analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

20PackPvpFac.rar

Full analysis: https://app.any.run/tasks/d50e4838-4078-4757-86e2-fe679063387a
Verdict: Malicious activity
Analysis date: May 20, 2022, 18:24:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
mercurialgrabber
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

5701DDB51C8D475BCECDADF416005207

SHA1:

D285B1C03569E8775D3B8522873F9DCC88FA1746

SHA256:

313FA3E3B56E26386FDC1CA310B4BB7C6CF7B6E3CCF578A53500B68B36F7DFA1

SSDEEP:

768:UIx4yve9N+lMytAOHotMvOIx4yve9N+lMytAOHotMva:UIx5e9uMytAOHjvOIx5e9uMytAOHjva

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2924)

    • Application was dropped or rewritten from another process

      • 20PackPvpFac.exe (PID: 1836)
      • Lunar.seting.exe (PID: 3940)

    • Actions looks like stealing of personal data

      • 20PackPvpFac.exe (PID: 1836)
      • Lunar.seting.exe (PID: 3940)

    • MERCURIALGRABBER detected by memory dumps

      • 20PackPvpFac.exe (PID: 1836)

  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 2924)
      • 20PackPvpFac.exe (PID: 1836)
      • Lunar.seting.exe (PID: 3940)

    • Reads the computer name

      • WinRAR.exe (PID: 2924)
      • 20PackPvpFac.exe (PID: 1836)
      • Lunar.seting.exe (PID: 3940)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2924)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2924)

    • Reads Environment values

      • 20PackPvpFac.exe (PID: 1836)
      • Lunar.seting.exe (PID: 3940)

    • Reads CPU info

      • 20PackPvpFac.exe (PID: 1836)
      • Lunar.seting.exe (PID: 3940)

    • Checks for external IP

      • 20PackPvpFac.exe (PID: 1836)
      • Lunar.seting.exe (PID: 3940)

  • INFO

    • Reads settings of System Certificates

      • 20PackPvpFac.exe (PID: 1836)
      • Lunar.seting.exe (PID: 3940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

MercurialGrabber

(PID) Process(1836) 20PackPvpFac.exe
C2https://discord.com/api/webhooks/976886781041586236/rro04rr4QUrcsUe2-Pv0FuHd7X6PWEerlf7t9k4jCAReFBSiV93Awtm2Dz95X3cLJH7I
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start winrar.exe #MERCURIALGRABBER 20packpvpfac.exe lunar.seting.exe

Process information

PID
CMD
Path
Indicators
Parent process
2924"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\20PackPvpFac.rar"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1836"C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.23007\20PackPvpFac.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.23007\20PackPvpFac.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
3221225477
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2924.23007\20packpvpfac.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
MercurialGrabber
(PID) Process(1836) 20PackPvpFac.exe
C2https://discord.com/api/webhooks/976886781041586236/rro04rr4QUrcsUe2-Pv0FuHd7X6PWEerlf7t9k4jCAReFBSiV93Awtm2Dz95X3cLJH7I
3940"C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.24238\Lunar.seting.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2924.24238\Lunar.seting.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
3221225477
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2924.24238\lunar.seting.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
8 511
Read events
8 430
Write events
81
Delete events
0

Modification events

(PID) Process:(2924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2924) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\20PackPvpFac.rar
(PID) Process:(2924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2924) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
4
Suspicious files
3
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
2924WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2924.23007\20PackPvpFac.exeexecutable
MD5:FBC4DB72C44988B6F82095B2424E57C4
SHA256:A1875E7865550B7323628889115B3A0456D7C2015FC7CF0BC1B0BF8A548C58C7
183620PackPvpFac.exeC:\Users\admin\AppData\Local\Temp\CabF1D9.tmpcompressed
MD5:B9F21D8DB36E88831E5352BB82C438B3
SHA256:998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
2924WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2924.24238\20PackPvpFac.exeexecutable
MD5:FBC4DB72C44988B6F82095B2424E57C4
SHA256:A1875E7865550B7323628889115B3A0456D7C2015FC7CF0BC1B0BF8A548C58C7
183620PackPvpFac.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:515C1EFA5BAF6CD2A49D8C04A3076A3B
SHA256:CDA3D78B65ECDD8EB34A74FB997F784A74682903416B70D73D3F006F3047E7C8
2924WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2924.24238\Lunar.seting.exeexecutable
MD5:FBC4DB72C44988B6F82095B2424E57C4
SHA256:A1875E7865550B7323628889115B3A0456D7C2015FC7CF0BC1B0BF8A548C58C7
2924WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2924.23007\Lunar.seting.exeexecutable
MD5:FBC4DB72C44988B6F82095B2424E57C4
SHA256:A1875E7865550B7323628889115B3A0456D7C2015FC7CF0BC1B0BF8A548C58C7
183620PackPvpFac.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:B9F21D8DB36E88831E5352BB82C438B3
SHA256:998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
183620PackPvpFac.exeC:\Users\admin\AppData\Local\Temp\TarF1DA.tmpcat
MD5:E721613517543768F0DE47A6EEEE3475
SHA256:3163B82D1289693122EF99ED6C3C1911F68AA2A7296907CEBF84C897141CED4E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3940
Lunar.seting.exe
GET
200
208.95.112.1:80
http://ip-api.com//json/82.118.29.68
unknown
binary
278 b
shared
1836
20PackPvpFac.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?398237e9f1ef0b5b
US
compressed
60.0 Kb
whitelisted
1836
20PackPvpFac.exe
GET
200
208.95.112.1:80
http://ip-api.com//json/82.118.29.68
unknown
binary
278 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1836
20PackPvpFac.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1836
20PackPvpFac.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
1836
20PackPvpFac.exe
23.128.64.141:443
ip4.seeip.org
Joe's Datacenter, LLC
US
suspicious
3940
Lunar.seting.exe
23.128.64.141:443
ip4.seeip.org
Joe's Datacenter, LLC
US
suspicious
1836
20PackPvpFac.exe
162.159.137.232:443
discord.com
Cloudflare Inc
malicious
3940
Lunar.seting.exe
162.159.137.232:443
discord.com
Cloudflare Inc
malicious
3940
Lunar.seting.exe
208.95.112.1:80
ip-api.com
IBURST
malicious

DNS requests

Domain
IP
Reputation
ip4.seeip.org
  • 23.128.64.141
suspicious
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ip-api.com
  • 208.95.112.1
shared
discord.com
  • 162.159.137.232
  • 162.159.128.233
  • 162.159.136.232
  • 162.159.138.232
  • 162.159.135.232
whitelisted

Threats

PID
Process
Class
Message
1836
20PackPvpFac.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
1836
20PackPvpFac.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
1836
20PackPvpFac.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
3940
Lunar.seting.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
3940
Lunar.seting.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3940
Lunar.seting.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
20PackPvpFac.rar