File name: SQLi Dumper v8.5 [Clean].rar
Full analysis: https://app.any.run/tasks/5a5e5e46-1e70-43f5-8de4-3468e979229f
Verdict: Malicious activity
Analysis date: August 20, 2024, 18:39:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: pastebin
MIME: application/x-rar
File info: RAR archive data, v5
MD5: D91BE36F8618562C808FB80F358591F7
SHA1: BBC665A912CF0CA2255B6D2090EA7C1461429726
SHA256: 5E38BC98D4ECBEEEE7DE498244406B801BF0FE12AFF0C5D92307BE40B4CEECE1
SSDEEP: 98304:D3c6n8TWWOjAt+i5DQ5GN6JCrTs1FIu0DK+TkBJOpVHiT8kCFPlEx7BEipybvZ8u:j8A0tLxR+W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • pebloso.exe (PID: 3176)
    • BITRAT has been detected (YARA)
      • pebloso.exe (PID: 6824)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • WinRAR.exe (PID: 6968)
      • SQLi v.8.5.exe (PID: 6516)
      • 0.exe (PID: 6488)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 6968)
      • SQLi v.8.5.exe (PID: 6516)
      • pebloso.exe (PID: 3176)
    • Executable content was dropped or overwritten
      • SQLi v.8.5.exe (PID: 6516)
      • pebloso.exe (PID: 3176)
    • Reads the date of Windows installation
      • SQLi v.8.5.exe (PID: 6516)
    • Application launched itself
      • pebloso.exe (PID: 3176)
    • Detected use of alternative data streams (AltDS)
      • pebloso.exe (PID: 6824)
    • Reads Microsoft Outlook installation path
      • 0.exe (PID: 6488)
    • Reads Internet Explorer settings
      • 0.exe (PID: 6488)
  • INFO
    • Reads the computer name
      • SQLi v.8.5.exe (PID: 6516)
      • 0.exe (PID: 6488)
      • pebloso.exe (PID: 6824)
      • pebloso.exe (PID: 3176)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 6968)
    • Checks supported languages
      • SQLi v.8.5.exe (PID: 6516)
      • 0.exe (PID: 6488)
      • pebloso.exe (PID: 3176)
      • pebloso.exe (PID: 6824)
    • Create files in a temporary directory
      • SQLi v.8.5.exe (PID: 6516)
      • pebloso.exe (PID: 3176)
      • 0.exe (PID: 6488)
    • Process checks computer location settings
      • SQLi v.8.5.exe (PID: 6516)
    • Creates files or folders in the user directory
      • pebloso.exe (PID: 6824)
    • Checks proxy server information
      • SQLi v.8.5.exe (PID: 6516)
      • 0.exe (PID: 6488)
    • Reads the machine GUID from the registry
      • 0.exe (PID: 6488)
    • Reads Environment values
      • 0.exe (PID: 6488)
    • Disables trace logs
      • 0.exe (PID: 6488)
    • Reads the software policy settings
      • 0.exe (PID: 6488)
    • UPX packer has been detected
      • pebloso.exe (PID: 6824)
    • Process checks Internet Explorer phishing filters
      • 0.exe (PID: 6488)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 129
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph (process tree, as reported in the process information)

start
  • winrar.exe (PID: 6968)
    • sqli v.8.5.exe (PID: 6516)
      • 0.exe (PID: 6488)
      • pebloso.exe (PID: 3176)
        • pebloso.exe (PID: 6824) THREAT

Process information

PID: 3176
CMD: "C:\Users\admin\AppData\Local\Temp\pebloso.exe"
Path: C:\Users\admin\AppData\Local\Temp\pebloso.exe
Parent process: SQLi v.8.5.exe
User: admin
Company: ekzoboko
Integrity Level: MEDIUM
Description: werwiksdi
Exit code: 0
Version: 1.1.2.3
Modules (images):
  • c:\users\admin\appdata\local\temp\pebloso.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\shell32.dll
  • c:\windows\syswow64\msvcp_win.dll
PID: 6488
CMD: "C:\Users\admin\AppData\Local\Temp\0.exe"
Path: C:\Users\admin\AppData\Local\Temp\0.exe
Parent process: SQLi v.8.5.exe
User: admin
Company: SQLi Trush Corp
Integrity Level: MEDIUM
Description: SQLi Dumper v8.0
Version: 8.0.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\0.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
PID: 6516
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa6968.771\SQLi Dumper v8.5 [Clean]\SQLi Dumper v8.5 [Clean]\SQLi v.8.5.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa6968.771\SQLi Dumper v8.5 [Clean]\SQLi Dumper v8.5 [Clean]\SQLi v.8.5.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Description: barboroy
Exit code: 0
Version: 1.0.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\rar$exa6968.771\sqli dumper v8.5 [clean]\sqli dumper v8.5 [clean]\sqli v.8.5.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\shell32.dll
  • c:\windows\syswow64\msvcp_win.dll
PID: 6824
CMD: "C:\Users\admin\AppData\Local\Temp\pebloso.exe"
Path: C:\Users\admin\AppData\Local\Temp\pebloso.exe
Parent process: pebloso.exe
User: admin
Company: ekzoboko
Integrity Level: MEDIUM
Description: werwiksdi
Version: 1.1.2.3
Modules (images):
  • c:\users\admin\appdata\local\temp\pebloso.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\ws2_32.dll
  • c:\windows\syswow64\rpcrt4.dll
PID: 6968
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SQLi Dumper v8.5 [Clean].rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll

Total events: 15 985
Read events: 15 933
Write events: 50
Delete events: 2

Modification events

(PID 6968) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID 6968) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID 6968) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID 6968) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\SQLi Dumper v8.5 [Clean].rar
(PID 6968) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 6968) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 6968) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID 6968) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(PID 6968) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
(PID 6968) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1

Executable files: 4
Suspicious files: 2
Text files: 12
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6968.771\SQLi Dumper v8.5 [Clean]\SQLi Dumper v8.5 [Clean]\GeoIP.dat | binary
  MD5: CB9AD69965F9F4CFF8572983F60BE67C | SHA256: 56C7079DC309168D9C41DD4A7A61033ACD264A120CA8D2E2182ABB5B9AE6B0A3
6968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6968.771\SQLi Dumper v8.5 [Clean]\SQLi Dumper v8.5 [Clean]\README.txt | text
  MD5: 509EB75C7AEEB6E99AC610A1EB89F888 | SHA256: C6C55285B44DDB762ACC871729A08ED683DFD80417C5A5B282E56266FD931F66
6968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6968.771\SQLi Dumper v8.5 [Clean]\SQLi Dumper v8.5 [Clean]\Settings | xml
  MD5: 6CADCD28429156CBC1D77447BBDDDF42 | SHA256: 88AD0488FE62D131F1CA29A7DE9470038E436F33F76CE1A83D6B41BDF3DC6C7C
6968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6968.771\SQLi Dumper v8.5 [Clean]\SQLi Dumper v8.5 [Clean]\DIC\dic_file_dump.txt | text
  MD5: 351CACFFC2884FCD4E69BB1FB04DDEB5 | SHA256: C67BCC0B4ED5E5EF72AA1134C0838D9201A97C2BF462FDFF0AC9052A53B286A2
6968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6968.771\SQLi Dumper v8.5 [Clean]\SQLi Dumper v8.5 [Clean]\DIC\dic_admin.txt | text
  MD5: F4675FA366AAE47396F8CFB2F3EB1B9A | SHA256: 826FBBAA5DE45C1238FC7B9F4436C1B87444F8103F4F65180F8547E3F271A413
6516 | SQLi v.8.5.exe | C:\Users\admin\AppData\Local\Temp\0.exe | executable
  MD5: F558500B09118C2D5482C0097D41B986 | SHA256: 4081A78BA280D28C56551983E515486A1DACF9BA26A3E76A71060982CC9E5ED7
6516 | SQLi v.8.5.exe | C:\Users\admin\AppData\Local\Temp\pebloso.exe | executable
  MD5: 4D28DE913B4B1E07F75C75E3CDD75ADD | SHA256: E43D70C273C8C083B5368E6C8DFD74E403A3F6B5E263609497940BB94ECC6F01
3176 | pebloso.exe | C:\Users\admin\AppData\Local\Temp\shwifty.exe | executable (same hashes as pebloso.exe above)
  MD5: 4D28DE913B4B1E07F75C75E3CDD75ADD | SHA256: E43D70C273C8C083B5368E6C8DFD74E403A3F6B5E263609497940BB94ECC6F01
6968 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6968.771\SQLi Dumper v8.5 [Clean]\SQLi Dumper v8.5 [Clean]\TXT\URL NonInjectables.xml | xml
  MD5: 796F81553D4C28791127DF6F10CAFA2D | SHA256: AE5B6A2A6389D8323428DA34D762A4EFB9E292598765B5AE719BB9C3FBB9D802
6488 | 0.exe | C:\Users\admin\AppData\Local\Temp\DIC\dic_admin.txt | text
  MD5: A0E54634DDD435DF5B82E20EA20C7EFE | SHA256: 963E3A1E46D5F4C35B85464DB61B7C346C5C44669E64A5C016192DDE078F997A

