File name: Xans Injector.rar
Full analysis: https://app.any.run/tasks/0bd39a7d-7182-4b9b-ab40-2f532a162463
Verdict: Malicious activity
Analysis date: October 04, 2022, 22:20:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 508611E46D27994E6EF5D5D33E4A005D
SHA1: F1B9E2B017E0D1E6B87ED3EB1B779F5284170854
SHA256: 386D0F652F59C86A486B3F15C37F6BB3EAC3613CC44A6EA921CD9DB694D9376F
SSDEEP: 393216:bAGHzeBUEIa9wKVD/cTSUXlkv7Jaxuc2o3mDL1i:bfHCBUFa9HbcFzahi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 3292)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 2052)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 3292)
    • Checks supported languages
      • WinRAR.exe (PID: 3292)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3292)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3292)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → winrar.exe → searchprotocolhost.exe (no specs)

Process information

PID: 3292
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Xans Injector.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 2052
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Total events: 1 544
Read events: 1 521
Write events: 23
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
3292 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
3292 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
3292 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US
3292 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
3292 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3292 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\Xans Injector.rar
3292 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
3292 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
3292 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
3292 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
Executable files: 10
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.21331\Xans Injector\Xans Injector.exe | | |
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.21331\Xans Injector\Assembly-UnityScript-firstpass.dll | executable | B7C8BFF6B34347567F1562181BA7F080 | B96BEFF5DDF870A45AB7F042B08FBD07EEBFB531FB97E0966244C8EBB8E2181A
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.21331\Xans Injector\Assembly-CSharp.dll | executable | CEEAD5700590C5DB2D5280EBD6F6F1E8 | 3FCB3958D5C6A04C16B010A056BC0798EC4E1A4705CDC1E974D70BA2FB5C1C59
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.21331\Xans Injector\bolt.user.dll | executable | 7AAC772907C2ADBF137FFF4D599014C0 | 628C6F87C3DE09F59AE0FA116F33B76E13C98B98D49F598828713604EFAD70B3
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.21331\Xans Injector\Assembly-UnityScript.dll | executable | FB5C5DEBB22030075A49B6C2CEACEE0E | 56D95D106AC64377BE02C55B0999CF9BCA2A627560F8FC97C6E4862CC7761071
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.21331\Xans Injector\Mono.Posix.dll | executable | 80ED30C87B1C7AFFCCD767AB27B692C3 | 0220B03FF54B4840F8EE0202EB49B9C81AA62C29310B47210B21A2BDC171BFA6
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.21331\Xans Injector\Boo.Lang.dll | executable | 35F8102E37D05D1797F11649EFF8C6FB | D9DE23E053C1889BA9CDA3BA3708B8CA1286C0DCAF29B50F719ACF0D4B15582F
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.21331\Xans Injector\Assembly-CSharp-firstpass.dll | executable | 9ED1FDEC5ABF867949E674DC64D9DF46 | D73D755757F508BF3EA33432368FEA924F507C4E139B70342A2510E55C0EBDF4
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.21331\Xans Injector\bolt.dll | executable | C27F1E54895DB80C1C8D0F16FBED22E9 | D2B93E9FC2E2C48F159B736EAC62CF51453E4CD28866536A55EA0FEABA0B42EC
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.21331\Xans Injector\AmplifyOcclusion.dll | executable | 533F35098C7ECCDC859ED5E520042ECA | DB299FEF58132D7579F2BD84908DE6E0BA7D5B840E72B2B0C9751531D4B75E8C
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info