analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

GABB.rar

Full analysis: https://app.any.run/tasks/517b802f-066a-4c20-9e60-319cef4f79b6
Verdict: Malicious activity
Analysis date: August 08, 2020, 10:43:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

FBEE6A0BD53009B50CBA431E02A6A4EB

SHA1:

F05C81373972B28DD81A7DC2C29131B68DB8F0F4

SHA256:

3185430BEEBCFCCD395D7D269805AE95C120C5E2FFC033B8A49684DFCB29F371

SSDEEP:

24576:EKakz7yELA37lPxV4y5N0OcyV2ceBL+kYtqQFy/FVNek0r19/:7akPyELAlv4y5JpJFqwx1B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • GABB.exe (PID: 692)
      • GABB.exe (PID: 3000)
      • GABB.exe (PID: 296)
      • GABB.exe (PID: 4092)
      • GABB.exe (PID: 820)

    • Changes the autorun value in the registry

      • GABB.exe (PID: 692)
      • GABB.exe (PID: 296)
      • GABB.exe (PID: 3000)

    • Changes settings of System certificates

      • GABB.exe (PID: 3000)

    • Loads dropped or rewritten executable

      • explorer.exe (PID: 356)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1228)
      • GABB.exe (PID: 296)
      • explorer.exe (PID: 356)

    • Checks for external IP

      • GABB.exe (PID: 692)
      • GABB.exe (PID: 296)
      • GABB.exe (PID: 3000)

    • Adds / modifies Windows certificates

      • GABB.exe (PID: 3000)

  • INFO

    • Manual execution by user

      • GABB.exe (PID: 692)
      • GABB.exe (PID: 3000)
      • GABB.exe (PID: 296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start winrar.exe gabb.exe gabb.exe gabb.exe explorer.exe gabb.exe no specs notepad.exe no specs gabb.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1228"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GABB.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
692"C:\Users\admin\Desktop\GABB.exe" C:\Users\admin\Desktop\GABB.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.0.0.0
296"C:\Users\admin\Desktop\GABB.exe" C:\Users\admin\Desktop\GABB.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.0.0.0
3000"C:\Users\admin\Desktop\GABB.exe" C:\Users\admin\Desktop\GABB.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Version:
1.0.0.0
356C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
820"C:\Users\admin\AppData\Local\Temp\GABB.exe" C:\Users\admin\AppData\Local\Temp\GABB.exeGABB.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225781
3944"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\GABB.iniC:\Windows\system32\NOTEPAD.EXEGABB.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4092"C:\Users\admin\Desktop\New folder\GABB.exe" C:\Users\admin\Desktop\New folder\GABB.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.0.0.0
Total events
4 695
Read events
4 536
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
356explorer.exeC:\Users\admin\Desktop\New folder\GABB.initext
MD5:C4A166CFFF95A111FEA5474A95928F2C
SHA256:3B45F4BC47C7DEF7BDBE886DFECBBB5DBC8335998B4D925978A114DEFE8C8DC9
356explorer.exeC:\Users\admin\Desktop\New folder\GABB.exeexecutable
MD5:4FA52E3B0FC5C828FA699BD385943192
SHA256:C0B0A37BE2BF94355A82C680E929B55084EAB66040E2A7DAB6C6349C5D569245
356explorer.exeC:\Users\admin\Desktop\GABB.initext
MD5:C4A166CFFF95A111FEA5474A95928F2C
SHA256:3B45F4BC47C7DEF7BDBE886DFECBBB5DBC8335998B4D925978A114DEFE8C8DC9
356explorer.exeC:\Users\admin\Desktop\GABB.exeexecutable
MD5:4FA52E3B0FC5C828FA699BD385943192
SHA256:C0B0A37BE2BF94355A82C680E929B55084EAB66040E2A7DAB6C6349C5D569245
296GABB.exeC:\Users\admin\AppData\Local\Temp\GABB.initext
MD5:78E850A5916CB4D96A41FE35D8007B7B
SHA256:81E4BBF799A67BCC0EC71BE5B4C34405D2982B25506685E6C40EB58B6709DF51
1228WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1228.26630\GABB.initext
MD5:C4A166CFFF95A111FEA5474A95928F2C
SHA256:3B45F4BC47C7DEF7BDBE886DFECBBB5DBC8335998B4D925978A114DEFE8C8DC9
1228WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1228.26630\GABB.exeexecutable
MD5:4FA52E3B0FC5C828FA699BD385943192
SHA256:C0B0A37BE2BF94355A82C680E929B55084EAB66040E2A7DAB6C6349C5D569245
356explorer.exeC:\Users\admin\Desktop\GDLL.dllexecutable
MD5:8A12CB004CDBAAA80114F3C183848EFD
SHA256:92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517
296GABB.exeC:\Users\admin\AppData\Local\Temp\GDLL.dllexecutable
MD5:8A12CB004CDBAAA80114F3C183848EFD
SHA256:92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517
1228WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa1228.26630\GDLL.dllexecutable
MD5:8A12CB004CDBAAA80114F3C183848EFD
SHA256:92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
9
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
692
GABB.exe
GET
200
116.202.55.106:80
http://icanhazip.com/
IN
text
14 b
shared
296
GABB.exe
GET
200
116.202.55.106:80
http://icanhazip.com/
IN
text
14 b
shared
296
GABB.exe
GET
200
116.202.55.106:80
http://icanhazip.com/
IN
text
14 b
shared
3000
GABB.exe
GET
200
116.202.55.106:80
http://icanhazip.com/
IN
text
14 b
shared
3000
GABB.exe
GET
200
116.202.55.106:80
http://icanhazip.com/
IN
text
14 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
692
GABB.exe
116.202.55.106:80
icanhazip.com
334,Udyog Vihar
IN
malicious
296
GABB.exe
104.27.142.46:443
nusumu.wtf
Cloudflare Inc
US
malicious
296
GABB.exe
116.202.55.106:80
icanhazip.com
334,Udyog Vihar
IN
malicious
116.202.55.106:80
icanhazip.com
334,Udyog Vihar
IN
malicious
3000
GABB.exe
104.27.142.46:443
nusumu.wtf
Cloudflare Inc
US
malicious
3000
GABB.exe
116.202.55.106:80
icanhazip.com
334,Udyog Vihar
IN
malicious
692
GABB.exe
104.27.142.46:443
nusumu.wtf
Cloudflare Inc
US
malicious

DNS requests

Domain
IP
Reputation
icanhazip.com
  • 116.202.55.106
  • 116.202.244.153
shared
nusumu.wtf
  • 104.27.142.46
  • 172.67.214.70
  • 104.27.143.46
unknown

Threats

PID
Process
Class
Message
692
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
296
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
296
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
3000
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
3000
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
692
GABB.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
GABB.rar