File name:

XSpoofer.rar

Full analysis: https://app.any.run/tasks/a4caabb0-86b4-4e2a-9a60-57ff54677d21
Verdict: Malicious activity
Analysis date: August 17, 2019, 16:27:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

51F4B3BFA925B4D5264093EB98A439AE

SHA1:

4D4C7A8262ED5799E2584D562E1BD84CE596BBE2

SHA256:

5A574EE19B713C6A40CC205A18A9C5D7205EA611EC29FF4772B214068B8DD394

SSDEEP:

24576:Ph7fWYJf6eUe5aOHtWWavjWrGSeO9HYWUSqJCbIdKDEkBYKJWGn:PF7R6epaKtRavj6jT94Z7CbkKDgKzn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • XSpoofer.exe (PID: 2716)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3480)

  • SUSPICIOUS

    • Reads Environment values

      • XSpoofer.exe (PID: 2716)

    • Adds / modifies Windows certificates

      • XSpoofer.exe (PID: 2716)

    • Creates files in the program directory

      • XSpoofer.exe (PID: 2776)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3668)
      • XSpoofer.exe (PID: 2776)
      • XSpoofer.exe (PID: 2792)
      • cmd.exe (PID: 1932)
      • cmd.exe (PID: 2972)

    • Starts CMD.EXE for self-deleting

      • XSpoofer.exe (PID: 2776)

    • Application launched itself

      • cmd.exe (PID: 1932)

  • INFO

    • Manual execution by user

      • XSpoofer.exe (PID: 2716)
      • XSpoofer.exe (PID: 2664)
      • XSpoofer.exe (PID: 2776)
      • XSpoofer.exe (PID: 2320)
      • XSpoofer.exe (PID: 2792)

    • Reads settings of System Certificates

      • XSpoofer.exe (PID: 2716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
64
Monitored processes
14
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs xspoofer.exe no specs xspoofer.exe xspoofer.exe no specs xspoofer.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs ping.exe no specs xspoofer.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
504C:\Windows\system32\cmd.exe /S /D /c" ECHO [OUTBUILT.OOO "C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
1576ping 1.1.1.1 -n 1 -w 3000 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
1932"cmd.exe" /c START CMD /C "COLOR C && TITLE OUTBUILT.OOO Protection && ECHO [OUTBUILT.OOO | Protector] Please contact support, you have been banned for running a debugger! && TIMEOUT 10"C:\Windows\system32\cmd.exeXSpoofer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2320"C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe" C:\Users\admin\Desktop\XSpoofer\XSpoofer.exeexplorer.exe
User:
admin
Company:
PizzaXYZ-5795
Integrity Level:
MEDIUM
Description:
ConsoleApp1
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xspoofer\xspoofer.exe
c:\systemroot\system32\ntdll.dll
2388CMD /C "COLOR C && TITLE OUTBUILT.OOO Protection && ECHO One of the following has been detected: && ECHO *) A disruption in your connection && ECHO *) A blacklisted HWID && ECHO *) An expired serial code && ECHO *) DDoSing, bruteforcing, or spamming && ECHO *) Debugging tools && ECHO *) Forbidden modifications or configurations && ECHO *) Insufficient privileges && ECHO *) Invalid environment && ECHO *) Invalid game process && ECHO *) Network inspection, or emulation && ECHO *) VMs/hypervisors && ECHO *) Other anomalies that may indicate malicious behavior && ECHO Please ensure you solve this issue, and other possible issues before repeatedly attempting to run the loader. && TIMEOUT 10"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2664"C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe" C:\Users\admin\Desktop\XSpoofer\XSpoofer.exeexplorer.exe
User:
admin
Company:
PizzaXYZ-5795
Integrity Level:
MEDIUM
Description:
ConsoleApp1
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xspoofer\xspoofer.exe
c:\systemroot\system32\ntdll.dll
2716"C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe" C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe
explorer.exe
User:
admin
Company:
PizzaXYZ-5795
Integrity Level:
HIGH
Description:
ConsoleApp1
Exit code:
3221225786
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xspoofer\xspoofer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2776"C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe" C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe
explorer.exe
User:
admin
Company:
PizzaXYZ-5795
Integrity Level:
HIGH
Description:
ConsoleApp1
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xspoofer\xspoofer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2792"C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe" C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe
explorer.exe
User:
admin
Company:
PizzaXYZ-5795
Integrity Level:
HIGH
Description:
ConsoleApp1
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\xspoofer\xspoofer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2972CMD /C "COLOR C && TITLE OUTBUILT.OOO Protection && ECHO [OUTBUILT.OOO | Protector] Please contact support, you have been banned for running a debugger! && TIMEOUT 10"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
255
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
703
Read events
666
Write events
37
Delete events
0

Modification events

(PID) Process:(3548) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3548) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3548) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3548) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\XSpoofer.rar
(PID) Process:(3548) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3548) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3548) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3548) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2716) XSpoofer.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET Memory Cache 4.0\Linkage
Operation:writeName:Export
Value:
.NET Memory Cache 4.0
(PID) Process:(2716) XSpoofer.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WmiApRpl\Performance
Operation:writeName:1008
Value:
168790BF1855D501
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3548WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3548.26814\XSpoofer\XSpoofer\BedsPrivate.dll
MD5:
SHA256:
3548WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3548.26814\XSpoofer\XSpoofer\Newtonsoft.Json.dll
MD5:
SHA256:
3548WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3548.26814\XSpoofer\XSpoofer\Outbuilt.dll
MD5:
SHA256:
3548WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3548.26814\XSpoofer\XSpoofer\TrinitySeal.dll
MD5:
SHA256:
3548WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3548.26814\XSpoofer\XSpoofer\XSpoofer.exe
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2716
XSpoofer.exe
104.31.75.44:443
auth.trinityseal.me
Cloudflare Inc
US
shared
2716
XSpoofer.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.20.209.21
  • 104.20.208.21
malicious
auth.trinityseal.me
  • 104.31.75.44
  • 104.31.74.44
malicious

Threats

No threats detected
Process
Message
XSpoofer.exe
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
XSpoofer.rar