File name: | File_Setup_Pass_1234.rar |
Full analysis: | https://app.any.run/tasks/d8da2fa4-93e3-4988-869e-e1635078b7f7 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | May 21, 2022, 10:24:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 41DEA84C2FCB05C4A3B30F8366006F62 |
SHA1: | 3C956D1D73915D02CE79901661332D5670383581 |
SHA256: | 639F5D7D13AF72E08FE10A584AFBE62AC4F508A8EEA9FB0923597599C21E5925 |
SSDEEP: | 98304:DCOrktHAyv5u5yY8Cjq/Z6tY89OnQEALRclDmKrHisfs5o0hc9gt/AxQoU2EsLWE:GwlyvtWm/Z6tN9OnX9BrC8yr/AxQZkt3 |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3132 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\File_Setup_Pass_1234.rar" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
2584 | "C:\Users\admin\Desktop\Setup.exe" | C:\Users\admin\Desktop\Setup.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
3244 | "C:\Users\admin\Desktop\Setup.exe" | C:\Users\admin\Desktop\Setup.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
|
(PID) Process: | (3132) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3132) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3132) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3132) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
(PID) Process: | (3132) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
(PID) Process: | (3132) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\File_Setup_Pass_1234.rar | |||
(PID) Process: | (3132) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3132) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3132) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3132) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3132 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3132.32829\Setup.exe | executable | |
MD5:ADA1CF2FB2812726F5DE2F8172DA8DED | SHA256:12E81B998B37955C4E028A9F46378B8B664646E3CC5F177A867321C54AF30CA3 | |||
3244 | Setup.exe | C:\Users\admin\AppData\LocalLow\nssdbm3.dll | executable | |
MD5:FDC6551687F1D915994DFFA27B3B9044 | SHA256:844F878AABB7E3C06986DD6879912BB403ECB81B1CFB13E95CAF9CBD350713AE | |||
3244 | Setup.exe | C:\Users\admin\AppData\LocalLow\xIQp5czQuEO3 | image | |
MD5:6F4379D8F284CDF1F7683AB6F186FE0A | SHA256:93079701731C0B547BD5977A5FE63768883DBFDE2CE21EFB9BC1E74A6D47739A | |||
3244 | Setup.exe | C:\Users\admin\AppData\LocalLow\vcruntime140.dll | executable | |
MD5:A2523EA6950E248CBDF18C9EA1A844F6 | SHA256:6823B98C3E922490A2F97F54862D32193900077E49F0360522B19E06E6DA24B4 | |||
3244 | Setup.exe | C:\Users\admin\AppData\LocalLow\msvcp140.dll | executable | |
MD5:1FB93933FD087215A3C7B0800E6BB703 | SHA256:2DB7FD3C9C3C4B67F2D50A5A50E8C69154DC859780DD487C28A4E6ED1AF90D01 | |||
3244 | Setup.exe | C:\Users\admin\AppData\LocalLow\J7evAc5h8h0g | sqlite | |
MD5:D02907BE1C995E1E51571EEDB82FA281 | SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD | |||
3244 | Setup.exe | C:\Users\admin\AppData\LocalLow\jq33tFjQFt73 | sqlite | |
MD5:D02907BE1C995E1E51571EEDB82FA281 | SHA256:2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD | |||
3244 | Setup.exe | C:\Users\admin\AppData\LocalLow\sqlite3.dll | executable | |
MD5:DBF4F8DCEFB8056DC6BAE4B67FF810CE | SHA256:47B64311719000FA8C432165A0FDCDFED735D5B54977B052DE915B1CBBBF9D68 | |||
3244 | Setup.exe | C:\Users\admin\AppData\LocalLow\freebl3.dll | executable | |
MD5:15B61E4A910C172B25FB7D8CCB92F754 | SHA256:B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6 | |||
3244 | Setup.exe | C:\Users\admin\AppData\LocalLow\nss3.dll | executable | |
