File name: | SQLi Dumper v.10.5 [Cracked].zip |
Full analysis: | https://app.any.run/tasks/52d2a829-ac02-4f4b-bbce-9a45402cbc31 |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | June 27, 2022, 11:24:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | 8FB2B08E507A19A5DD6568B9A007017B |
SHA1: | DC747E69E91D01701DB6145982F2BEB3299E6817 |
SHA256: | 38990820F4AEC8C75ABC6281C5025A7F452457757B976E0C686CE26C7FA32218 |
SSDEEP: | 98304:LbcexiALRfqD0NvgeLxfJmN6lMmRuwyFva9rWB18T4:3VxHfqD0NvgKVYN6lFswyvwWXV |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | bufferGeop.bin |
---|---|
ZipUncompressedSize: | 1358092 |
ZipCompressedSize: | 754547 |
ZipCRC: | 0xf15e25a9 |
ZipModifyDate: | 2018:12:12 10:14:21 |
ZipCompression: | Deflated |
ZipBitFlag: | - |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2616 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SQLi Dumper v.10.5 [Cracked].zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 | ||||
3544 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2616.21656\SQLi Dumper v.10.5.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2616.21656\SQLi Dumper v.10.5.exe | WinRAR.exe | |
User: admin Company: fLaSh Integrity Level: MEDIUM Description: SQLi Dumper Exit code: 0 Version: 10.5.0.0 | ||||
1612 | "C:\Users\admin\AppData\Local\Temp\tmp6F0C.tmp.exe" | C:\Users\admin\AppData\Local\Temp\tmp6F0C.tmp.exe | SQLi Dumper v.10.5.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3868 | "C:\Users\admin\AppData\Local\Temp\tmp6FC9.tmp.exe" | C:\Users\admin\AppData\Local\Temp\tmp6FC9.tmp.exe | — | SQLi Dumper v.10.5.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
844 | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\admin\AppData\Local\cache\MoUSO.exe" | C:\Windows\System32\schtasks.exe | — | tmp6F0C.tmp.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
35504 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | tmp6FC9.tmp.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET ClickOnce Launch Utility Version: 4.0.30319.34209 built by: FX452RTMGDR RedLine(PID) Process(35504) AppLaunch.exe US (163) LEnvironmentogiEnvironmentn DatEnvironmenta Environment WSystem.Texteb DatSystem.Texta System.Text CoCryptographyokieCryptographys Cryptography ExtGenericension CooGenerickies Generic OFileInfopeFileInfora GFileInfoX StabFileInfole FileInfo OpLinqera GLinqX Linq ApGenericpDaGenericta\RGenericoamiGenericng\ Network Extension UNKNOWN . 1 cFileStreamredFileStreamit_cFileStreamardFileStreams FileStream \ Network\ Host Port : User Pass cookies.sqlite String.Replace String.Remove net.tcp:// / localhost 8ba92dfee5aef3dd5d57f4219e603a3f Authorization ns1 HSYKSSkYAUYgOj8ZNQ83UjooP0IsPTxCKyRRbQ== ATovFD81EgQOFwYQGCRPWw== BjUJFSw6JAwOYhYYIDJCASxeFgcrSjQVBUY+OBEPKAIrCyMGCSo3Az8hJDs5YSglLA83ETgvZRkDPhIVBy0hNxA2FR8RVBkZCgsjFAYfXwElGB4XHT07ASxeaQYCMTNCPC0lJQ== Prayerful Id3 EnumerateFiles ExpandEnvironmentVariables Id2 Id1 FullName Replace Directory wa l et d a t *wallet* _ T e gr am ex \TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata \Discord\Local Storage\leveldb *.loSystem.Collections.Genericg System.Collections.Generic String string.Replace %USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng File.Write Handler npvo* %USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl serviceInterface.Extension ProldCharotonVoldCharPN oldChar nSystem.CollectionspvoSystem.Collections* System.Collections Microsoft\Windоws - ToString AddRange % ( UNIQUE " bcrFileStream.IOypt.dFileStream.IOll FileStream.IO BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder string.Empty BCruintyptCloseAlgorituinthmProvuintider uint BCrUnmanagedTypeyptDecrUnmanagedTypeypt UnmanagedType BCrbyte[]yptDesbyte[]troyKbyte[]ey byte[] BCpszPropertyryptGepszPropertytPropepszPropertyrty pszProperty BCEncodingryptSEncodingetPrEncodingoperEncodingty Encoding BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey bMasterKey windows-1251 AES Microsoft Primitive Provider ChainingModeGCM AuthTagLength ChainingMode ObjectLength KeyDataBlob {0} gasdl94ja;sdiasdl94ja;s32 asdl94ja;s Gasdl94jlajsdetDevasdl94jlajsdiceCapasdl94jlajsds asdl94jlajsd Width Height CopyFromScreen | https://api.ip.sb/ip 80 81 0.0.0.0 SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor System.Windows.Forms Name NumberOfCores roSystem.Linqot\CISystem.LinqMV2 System.Linq SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller AdapterRAM SOFTWARE\WOW6432Node\Clients\StartMenuInternet SOFTWARE\Clients\StartMenuInternet shell\open\command Unknown Version SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente System.Management SerialNumber SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId=' System.Text.RegularExpressions ' FileSystem SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId=' System. ExecutablePath [ ] Concat0 MConcatb oConcatr Concat0 Concat SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem Memory {0}{1}{2} x32 x64 x86 SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName CSDVersion Unknown _[ Auth_value8ba92dfee5aef3dd5d57f4219e603a3f Err_msgThe program can't start because MSVCR100.dll is missing from your computer. Botnet@sfdkjlkjh C2 (1)194.87.31.188:40641 | ||||
3680 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2616.22931\SQLi Dumper v.10.5.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2616.22931\SQLi Dumper v.10.5.exe | WinRAR.exe | |
User: admin Company: fLaSh Integrity Level: MEDIUM Description: SQLi Dumper Exit code: 0 Version: 10.5.0.0 | ||||
1268 | "C:\Users\admin\AppData\Local\Temp\tmpA07D.tmp.exe" | C:\Users\admin\AppData\Local\Temp\tmpA07D.tmp.exe | — | SQLi Dumper v.10.5.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3000 | "C:\Users\admin\AppData\Local\Temp\tmpA129.tmp.exe" | C:\Users\admin\AppData\Local\Temp\tmpA129.tmp.exe | — | SQLi Dumper v.10.5.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3272 | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\admin\AppData\Local\cache\MoUSO.exe" | C:\Windows\System32\schtasks.exe | — | tmpA07D.tmp.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2616) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (2616) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (2616) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2616) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (2616) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (2616) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\SQLi Dumper v.10.5 [Cracked].zip | |||
(PID) Process: | (2616) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (2616) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (2616) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (2616) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2616 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2616.21656\SQLi Dumper v.10.5.exe | executable | |
MD5:971EA8E4AE2CA3CFD5D71525C06441A3 | SHA256:1F55B7F97FC82CAD90004841C8894CF76F9A4D9DD672530212EEA912266F80ED | |||
3544 | SQLi Dumper v.10.5.exe | C:\Users\admin\AppData\Local\Temp\tmp6FC9.tmp.exe | executable | |
MD5:EF646A77B4F958ACB31DAED93238043A | SHA256:56552685856A890E1A259E7544A376E69B4C28A7C12B063FE169C171A5490AD3 | |||
2616 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2616.21656\DUX4.dll | executable | |
MD5:2C7300A2A56C532B4ED416CF0946E6EF | SHA256:4F8D7DAA27615E4A06C1B11A75AFDADC4E7E9775C0A778CF6145A395689A255B | |||
3544 | SQLi Dumper v.10.5.exe | C:\Users\admin\AppData\Local\Temp\tmp6F0C.tmp.exe | executable | |
MD5:B2989C50BF20205773DB9669AC7D3145 | SHA256:40132D8B97A042D01BC6BECA2B688690B269B7E42F354A07A5E4728D13B718AA | |||
1612 | tmp6F0C.tmp.exe | C:\Users\admin\AppData\Local\cache\MoUSO.exe | executable | |
MD5:B2989C50BF20205773DB9669AC7D3145 | SHA256:40132D8B97A042D01BC6BECA2B688690B269B7E42F354A07A5E4728D13B718AA | |||
3680 | SQLi Dumper v.10.5.exe | C:\Users\admin\AppData\Local\Temp\tmpA07D.tmp.exe | executable | |
MD5:B2989C50BF20205773DB9669AC7D3145 | SHA256:40132D8B97A042D01BC6BECA2B688690B269B7E42F354A07A5E4728D13B718AA | |||
3680 | SQLi Dumper v.10.5.exe | C:\Users\admin\AppData\Local\Temp\tmpA129.tmp.exe | executable | |
MD5:EF646A77B4F958ACB31DAED93238043A | SHA256:56552685856A890E1A259E7544A376E69B4C28A7C12B063FE169C171A5490AD3 | |||
2616 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2616.22931\Settings.xml | xml | |
MD5:7D2F836CE743897D880D8405404F9B5E | SHA256:B20536E3669FE475188DEC542CA876F1B503A14EB5ECD97AD5C44AF5124A72D0 | |||
2616 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2616.24076\bufferGeop.bin | binary | |
MD5:CB9AD69965F9F4CFF8572983F60BE67C | SHA256:56C7079DC309168D9C41DD4A7A61033ACD264A120CA8D2E2182ABB5B9AE6B0A3 | |||
2616 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2616.22931\SQLi Dumper v.10.5.exe | executable | |
MD5:971EA8E4AE2CA3CFD5D71525C06441A3 | SHA256:1F55B7F97FC82CAD90004841C8894CF76F9A4D9DD672530212EEA912266F80ED |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
36848 | AppLaunch.exe | 194.87.31.188:40641 | — | Llcrelcom | RU | malicious |
35504 | AppLaunch.exe | 194.87.31.188:40641 | — | Llcrelcom | RU | malicious |
3816 | AppLaunch.exe | 194.87.31.188:40641 | — | Llcrelcom | RU | malicious |