analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Gemini.zip

Full analysis: https://app.any.run/tasks/67f20c5a-40bd-46e0-96fd-04f70d965fa3
Verdict: Malicious activity
Analysis date: January 14, 2022, 21:22:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

CBFE5673D23E90CC29F1B3B4CA54FB4D

SHA1:

E6B38188153691D1F0D6F5F656728D8C30982FED

SHA256:

64A2713DAE65C9B69DDC8595BF5D16E1D9A60AF83F9654EA1CA931348F29778A

SSDEEP:

98304:pXyoj/EHL/nB8oGfIMWX8pYWLp+ItQwNZDsISlO9eP9XEk4DS33QhDt8yIp:pXyKkL/nB8oSIDXCfAItQk9sDw90Gjm3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1228)
      • Explorer.EXE (PID: 1656)
    • Drops executable file immediately after starts

      • Explorer.EXE (PID: 1656)
    • Application was dropped or rewritten from another process

      • Project_Gemini_3.4.exe (PID: 3488)
      • RtkBtManServ.exe (PID: 3380)
      • bfsvc.exe (PID: 2072)
      • snuvcdsm.exe (PID: 1088)
      • Project_Gemini_3.4.exe (PID: 1672)
      • Project_Gemini_3.4.exe (PID: 2268)
      • hh.exe (PID: 3920)
      • splwow64.exe (PID: 1096)
      • winhlp32.exe (PID: 1648)
      • xwizard.exe (PID: 2312)
      • RtkBtManServ.exe (PID: 2460)
    • Steals credentials from Web Browsers

      • RtkBtManServ.exe (PID: 3380)
      • snuvcdsm.exe (PID: 1088)
      • RtkBtManServ.exe (PID: 2460)
    • Actions looks like stealing of personal data

      • RtkBtManServ.exe (PID: 3380)
      • snuvcdsm.exe (PID: 1088)
      • xwizard.exe (PID: 2312)
      • RtkBtManServ.exe (PID: 2460)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2280)
      • Project_Gemini_3.4.exe (PID: 3488)
      • RtkBtManServ.exe (PID: 3380)
      • WScript.exe (PID: 420)
      • WScript.exe (PID: 2252)
      • bfsvc.exe (PID: 2072)
      • snuvcdsm.exe (PID: 1088)
      • Project_Gemini_3.4.exe (PID: 1672)
      • Project_Gemini_3.4.exe (PID: 2268)
      • WScript.exe (PID: 1408)
      • winhlp32.exe (PID: 1648)
      • WScript.exe (PID: 4076)
      • RtkBtManServ.exe (PID: 2460)
    • Checks supported languages

      • WinRAR.exe (PID: 2280)
      • Project_Gemini_3.4.exe (PID: 3488)
      • RtkBtManServ.exe (PID: 3380)
      • WScript.exe (PID: 420)
      • cmd.exe (PID: 2880)
      • bfsvc.exe (PID: 2072)
      • WScript.exe (PID: 2252)
      • Project_Gemini_3.4.exe (PID: 1672)
      • cmd.exe (PID: 2236)
      • snuvcdsm.exe (PID: 1088)
      • WScript.exe (PID: 1408)
      • Project_Gemini_3.4.exe (PID: 2268)
      • cmd.exe (PID: 3056)
      • winhlp32.exe (PID: 1648)
      • splwow64.exe (PID: 1096)
      • hh.exe (PID: 3920)
      • WScript.exe (PID: 4076)
      • cmd.exe (PID: 3612)
      • xwizard.exe (PID: 2312)
      • RtkBtManServ.exe (PID: 2460)
      • cmd.exe (PID: 880)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2280)
      • Explorer.EXE (PID: 1656)
      • Project_Gemini_3.4.exe (PID: 3488)
      • RtkBtManServ.exe (PID: 3380)
      • Project_Gemini_3.4.exe (PID: 1672)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2280)
      • Explorer.EXE (PID: 1656)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2280)
      • Explorer.EXE (PID: 1656)
      • RtkBtManServ.exe (PID: 3380)
    • Reads Environment values