MD5:F67D08E8C02574CBC2F1122C53BFB976 | SHA256:C65B7AFB05EE2B2687E6280594019068C3D3829182DFE8604CE4ADF2116CC46E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3244 | Setup.exe | POST | 200 | 194.180.174.180:80 | http://194.180.174.180/ | DE | text | 4.34 Kb | malicious |
3244 | Setup.exe | GET | 200 | 94.158.247.44:80 | http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll | unknown | executable | 1.95 Mb | suspicious |
3244 | Setup.exe | GET | 200 | 94.158.247.44:80 | http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll | unknown | executable | 612 Kb | suspicious |
3244 | Setup.exe | GET | 200 | 94.158.247.44:80 | http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll | unknown | executable | 438 Kb | suspicious |
3244 | Setup.exe | POST | 200 | 194.180.174.180:80 | http://194.180.174.180/a45861571245e2ff333456d6cf90a60b | DE | text | 8 b | malicious |
3244 | Setup.exe | GET | 200 | 94.158.247.44:80 | http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll | unknown | executable | 668 Kb | suspicious |
3244 | Setup.exe | GET | 200 | 94.158.247.44:80 | http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll | unknown | executable | 90.6 Kb | suspicious |
3244 | Setup.exe | GET | 200 | 94.158.247.44:80 | http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll | unknown | executable | 248 Kb | suspicious |
3244 | Setup.exe | POST | 200 | 194.180.174.180:80 | http://194.180.174.180/a45861571245e2ff333456d6cf90a60b | DE | text | 8 b | malicious |
3244 | Setup.exe | POST | 200 | 194.180.174.180:80 | http://194.180.174.180/a45861571245e2ff333456d6cf90a60b | DE | text | 8 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3244 | Setup.exe | 194.180.174.180:80 | — | — | DE | malicious |
3244 | Setup.exe | 94.158.247.44:80 | — | — | — | suspicious |
PID | Process | Class | Message |
---|---|---|---|
3244 | Setup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3244 | Setup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3244 | Setup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3244 | Setup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3244 | Setup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3244 | Setup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3244 | Setup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3244 | Setup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
3244 | Setup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request |
Process | Message |
---|---|
Setup.exe | response:
|
Setup.exe | libs_nss3:http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
libs_msvcp140:http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
libs_vcruntime140:http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
libs_mozglue:http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
libs_freebl3:http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
libs_softokn3:http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
ews_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings
ews_tronl:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings
libs_sqlite3:http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
ews_bsc:fhbohimaelbohpjbbldcngcnapndodjp;BinanceChain;Local Extension Settings
ews_ronin:fnjhmkhhmkbjkkabndcnnogagogbneec;Ronin;Local Extension Settings
wlts_exodus:Exodus;26;exodus;*;*partitio*,*cache*,*dictionar*
wlts_atomic:Atomic;26;atomic;*;*cache*,*IndexedDB*
