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1776 | Dox Tool V2.exe | 188.114.97.10:80 | drizzybot.com | Cloudflare Inc | US | malicious
3644 | Dox Tool V2.exe | 188.114.97.10:80 | drizzybot.com | Cloudflare Inc | US | malicious
3764 | Dox Tool V2.exe | 188.114.97.10:80 | drizzybot.com | Cloudflare Inc | US | malicious
3764 | Dox Tool V2.exe | 142.250.185.228:80 | www.google.com | Google Inc. | US | whitelisted
3764 | Dox Tool V2.exe | 169.45.189.53:80 | 10digits.us | SoftLayer Technologies Inc. | NL | unknown
3764 | Dox Tool V2.exe | 172.64.146.172:80 | www.411.com | | US | unknown

DNS requests

Domain | IP | Reputation
drizzybot.com | 188.114.97.10, 188.114.96.10 | malicious
10digits.us | 169.45.189.53 | unknown
www.411.com | 172.64.146.172, 104.18.41.84 | unknown
www.zabasearch.com | 188.114.97.10, 188.114.96.10 | malicious
www.google.com | 142.250.185.228 | whitelisted

Threats

PID | Process | Class | Message
1776 | Dox Tool V2.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent
3644 | Dox Tool V2.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent
3764 | Dox Tool V2.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .dll file with no User-Agent
No debug info
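The three AV POLICY alerts above fired because each Dox Tool V2.exe instance requested Newtonsoft.Json.dll over plaintext HTTP from drizzybot.com without a User-Agent header; every request in the HTTP table, including the people-search queries, came back 404, so no payload was actually retrieved. The following is an added example, not part of the ANY.RUN report, of the same two checks expressed as detection logic over an HTTP log: a .dll/.exe fetch with no User-Agent, and a host or destination IP that matches the report's malicious-reputation entries, with a separate tag when the response was a 404 so an analyst can tell an attempted download from a completed one. The log lines are constructed for this example in a Zeek-like TSV layout whose column order is this example's own, not Zeek's; the `example.com` record and the 10.0.0.5 source address are placeholders.

```python
import csv
import io
from urllib.parse import urlsplit

# Hosts the report's DNS and connection tables mark with "malicious" reputation.
IOC_HOSTS = {"drizzybot.com", "www.zabasearch.com"}
# Addresses those hosts resolved to in the report's DNS section.
IOC_IPS = {"188.114.97.10", "188.114.96.10"}
# File types that a non-browser client should never fetch over plain HTTP without identifying itself.
BINARY_EXT = (".dll", ".exe")

# Constructed HTTP log in a Zeek-like TSV layout (column order chosen for this example, not Zeek's real order).
# "-" in user_agent means the header was absent. Timestamps and the 10.0.0.5 source are placeholders.
SAMPLE_HTTP_LOG = """\
ts\tsrc\tdst\tmethod\thost\turi\tuser_agent\tstatus
1653081114\t10.0.0.5\t188.114.97.10\tGET\tdrizzybot.com\t/releases/Newtonsoft.Json.dll\t-\t404
1653081115\t10.0.0.5\t188.114.97.10\tGET\twww.zabasearch.com\t/people/giannhs%20+ploumakis/crete\t-\t404
1653081116\t10.0.0.5\t142.250.185.228\tGET\twww.google.com\t/search?num=100&q=%22slqmmer%22\t-\t404
1653081117\t10.0.0.5\t172.64.146.172\tGET\twww.411.com\t/name/giannhs%20-ploumakis/crete\tMozilla/5.0\t404
1653081118\t10.0.0.5\t93.184.216.34\tGET\texample.com\t/index.html\tMozilla/5.0\t200
"""


def check_record(rec):
    """Return the detection names that fire for one HTTP log record."""
    hits = []
    path = urlsplit(rec["uri"]).path.lower()          # strip the query string before the extension test
    ua_missing = rec["user_agent"] in ("", "-")
    # Check 1: the behaviour behind the report's "HTTP request for .dll file with no User-Agent" alerts.
    if ua_missing and path.endswith(BINARY_EXT):
        hits.append("binary_fetch_no_user_agent")
    # Check 2: contact with a host or IP the report lists as malicious.
    if rec["host"].lower() in IOC_HOSTS or rec["dst"] in IOC_IPS:
        hits.append("ioc_host")
    # Outcome tag: a 404 means the request was attempted but the server returned nothing useful.
    if hits and rec["status"] == "404":
        hits.append("payload_not_retrieved")
    return hits


def scan_log(text):
    """Parse the TSV log and return {ts: detections} for records that fired at least one check."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    out = {}
    for rec in reader:
        hits = check_record(rec)
        if hits:
            out[rec["ts"]] = hits
    return out


if __name__ == "__main__":
    for ts, hits in scan_log(SAMPLE_HTTP_LOG).items():
        print(ts, ", ".join(hits))
```

The Google search with no User-Agent is deliberately not flagged by the first check: a missing header on its own is common for scripted clients, and it is the combination with a binary file extension that the report's rule keys on. The `payload_not_retrieved` tag is what lets triage distinguish this report's outcome (all 404s) from a run in which the DLL was actually served.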