HTTP(S) requests: 19
TCP/UDP connections: 53
DNS requests: 26
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
6488 | 0.exe | GET | 404 | 104.20.3.235:80 | http://pastebin.com/raw/3vsJLpWu | unknown | shared
6488 | 0.exe | GET | 404 | 212.82.100.137:80 | http://search.yahoo.com/search?n=100&p=%3fitem_id%3d | unknown | whitelisted
6488 | 0.exe | GET | 404 | 49.13.77.253:80 | http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=%3fitem_id%3d | unknown | whitelisted
6488 | 0.exe | GET | 404 | 151.101.130.114:80 | http://www.ask.com/web?q=%3fitem_id%3d | unknown | whitelisted
6488 | 0.exe | GET | 404 | 212.82.100.137:80 | http://search.aol.com/aol/search?&q=%3fitem_id%3d | unknown | whitelisted
6488 | 0.exe | GET | 404 | 213.13.145.10:80 | http://pesquisa.sapo.pt/?q=%3fitem_id%3d | unknown | whitelisted
6488 | 0.exe | GET | 404 | 13.107.21.200:80 | http://www.bing.com/search?q=%3fitem_id%3d&count=50 | unknown | whitelisted
6488 | 0.exe | GET | 404 | 77.88.55.88:80 | http://www.yandex.com/yandsearch?text=%3fitem_id%3d | unknown | whitelisted
6488 | 0.exe | GET | 404 | 172.64.151.32:80 | http://www.webcrawler.com/search/web?q=%3fitem_id%3d | unknown | whitelisted
6488 | 0.exe | GET | 404 | 212.82.100.137:80 | http://www.wow.com/search?q=%3fitem_id%3d | unknown | whitelisted

Connections

Each row: IP | Domain | ASN | CN | Reputation (fields the report leaves empty are omitted)

PID 2480, svchost.exe:
  • 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
  • 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
  • 192.168.100.255:138 | whitelisted
  • 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 3888, svchost.exe:
  • 239.255.255.250:1900 | whitelisted
PID 4, System:
  • 192.168.100.255:137 | whitelisted
PID 2480, svchost.exe:
  • 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 6488, 0.exe:
  • 104.20.3.235:80 | pastebin.com | CLOUDFLARENET | unknown
PID 6824, pebloso.exe:
  • 80.85.156.209:8080 | Chelyabinsk-Signal LLC | RU | malicious
PID 3260, svchost.exe:
  • 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2 | whitelisted
google.com | 142.250.185.110 | whitelisted
pastebin.com | 104.20.3.235, 104.20.4.235, 172.67.19.24 | shared
client.wns.windows.com | 40.113.110.67 | whitelisted
login.live.com | 20.190.159.23, 40.126.31.67, 20.190.159.68, 20.190.159.71, 20.190.159.73, 20.190.159.2, 20.190.159.0, 20.190.159.64 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
slscr.update.microsoft.com | 20.114.59.183 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171, 2603:1030:c02:2::284 | whitelisted
171.39.242.20.in-addr.arpa | - | unknown
4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | - | unknown

Threats

PID | Process | Class | Message
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
1 ETPRO signature is available in the full report.
No debug info