| Field | Value |
|---|---|
| File name | Codelux Crypter v3.0 Cracked.rar |
| Full analysis | https://app.any.run/tasks/ff8a5dba-fa85-42a8-8fec-1694e7326312 |
| Verdict | Malicious activity |
| Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date | September 11, 2018, 16:58:05 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-rar |
| File info | RAR archive data, v4, os: Win32, flags: FirstVolume |
| MD5 | A87B6D6601A3684D116091B2B51FE83F |
| SHA1 | 426AB308B45BEB466C9DF1B163C4018321FA35C5 |
| SHA256 | 50567F285F15A136821B420E1C95DF758741F264C99FA0755B51566F0F88495B |
| SSDEEP | 49152:/qecfaIBqeJyXEfcbX/VTqz6hQAtQzQ3sjEx0Mb8Go2qp4mYu9DW:knBTyXNLVqz6HtL8wxlb8GoBp47u9i |
| Extension | File type (score) |
|---|---|
| .rar | RAR compressed archive (v-4.x) (58.3) |
| .rar | RAR compressed archive (gen) (41.6) |

| Field | Value |
|---|---|
| CompressedSize | 6182 |
| UncompressedSize | 13312 |
| OperatingSystem | Win32 |
| ModifyDate | 2014:08:06 17:45:26 |
| PackingMethod | Normal |
| ArchivedFileName | Codelux Crypter v3.0\CodeluxCore.dll |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 456 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\-iycknr5.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | 221.exe | admin | Microsoft Corporation | MEDIUM | Visual C# Command Line Compiler | 0 | 8.0.50727.4927 (NetFXspW7.050727-4900) |
| 704 | "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\24h1zupn.cmdline" | C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe | | CodeluxCrypterV3 - Cracked by Meth.exe | admin | Microsoft Corporation | HIGH | Visual C# Command Line Compiler | 0 | 3.5.30729.5420 built by: Win7SP1 |
| 772 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=884,17239374524747702776,16679595196919604641,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=698BD704AD3FAC7DFE5FF2A7CEFC9C00 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=698BD704AD3FAC7DFE5FF2A7CEFC9C00 --renderer-client-id=7 --mojo-platform-channel-handle=3656 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | admin | Google Inc. | LOW | Google Chrome | 0 | 68.0.3440.106 |
| 1112 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=884,17239374524747702776,16679595196919604641,131072 --enable-features=PasswordImport --service-pipe-token=D2DF0891627B709764EC854C1E477776 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=D2DF0891627B709764EC854C1E477776 --renderer-client-id=6 --mojo-platform-channel-handle=2104 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | admin | Google Inc. | LOW | Google Chrome | 0 | 68.0.3440.106 |
| 1140 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=948,3976621973244238051,3202052639315945145,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=B1E32FFCFCC4AF1D6D69BDC22D11E90A --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=B1E32FFCFCC4AF1D6D69BDC22D11E90A --renderer-client-id=13 --mojo-platform-channel-handle=3496 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | admin | Google Inc. | LOW | Google Chrome | 0 | 68.0.3440.106 |
| 1224 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | | explorer.exe | admin | Google Inc. | MEDIUM | Google Chrome | 3221225547 | 68.0.3440.106 |
| 1356 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=948,3976621973244238051,3202052639315945145,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=02EF42D8681014DE1A7D6ABA3BCD22DA --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=02EF42D8681014DE1A7D6ABA3BCD22DA --renderer-client-id=12 --mojo-platform-channel-handle=1672 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | admin | Google Inc. | LOW | Google Chrome | 0 | 68.0.3440.106 |
| 1404 | reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\admin\AppData\Roaming\quRlbmbw.exe" | C:\Windows\system32\reg.exe | | cmd.exe | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1412 | "C:\Users\admin\Desktop\Codelux Crypter v3.0\CodeluxCrypterV3 - Cracked by Meth.exe" | C:\Users\admin\Desktop\Codelux Crypter v3.0\CodeluxCrypterV3 - Cracked by Meth.exe | — | explorer.exe | admin | Codelux Software Inc. | MEDIUM | Codelux Crypter v3.0 | 3221226540 | 3.6.5.0 |
| 1480 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES2BF6.tmp" "c:\Users\admin\AppData\Local\Temp\CSC2BF5.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | admin | Microsoft Corporation | MEDIUM | Microsoft® Resource File To COFF Object Conversion Utility | 0 | 8.00.50727.4940 (Win7SP1.050727-5400) |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 1992 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write | |
| 1992 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write | |
| 1992 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | write | en-US |
| 1992 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\AppData\Local\Temp\Codelux Crypter v3.0 Cracked.rar |
| 1992 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120 |
| 1992 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80 |
