File name: Новая папка (2).rar
Full analysis: https://app.any.run/tasks/d0b0721a-dc6b-4bf1-8e39-7300da504da5
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: September 30, 2020, 11:36:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer, evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: F00C29A5C1831EB7EF758549AD62E4A9
SHA1: E3F89E543C4CDD4371C161093036DB4CE19398A5
SHA256: 585BE9405B325B3639602A9377211B4CA5608C50F165AD990659EE7894834CC3
SSDEEP: 196608:iBfuWALAqFhiO4ngPNbFXZfSUSn/kQECeiENtH6LJLKP:vWuyOOYjXZfSrudnNtao

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 1Macro.exe (PID: 2704)
      • 1Macro.exe (PID: 948)
      • FY0GPLT3JZKTSG8.exe (PID: 2116)
      • spoofer.exe (PID: 3748)
      • FY0GPLT3JZKTSG8.exe (PID: 2492)
    • Loads dropped or rewritten executable

      • FY0GPLT3JZKTSG8.exe (PID: 2116)
      • SearchProtocolHost.exe (PID: 3832)
      • FY0GPLT3JZKTSG8.exe (PID: 2492)
    • Stealing of credential data

      • spoofer.exe (PID: 3748)
    • Actions look like stealing of personal data

      • spoofer.exe (PID: 3748)
    • Changes settings of System certificates

      • spoofer.exe (PID: 3748)
  • SUSPICIOUS

    • Creates files in the user directory

      • 1Macro.exe (PID: 2704)
      • spoofer.exe (PID: 3748)
    • Executable content was dropped or overwritten

      • 1Macro.exe (PID: 2704)
      • WinRAR.exe (PID: 2708)
    • Reads the cookies of Mozilla Firefox

      • spoofer.exe (PID: 3748)
    • Creates files in the Windows directory

      • FY0GPLT3JZKTSG8.exe (PID: 2116)
    • Checks for external IP

      • spoofer.exe (PID: 3748)
    • Reads the cookies of Google Chrome

      • spoofer.exe (PID: 3748)
    • Application launched itself

      • FY0GPLT3JZKTSG8.exe (PID: 2116)
    • Reads Environment values

      • spoofer.exe (PID: 3748)
    • Adds / modifies Windows certificates

      • spoofer.exe (PID: 3748)
    • Searches for installed software

      • spoofer.exe (PID: 3748)
  • INFO

    • Manual execution by user

      • 1Macro.exe (PID: 2704)
      • 1Macro.exe (PID: 948)
    • Reads settings of System Certificates

      • spoofer.exe (PID: 3748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD:
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 7
Malicious processes: 5
Suspicious processes: 0

Behavior graph (interactive; see the full report): nodes winrar.exe, searchprotocolhost.exe (no specs), 1macro.exe (no specs), 1macro.exe, fy0gplt3jzktsg8.exe, spoofer.exe, fy0gplt3jzktsg8.exe, with edges labelled "start" and "drop and start".

Process information

PID: 2708
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Новая папка (2).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3832
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 948
CMD: "C:\Users\admin\Desktop\1Macro.exe"
Path: C:\Users\admin\Desktop\1Macro.exe
Parent process: explorer.exe
User: admin
Company: MacroEngine
Integrity Level: MEDIUM
Description: Macro
Exit code: 3221226540
Version: 5.1.1.0

PID: 2704
CMD: "C:\Users\admin\Desktop\1Macro.exe"
Path: C:\Users\admin\Desktop\1Macro.exe
Parent process: explorer.exe
User: admin
Company: MacroEngine
Integrity Level: HIGH
Description: Macro
Exit code: 0
Version: 5.1.1.0

PID: 2116
CMD: "C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe"
Path: C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe
Parent process: 1Macro.exe
User: admin
Integrity Level: HIGH
Description: OneMacro
Exit code: 0
Version: 1.3.3.7

PID: 3748
CMD: "C:\Users\admin\AppData\Roaming\spoofer.exe"
Path: C:\Users\admin\AppData\Roaming\spoofer.exe
Parent process: 1Macro.exe
User: admin
Company: Intel plugin
Integrity Level: HIGH
Description: Intel plugin
Exit code: 0
Version: 2.0.0.0

PID: 2492
CMD: "C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe"
Path: C:\Users\admin\AppData\Roaming\FY0GPLT3JZKTSG8.exe
Parent process: FY0GPLT3JZKTSG8.exe
User: admin
Integrity Level: HIGH
Description: OneMacro
Exit code: 0
Version: 1.3.3.7
Total events: 1 526
Read events: 1 469
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 11
Suspicious files: 1
Text files: 19
Unknown types: 14

Dropped files

PID | Process | Filename | Type
2704 | 1Macro.exe | C:\Users\admin\AppData\Local\Temp\nsv1644.tmp |
  MD5:
  SHA256:
2704 | 1Macro.exe | C:\Users\admin\AppData\Roaming\CrackServer.dll | executable
  MD5: F15068868AC7EBF82EEF6D79768019EC
  SHA256: 1742EBB7FE6760CD62EA777434439F688B147E8C426D7EFFCE4FCF8D1138027A
3748 | spoofer.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-09-30T12_37_22.0368750+01_001414 | sqlite
  MD5: 0B3C43342CE2A99318AA0FE9E531C57B
  SHA256: 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8
3748 | spoofer.exe | C:\Users\admin\AppData\Roaming\DVLRNDZuL1F8BFBFF000506E3C4BA364742\421F8BFBFF000506E3C4BA3647DVLRNDZuL\Browsers\Cookies\Cookies_Mozilla.txt | text
  MD5: B9265145B0724A8CFF164F93B06B83FC
  SHA256: D1B92521C343B4ACFD01E0EE9CEAE183BD385DD6F6C065430E32E46705271F8D
2708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2708.15515\1Macro.exe | executable
  MD5: FE937A6C7019622541FDB8105F88BFF6
  SHA256: D14E69553ECD0DCAE0CAD61BAA01AE3C86D83D7A1B27B9345102769B3DA0351A
2704 | 1Macro.exe | C:\Users\admin\AppData\Roaming\JTextBox.dll | executable
  MD5: B0297443F4FF499DA015CB94744C6495
  SHA256: F29BEC38BF0DEF7C6B3E69D927E28260CC605C5306DD93D8AE16958BBF10D902
3748 | spoofer.exe | C:\Users\admin\AppData\Local\Temp\tempDataBase2020-09-30T12_37_21.8337500+01_001414 | sqlite
  MD5: 7C426E0FC19063A433349CE713DA84A0
  SHA256: 9925B2D80F8A85132EF4927979B25E0B9525E8317A71FFD844980B794B04234C
2708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2708.15515\CrackServer.dll | executable
  MD5: F15068868AC7EBF82EEF6D79768019EC
  SHA256: 1742EBB7FE6760CD62EA777434439F688B147E8C426D7EFFCE4FCF8D1138027A
2708 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2708.15515\JTextBox.dll | executable
  MD5: B0297443F4FF499DA015CB94744C6495
  SHA256: F29BEC38BF0DEF7C6B3E69D927E28260CC605C5306DD93D8AE16958BBF10D902
2116 | FY0GPLT3JZKTSG8.exe | C:\Users\admin\AppData\Local\Temp\font.ttf | ttf
  MD5: 22DD36F616C2ECE8A4B1CC2217095003
  SHA256: E94D1A99BE4ECF5BCC9DFDA953F56EA936CBDB191CAF29701D16604E87BBBBC4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 6
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2116 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/Simplifica.ttf | RU | ttf | 55.5 Kb | malicious
3748 | spoofer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 433 b | shared
2492 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/auth1.php?hwid=1F8BFBFF000506E300371461220350285564 | RU | text | 32 b | malicious
3748 | spoofer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 433 b | shared
3748 | spoofer.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/xml | unknown | xml | 433 b | shared
3748 | spoofer.exe | POST | 200 | 94.24.36.14:80 | http://gfs262n304.userstorage.mega.co.nz/ul/-wzQKLTtVo-7-gJ_24g07IN_rxUuQqGv9zdMMMQeUdsXnW6ju5C8ovgcj0t0m9lCRcRwoLNe5F8_kea8rdk4nA/0 | RO | text | 36 b | suspicious
2492 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/version.txt | RU | text | 3 b | malicious
2492 | FY0GPLT3JZKTSG8.exe | GET | 200 | 46.174.50.8:80 | http://1macro.ru/API/server1.php | RU | text | 6 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3748 | spoofer.exe | 208.95.112.1:80 | ip-api.com | IBURST | | malicious
2492 | FY0GPLT3JZKTSG8.exe | 46.174.50.8:80 | 1macro.ru | RS-Media LLC | RU | malicious
3748 | spoofer.exe | 54.204.14.42:443 | api.ipify.org | Amazon.com, Inc. | US | suspicious
2116 | FY0GPLT3JZKTSG8.exe | 46.174.50.8:80 | 1macro.ru | RS-Media LLC | RU | malicious
3748 | spoofer.exe | 94.24.36.14:80 | gfs262n304.userstorage.mega.co.nz | | RO | suspicious
3748 | spoofer.exe | 66.203.125.15:443 | g.api.mega.co.nz | RealNetworks, Inc. | US | unknown

DNS requests

Domain (reputation) and resolved IPs:
1macro.ru (malicious)
  • 46.174.50.8
api.ipify.org (shared)
  • 54.204.14.42
  • 23.21.109.69
  • 54.235.83.248
  • 23.21.126.66
  • 23.21.252.4
  • 54.235.169.38
  • 54.225.169.28
  • 54.235.182.194
ip-api.com (shared)
  • 208.95.112.1
g.api.mega.co.nz (shared)
  • 66.203.125.15
  • 66.203.125.12
  • 66.203.125.13
  • 66.203.125.11
  • 66.203.125.14
gfs262n304.userstorage.mega.co.nz (suspicious)
  • 94.24.36.14

Threats

PID | Process | Class | Message
3748 | spoofer.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check
3748 | spoofer.exe | Misc activity | SUSPICIOUS [PTsecurity] ipify.org External IP Check
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3748 | spoofer.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3748 | spoofer.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3748 | spoofer.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3748 | spoofer.exe | Potential Corporate Privacy Violation | ET POLICY HTTP POST to MEGA Userstorage
3748 | spoofer.exe | A Network Trojan was detected | STEALER [PTsecurity] Agensla.gen
1 ETPRO signatures available at the full report
Process | Message
spoofer.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------