analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Desktop.rar

Full analysis: https://app.any.run/tasks/d7b67a3e-e6b5-459b-a6b8-ee238b13e858
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: August 08, 2020, 15:07:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

16774B14D44A6EDF9025B673EC1F8683

SHA1:

D562B9FCDCCEA770E8F0476E819200DA31FD6F32

SHA256:

51E4D299F7EB9072A59008A3B8D5915192C4FE629346622B5271793CD6E8724E

SSDEEP:

6144:z3ebXZhEqIpOMKCVc3lIQ4sQeEatBimQuZoO7+uZl5PvbcPPtI+Z2W5wIDv:zwXjEqbTQSlOZex7Q8oI+ql5Pj6S+8S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3460)
      • Build.exe (PID: 2792)
      • Build.exe (PID: 1728)

    • Application was dropped or rewritten from another process

      • Build.exe (PID: 2792)
      • Build.exe (PID: 1728)

    • Actions looks like stealing of personal data

      • Build.exe (PID: 2792)
      • Build.exe (PID: 1728)

    • Stealing of credential data

      • Build.exe (PID: 2792)
      • Build.exe (PID: 1728)

  • SUSPICIOUS

    • Reads Environment values

      • Build.exe (PID: 2792)
      • Build.exe (PID: 1728)

    • Starts CMD.EXE for commands execution

      • Build.exe (PID: 2792)
      • Build.exe (PID: 1728)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 972)

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 2144)
      • cmd.exe (PID: 2460)
      • cmd.exe (PID: 1008)
      • cmd.exe (PID: 2980)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2144)
      • cmd.exe (PID: 2460)
      • cmd.exe (PID: 844)
      • cmd.exe (PID: 1008)
      • cmd.exe (PID: 2980)
      • cmd.exe (PID: 3564)

    • Reads the cookies of Google Chrome

      • Build.exe (PID: 2792)
      • Build.exe (PID: 1728)

    • Reads the cookies of Mozilla Firefox

      • Build.exe (PID: 2792)
      • Build.exe (PID: 1728)

    • Reads CPU info

      • Build.exe (PID: 2792)
      • Build.exe (PID: 1728)

    • Checks for external IP

      • Build.exe (PID: 2792)
      • Build.exe (PID: 1728)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 844)
      • cmd.exe (PID: 3564)

  • INFO

    • Reads settings of System Certificates

      • Build.exe (PID: 1728)

    • Manual execution by user

      • Build.exe (PID: 1728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
69
Monitored processes
26
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start winrar.exe build.exe searchprotocolhost.exe no specs cmd.exe no specs chcp.com no specs netsh.exe no specs findstr.exe no specs cmd.exe no specs chcp.com no specs netsh.exe no specs build.exe cmd.exe no specs chcp.com no specs taskkill.exe no specs timeout.exe no specs cmd.exe no specs chcp.com no specs netsh.exe no specs findstr.exe no specs cmd.exe no specs chcp.com no specs netsh.exe no specs cmd.exe no specs chcp.com no specs taskkill.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
972"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Desktop.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2792"C:\Users\admin\AppData\Local\Temp\Rar$EXa972.10236\Build.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa972.10236\Build.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Neko
Exit code:
1
Version:
1.0.0.0
3460"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2144"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr AllC:\Windows\system32\cmd.exeBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2812chcp 65001 C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3904netsh wlan show profile C:\Windows\system32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2264findstr AllC:\Windows\system32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2460"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssidC:\Windows\system32\cmd.exeBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3356chcp 65001 C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3696netsh wlan show networks mode=bssidC:\Windows\system32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 030
Read events
777
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
119
Unknown types
2

Dropped files

PID
Process
Filename
Type
972WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa972.10779\DotNetZip.dll
MD5:
SHA256:
972WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa972.10779\Build.exe
MD5:
SHA256:
2792Build.exeC:\Users\admin\AppData\Local\Temp\places.raw
MD5:
SHA256:
2792Build.exeC:\Users\admin\AppData\Local\Temp\tmp31AA.tmp.dat
MD5:
SHA256:
2792Build.exeC:\Users\admin\AppData\Local\Temp\tmp31CB.tmp.dat
MD5:
SHA256:
972WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa972.10236\Build.exeexecutable
MD5:81FA9B3508A11961CFD5A53A9B0C0D85
SHA256:2A471132106E379965C52B94AD28578FEF75369579747FEDF3AEDD240C8049B4
2792Build.exeC:\Users\admin\AppData\Local\8924f861b6d4a664e5ad5dc14b027965\admin@USER-PC_en-US\Directories\Desktop.txttext
MD5:E88CE3D2866D764D84012D11CE79A371
SHA256:29F2D53A2BA2B04294377D00916CD2D7F9339605E2F2B5F57A7E8FA9EF2989DC
2792Build.exeC:\Users\admin\AppData\Local\8924f861b6d4a664e5ad5dc14b027965\admin@USER-PC_en-US\System\Process.txttext
MD5:F4544FA11A3A7653CCC7B145EB8560A4
SHA256:A7A7E5E1D0D50258E863A42FFC8886C8BCFC0B431C5074E89D4EBC0332ABF793
2792Build.exeC:\Users\admin\AppData\Local\8924f861b6d4a664e5ad5dc14b027965\admin@USER-PC_en-US\Grabber\DRIVE-C\Users\admin\Pictures\ratestaking.pngimage
MD5:EABC048F352C62AE2198D5088EE29010
SHA256:128346B1C64262D94B22972801C13B19CE51B2C85D02ACB34AFED0AEE854A5F1
2792Build.exeC:\Users\admin\AppData\Local\Temp\tmp31CC.tmp.dat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
10
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1728
Build.exe
GET
200
116.202.55.106:80
http://icanhazip.com/
IN
text
13 b
shared
2792
Build.exe
GET
200
116.202.55.106:80
http://icanhazip.com/
IN
text
13 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1728
Build.exe
151.101.0.133:443
raw.githubusercontent.com
Fastly
US
malicious
2792
Build.exe
172.67.210.196:443
api.mylnikov.org
US
unknown
2792
Build.exe
151.101.0.133:443
raw.githubusercontent.com
Fastly
US
malicious
2792
Build.exe
45.148.16.42:443
api.anonfiles.com
malicious
149.154.167.220:443
api.telegram.org
Telegram Messenger LLP
GB
malicious
2792
Build.exe
116.202.55.106:80
icanhazip.com
334,Udyog Vihar
IN
malicious
1728
Build.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger LLP
GB
malicious
1728
Build.exe
172.67.210.196:443
api.mylnikov.org
US
unknown
1728
Build.exe
45.148.16.42:443
api.anonfiles.com
malicious
1728
Build.exe
116.202.55.106:80
icanhazip.com
334,Udyog Vihar
IN
malicious

DNS requests

Domain
IP
Reputation
raw.githubusercontent.com
  • 151.101.0.133
  • 151.101.64.133
  • 151.101.128.133
  • 151.101.192.133
shared
api.anonfiles.com
  • 45.148.16.42
unknown
icanhazip.com
  • 116.202.55.106
  • 116.202.244.153
shared
api.mylnikov.org
  • 172.67.210.196
  • 104.18.40.62
  • 104.18.41.62
suspicious
api.telegram.org
  • 149.154.167.220
shared

Threats

PID
Process
Class
Message
2792
Build.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
2792
Build.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2792
Build.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1728
Build.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1728
Build.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
1728
Build.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Desktop.rar