File name: NEW MULTITOOL.rar

Full analysis: https://app.any.run/tasks/55c15018-d393-486e-bc1e-6692c7688378
Verdict: Malicious activity
Analysis date: August 08, 2020, 18:42:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 5E7DC6833B224937516CA2C8BF4FA7BC
SHA1: 9FE86590FFECD2C565DD531A8011F27103BDBAAE
SHA256: 3BC57CFD9160F44F5C0DA3813A6591083569DCA7A8632C0ED699F14FACC5BF08
SSDEEP: 196608:ZmooVD/sFC/m3njVWvezX/fFsmxHDwDmfeGqVd/1Cs/XQ:6VD/sF/3zv9lxHMK2l38aA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • MultiTool.exe (PID: 1496)
      • MultiTool.exe (PID: 2092)
    • Loads dropped or rewritten executable
      • MultiTool.exe (PID: 2092)
    • Actions look like stealing of personal data
      • MultiTool.exe (PID: 2092)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2688)
      • MultiTool.exe (PID: 1496)
    • Application launched itself
      • MultiTool.exe (PID: 1496)
    • Starts CMD.EXE for command execution
      • MultiTool.exe (PID: 2092)
    • Loads Python modules
      • MultiTool.exe (PID: 2092)
  • INFO
    • Manual execution by user
      • MultiTool.exe (PID: 1496)
    • Dropped object may contain Bitcoin addresses
      • MultiTool.exe (PID: 1496)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 45
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes: start, winrar.exe, multitool.exe, multitool.exe, cmd.exe (no specs)

Process information

PID | CMD | Path | Parent process
2688 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NEW MULTITOOL.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
1496 | "C:\Users\admin\Desktop\MultiTool.exe" | C:\Users\admin\Desktop\MultiTool.exe | explorer.exe
User: admin
Integrity Level: HIGH
2092 | "C:\Users\admin\Desktop\MultiTool.exe" | C:\Users\admin\Desktop\MultiTool.exe | MultiTool.exe
User: admin
Integrity Level: HIGH
2508 | C:\Windows\system32\cmd.exe /c cls | C:\Windows\system32\cmd.exe | MultiTool.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 696
Read events: 434
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 28
Suspicious files: 6
Text files: 920
Unknown types: 3

Dropped files

PID | Process | Filename | Type
1496 | MultiTool.exe | C:\Users\admin\AppData\Local\Temp\_MEI14962\Main.exe.manifest | xml
MD5:69ED167046FB52C0C1EE06B632050E51
SHA256:5975EA9D4A5A359E33D1D6E6C0698E74F101B4BE2AEDF41C3624C8EFC508C939
2688 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2688.49316\MultiTool.exe | executable
MD5:3B3322B19213FA88B502E4B8B41C14E8
SHA256:1A67771BE99549B76EAC909B3659C005204B604EAE660987A8BADA466E5AF626
1496 | MultiTool.exe | C:\Users\admin\AppData\Local\Temp\_MEI14962\_hashlib.pyd | executable
MD5:F9799B167C3E4FFEE4629B4A4E2606F2
SHA256:02DD924D4EBFBB8B5B0B66B6E6BB2388FCCDAD64D0493854A5443018AD5D1543
1496 | MultiTool.exe | C:\Users\admin\AppData\Local\Temp\_MEI14962\_testcapi.pyd | executable
MD5:58B6D54036BB03B606A11EA1A4FE376B
SHA256:03F67F5AE47EB4AF1C6DE599AFA9640E6B77BEB0A71CFF79223D07BA63E94D2F
1496 | MultiTool.exe | C:\Users\admin\AppData\Local\Temp\_MEI14962\_bz2.pyd | executable
MD5:2002B2CC8F20AC05DE6DE7772E18F6A7
SHA256:645665CF3338E7665E314F53FBBCB3C5D9174E90F3BF65DDBDC9C0CB24A5D40D
1496 | MultiTool.exe | C:\Users\admin\AppData\Local\Temp\_MEI14962\_ctypes.pyd | executable
MD5:C827A20FC5F1F4E0EF9431F29EBF03B4
SHA256:D500CFF28678ECED1FC4B3AEABECC0F3B30DE735FDEFE90855536BC29FC2CB4D
1496 | MultiTool.exe | C:\Users\admin\AppData\Local\Temp\_MEI14962\_multiprocessing.pyd | executable
MD5:7D3306BA4645463CB0D4C34C77B2BDF2
SHA256:3A183E0F6A31507C3B0ACBCAE5D6C3D843C590BB370DE5382E2DF9CFC2CB156E
1496 | MultiTool.exe | C:\Users\admin\AppData\Local\Temp\_MEI14962\_sqlite3.pyd | executable
MD5:49848CA2C6ED629A5FA24ABAB96E5EC9
SHA256:C222806D471A71D0FD804162E5DA3DC607973367819453C20119A5742EFF5113
1496 | MultiTool.exe | C:\Users\admin\AppData\Local\Temp\_MEI14962\_decimal.pyd | executable
MD5:5CDA820A4E1427EAB472A05398B7BA36
SHA256:49D4DCD257138718CC3F8D8BB445F8C9212CDA73B06CF70F3D706102042680BC
1496 | MultiTool.exe | C:\Users\admin\AppData\Local\Temp\_MEI14962\_elementtree.pyd | executable
MD5:FA9381D1851DA8B8F61547013D8CC81E
SHA256:12147B8D57C9C4740D4AC23615F75FC62A2F41379B2BA0E159B9838819B1700A
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2092 | MultiTool.exe | 54.235.182.194:443 | api.ipify.org | Amazon.com, Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
api.ipify.org | 54.235.182.194, 23.21.118.184, 107.22.251.25, 54.225.191.113, 54.225.195.221, 23.21.126.66, 54.221.234.156, 174.129.214.20 | shared

Threats

PID | Process | Class | Message
2092 | MultiTool.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check
2092 | MultiTool.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check
1 ETPRO signature available in the full report
No debug info