File name: Новая папка (2).rar

Full analysis: https://app.any.run/tasks/d0b0721a-dc6b-4bf1-8e39-7300da504da5
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various types of programs, each focused on a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: September 30, 2020, 11:36:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer, evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: F00C29A5C1831EB7EF758549AD62E4A9
SHA1: E3F89E543C4CDD4371C161093036DB4CE19398A5
SHA256: 585BE9405B325B3639602A9377211B4CA5608C50F165AD990659EE7894834CC3
SSDEEP: 196608:iBfuWALAqFhiO4ngPNbFXZfSUSn/kQECeiENtH6LJLKP:vWuyOOYjXZfSrudnNtao

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3832)
      • FY0GPLT3JZKTSG8.exe (PID: 2116)
      • FY0GPLT3JZKTSG8.exe (PID: 2492)
    • Application was dropped or rewritten from another process

      • 1Macro.exe (PID: 948)
      • 1Macro.exe (PID: 2704)
      • FY0GPLT3JZKTSG8.exe (PID: 2492)
      • FY0GPLT3JZKTSG8.exe (PID: 2116)
      • spoofer.exe (PID: 3748)
    • Stealing of credential data

      • spoofer.exe (PID: 3748)
    • Changes settings of System certificates

      • spoofer.exe (PID: 3748)
    • Actions look like stealing of personal data

      • spoofer.exe (PID: 3748)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2708)
      • 1Macro.exe (PID: 2704)
    • Creates files in the user directory

      • 1Macro.exe (PID: 2704)
      • spoofer.exe (PID: 3748)
    • Creates files in the Windows directory

      • FY0GPLT3JZKTSG8.exe (PID: 2116)
    • Application launched itself

      • FY0GPLT3JZKTSG8.exe (PID: 2116)
    • Reads the cookies of Mozilla Firefox

      • spoofer.exe (PID: 3748)
    • Reads the cookies of Google Chrome

      • spoofer.exe (PID: 3748)
    • Adds / modifies Windows certificates

      • spoofer.exe (PID: 3748)
    • Reads Environment values

      • spoofer.exe (PID: 3748)
    • Checks for external IP

      • spoofer.exe (PID: 3748)
    • Searches for installed software

      • spoofer.exe (PID: 3748)
  • INFO

    • Manual execution by user

      • 1Macro.exe (PID: 948)
      • 1Macro.exe (PID: 2704)
    • Reads settings of System Certificates

      • spoofer.exe (PID: 3748)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 7
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Interactive graph available in the full report. Nodes: winrar.exe, searchprotocolhost.exe (no specs), 1macro.exe (no specs), 1macro.exe, fy0gplt3jzktsg8.exe, spoofer.exe, fy0gplt3jzktsg8.exe; edge labels: "start", "drop and start".

Process information

PID: 948
CMD: "C:\Users\admin\Desktop\1Macro.exe"
Path: C:\Users\admin\Desktop\1Macro.exe
Parent process: explorer.exe
User: admin
Company: MacroEngine
Integrity Level: MEDIUM
Description: Macro
Exit code: 3221226540
Version: 5.1.1.0
Modules (Images):
  • c:\users\admin\desktop\1macro.exe
  • c:\systemroot\system32\ntdll.dll

PID: 2116
CMD: "C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe"
Path: C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe
Parent process: 1Macro.exe
User: admin
Integrity Level: HIGH
Description: OneMacro
Exit code: 0
Version: 1.3.3.7
Modules (Images):
  • c:\users\admin\appdata\roaming\fy0gplt3jzktsg8.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2492
CMD: "C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe"
Path: C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe
Parent process: FY0GPLT3JZKTSG8.exe
User: admin
Integrity Level: HIGH
Description: OneMacro
Exit code: 0
Version: 1.3.3.7
Modules (Images):
  • c:\users\admin\appdata\roaming\fy0gplt3jzktsg8.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2704
CMD: "C:\Users\admin\Desktop\1Macro.exe"
Path: C:\Users\admin\Desktop\1Macro.exe
Parent process: explorer.exe
User: admin
Company: MacroEngine
Integrity Level: HIGH
Description: Macro
Exit code: 0
Version: 5.1.1.0
Modules (Images):
  • c:\users\admin\desktop\1macro.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\shlwapi.dll

PID: 2708
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Новая папка (2).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (Images):
  • c:\program files\winrar\winrar.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll

