File name: release.rar
Full analysis: https://app.any.run/tasks/e34f5770-6111-45f4-b385-1d4f33c1f0f7
Verdict: Malicious activity
Analysis date: May 30, 2020, 03:51:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 716B085E71C6285F3B1D1DB544DD1730
SHA1: A2E2953CF894E51045D08BAE5382F5178F75A3EE
SHA256: 4A05003267AB6AC0FA6B498005F8A4CBD72699AA5C414996CBFB9A3A77A03427
SSDEEP: 196608:aM2Beo54plm8qkZv/B/7c7g6LNfNtcDVRa1z5HU1InrYO3j8kKC989vbxitZXNwR:af53Bc3BTGXLxNtwAyij8kKLbxit4d/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • x32dbg.exe (PID: 2608)
      • x96dbg.exe (PID: 1704)
      • x96dbg.exe (PID: 688)
      • x32dbg.exe (PID: 2568)
      • x96dbg.exe (PID: 2960)
      • x96dbg.exe (PID: 1756)
    • Loads dropped or rewritten executable

      • x32dbg.exe (PID: 2608)
      • SearchProtocolHost.exe (PID: 3364)
      • x32dbg.exe (PID: 2568)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2472)
    • Application launched itself

      • x96dbg.exe (PID: 1704)
  • INFO

    • Manual execution by user

      • x96dbg.exe (PID: 1704)
      • x96dbg.exe (PID: 688)
      • x32dbg.exe (PID: 2568)
      • x96dbg.exe (PID: 1756)
    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 2472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
All screenshots are available in the full report
Total processes: 47
Monitored processes: 8
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes in the graph: winrar.exe, searchprotocolhost.exe, x96dbg.exe, x32dbg.exe, x96dbg.exe, x96dbg.exe, x96dbg.exe, x32dbg.exe

Process information

PID: 2472
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\release.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3364
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 688
CMD: "C:\Users\admin\Desktop\x96dbg.exe"
Path: C:\Users\admin\Desktop\x96dbg.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: x64dbg
Exit code: 0
Version: 0.0.2.5

PID: 2608
CMD: "C:\Users\admin\Desktop\x32\x32dbg.exe"
Path: C:\Users\admin\Desktop\x32\x32dbg.exe
Parent process: x96dbg.exe
User: admin
Integrity Level: MEDIUM
Description: x64dbg
Exit code: 0
Version: 0.0.2.5

PID: 1704
CMD: "C:\Users\admin\Desktop\x96dbg.exe"
Path: C:\Users\admin\Desktop\x96dbg.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: x64dbg
Exit code: 0
Version: 0.0.2.5

PID: 2960
CMD: "C:\Users\admin\Desktop\x96dbg.exe" ::install
Path: C:\Users\admin\Desktop\x96dbg.exe
Parent process: x96dbg.exe
User: admin
Integrity Level: HIGH
Description: x64dbg
Exit code: 0
Version: 0.0.2.5

PID: 1756
CMD: "C:\Users\admin\Desktop\x96dbg.exe"
Path: C:\Users\admin\Desktop\x96dbg.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: x64dbg
Exit code: 0
Version: 0.0.2.5

PID: 2568
CMD: "C:\Users\admin\Desktop\x32\x32dbg.exe"
Path: C:\Users\admin\Desktop\x32\x32dbg.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: x64dbg
Version: 0.0.2.5
Total events: 1 030
Read events: 983
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 29
Suspicious files: 0
Text files: 5
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2472 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2472.8002\x32\loaddll.exe | executable | 27D2D7608D6E8F010C3B22A44A066D93 | 44F606640A1E75781DDA7A4EE7048C7E86126A355FDFB7C0694871227C2C70FB
2472 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2472.8002\x32\TitanEngine.dll | executable | DD36176B05DD264A0FF83C0A9774D2F4 | 55DADFE1B88561CF14AFD52FE8EAD151D8F961A19C32B634680C0DF9AB208A8D
2472 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2472.8002\x32\asmjit.dll | executable | D70B3BD199EA6C80D751E8146F493BA6 | 9D578A3DB04DB58DF4BC4F4000E93C8D51449CFD4547AD26B90445501CEC048F
2472 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2472.8002\x32\DeviceNameResolver.dll | executable | A35A5D965A7697242AF24F93F4978E19 | 4FA654D71CE434F364575B642A745BDF4BA94544C762EABAF383449795EDD506
2472 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2472.8002\x32\platforms\qwindows.dll | executable | E25BAF30CFE9B709D3A1D4EA7D06900D | 476A108B5724F74A8AD7F23976BE6C9B385CAA816FAA7B55A9B4C635899F6C1C
2472 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2472.8002\x32\dbghelp.dll | executable | 6329180A43F2E000AC991FEF82A2A7E3 | FCE7AD5C5D85FA547F86605C93F2E52654E5C43E686CEEAF24C28C157E91ED72
2472 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2472.8002\x32\jansson.dll | executable | 112B0ACFB3EC66861FF569B4F370FCBC | EDEA94824751746AB1498E9DBF15BE20E37ECE7533C51ED410EDDE724103CAA4
2472 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2472.8002\x32\Scylla.dll | executable | 9CEC18438D3071B57770DB4EB0197EA3 | C860196803460448941BED5A99C5D77A8B16E8B6D57D7F26A740F52E26ABBAD8
2472 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2472.8002\x32\ldconvert.dll | executable | 059891FB43C1E7D4135D2ED23D4A81B5 | BCE19949FD256954B98512C5DA06AFAE1639D6415B195730019533B76334BA2C
2472 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2472.8002\x32\msdia140.dll | executable | F497F6282663007EBA751A4E6A302DB6 | C04C19EE74EA1EDA357549A43FC4A340C43B05EE6F4B7E4B7E3613BA015765E8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections: No data

DNS requests: No data

Threats: No threats detected
Process | Message
x96dbg.exe | "C:\Users\admin\Desktop\x96dbg.exe"
x96dbg.exe | "C:\Users\admin\Desktop\x96dbg.exe"
x32dbg.exe | QMetaObject::connectSlotsByName: No matching signal for on_txtUnicode_clicked()
x32dbg.exe | QMetaObject::connectSlotsByName: No matching signal for on_txtUnicode_clicked()
x96dbg.exe | "C:\Users\admin\Desktop\x96dbg.exe"
x96dbg.exe | "C:\Users\admin\Desktop\x96dbg.exe"
x96dbg.exe | "C:\Users\admin\Desktop\x96dbg.exe" ::install
x96dbg.exe | "C:\Users\admin\Desktop\x96dbg.exe" ::install
x96dbg.exe | [x96dbg] Command line:
x96dbg.exe | "C:\Users\admin\Desktop\x96dbg.exe"