File name: | GABB.rar |
Full analysis: | https://app.any.run/tasks/9023e109-031f-4b3a-b5e6-460bfb6a8661 |
Verdict: | Malicious activity |
Analysis date: | August 08, 2020, 10:44:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | FBEE6A0BD53009B50CBA431E02A6A4EB |
SHA1: | F05C81373972B28DD81A7DC2C29131B68DB8F0F4 |
SHA256: | 3185430BEEBCFCCD395D7D269805AE95C120C5E2FFC033B8A49684DFCB29F371 |
SSDEEP: | 24576:EKakz7yELA37lPxV4y5N0OcyV2ceBL+kYtqQFy/FVNek0r19/:7akPyELAlv4y5JpJFqwx1B |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2816 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GABB.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
256 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3560 | "C:\Users\admin\Desktop\New folder\GABB.exe" | C:\Users\admin\Desktop\New folder\GABB.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Version: 1.0.0.0 | ||||
2152 | "C:\Users\admin\Desktop\New folder\GABB.exe" | C:\Users\admin\Desktop\New folder\GABB.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Version: 1.0.0.0 | ||||
3768 | "C:\Users\admin\AppData\Local\Temp\GABB.exe" | C:\Users\admin\AppData\Local\Temp\GABB.exe | — | GABB.exe |
User: admin Integrity Level: MEDIUM | ||||
3900 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\GABB.ini | C:\Windows\system32\NOTEPAD.EXE | — | GABB.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2816.35143\GABB.ini | — | |
MD5:— | SHA256:— | |||
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2816.35143\GDLL.dll | — | |
MD5:— | SHA256:— | |||
2816 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2816.35143\GABB.exe | — | |
MD5:— | SHA256:— | |||
256 | explorer.exe | C:\Users\admin\Desktop\GABB.exe | executable | |
MD5:4FA52E3B0FC5C828FA699BD385943192 | SHA256:C0B0A37BE2BF94355A82C680E929B55084EAB66040E2A7DAB6C6349C5D569245 | |||
3560 | GABB.exe | C:\Users\admin\AppData\Local\Temp\GABB.ini | text | |
MD5:78E850A5916CB4D96A41FE35D8007B7B | SHA256:81E4BBF799A67BCC0EC71BE5B4C34405D2982B25506685E6C40EB58B6709DF51 | |||
256 | explorer.exe | C:\Users\admin\Desktop\New folder\GABB.exe | executable | |
MD5:4FA52E3B0FC5C828FA699BD385943192 | SHA256:C0B0A37BE2BF94355A82C680E929B55084EAB66040E2A7DAB6C6349C5D569245 | |||
256 | explorer.exe | C:\Users\admin\Desktop\GABB.ini | text | |
MD5:C4A166CFFF95A111FEA5474A95928F2C | SHA256:3B45F4BC47C7DEF7BDBE886DFECBBB5DBC8335998B4D925978A114DEFE8C8DC9 | |||
256 | explorer.exe | C:\Users\admin\Desktop\New folder\GABB.ini | text | |
MD5:C4A166CFFF95A111FEA5474A95928F2C | SHA256:3B45F4BC47C7DEF7BDBE886DFECBBB5DBC8335998B4D925978A114DEFE8C8DC9 | |||
3560 | GABB.exe | C:\Users\admin\AppData\Local\Temp\GDLL.dll | executable | |
MD5:8A12CB004CDBAAA80114F3C183848EFD | SHA256:92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517 | |||
256 | explorer.exe | C:\Users\admin\Desktop\GDLL.dll | executable | |
MD5:8A12CB004CDBAAA80114F3C183848EFD | SHA256:92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3560 | GABB.exe | GET | 200 | 116.202.244.153:80 | http://icanhazip.com/ | IN | text | 13 b | shared |
3560 | GABB.exe | GET | 200 | 116.202.244.153:80 | http://icanhazip.com/ | IN | text | 13 b | shared |
2152 | GABB.exe | GET | 200 | 116.202.244.153:80 | http://icanhazip.com/ | IN | text | 13 b | shared |
2152 | GABB.exe | GET | 200 | 116.202.244.153:80 | http://icanhazip.com/ | IN | text | 13 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2152 | GABB.exe | 104.27.142.46:443 | nusumu.wtf | Cloudflare Inc | US | malicious |
3560 | GABB.exe | 104.27.142.46:443 | nusumu.wtf | Cloudflare Inc | US | malicious |
— | — | 116.202.244.153:80 | icanhazip.com | 334,Udyog Vihar | IN | malicious |
2152 | GABB.exe | 116.202.244.153:80 | icanhazip.com | 334,Udyog Vihar | IN | malicious |
3560 | GABB.exe | 116.202.244.153:80 | icanhazip.com | 334,Udyog Vihar | IN | malicious |
Domain | IP | Reputation |
---|---|---|
icanhazip.com |
| shared |
nusumu.wtf |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
3560 | GABB.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
3560 | GABB.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
2152 | GABB.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
2152 | GABB.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |