| File name: | MOD MENU GTA 5.rar |
| Full analysis: | https://app.any.run/tasks/0277b5cf-af15-40f5-bc67-34bac4bd9735 |
| Verdict: | Malicious activity |
| Threats: | RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. |
| Analysis date: | December 24, 2023, 16:27:31 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 546571914DAD3A425FB68F21FF90EC38 |
| SHA1: | 55A0EECBB5EA5974AEAB03C8F85FC4DA608E1261 |
| SHA256: | 5BD68552F0AC5D6B53F009CF821A3960C0B470E3768EC8834314F0641E30AB07 |
| SSDEEP: | 98304:w2bzlDpdy5SluBGT1uCumCC+dWfwFmEsJkt+7fZYgiv2Tr3st9evpz6g9s3dhiwt:DO |
MALICIOUS
REDLINE has been detected (SURICATA)
- modest-menu.exe (PID: 480)
Steals credentials from Web Browsers
- modest-menu.exe (PID: 480)
Create files in the Startup directory
- modest-menu.exe (PID: 480)
Actions looks like stealing of personal data
- modest-menu.exe (PID: 480)
SUSPICIOUS
The process creates files with name similar to system file names
- WinRAR.exe (PID: 124)
Reads browser cookies
- modest-menu.exe (PID: 480)
Searches for installed software
- modest-menu.exe (PID: 480)
Reads the Internet Settings
- modest-menu.exe (PID: 480)
Connects to unusual port
- modest-menu.exe (PID: 480)
INFO
Manual execution by a user
- modest-menu.exe (PID: 480)
- taskmgr.exe (PID: 1732)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 124)
- modest-menu.exe (PID: 480)
Checks supported languages
- modest-menu.exe (PID: 480)
- qemu-ga.exe (PID: 1832)
Reads product name
- modest-menu.exe (PID: 480)
Reads Environment values
- modest-menu.exe (PID: 480)
Reads the computer name
- modest-menu.exe (PID: 480)
- qemu-ga.exe (PID: 1832)
Reads the machine GUID from the registry
- modest-menu.exe (PID: 480)
Creates files or folders in the user directory
- modest-menu.exe (PID: 480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
39
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 124 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\MOD MENU GTA 5.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 480 | "C:\Users\admin\Desktop\MOD MENU GTA 5\modest-menu.exe" | C:\Users\admin\Desktop\MOD MENU GTA 5\modest-menu.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1732 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\System32\taskmgr.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1832 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | — | modest-menu.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: qemu-ga Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
Total events
4 462
Read events
4 432
Write events
30
Delete events
0
Modification events
| (PID) Process: | (124) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (124) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
Executable files
3
Suspicious files
11
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.26297\MOD MENU GTA 5\modest-menu.exe | — | |
MD5:— | SHA256:— | |||
| 124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.26297\MOD MENU GTA 5\pol\tcpbidi.xml | xml | |
MD5:31B010EF50D54D548B4B8B211F421318 | SHA256:173B245285FA80B85108F62DB48C5ADF4B0EABF52B4627D6998EF14A1909D7BB | |||
| 124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.26297\MOD MENU GTA 5\pol\NarratorControlTemplates.xml | xml | |
MD5:74FDEEAC0C0C0F62F4D0D484A36DA23A | SHA256:A927ED842EBA5E095FA2AAB97D6DB73DBF66C69CAD4FE68C5737D7A41286193F | |||
| 124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.26297\MOD MENU GTA 5\pol\NetTrace.PLA.Diagnostics.xml | xml | |
MD5:C146E873B22C3B300B21A859FE66C27A | SHA256:B8EA3F3D3742B1C8888C81A02C74B0420F07159DD9AD82B037D2ECF075CF629A | |||
| 124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.26297\MOD MENU GTA 5\pol\db.log | binary | |
MD5:4230F1935F5D301A15F710129B659F0A | SHA256:2CC1AE948F5EBE7E43BE8D6854FFDD421C569A25326337B0028D3CEDAB7F0184 | |||
| 124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.26297\MOD MENU GTA 5\pol\enca.log | binary | |
MD5:1FC56D5A7300EE8949ABB7EBCA46B8CD | SHA256:FD43ECC8091B39E504D62786381EBB5E2526A540A38BB2BAEBDF5B4BDB310564 | |||
| 124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.26297\MOD MENU GTA 5\DATA\Settings\Environment.ini | text | |
MD5:EFF856F44BBF8DF26BFF2BBF61A5A62D | SHA256:CB63DEA186E72609A066EF18F80F3FBB8A6276758F1FA20B3E9858E683CDB8E0 | |||
| 124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.26297\MOD MENU GTA 5\pol\ScavengeSpace.xml | xml | |
MD5:5C18CD22BE4628865FCB63337A6E5EF6 | SHA256:C67A772F5FA711011E0D015D2DDE69F891B52819CF8FAD5248E492DECA2ACA4B | |||
| 124 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb124.26297\MOD MENU GTA 5\pol\data.log | binary | |
MD5:6EF58127BF94AF4BAA0C63A9CBECF295 | SHA256:4973E763D5F0346A55CEAE956850D4960BE79FF90B960A60F8B4A319331FA748 | |||
| 480 | modest-menu.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | executable | |
MD5:D4910F56121AE1E3049EE0ED506ED5DC | SHA256:AC70C1847BDF903A698DE1BADB72B9F9539AE9CC75CB3ACC3062E4622977EE95 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
5
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
480 | modest-menu.exe | 45.15.156.186:29975 | — | Galaxy LLC | RU | malicious |
DNS requests
Threats
PID | Process | Class | Message |
|---|---|---|---|
480 | modest-menu.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity |
480 | modest-menu.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) |
480 | modest-menu.exe | A Network Trojan was detected | ET MALWARE Redline Stealer Family Activity (Response) |
480 | modest-menu.exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt |
480 | modest-menu.exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt |