File name:

123456.rar

Full analysis: https://app.any.run/tasks/334c883f-6599-4b27-adda-181df8fc1beb
Verdict: Malicious activity
Threats:

TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage.

Malware Trends Tracker     >>>
Analysis date: April 25, 2019, 18:21:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trickbot
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

1760DDE79193CBC3A8B3A152668AE006

SHA1:

BA470940C569695AB08AF0DFDE82E47FB8F31372

SHA256:

630CA2C784D257B9A854A0956DB34ADFD918A5CDA62E6B767134E2B8E40F0D11

SSDEEP:

12288:YZx6+ePHcXGDvg6xHw5188C9PbagirbZljOQriwIs:YZ8tRg6xQv8H9tEbHKQ4s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Stops/Deletes Windows Defender service

      • cmd.exe (PID: 2800)
      • cmd.exe (PID: 1684)
      • cmd.exe (PID: 3896)
      • cmd.exe (PID: 1140)

    • Application was dropped or rewritten from another process

      • 7nwqnoqi8.exe (PID: 2324)
      • 9pwspqsi8.exe (PID: 1088)
      • 9pwspqsi8.exe (PID: 2656)
      • 7nwqnoqi8.exe (PID: 3828)

    • Known privilege escalation attack

      • DllHost.exe (PID: 2504)

    • Loads the Task Scheduler COM API

      • 9pwspqsi8.exe (PID: 1088)
      • 9pwspqsi8.exe (PID: 2656)

    • Changes settings of System certificates

      • 9pwspqsi8.exe (PID: 2656)

    • TRICKBOT was detected

      • 9pwspqsi8.exe (PID: 2656)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • 9pwspqsi8.exe (PID: 1088)
      • 7nwqnoqi8.exe (PID: 2324)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2596)
      • cmd.exe (PID: 2328)

    • Executable content was dropped or overwritten

      • 7nwqnoqi8.exe (PID: 2324)
      • 7nwqnoqi8.exe (PID: 3828)

    • Creates files in the user directory

      • 7nwqnoqi8.exe (PID: 2324)
      • powershell.exe (PID: 3068)
      • 9pwspqsi8.exe (PID: 2656)
      • powershell.exe (PID: 1956)

    • Starts itself from another location

      • 7nwqnoqi8.exe (PID: 3828)

    • Adds / modifies Windows certificates

      • 9pwspqsi8.exe (PID: 2656)

    • Checks for external IP

      • 9pwspqsi8.exe (PID: 2656)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
18
Malicious processes
5
Suspicious processes
4

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs 7nwqnoqi8.exe cmd.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs powershell.exe no specs CMSTPLUA no specs 9pwspqsi8.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs powershell.exe no specs 7nwqnoqi8.exe #TRICKBOT 9pwspqsi8.exe

Process information

PID
CMD
Path
Indicators
Parent process
916"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\123456.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1088"C:\Users\admin\AppData\Roaming\gpuDriver\9pwspqsi8.exe" C:\Users\admin\AppData\Roaming\gpuDriver\9pwspqsi8.exeDllHost.exe
User:
admin
Integrity Level:
HIGH
Description:
RoundWindow MFC Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\roaming\gpudriver\9pwspqsi8.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
1140/c sc delete WinDefendC:\Windows\system32\cmd.exe9pwspqsi8.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
1484sc stop WinDefendC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1656sc delete WinDefendC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1684/c sc stop WinDefendC:\Windows\system32\cmd.exe9pwspqsi8.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1062
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1956powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2324"C:\Users\admin\Desktop\7nwqnoqi8.exe" C:\Users\admin\Desktop\7nwqnoqi8.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RoundWindow MFC Application
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\7nwqnoqi8.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2328/c powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\system32\cmd.exe9pwspqsi8.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2504C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
1 202
Read events
1 065
Write events
137
Delete events
0

Modification events

(PID) Process:(916) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(916) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(916) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(916) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\123456.rar
(PID) Process:(916) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(916) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(916) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(916) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(916) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(3068) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
2
Suspicious files
12
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
916WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb916.1059\7nwqnoqi8.exe
MD5:
SHA256:
3068powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OJ5VUP0SU7YZAHBKOQT3.temp
MD5:
SHA256:
1956powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9C9WXN7NL7LDF1ATX35R.temp
MD5:
SHA256:
26569pwspqsi8.exeC:\Users\admin\AppData\Local\Temp\CabE77F.tmp
MD5:
SHA256:
26569pwspqsi8.exeC:\Users\admin\AppData\Local\Temp\TarE780.tmp
MD5:
SHA256:
26569pwspqsi8.exeC:\Users\admin\AppData\Local\Temp\CabE7AF.tmp
MD5:
SHA256:
26569pwspqsi8.exeC:\Users\admin\AppData\Local\Temp\TarE7B0.tmp
MD5:
SHA256:
26569pwspqsi8.exeC:\Users\admin\AppData\Local\Temp\CabE7D1.tmp
MD5:
SHA256:
26569pwspqsi8.exeC:\Users\admin\AppData\Local\Temp\TarE7D2.tmp
MD5:
SHA256:
26569pwspqsi8.exeC:\Users\admin\AppData\Local\Temp\CabE86F.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
5
DNS requests
7
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2656
9pwspqsi8.exe
GET
200
205.185.216.10:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.6 Kb
whitelisted
2656
9pwspqsi8.exe
GET
200
52.202.139.131:80
http://checkip.amazonaws.com/
US
text
14 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2656
9pwspqsi8.exe
177.105.235.17:449
Internet Pinheirense Ltda - ME
BR
malicious
2656
9pwspqsi8.exe
205.185.216.10:80
www.download.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
2656
9pwspqsi8.exe
200.122.209.78:449
EPM Telecomunicaciones S.A. E.S.P.
CO
malicious
2656
9pwspqsi8.exe
52.202.139.131:80
checkip.amazonaws.com
Amazon.com, Inc.
US
shared
2656
9pwspqsi8.exe
198.12.71.40:447
ColoCrossing
US
suspicious

DNS requests

Domain
IP
Reputation
www.download.windowsupdate.com
  • 205.185.216.10
  • 205.185.216.42
  • 205.185.216.10
  • 205.185.216.10
whitelisted
checkip.amazonaws.com
  • 52.202.139.131
  • 34.233.102.38
  • 52.206.161.133
  • 18.211.215.84
  • 52.6.79.229
  • 52.200.125.74
malicious
22.69.192.185.zen.spamhaus.org
unknown
22.69.192.185.cbl.abuseat.org
unknown
22.69.192.185.b.barracudacentral.org
unknown
22.69.192.185.dnsbl-1.uceprotect.net
unknown
22.69.192.185.spam.dnsbl.sorbs.net
unknown

Threats

PID
Process
Class
Message
2656
9pwspqsi8.exe
Misc activity
SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected
2656
9pwspqsi8.exe
Not Suspicious Traffic
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
2656
9pwspqsi8.exe
Misc activity
SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected
2656
9pwspqsi8.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection
2656
9pwspqsi8.exe
Misc activity
SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected
2656
9pwspqsi8.exe
Not Suspicious Traffic
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
2656
9pwspqsi8.exe
Misc activity
SUSPICIOUS TEST [PTsecurity] Suspicious SSL certificate detected
2656
9pwspqsi8.exe
A Network Trojan was detected
MALWARE [PTsecurity] Dyre/Trickbot/Dridex SSL connection
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
123456.rar