File name: | XSpoofer.rar |
Full analysis: | https://app.any.run/tasks/a4caabb0-86b4-4e2a-9a60-57ff54677d21 |
Verdict: | Malicious activity |
Analysis date: | August 17, 2019, 16:27:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 51F4B3BFA925B4D5264093EB98A439AE |
SHA1: | 4D4C7A8262ED5799E2584D562E1BD84CE596BBE2 |
SHA256: | 5A574EE19B713C6A40CC205A18A9C5D7205EA611EC29FF4772B214068B8DD394 |
SSDEEP: | 24576:Ph7fWYJf6eUe5aOHtWWavjWrGSeO9HYWUSqJCbIdKDEkBYKJWGn:PF7R6epaKtRavj6jT94Z7CbkKDgKzn |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3548 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\XSpoofer.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2320 | "C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe" | C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe | — | explorer.exe |
User: admin Company: PizzaXYZ-5795 Integrity Level: MEDIUM Description: ConsoleApp1 Exit code: 3221226540 Version: 1.0.0.0 | ||||
2716 | "C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe" | C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe | explorer.exe | |
User: admin Company: PizzaXYZ-5795 Integrity Level: HIGH Description: ConsoleApp1 Exit code: 3221225786 Version: 1.0.0.0 | ||||
2664 | "C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe" | C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe | — | explorer.exe |
User: admin Company: PizzaXYZ-5795 Integrity Level: MEDIUM Description: ConsoleApp1 Exit code: 3221226540 Version: 1.0.0.0 | ||||
2776 | "C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe" | C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe | explorer.exe | |
User: admin Company: PizzaXYZ-5795 Integrity Level: HIGH Description: ConsoleApp1 Exit code: 0 Version: 1.0.0.0 | ||||
3668 | "cmd.exe" /c START CMD /C "COLOR C && TITLE OUTBUILT.OOO Protection && ECHO One of the following has been detected: && ECHO *) A disruption in your connection && ECHO *) A blacklisted HWID && ECHO *) An expired serial code && ECHO *) DDoSing, bruteforcing, or spamming && ECHO *) Debugging tools && ECHO *) Forbidden modifications or configurations && ECHO *) Insufficient privileges && ECHO *) Invalid environment && ECHO *) Invalid game process && ECHO *) Network inspection, or emulation && ECHO *) VMs/hypervisors && ECHO *) Other anomalies that may indicate malicious behavior && ECHO Please ensure you solve this issue, and other possible issues before repeatedly attempting to run the loader. && TIMEOUT 10" | C:\Windows\system32\cmd.exe | — | XSpoofer.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2388 | CMD /C "COLOR C && TITLE OUTBUILT.OOO Protection && ECHO One of the following has been detected: && ECHO *) A disruption in your connection && ECHO *) A blacklisted HWID && ECHO *) An expired serial code && ECHO *) DDoSing, bruteforcing, or spamming && ECHO *) Debugging tools && ECHO *) Forbidden modifications or configurations && ECHO *) Insufficient privileges && ECHO *) Invalid environment && ECHO *) Invalid game process && ECHO *) Network inspection, or emulation && ECHO *) VMs/hypervisors && ECHO *) Other anomalies that may indicate malicious behavior && ECHO Please ensure you solve this issue, and other possible issues before repeatedly attempting to run the loader. && TIMEOUT 10" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3480 | "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del C:\Users\admin\Desktop\XSpoofer\XSpoofer.exe | C:\Windows\System32\cmd.exe | — | XSpoofer.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3876 | TIMEOUT 10 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1576 | ping 1.1.1.1 -n 1 -w 3000 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3548) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3548) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3548) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3548) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\XSpoofer.rar | |||
(PID) Process: | (3548) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3548) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3548) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3548) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (2716) XSpoofer.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\.NET Memory Cache 4.0\Linkage |
Operation: | write | Name: | Export |
Value: .NET Memory Cache 4.0 | |||
(PID) Process: | (2716) XSpoofer.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WmiApRpl\Performance |
Operation: | write | Name: | 1008 |
Value: 168790BF1855D501 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3548.26814\XSpoofer\XSpoofer\BedsPrivate.dll | — | |
MD5:— | SHA256:— | |||
3548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3548.26814\XSpoofer\XSpoofer\Newtonsoft.Json.dll | — | |
MD5:— | SHA256:— | |||
3548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3548.26814\XSpoofer\XSpoofer\Outbuilt.dll | — | |
MD5:— | SHA256:— | |||
3548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3548.26814\XSpoofer\XSpoofer\TrinitySeal.dll | — | |
MD5:— | SHA256:— | |||
3548 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3548.26814\XSpoofer\XSpoofer\XSpoofer.exe | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2716 | XSpoofer.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2716 | XSpoofer.exe | 104.31.75.44:443 | auth.trinityseal.me | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
auth.trinityseal.me |
| malicious |
Process | Message |
---|---|
XSpoofer.exe | %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s |