File name: NetExternal glow july 4.2020.rar
Full analysis: https://app.any.run/tasks/f1c1129a-2030-48b3-bda0-72531e921772
Verdict: Malicious activity
Analysis date: July 12, 2020, 22:52:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 06C2868FE31F7EBC4F6E38D77A075CB4
SHA1: EE6A6E75BA0B889611EAA6A878295A50FC9A3D27
SHA256: 5CD510487BBFB6B806DAF41DD128E8556CD619B6D8F06B49738E6277DB89595E
SSDEEP: 12288:7vQMRgSW2QOQlM3+1SONNs9BFGQV9k7n+pytvuLF:rLLjQlO+1SOHD+pyIp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • NET-EXTERNAL.exe (PID: 3892)
    • Changes settings of System certificates
      • NET-EXTERNAL.exe (PID: 3892)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1952)
    • Starts Internet Explorer
      • NET-EXTERNAL.exe (PID: 3892)
    • Adds / modifies Windows certificates
      • NET-EXTERNAL.exe (PID: 3892)
  • INFO
    • Manual execution by user
      • NET-EXTERNAL.exe (PID: 3892)
    • Changes internet zones settings
      • iexplore.exe (PID: 1384)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 1472)
      • iexplore.exe (PID: 1384)
    • Application launched itself
      • iexplore.exe (PID: 1384)
    • Creates files in the user directory
      • iexplore.exe (PID: 1472)
    • Reads internet explorer settings
      • iexplore.exe (PID: 1472)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1472)
      • NET-EXTERNAL.exe (PID: 3892)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start winrar.exe net-external.exe iexplore.exe iexplore.exe

Process information

PID | CMD | Path | Parent process
1952 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NetExternal glow july 4.2020.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe
  User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
3892 | "C:\Users\admin\Desktop\NET-EXTERNAL.exe" | C:\Users\admin\Desktop\NET-EXTERNAL.exe | explorer.exe
  User: admin; Integrity Level: MEDIUM; Description: NET; Exit code: 4294967295; Version: 2.7.3.2
1384 | "C:\Program Files\Internet Explorer\iexplore.exe" https://gofile.io/d/ToBZY6 | C:\Program Files\Internet Explorer\iexplore.exe | NET-EXTERNAL.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
1472 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1384 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe
  User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 8 395
Read events: 1 608
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 62
Text files: 47
Unknown types: 29

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab9472.tmp | - | - | -
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar9473.tmp | - | - | -
1952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1952.18688\NET-EXTERNAL.exe | executable | 2CC37A90D871FF08FE8BB7BE8241794F | 4C53DE30D57630EBBB63C05D0B7E8CC03E1091D0AB85017EB8C6559DD92363A3
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab981D.tmp | - | - | -
1952 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1952.18688\Chams.ini | text | 19353894E67CEFECA2DDD8D81071B1C7 | 2418FCBA2F3E6F4B024FF184293F5815DC44212606FAB019628D40608660027F
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab984E.tmp | - | - | -
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar982E.tmp | - | - | -
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar984F.tmp | - | - | -
3892 | NET-EXTERNAL.exe | C:\Users\admin\Documents\offsets.ini | text | F826C7DDC7C9F786AAD3ACC9F509502E | 88EE7519D9CF5DF33776124FAE570B9CD909A3DF72668085B39D57B41F2EB896
1472 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B63B2070F62BD5F36E309FAED531189 | der | 90BA58990B46BFFD3A686E883B9AF4BF | B0FA5937EDB874F7CF52B8F9F9F91668CAB1DCEB4D1F5949422EA743EB022FAE
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 32
TCP/UDP connections: 44
DNS requests: 24
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 471 b | whitelisted
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 471 b | whitelisted
1472 | iexplore.exe | GET | 200 | 2.16.107.73:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 471 b | whitelisted
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted
1472 | iexplore.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkbwjNvPLFRm7zMB3V80 | US | der | 1.49 Kb | whitelisted
1472 | iexplore.exe | GET | 200 | 2.16.107.114:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgRONazAeVbvveojcZVjfG8wZg%3D%3D | unknown | der | 527 b | whitelisted
1472 | iexplore.exe | GET | 200 | 2.16.107.114:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgRONazAeVbvveojcZVjfG8wZg%3D%3D | unknown | der | 527 b | whitelisted
1472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3892 | NET-EXTERNAL.exe | 104.23.99.190:443 | pastebin.com | Cloudflare Inc | US | malicious
3892 | NET-EXTERNAL.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious
3892 | NET-EXTERNAL.exe | 151.101.0.133:443 | raw.githubusercontent.com | Fastly | US | malicious
1472 | iexplore.exe | 2.16.107.80:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | - | suspicious
1472 | iexplore.exe | 213.32.73.239:443 | gofile.io | OVH SAS | FR | unknown
1472 | iexplore.exe | 2.16.107.73:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | - | suspicious
1472 | iexplore.exe | 2.16.107.114:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | - | suspicious
1472 | iexplore.exe | 172.217.22.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
1472 | iexplore.exe | 151.101.2.109:443 | cdn.jsdelivr.net | Fastly | US | suspicious
1472 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
raw.githubusercontent.com | 151.101.0.133, 151.101.64.133, 151.101.128.133, 151.101.192.133 | shared
pastebin.com | 104.23.99.190, 104.23.98.190 | shared
gofile.io | 213.32.73.239, 217.182.142.52, 217.182.142.131 | whitelisted
isrg.trustid.ocsp.identrust.com | 2.16.107.73, 2.16.107.80 | whitelisted
ocsp.int-x3.letsencrypt.org | 2.16.107.114, 2.16.107.43 | whitelisted
fonts.googleapis.com | 172.217.22.10 | whitelisted
cdn.jsdelivr.net | 151.101.2.109, 151.101.66.109, 151.101.130.109, 151.101.194.109 | whitelisted
cdn.buymeacoffee.com | 104.26.11.39, 104.26.10.39, 172.67.70.99 | whitelisted
cdn.datatables.net | 104.22.50.93, 104.22.51.93, 172.67.14.139 | whitelisted
cdn.rawgit.com | 151.139.237.11 | whitelisted

Threats

No threats detected

Debug info

No debug info