File name: apwmie.rar
Full analysis: https://app.any.run/tasks/d4cc50e8-2962-4351-8ffd-2fbee49233b7
Verdict: Malicious activity
Analysis date: April 23, 2019, 14:54:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 2549F116ADBBFEEECF7596E6381BB43C
SHA1: 8A12453015658A505DD6F473DE7A881900D8A769
SHA256: 4116EC1EB75CF336A3FDDE253C28F712668D0A325A74C41445C7FA87C4E9B7A5
SSDEEP: 49152:59veuzboCJzNuy/dZ/HaznYYumDeqAvcSm8rL67EHOSAekFPCi:DWKN5/dZ/aDKQSm8rL67zXKi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3180)
    • Application was dropped or rewritten from another process
      • builder_gui.exe (PID: 3900)
      • botcmd.exe (PID: 1140)
      • bot.exe (PID: 2076)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2616)
  • INFO
    • Application was crashed
      • bot.exe (PID: 2076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: билдер дляя ратов\bot.dll
PackingMethod: Normal
ModifyDate: 2017:04:19 21:09:27
OperatingSystem: Win32
UncompressedSize: 147456
CompressedSize: 71967
Total processes: 44
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the interactive graph (details in the full report): start -> winrar.exe (no specs), winrar.exe, searchprotocolhost.exe (no specs), builder_gui.exe (no specs), botcmd.exe (no specs), bot.exe

Process information

PID 3364 | Parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\apwmie.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 2616 | Parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\apwmie.rar" "?\"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3180 | Parent process: SearchIndexer.exe
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 3900 | Parent process: explorer.exe
  CMD: "C:\Users\admin\Desktop\apwmie\билдер дляя ратов\builder_gui.exe"
  Path: C:\Users\admin\Desktop\apwmie\билдер дляя ратов\builder_gui.exe
  User: admin
  Company: TODO: <Название организации>
  Integrity Level: MEDIUM
  Description: builder_gui
  Exit code: 0
  Version: 1.0.0.1

PID 1140 | Parent process: explorer.exe
  CMD: "C:\Users\admin\Desktop\apwmie\билдер дляя ратов\botcmd.exe"
  Path: C:\Users\admin\Desktop\apwmie\билдер дляя ратов\botcmd.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221225786 (0xC000013A)

PID 2076 | Parent process: explorer.exe
  CMD: "C:\Users\admin\Desktop\apwmie\билдер дляя ратов\bot.exe"
  Path: C:\Users\admin\Desktop\apwmie\билдер дляя ратов\bot.exe
  User: admin
  Integrity Level: MEDIUM
Total events: 780
Read events: 749
Write events: 31
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(not shown) | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
(not shown) | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
(not shown) | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | write | LanguageList | en-US
(not shown) | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\apwmie.rar
(not shown) | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(not shown) | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(not shown) | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(not shown) | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(2616) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
(2616) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
Executable files: 17
Suspicious files: 0
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2616 | WinRAR.exe | C:\Users\admin\Desktop\apwmie\билдер дляя ратов\bot_cmd.txt | text
  MD5: 115BC12722DA048BEC5A23736573A8CD
  SHA256: 579E6E7990CB7F7629F16F1C2CEE10A20C34348134D0B60C811A185380C86CB1
2616 | WinRAR.exe | C:\Users\admin\Desktop\apwmie\билдер дляя ратов\builder.exe | executable
  MD5: CA037127C0CBAC7BB2E11E8EB61C8CAB
  SHA256: 41955340B55EE3C2054263A008C141151DB9FCC0816B08905771E26E3739F411
2616 | WinRAR.exe | C:\Users\admin\Desktop\apwmie\билдер дляя ратов\bot.exe | executable
  MD5: 726FF22572027F36A0BF15FA70FDA272
  SHA256: 74DA983C63F4C77EAFCD9953C0705F01E2DFCC30A14FDED06FF1E2641B8EA856
2616 | WinRAR.exe | C:\Users\admin\Desktop\apwmie\билдер дляя ратов\Server.exe | executable
  MD5: 0F367FCE0C77E594EC09F105DED2503A
  SHA256: 120EDD37142C24D17472137C608220220A4EFB595D42A991EFD498AC30339B4E
2616 | WinRAR.exe | C:\Users\admin\Desktop\apwmie\билдер дляя ратов\CmdManager.exe | executable
  MD5: A12B1337A4802F47CC179243D1391300
  SHA256: 2825F6CB667B1ACD55E6D7013D5E8828370DF38B2398A39C1CE4BA42347FB5B5
2616 | WinRAR.exe | C:\Users\admin\Desktop\apwmie\билдер дляя ратов\bot_x64.exe | executable
  MD5: 07EACCF8CF454358A3F669ACCF9C1DF9
  SHA256: 0ACF29E9AE705E5518A55E9020F69E9BDC9348D6374D054720B6169CFDC5CA87
2616 | WinRAR.exe | C:\Users\admin\Desktop\apwmie\билдер дляя ратов\VncSharp.dll | executable
  MD5: BA810766A2901EE00CD8E244D2DB1A43
  SHA256: E5EE043DA6E74B1CBEE3FD4035A6F80A22C89E1813C5BFBD2572A594F93FD740
2616 | WinRAR.exe | C:\Users\admin\Desktop\apwmie\билдер дляя ратов\builder_gui.config | text
  MD5: ED19CA99581136D44B35BBB2240A6BF6
  SHA256: AEA52D27230B89CA1B732866AFBE137A98E65100049A56B3293DEF8D5FE7DDA0
2616 | WinRAR.exe | C:\Users\admin\Desktop\apwmie\билдер дляя ратов\botcmd.exe | executable
  MD5: 51394BB6F51E6D229D39F8E2C27E11C0
  SHA256: 822D1259E7B03A5113743E2840D3338236159670D94AAF41431B7D6391268300
2616 | WinRAR.exe | C:\Users\admin\Desktop\apwmie\билдер дляя ратов\bot_x64.dll | executable
  MD5: 3FBBC541A3C08FD3B2F17C0C2FF0B957
  SHA256: 55341DFE5A2E7FF47BDE6573885693EC67D9662C40A7B321059FE1AF6D5BABAF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests
Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info