PID: 3748
CMD: "C:\Users\admin\AppData\Roaming\spoofer.exe"
Path: C:\Users\admin\AppData\Roaming\spoofer.exe
Parent process: 1Macro.exe
User: admin
Company: Intel plugin
Integrity Level: HIGH
Description: Intel plugin
Exit code: 0
Version: 2.0.0.0
Modules (Images):
  • c:\users\admin\appdata\roaming\spoofer.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll

PID: 3832
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\searchprotocolhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
Total events: 1,526
Read events: 1,469
Write events: 57
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(2708) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
(2708) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
(2708) WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write | LanguageList | en-US
(2708) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Новая папка (2).rar
(2708) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
(2708) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
(2708) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
(2708) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
(2708) WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface | write | ShowPassword | 0
(2704) 1Macro.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
Executable files: 11
Suspicious files: 1
Text files: 19
Unknown types: 14

Dropped files

PID | Process | Filename | Type
2704 | 1Macro.exe | C:\Users\admin\AppData\Local\Temp\nsv1644.tmp |
2704 | 1Macro.exe | C:\Users\admin\AppData\Roaming\JTextBox.dll | executable
2708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2708.15515\1Macro.exe | executable
2708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2708.15515\JTextBox.dll | executable
2704 | 1Macro.exe | C:\Users\admin\AppData\Roaming\File.xml | xml
2704 | 1Macro.exe | C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe | executable
2704 | 1Macro.exe | C:\Users\admin\AppData\Roaming\spoofer.exe | executable
3748 | spoofer.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-09-30T12_37_21.8337500+01_001414 | sqlite
3748 | spoofer.exe | C:\Users\admin\AppData\Roaming\DVLRNDZuL1F8BFBFF000506E3C4BA364742\421F8BFBFF000506E3C4BA3647DVLRNDZuL\Browsers\Cookies\Cookies_Mozilla.txt | text
3748 | spoofer.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-09-30T12_37_22.0368750+01_001414 | sqlite
HTTP(S) requests: 8
TCP/UDP connections: 6
DNS requests: 5
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3748 | spoofer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 433 b | malicious
3748 | spoofer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 433 b | malicious
3748 | spoofer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 433 b | malicious
2116 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/Simplifica.ttf | RU | ttf | 55.5 Kb | malicious
2492 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/auth1.php?hwid=1F8BFBFF000506E300371461220350285564 | RU | text | 32 b | malicious
3748 | spoofer.exe | POST | 200 | 94.24.36.14:80 | http://gfs262n304.userstorage.mega.co.nz/ul/-wzQKLTtVo-7-gJ_24g07IN_rxUuQqGv9zdMMMQeUdsXnW6ju5C8ovgcj0t0m9lCRcRwoLNe5F8_kea8rdk4nA/0 | RO | text | 36 b | suspicious
2492 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/server1.php | RU | text | 6 b | malicious
2492 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/version.txt | RU | text | 3 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2492 | FY0GPLT3JZKTSG8.exe | 46.174.50.8:80 | 1macro.ru | RS-Media LLC | RU | malicious
2116 | FY0GPLT3JZKTSG8.exe | 46.174.50.8:80 | 1macro.ru | RS-Media LLC | RU | malicious
3748 | spoofer.exe | 208.95.112.1:80 | ip-api.com | IBURST | | malicious
3748 | spoofer.exe | 54.204.14.42:443 | api.ipify.org | Amazon.com, Inc. | US | suspicious
3748 | spoofer.exe | 94.24.36.14:80 | gfs262n304.userstorage.mega.co.nz | | RO | suspicious
3748 | spoofer.exe | 66.203.125.15:443 | g.api.mega.co.nz | RealNetworks, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
1macro.ru | 46.174.50.8 | malicious
api.ipify.org | 54.204.14.42, 23.21.109.69, 54.235.83.248, 23.21.126.66, 23.21.252.4, 54.235.169.38, 54.225.169.28, 54.235.182.194 | shared
ip-api.com | 208.95.112.1 | malicious
g.api.mega.co.nz | 66.203.125.15, 66.203.125.12, 66.203.125.13, 66.203.125.11, 66.203.125.14 | shared
gfs262n304.userstorage.mega.co.nz | 94.24.36.14 | suspicious

Threats

PID | Process | Class | Message
3748 | spoofer.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check
3748 | spoofer.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3748 | spoofer.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3748 | spoofer.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3748 | spoofer.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY HTTP POST to MEGA Userstorage
3748 | spoofer.exe | A Network Trojan was detected | STEALER [PTsecurity] Agensla.gen
1 ETPRO signature is available in the full report
Process | Message
spoofer.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------