File name: Nemesis (2).rar
Full analysis: https://app.any.run/tasks/780f58fe-675e-433d-9ab1-a2336c585ee3
Verdict: Malicious activity
Analysis date: July 11, 2019, 20:11:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: BFDA8B8489B38CCAE1128CB81D432CAE
SHA1: 2F4903293EFF13782EC8873F36C0FA3865FE1D62
SHA256: 30B3286EA1D76124C9A2DA704C5628C097C93B69042D3468CF39F201DE01AF0B
SSDEEP: 24576:6k9gvKhtDYP5kqRxaP5dz2ssi7SyrVS0mB96i5:6kivKHEP5re5Upj0m76o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 1808)
      • Nemesis.exe (PID: 1148)
    • Application was dropped or rewritten from another process
      • Nemesis.exe (PID: 3100)
      • Nemesis.exe (PID: 1148)
    • Changes settings of System certificates
      • Nemesis.exe (PID: 1148)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2392)
      • Nemesis.exe (PID: 1148)
    • Reads internet explorer settings
      • Nemesis.exe (PID: 1148)
    • Adds / modifies Windows certificates
      • Nemesis.exe (PID: 1148)
  • INFO
    • Manual execution by user
      • Nemesis.exe (PID: 1148)
      • Nemesis.exe (PID: 3100)
    • Reads settings of System Certificates
      • Nemesis.exe (PID: 1148)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 42
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: winrar.exe, searchprotocolhost.exe (no specs), nemesis.exe (no specs), nemesis.exe

Process information

PID 2392
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Nemesis (2).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID 1808
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 3100
CMD: "C:\Users\admin\Desktop\Nemesis.exe"
Path: C:\Users\admin\Desktop\Nemesis.exe
Parent process: explorer.exe
User: admin
Company: 19754
Integrity Level: MEDIUM
Description: Nemesis
Exit code: 3221226540
Version: 1.0.0.0

PID 1148
CMD: "C:\Users\admin\Desktop\Nemesis.exe"
Path: C:\Users\admin\Desktop\Nemesis.exe
Parent process: explorer.exe
User: admin
Company: 19754
Integrity Level: HIGH
Description: Nemesis
Version: 1.0.0.0

Total events: 491
Read events: 460
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 6
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2392.39104\Nemesis\SlavSeal.dll | executable
  MD5: 346BE4763DB215DBBEDE5DE8CD51F2A8
  SHA256: E18F2C1E6F08AD2ADB6990B5599D2DFD2831D952B9DB5967EB4B32C04C30641C
2392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2392.39104\Nemesis\ProxineGuard.dll | executable
  MD5: 20E34A623FAD86673D5192330C4A5000
  SHA256: A366C687CDDB57618BA08ECB3EEBF62B61B34F22BB2DCD257D18FA30E778CD98
2392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2392.39104\Nemesis\Nemesis.exe | executable
  MD5: B88B22DED42C55A82BD024354A63541D
  SHA256: 1C6D848165B5E20187FD7EA60AA1DE4FAFC7ACF8F551763FF04BFA68889C0D88
2392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2392.39104\Nemesis\Newtonsoft.Json.dll | executable
  MD5: 4DF6C8781E70C3A4912B5BE796E6D337
  SHA256: 3598CCCAD5B535FEA6F93662107A4183BFD6167BF1D0F80260436093EDC2E3AF
2392 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2392.39104\Nemesis\OB-Native.dll | executable
  MD5: E833484E615275397572EE4521212A3B
  SHA256: 1623CE75EAFBEA439B2DDB02C3D186DB9541D21CAD4D583096FCF1DFE4AD28A1
1148 | Nemesis.exe | C:\Users\admin\Desktop\OB-Native.dll | executable
  MD5: E833484E615275397572EE4521212A3B
  SHA256: 1623CE75EAFBEA439B2DDB02C3D186DB9541D21CAD4D583096FCF1DFE4AD28A1

HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1148 | Nemesis.exe | GET | 404 | 148.251.158.38:80 | http://pizzaxyz.bplaced.net/Version.html | DE | html | 6.85 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1148 | Nemesis.exe | 148.251.158.38:80 | pizzaxyz.bplaced.net | Hetzner Online GmbH | DE | suspicious
1148 | Nemesis.exe | 104.28.31.132:443 | panel.slav.vodka | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
pizzaxyz.bplaced.net | 148.251.158.38 | suspicious
panel.slav.vodka | 104.28.31.132, 104.28.30.132 | suspicious
dns.msftncsi.com | 131.107.255.255 | shared

Threats: No threats detected

Debug info: No debug info