File name: | Nemesis (2).rar |
Full analysis: | https://app.any.run/tasks/780f58fe-675e-433d-9ab1-a2336c585ee3 |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 20:11:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | BFDA8B8489B38CCAE1128CB81D432CAE |
SHA1: | 2F4903293EFF13782EC8873F36C0FA3865FE1D62 |
SHA256: | 30B3286EA1D76124C9A2DA704C5628C097C93B69042D3468CF39F201DE01AF0B |
SSDEEP: | 24576:6k9gvKhtDYP5kqRxaP5dz2ssi7SyrVS0mB96i5:6kivKHEP5re5Upj0m76o |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2392 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Nemesis (2).rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1808 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
3100 | "C:\Users\admin\Desktop\Nemesis.exe" | C:\Users\admin\Desktop\Nemesis.exe | — | explorer.exe |
User: admin Company: 19754 Integrity Level: MEDIUM Description: Nemesis Exit code: 3221226540 Version: 1.0.0.0 | ||||
1148 | "C:\Users\admin\Desktop\Nemesis.exe" | C:\Users\admin\Desktop\Nemesis.exe | explorer.exe | |
User: admin Company: 19754 Integrity Level: HIGH Description: Nemesis Version: 1.0.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2392.39104\Nemesis\SlavSeal.dll | executable | |
MD5:346BE4763DB215DBBEDE5DE8CD51F2A8 | SHA256:E18F2C1E6F08AD2ADB6990B5599D2DFD2831D952B9DB5967EB4B32C04C30641C | |||
2392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2392.39104\Nemesis\ProxineGuard.dll | executable | |
MD5:20E34A623FAD86673D5192330C4A5000 | SHA256:A366C687CDDB57618BA08ECB3EEBF62B61B34F22BB2DCD257D18FA30E778CD98 | |||
2392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2392.39104\Nemesis\Nemesis.exe | executable | |
MD5:B88B22DED42C55A82BD024354A63541D | SHA256:1C6D848165B5E20187FD7EA60AA1DE4FAFC7ACF8F551763FF04BFA68889C0D88 | |||
2392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2392.39104\Nemesis\Newtonsoft.Json.dll | executable | |
MD5:4DF6C8781E70C3A4912B5BE796E6D337 | SHA256:3598CCCAD5B535FEA6F93662107A4183BFD6167BF1D0F80260436093EDC2E3AF | |||
2392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2392.39104\Nemesis\OB-Native.dll | executable | |
MD5:E833484E615275397572EE4521212A3B | SHA256:1623CE75EAFBEA439B2DDB02C3D186DB9541D21CAD4D583096FCF1DFE4AD28A1 | |||
1148 | Nemesis.exe | C:\Users\admin\Desktop\OB-Native.dll | executable | |
MD5:E833484E615275397572EE4521212A3B | SHA256:1623CE75EAFBEA439B2DDB02C3D186DB9541D21CAD4D583096FCF1DFE4AD28A1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1148 | Nemesis.exe | GET | 404 | 148.251.158.38:80 | http://pizzaxyz.bplaced.net/Version.html | DE | html | 6.85 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1148 | Nemesis.exe | 148.251.158.38:80 | pizzaxyz.bplaced.net | Hetzner Online GmbH | DE | suspicious |
1148 | Nemesis.exe | 104.28.31.132:443 | panel.slav.vodka | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
pizzaxyz.bplaced.net |
| suspicious |
panel.slav.vodka |
| suspicious |
dns.msftncsi.com |
| shared |