analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

1.rar

Full analysis: https://app.any.run/tasks/9e9461f9-9302-42ae-a86d-0eb35834d24f
Verdict: Malicious activity
Analysis date: January 11, 2019, 07:03:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

B0F4411635565131BD0E77F0EB0383F1

SHA1:

B7B4C7C7C8D28978AD90C5DFF3A2725ADB059622

SHA256:

48821B749239F46D64CE386C026F248F00C979ED0DBD3BC92BDE713C6354C9D0

SSDEEP:

98304:0TuGTN4Sj59f+BZmbH21GntctlSR08jIR9RnEW2fP:kN/92rmbH216Ol4fjiPGP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SpyAgentSetup.exe (PID: 3496)
      • driver-setup.exe (PID: 2156)
      • WinRAR.exe (PID: 3088)
      • sysdiag.exe (PID: 3664)
      • sysdiag.exe (PID: 3432)
      • explorer.exe (PID: 284)
      • DllHost.exe (PID: 2276)

    • Application was dropped or rewritten from another process

      • npf_mgm.exe (PID: 2200)
      • driver-setup.exe (PID: 2156)
      • sysdiag.exe (PID: 3664)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SpyAgentSetup.exe (PID: 3496)
      • driver-setup.exe (PID: 2156)

    • Creates files in the Windows directory

      • driver-setup.exe (PID: 2156)
      • SpyAgentSetup.exe (PID: 3496)

    • Creates files in the driver directory

      • driver-setup.exe (PID: 2156)

    • Creates files in the program directory

      • driver-setup.exe (PID: 2156)
      • SpyAgentSetup.exe (PID: 3496)

    • Creates executable files which already exist in Windows

      • SpyAgentSetup.exe (PID: 3496)

    • Creates a software uninstall entry

      • SpyAgentSetup.exe (PID: 3496)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: Spytech SpyAgent Stealth 6.2\Crack\sysdiag.exe
PackingMethod: Normal
ModifyDate: 2007:12:08 20:57:08
OperatingSystem: Win32
UncompressedSize: 1426944
CompressedSize: 1336695
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
8
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe no specs spyagentsetup.exe driver-setup.exe npf_mgm.exe no specs sysdiag.exe no specs explorer.exe no specs Thumbnail Cache Out of Proc Server no specs sysdiag.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3088"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3496"C:\Users\admin\Desktop\Spytech SpyAgent Stealth 6.2\SpyAgentSetup.exe" C:\Users\admin\Desktop\Spytech SpyAgent Stealth 6.2\SpyAgentSetup.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2156"C:\PROGRA~1\SPYTEC~1\SPYTEC~1\driver-setup.exe" -sC:\PROGRA~1\SPYTEC~1\SPYTEC~1\driver-setup.exe
SpyAgentSetup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2200"C:\Program Files\WinConfig\npf_mgm.exe" -rC:\Program Files\WinConfig\npf_mgm.exedriver-setup.exe
User:
admin
Company:
CACE Technologies
Integrity Level:
HIGH
Description:
npf_mgm
Exit code:
0
Version:
3, 1, 0, 27
3664"C:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exe" C:\Program Files\Spytech Software\Spytech SpyAgent\sysdiag.exeSpyAgentSetup.exe
User:
admin
Integrity Level:
HIGH
284C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2276C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3432"C:\Users\admin\Desktop\Spytech SpyAgent Stealth 6.2\Crack\sysdiag.exe" C:\Users\admin\Desktop\Spytech SpyAgent Stealth 6.2\Crack\sysdiag.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
5 783
Read events
4 043
Write events
0
Delete events
0

Modification events

No data
Executable files
25
Suspicious files
5
Text files
93
Unknown types
11

Dropped files

PID
Process
Filename
Type
3088WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3088.26283\Spytech SpyAgent Stealth 6.2\Crack\sysdiag.exe
MD5:
SHA256:
3088WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3088.26283\Spytech SpyAgent Stealth 6.2\SpyAgentSetup.exe
MD5:
SHA256:
3088WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3088.26283\Spytech SpyAgent Stealth 6.2\te.nfo
MD5:
SHA256:
284explorer.exeC:\Users\admin\Desktop\Spytech SpyAgent Stealth 6.2
MD5:
SHA256:
3496SpyAgentSetup.exeC:\Users\admin\AppData\Local\Temp\~vis0000\miscdata.xyz
MD5:
SHA256:
3496SpyAgentSetup.exeC:\Users\admin\AppData\Local\Temp\~vis0000\uninstal.logtext
MD5:BEC6A3D8CC0E3F9825915F4E97261274
SHA256:66F228656E7A0D390D0C3457B0989823F6DFF09B75F3FE4F8FFB187F17BAF6B7
3496SpyAgentSetup.exeC:\Users\admin\AppData\Local\Temp\~vis0000\mainsplash.bmpimage
MD5:BA3248BBFAC9DAEFEDF96E8DDD358FCF
SHA256:5F2EFE11E1C17D8280A181A68825497A4BDC3A94F8BAE3A2C81A3A3980E24699
3496SpyAgentSetup.exeC:\Users\admin\AppData\Local\Temp\~vis0000\sidesplash.bmpimage
MD5:47EAA203BC42B602AE63E4F5BB409C48
SHA256:0DFE6DDF16C673D298BA0D7E40F6F0FF308EF71165F51DB24AF953B9C93CD4CB
3496SpyAgentSetup.exeC:\Users\admin\AppData\Local\Temp\~vis0000\vise32ex.dllexecutable
MD5:1D527A223FDED6CCA097884C30ED8B2B
SHA256:5032E0D6808786354022B24941DB42D5896E1B749DD4A2DDD299414C2477E975
3496SpyAgentSetup.exeC:\Users\admin\AppData\Local\Temp\~vis0000\uninst32.exeexecutable
MD5:2DF12458AE83E3F19723CF48866B21D4
SHA256:7E306136271DE860A01C1AE2454CB31209A529769577A5625386343A0B2C32FF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
1.rar