analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1.rar

Full analysis: https://app.any.run/tasks/34418fc8-8c5b-43e9-a1e3-377c5b262cb0
Verdict: Malicious activity
Analysis date: January 18, 2020, 11:24:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

30EDD123DC12367712A5C4EE6CA68635

SHA1:

75543031C63C5CD1145AD429056726E8E3528C97

SHA256:

36E345A37B718088538C4C4A84FFF940DBB7A0B94F243D60072666D88356E9F9

SSDEEP:

393216:lLKjgS3HY3hlZxncawyHXQA9aFYZrW5sjfviS:Jq7XY3rXcqXQA9EOjniS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3544)
      • BlackBullet2.exe (PID: 1096)
      • BlackBullet2.exe (PID: 3652)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Launcher(u can try if other not work).exe (PID: 2444)

    • Starts Internet Explorer

      • cmd.exe (PID: 1292)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 996)

  • INFO

    • Manual execution by user

      • BlackBullet2.exe (PID: 1096)
      • Launcher(u can try if other not work).exe (PID: 2444)
      • Launcher(updated).exe (PID: 3772)
      • Launcher(updated).exe (PID: 3096)
      • Launcher(updated).exe (PID: 3292)

    • Changes internet zones settings

      • iexplore.exe (PID: 4040)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2136)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2136)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2136)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2136)

    • Creates files in the user directory

      • iexplore.exe (PID: 2136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
11
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs blackbullet2.exe launcher(u can try if other not work).exe cmd.exe no specs iexplore.exe iexplore.exe blackbullet2.exe launcher(updated).exe launcher(updated).exe no specs launcher(updated).exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
996"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3544"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
1096"C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\BlackBullet2.exe" C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\BlackBullet2.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
BlackBullet2
Exit code:
0
Version:
1.0.0.0
2444"C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(u can try if other not work).exe" C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(u can try if other not work).exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
1292"C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\7EF9.tmp\7EFA.tmp\7EFB.bat "C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(u can try if other not work).exe""C:\Windows\system32\cmd.exeLauncher(u can try if other not work).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4040"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2136"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4040 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3652BlackBullet2.exe FLC:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\BlackBullet2.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Description:
BlackBullet2
Exit code:
3221225477
Version:
1.0.0.0
3772"C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(updated).exe" C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(updated).exe
explorer.exe
User:
admin
Company:
CPUID Hardware Monitor
Integrity Level:
HIGH
Description:
CPUID Hardware Monitor
Version:
1.3.4.0
3096"C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(updated).exe" C:\Users\admin\Desktop\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Launcher(updated).exeexplorer.exe
User:
admin
Company:
CPUID Hardware Monitor
Integrity Level:
MEDIUM
Description:
CPUID Hardware Monitor
Version:
1.3.4.0
Total events
1 219
Read events
1 134
Write events
0
Delete events
0

Modification events

No data
Executable files
32
Suspicious files
2
Text files
110
Unknown types
17

Dropped files

PID
Process
Filename
Type
996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\903fb8d8.binhtml
MD5:6625F647DFFC6DD25628207E75DC9922
SHA256:1E25FF5F760B5AAB3AA896CC8B74F71B89FE92E94FA5A463BA893D26A11696C2
996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\chromedriver.exeexecutable
MD5:2FBE8348A03B7440EB5B025ABAE7F7D1
SHA256:C68BB9B97E36B5DAAB3D100F427A7977A535D9B4EA20890FBB755F39D0421E94
996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\Amazon GC.bbctext
MD5:3846F9AF887004477D066C670725AC20
SHA256:84FAD65A3C47B6F340112D69E27AB597BCC32EEB6ACD841604FFD718CA5D5413
996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\geckodriver.exeexecutable
MD5:45965D4D64ACC06FD669E8A509E5E546
SHA256:A56397E98C52370FA370FEEF31814105EE8B41933D51DDE3403252C5D4ED6471
996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\Extreme.Net.xmlxml
MD5:21F2F9F50744B877DCC99903F56CA488
SHA256:E2524EE13D55BF81D1F8B4405A8BB517C7E3834957DF160A49A0E6A67022E824
996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\AngleSharp.xmlxml
MD5:68A0CADB92BA0866013B625B7B1A86EC
SHA256:5F83F50EF9241A4FA4D049FF587B2AA6C2F33939842703145140DCC0853EBA95
996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\DeathByCaptcha.pdbpdb
MD5:1C127B5964FE54CA87E72D4E0F27DDBB
SHA256:B880BF64DCB57E490BB05B13F8CC3C0059C80987EE8B8C9D2E113293669309CF
996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\DeathByCaptcha.dllexecutable
MD5:3495203999B4A2C1A91A6C2E7903E0DB
SHA256:FDD3C336E835F01FA052CF23C1B5A8070D510FFA3C8EE12187C1EA46A08287D1
996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\Extreme.Net.pdbpdb
MD5:14DDBAC1E701EC38412C77170D26595D
SHA256:9BEA8D66B0FFE1E89633682B870E2CF49D31C496838EF5174F50959BF812B586
996WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa996.23199\Amazon GC Checker & Generator\Amazon GC Checker & Generator\bin\DeCaptcherLibrary.pdbpdb
MD5:3504A330E2782EF3E549B438946578BF
SHA256:408C07A85B04949CE0900E4545EE9790D93BF1EFDAA51DE7EBAA37BD03BDB62A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
30
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2136
iexplore.exe
GET
301
104.27.160.126:80
http://crackingcentral.com/
US
malicious
4040
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2136
iexplore.exe
172.217.18.170:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2136
iexplore.exe
104.27.11.92:443
cracked.to
Cloudflare Inc
US
suspicious
2136
iexplore.exe
104.27.160.126:80
crackingcentral.com
Cloudflare Inc
US
shared
4040
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2136
iexplore.exe
104.27.10.92:443
cracked.to
Cloudflare Inc
US
suspicious
2136
iexplore.exe
104.17.64.4:443
cdnjs.cloudflare.com
Cloudflare Inc
US
unknown
2136
iexplore.exe
209.197.3.15:443
maxcdn.bootstrapcdn.com
Highwinds Network Group, Inc.
US
whitelisted
2136
iexplore.exe
172.217.22.2:443
www.googleadservices.com
Google Inc.
US
whitelisted
2136
iexplore.exe
151.101.2.109:443
cdn.jsdelivr.net
Fastly
US
suspicious
2136
iexplore.exe
172.217.23.100:443
www.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
crackingcentral.com
  • 104.27.160.126
  • 104.27.161.126
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
cracked.to
  • 104.27.11.92
  • 104.27.10.92
whitelisted
static.cracked.to
  • 104.27.10.92
  • 104.27.11.92
suspicious
fonts.googleapis.com
  • 172.217.18.170
whitelisted
maxcdn.bootstrapcdn.com
  • 209.197.3.15
whitelisted
cdnjs.cloudflare.com
  • 104.17.64.4
  • 104.17.65.4
whitelisted
cdn.jsdelivr.net
  • 151.101.2.109
  • 151.101.66.109
  • 151.101.130.109
  • 151.101.194.109
whitelisted
www.googletagmanager.com
  • 172.217.22.40
whitelisted
fonts.gstatic.com
  • 172.217.22.67
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1.rar