| 1992 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | write | 120 |
| 1992 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | write | 100 |
| 1992 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | write | 0 |
| 1992 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | write | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1992.28571\Codelux Crypter v3.0\CodeluxCore.dll | — | — | — |
| 1992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1992.28571\Codelux Crypter v3.0\CodeluxCrypterV3 - Cracked by Meth.exe | — | — | — |
| 1992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1992.28571\Codelux Crypter v3.0\Icons.zip | — | — | — |
| 1992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1992.28571\Codelux Crypter v3.0\Mono.Cecil.dll | — | — | — |
| 1992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1992.28571\Codelux Crypter v3.0\README.txt | — | — | — |
| 1992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1992.28571\Codelux Crypter v3.0\Resources\runpe.exe | — | — | — |
| 1992 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1992.28571\Codelux Crypter v3.0\Resources\stub.cs | — | — | — |
| 1224 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5B97F445-4C8.pma | — | — | — |
| 1224 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index | — | — | — |
| 1224 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0 | — | — | — |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3636 | vbc.exe | GET | — | 176.123.0.55:80 | http://marcabets.in/assets/bu/shit.exe | MD | — | — | malicious |
| 3636 | vbc.exe | POST | — | 176.123.0.55:80 | http://marcabets.in/assets/bu/gate.php | MD | — | — | malicious |
| 1224 | chrome.exe | GET | 301 | 151.101.2.49:80 | http://urlhaus.abuse.ch/browse | US | — | — | whitelisted |
| 1224 | chrome.exe | GET | 200 | 204.11.58.151:80 | http://innlhome.com/tyt/putty.exe | US | executable | 775 Kb | malicious |
| 3636 | vbc.exe | POST | — | 176.123.0.55:80 | http://marcabets.in/assets/bu/gate.php | MD | — | — | malicious |
| 3664 | 221.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 53.8 Kb | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1224 | chrome.exe | 172.217.17.35:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
| 1224 | chrome.exe | 172.217.19.195:443 | www.google.com.ua | Google Inc. | US | whitelisted |
| 1224 | chrome.exe | 172.217.17.99:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
| 1224 | chrome.exe | 172.217.17.45:443 | accounts.google.com | Google Inc. | US | whitelisted |
| 1224 | chrome.exe | 216.58.205.228:443 | www.google.com | Google Inc. | US | whitelisted |
| 1224 | chrome.exe | 172.217.23.131:443 | www.gstatic.com | Google Inc. | US | whitelisted |
| 1224 | chrome.exe | 172.217.19.206:443 | apis.google.com | Google Inc. | US | whitelisted |
| 1224 | chrome.exe | 151.101.2.49:80 | urlhaus.abuse.ch | Fastly | US | malicious |
| 1224 | chrome.exe | 151.101.2.49:443 | urlhaus.abuse.ch | Fastly | US | malicious |
| 1224 | chrome.exe | 216.58.206.14:443 | play.google.com | Google Inc. | US | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| www.google.com.ua | | whitelisted |
| clientservices.googleapis.com | | whitelisted |
| accounts.google.com | | shared |
| ssl.gstatic.com | | whitelisted |
| www.gstatic.com | | whitelisted |
| apis.google.com | | whitelisted |
| www.google.com | | malicious |
| www.google.fr | | whitelisted |
| fonts.googleapis.com | | whitelisted |
| fonts.gstatic.com | | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 1224 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 3636 | vbc.exe | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
| 3636 | vbc.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
| 3636 | vbc.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
| 3636 | vbc.exe | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
| 3636 | vbc.exe | Potentially Bad Traffic | ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) |
| 3636 | vbc.exe | Potential Corporate Privacy Violation | ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System |
| 3636 | vbc.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer |
| 3636 | vbc.exe | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 |
| 3636 | vbc.exe | A Network Trojan was detected | ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 |
| Process | Message |
|---|---|
| csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
| csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
| csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp |
| csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
| csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
| csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
| csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
| csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
| csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
| csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp |
| csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |