analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Fedex.com Brute by Plyshka.rar

Full analysis: https://app.any.run/tasks/d8e28401-1322-4996-be50-f6b2762fdb14
Verdict: Malicious activity
Analysis date: September 19, 2019, 08:12:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

A97F42A4F8892BCB6FBACA477606D946

SHA1:

766DF6A26F02C50419030607FF29F74452A56A7E

SHA256:

3FDC2AF04095886916ABE5BE1EC605C74A11C428F1F72674344F7E4DCEE2B10E

SSDEEP:

49152:xFipp3SrT26A5JEUkjcXSmO5QTd9bOONaGZ+pqZoHd8SdBrOhQ3:GppkT26A5JGcCmzd9bZtUkmnBrT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Fedex.com Brute by Plyshka.exe (PID: 2228)
      • SearchProtocolHost.exe (PID: 752)
    • Application was dropped or rewritten from another process

      • Fedex.com Brute by Plyshka.exe (PID: 2228)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3448)
  • INFO

    • Manual execution by user

      • Fedex.com Brute by Plyshka.exe (PID: 2228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs fedex.com brute by plyshka.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3448"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Fedex.com Brute by Plyshka.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
752"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2228"C:\Users\admin\Desktop\Fedex.com Brute by Plyshka.exe" C:\Users\admin\Desktop\Fedex.com Brute by Plyshka.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Total events
439
Read events
431
Write events
8
Delete events
0

Modification events

(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3448) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Fedex.com Brute by Plyshka.rar
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3448) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3448WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3448.27445\Fedex.com Brute by Plyshka.exe
MD5:
SHA256:
3448WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3448.27445\ssleay32.dllexecutable
MD5:9B3921B65E656FCD9D27423F8283033C
SHA256:89DCCAC92BC457B9180C0389B824AACEBF4A934EE2F0B37F4A6E3865799ECC6A
3448WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3448.27445\libeay32.dllexecutable
MD5:ABEF7052E350DB0C7882CFED969066E1
SHA256:5B4E6E7FF551A2A48F1BAB0AC27421930A6215A9F5E52E95297C8BA31484D1F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info