| Field | Value |
|---|---|
| File name: | SQLI Dumper V.8.5.rar |
| Full analysis: | https://app.any.run/tasks/f059da92-df49-4069-9e77-5a9372878009 |
| Verdict: | Malicious activity |
| Analysis date: | December 25, 2023, 12:48:57 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | C410EDC2953DAF6F0EBBDFD01663180D |
| SHA1: | CC686CB3139B1204FE08BC9BB201E099B6572F0D |
| SHA256: | 53784C4B938689F405D1FEDFCAF71B87485716F0B333AA2F98159FB3DE52B632 |
| SSDEEP: | 98304:t3c6tu9tjHflQHuBrumywvbHMefKOqDBbEBPwyrdw25YcdnJ+Ei36QzpfdqM0ffY:RA378 |
| Extension | Detected file type |
|---|---|
| .rar | RAR compressed archive (v5.0) (61.5) |
| .rar | RAR compressed archive (gen) (38.4) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 128 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SQLI Dumper V.8.5.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
| 1380 | "C:\Users\admin\Desktop\SQLI Dumper V.8.5\SQLi v.8.5.exe" | C:\Users\admin\Desktop\SQLI Dumper V.8.5\SQLi v.8.5.exe | | explorer.exe |

| PID | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 128 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.91.0 |
| 1380 | admin | SQLi Trush Corp | MEDIUM | SQLi Dumper v8.0 | 0 | 8.0.0.0 |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 128 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US |
| 128 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| 128 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\phacker.zip |
| 128 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 128 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip |
| 128 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 128 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 128 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| 128 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| 1380 | SQLi v.8.5.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.3121\SQLI Dumper V.8.5\GeoIP.dat | binary | CB9AD69965F9F4CFF8572983F60BE67C | 56C7079DC309168D9C41DD4A7A61033ACD264A120CA8D2E2182ABB5B9AE6B0A3 |
| 1380 | SQLi v.8.5.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | AC05D27423A85ADC1622C714F2CB6184 | C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D |
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.3121\SQLI Dumper V.8.5\DIC\dic_admin.txt | text | F4675FA366AAE47396F8CFB2F3EB1B9A | 826FBBAA5DE45C1238FC7B9F4436C1B87444F8103F4F65180F8547E3F271A413 |
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.3121\SQLI Dumper V.8.5\DIC\dic_file_dump.txt | text | 351CACFFC2884FCD4E69BB1FB04DDEB5 | C67BCC0B4ED5E5EF72AA1134C0838D9201A97C2BF462FDFF0AC9052A53B286A2 |
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.3121\SQLI Dumper V.8.5\Settings(1).xml | xml | 6CADCD28429156CBC1D77447BBDDDF42 | 88AD0488FE62D131F1CA29A7DE9470038E436F33F76CE1A83D6B41BDF3DC6C7C |
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.3121\SQLI Dumper V.8.5\Settings.xml | xml | C1325A39D0E3739DD525F4ECD429482C | 25ED34E441EA3DA5BB496470D8C3E32D0FBA0F3DBE1B61126BE25288472A3FD5 |
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.3121\SQLI Dumper V.8.5\SQLi v.8.5.exe | executable | F558500B09118C2D5482C0097D41B986 | 4081A78BA280D28C56551983E515486A1DACF9BA26A3E76A71060982CC9E5ED7 |
| 1380 | SQLi v.8.5.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | E7104843451EB714E46A1953EAB91877 | 4D41E10977E4AC460A95B90DBF01E069BF82CD6A7281EB1FEE731D88EFF4802C |
| 1380 | SQLi v.8.5.exe | C:\Users\admin\AppData\Local\Temp\Cab110E.tmp | compressed | AC05D27423A85ADC1622C714F2CB6184 | C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D |
| 1380 | SQLi v.8.5.exe | C:\Users\admin\AppData\Local\Temp\Tar110F.tmp | binary | 9C0C641C06238516F27941AA1166D427 | 4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1380 | SQLi v.8.5.exe | GET | 301 | 104.20.67.143:80 | http://pastebin.com/raw/3vsJLpWu | unknown | — | — | unknown |
| 1380 | SQLi v.8.5.exe | GET | 302 | 104.18.36.224:80 | http://www.webcrawler.com/search/web?q=christin-katja%40arcor.de%3aangelina03 | unknown | — | — | unknown |
| 1380 | SQLi v.8.5.exe | GET | 301 | 151.101.2.114:80 | http://www.ask.com/web?q=stylo9999%40interia.pl%3aqwerty | US | — | — | unknown |
| 1380 | SQLi v.8.5.exe | GET | 200 | 5.255.255.88:80 | http://www.yandex.com/yandsearch?text=christin-katja%40arcor.de%3aangelina03 | RU | html | 72.0 Kb | unknown |
| 1380 | SQLi v.8.5.exe | GET | 301 | 212.82.100.137:80 | http://www.wow.com/search?q=stylo9999%40interia.pl%3aqwerty | IE | text | 25 b | unknown |
| 1380 | SQLi v.8.5.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1242bcaa668520f0 | GB | compressed | 65.2 Kb | unknown |
| 1380 | SQLi v.8.5.exe | GET | 301 | 151.101.2.114:80 | http://www.ask.com/web?q=luckybencat%4021cn.com%3a68908093 | US | — | — | unknown |
| 1380 | SQLi v.8.5.exe | GET | 200 | 2.16.100.130:80 | http://www.bing.com/search?q=marshall%40bikenut.org%3ahyrunes1&count=50 | DE | html | 72.7 Kb | unknown |
| 1380 | SQLi v.8.5.exe | GET | 200 | 2.16.100.130:80 | http://www.bing.com/search?q=rom1.vernier%40wanadoo.fr%3afutura&count=50 | DE | html | 72.8 Kb | unknown |
| 1380 | SQLi v.8.5.exe | GET | 302 | 5.255.255.88:80 | http://www.yandex.com/yandsearch?text=mariocervo%40cheapnet.it%3acervomario | RU | html | 72.0 Kb | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1380 | SQLi v.8.5.exe | 104.20.67.143:80 | pastebin.com | CLOUDFLARENET | — | unknown |
| 1380 | SQLi v.8.5.exe | 104.20.67.143:443 | pastebin.com | CLOUDFLARENET | — | unknown |
| 1380 | SQLi v.8.5.exe | 104.18.36.224:80 | www.webcrawler.com | CLOUDFLARENET | — | unknown |
| 1380 | SQLi v.8.5.exe | 5.255.255.88:80 | www.yandex.com | YANDEX LLC | RU | whitelisted |
| 1380 | SQLi v.8.5.exe | 151.101.2.114:80 | www.ask.com | FASTLY | US | unknown |
| 1380 | SQLi v.8.5.exe | 151.101.2.114:443 | www.ask.com | FASTLY | US | unknown |
| 1380 | SQLi v.8.5.exe | 104.18.36.224:443 | www.webcrawler.com | CLOUDFLARENET | — | unknown |
| Domain | IP | Reputation |
|---|---|---|
| pastebin.com | | shared |
| www.webcrawler.com | | whitelisted |
| www.yandex.com | | whitelisted |
| www.wow.com | | whitelisted |
| www.ask.com | | whitelisted |
| ctldl.windowsupdate.com | | whitelisted |
| search.yahoo.com | | whitelisted |
| www.bing.com | | whitelisted |
| search.aol.com | | whitelisted |
| pesquisa.sapo.pt | | unknown |