      • RtkBtManServ.exe (PID: 3380)
      • RtkBtManServ.exe (PID: 2460)
    • Reads the cookies of Mozilla Firefox

      • RtkBtManServ.exe (PID: 3380)
      • RtkBtManServ.exe (PID: 2460)
    • Executes scripts

      • RtkBtManServ.exe (PID: 3380)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 420)
      • WScript.exe (PID: 2252)
      • WScript.exe (PID: 1408)
      • WScript.exe (PID: 4076)
      • RtkBtManServ.exe (PID: 3380)
    • Reads the cookies of Google Chrome

      • winhlp32.exe (PID: 1648)
    • Loads DLL from Mozilla Firefox

      • splwow64.exe (PID: 1096)
    • Creates files in the user directory

      • splwow64.exe (PID: 1096)
      • xwizard.exe (PID: 2312)
    • Starts CHOICE.EXE (used to create a delay)

      • cmd.exe (PID: 880)
  • INFO

    • Checks supported languages

      • SearchProtocolHost.exe (PID: 1228)
      • choice.exe (PID: 2568)
    • Reads the computer name

      • SearchProtocolHost.exe (PID: 1228)
    • Reads settings of System Certificates

      • RtkBtManServ.exe (PID: 3380)
      • RtkBtManServ.exe (PID: 2460)
    • Checks Windows Trust Settings

      • WScript.exe (PID: 2252)
      • WScript.exe (PID: 420)
      • WScript.exe (PID: 1408)
      • WScript.exe (PID: 4076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2098:01:01 01:00:00
ZipCRC: 0x4439a3d8
ZipCompressedSize: 391473
ZipUncompressedSize: 1324032
ZipFileName: BrotliSharpLib.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
69
Monitored processes
24
Malicious processes
9
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start winrar.exe searchprotocolhost.exe no specs explorer.exe project_gemini_3.4.exe rtkbtmanserv.exe wscript.exe no specs cmd.exe no specs bfsvc.exe no specs wscript.exe no specs cmd.exe no specs snuvcdsm.exe project_gemini_3.4.exe project_gemini_3.4.exe no specs wscript.exe no specs cmd.exe no specs winhlp32.exe no specs splwow64.exe no specs hh.exe no specs wscript.exe no specs cmd.exe no specs xwizard.exe cmd.exe no specs choice.exe no specs rtkbtmanserv.exe

Process information

PID
CMD
Path
Indicators
Parent process
2280"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Gemini.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\usp10.dll
1228"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
1656C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3488"C:\Users\admin\Desktop\virus\Project_Gemini_3.4.exe" C:\Users\admin\Desktop\virus\Project_Gemini_3.4.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\windows\system32\mscoree.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\users\admin\desktop\virus\project_gemini_3.4.exe
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3380"C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4MrS8XYPae42vHBCmVGz5LuTrpOtikH8tggmmTYMabgILKk6ilwPmb43Ls83Nr/LHqiuZPbcUSt/o9uSOJIHReT7fF/YFDDj6zFV1jZBd/Kj/kBi8wyZPZMXDeiHjFPGc=C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe
Project_Gemini_3.4.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RtkBtManServ
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\rtkbtmanserv.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
420"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\compile.vbs" C:\Windows\System32\WScript.exeRtkBtManServ.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft � Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2880"C:\Windows\System32\cmd.exe" /c compile.batC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2072C:\Users\admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\admin\AppData\Local\Temp\capture.png"C:\Users\admin\AppData\Local\Temp\bfsvc.execmd.exe
User:
admin
Company:
NirSoft
Integrity Level:
MEDIUM
Description:
WebCamImageSave
Exit code:
3221225547
Version:
1.11
Modules
Images
c:\users\admin\appdata\local\temp\bfsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
2252"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\compile.vbs" C:\Windows\System32\WScript.exeRtkBtManServ.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft � Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2236"C:\Windows\System32\cmd.exe" /c compile.batC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
17 788
Read events
17 528
Write events
258
Delete events
2

Modification events

(PID) Process:(2280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2280) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Gemini.zip
(PID) Process:(2280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2280) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
33
Suspicious files
27
Text files
19
Unknown types
3

Dropped files

PID
Process
Filename
Type
2280WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\TwoCaptcha.dllexecutable
MD5:0BA56E43509DF3D799C2D4BE6CF2F236
SHA256:DFC587F85A86A4DDDB2E7603E3D205E4B2F33D9CF9A943DA8A2213C5807EC9DE
2280WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\MetroSuite 2.0.dllexecutable
MD5:7988C35882E1F099ACC9F8C2819F8121
SHA256:2FAAF6AFE6C42E60CEED13C2BDD3F9DF62D21ED85589D77112D84C6B79CA000A
1656Explorer.EXEC:\Users\admin\Desktop\virus\MetroSuite 2.0.dllexecutable
MD5:7988C35882E1F099ACC9F8C2819F8121
SHA256:2FAAF6AFE6C42E60CEED13C2BDD3F9DF62D21ED85589D77112D84C6B79CA000A
2280WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\websocket-sharp-customheaders.dllexecutable
MD5:5F0E090A911EAA61DAA3C95818B76380
SHA256:9A77112F10C96B4C5F099208ECA409ABECC07E2395CD72ED1FDFE9839CC1262B
2280WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\BrotliSharpLib.dllexecutable
MD5:7BA33B5FBFD4662D72B50BB09BDE7ED7
SHA256:EC1E6529A83DB97684474C1CB4E0A989EB7BCFEA98591AFC2C026B08F48600A0
1656Explorer.EXEC:\Users\admin\Desktop\virus\BrotliSharpLib.dllexecutable
MD5:7BA33B5FBFD4662D72B50BB09BDE7ED7
SHA256:EC1E6529A83DB97684474C1CB4E0A989EB7BCFEA98591AFC2C026B08F48600A0
2280WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\Bunifu.UI.WinForms.1.5.3.dllexecutable
MD5:B4280D2898D92AB5C3911F0305D7672F
SHA256:E2248459DCC95183D0F0C5F3ABD3B0A2B93CD26CF8E130A1F43C8B32C58F4C8F
1656Explorer.EXEC:\Users\admin\Desktop\virus\Guna.UI.dllexecutable
MD5:6D6A1F28978D42AD2F0A8F278EAAC966
SHA256:FB23FA4FCA8F28BEBE7B7E39593A211CD3C3405DE5F948EC520E859B1BCAF91E
2280WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\Bunifu.UI.WinForms.BunifuSlider.dllexecutable
MD5:DC256AF8A6709E8D02DBCA9955A73B32
SHA256:DC3BE56629858FF7327BFBB3A5986D87AF3A2D48E4D40806320AF5C1F8432005
2280WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2280.12312\Bunifu.Licensing.dllexecutable
MD5:8836EDB783CE89CA6481C297772325BC
SHA256:CFA1993C3E7272B3AEE610634592C26BEAF8E573AC9D3C59695E35A5D2372B17
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
12
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2460
RtkBtManServ.exe
162.159.138.232:443
discord.com
Cloudflare Inc
malicious
2460
RtkBtManServ.exe
162.159.137.232:443
discord.com
Cloudflare Inc
malicious
2460
RtkBtManServ.exe
162.159.135.232:443
discord.com
Cloudflare Inc
malicious
3380
RtkBtManServ.exe
162.159.128.233:443
discord.com
Cloudflare Inc
malicious
2460
RtkBtManServ.exe
162.159.136.232:443
discord.com
Cloudflare Inc
shared
2460
RtkBtManServ.exe
162.159.128.233:443
discord.com
Cloudflare Inc
malicious

DNS requests

Domain
IP
Reputation
itroublvehacker.gq
whitelisted
discord.com
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.138.232
  • 162.159.136.232
  • 162.159.137.232
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .gq Domain
No debug info