wlts_jaxxl:JaxxLiberty;26;com.liberty.jaxx;*;*cache*
wlts_binance:Binance;26;Binance;*app-store.*;-
wlts_coinomi:Coinomi;28;Coinomi\Coinomi\wallets;*;-
wlts_electrum:Electrum;26;Electrum\wallets;*;-
wlts_elecltc:Electrum-LTC;26;Electrum-LTC\wallets;*;-
wlts_elecbch:ElectronCash;26;ElectronCash\wallets;*;-
wlts_guarda:Guarda;26;Guarda;*;*cache*,*IndexedDB*
wlts_green:BlockstreamGreen;28;Blockstream\Green;*;cache,gdk,*logs*
wlts_ledger:Ledger Live;26;Ledger Live;*;*cache*,*dictionar*,*sqlite*
ews_ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings
ews_meta:nkbihfbeogaeaoehlefnkodbefgpgknn;MetaMask;Local Extension Settings
sstmnfo_System Info.txt:System Information:
|Installed applications:
|
libs_nssdbm3:http://94.158.247.44/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll
wlts_daedalus:Daedalus;26;Daedalus Mainnet;*;log*,*cache,chain,dictionar*
wlts_mymonero:MyMonero;26;MyMonero;*;*cache*
wlts_xmr:Monero;5;Monero\\wallets;*.keys;-
wlts_wasabi:Wasabi;26;WalletWasabi\\Client;*;*tor*,*log*
ews_metax:mcohilncbfahbmgdjkbpemcciiolgcge;MetaX;Local Extension Settings
ews_xdefi:hmeobnfnfcmdkdcmlblgagmfpfboieaf;XDEFI;IndexedDB
ews_waveskeeper:lpilbniiabackdjcionkobglmddfbcjo;WavesKeeper;Local Extension Settings
ews_solflare:bhhhlbepdkbapadjdnnojkbgioiodbic;Solflare;Local Extension Settings
ews_rabby:acmacodkjbdgmoleebolmdjonilkdbch;Rabby;Local Extension Settings
ews_cyano:dkdedlpgdmmkkfjabffeganieamfklkm;CyanoWallet;Local Extension Settings
ews_coinbase:hnfanknocfeofbddgcijnmhnfnkdnaad;Coinbase;IndexedDB
ews_auromina:cnmamaachppnkjgnildpdmkaakejnhae;AuroWallet;Local Extension Settings
ews_khc:hcflpincpppdclinealmandijcmnkbgn;KHC;Local Extension Settings
ews_tezbox:mnfifefkajgofkcjkemidiaecocnkjeh;TezBox;Local Extension Settings
ews_coin98:aeachknmefphepccionboohckonoeemg;Coin98;Local Extension Settings
ews_temple:ookjlbkiijinhpmnjffcofjonbfbgaoc;Temple;Local Extension Settings
ews_iconex:flpiciilemghbmfalicajoolhkkenfel;ICONex;Local Extension Settings
ews_sollet:fhmfendgdocmcbmfikdcogofphimnkno;Sollet;Local Extension Settings
ews_clover:nhnkbkgjikgcigadomkphalanndcapjk;CloverWallet;Local Extension Settings
ews_polymesh:jojhfeoedkpkglbfimdfabpdfjaoolaf;PolymeshWallet;Local Extension Settings
ews_neoline:cphhlgmgameodnhkjdmkpanlelnlohao;NeoLine;Local Extension Settings
ews_keplr:dmkamcknogkgcdfhhbddcghachkejeap;Keplr;Local Extension Settings
ews_terra_e:ajkhoeiiokighlmdnlakpjfoobnjinie;TerraStation;Local Extension Settings
ews_terra:aiifbnbfobpmeekipheeijimdpnlpgpp;TerraStation;Local Extension Settings
ews_liquality:kpfopkelmapcoipemfendmdcghnegimn;Liquality;Local Extension Settings
ews_saturn:nkddgncdjgjfcddamfgcmfnlhccnimig;SaturnWallet;Local Extension Settings
ews_guild:nanjmdknhkinifnkgdcggcfnhdaammmj;GuildWallet;Local Extension Settings
ews_phantom:bfnaelmomeimhlpmgjnjophhpkkoljpa;Phantom;Local Extension Settings
ews_tronlink:ibnejdfjmmkpcnlpebklmnkoeoihofec;TronLink;Local Extension Settings
ews_brave:odbfpeeihdkbihmopkbjmoonfanlbfcl;Brave;Local Extension Settings
ews_meta_e:ejbalbakoplchlghecdalmeeeajnimhm;MetaMask;Local Extension Settings
ews |
Setup.exe | _ronin_e:kjmoohlgokccodicjjfebfomlbljgfhk;Ronin;Local Extension Settings
ews_mewcx:nlbmnnijcnlegkjjpcfjclmcfggfefdm;MEW_CX;Sync Extension Settings
ews_ton:cgeeodpfagjceefieflmdfphplkenlfk;TON;Local Extension Settings
scrnsht_Screenshot.jpeg:1
tlgrm_Telegram:Telegram Desktop\tdata|*|*emoji*,*user_data*,*tdummy*,*dumps*
token:a45861571245e2ff333456d6cf90a60b |
Setup.exe |