File name:	ver4_file_x86x64.rar
Full analysis:	https://app.any.run/tasks/3a74e423-6968-4a77-bbd1-70ac1714aea0
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes. A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 30, 2024, 21:17:15
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	evasion privateloader opendir loader risepro stealer stealc gcleaner exfiltration miner adware innosetup amadey botnet meta metastealer redline neoreklami arechclient2 backdoor hijackloader
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	5AE053CD81560F67D718BAD44F6756F1
SHA1:	DE8A87073236605302FC65BD66AF2A6FABA82947
SHA256:	6818DBC64DD5C92DEF6FC4364F5E79FD7A9F409EF9C37C5CA52A8FC0FE2B5820
SSDEEP:	98304:TuMJgyOWmRKdhbgAPT8xCN5Jg9eMQ4KY61q/YH/zAnnQxyje8sUvG4kfZN5R0OlG:p2M/dPSzMK7oD9WsNaiomnEBckJ

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)


(PID) Process:	(1796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(1796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(1796) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(1796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\Win7AndW2K8R2-KB3191566-x64.zip
(PID) Process:	(1796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(1796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\curl-8.5.0_3-win64-mingw.zip
(PID) Process:	(1796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\ver4_file_x86x64.rar
(PID) Process:	(1796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1796) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80

PID	Process	Filename		Type
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb1796.17911\Resource\CMap\Identity-H		binary
		MD5:40F5DC1383E3E8F870ED8F763ED51878	SHA256:AAE946BC17203B5DF12838D07AE5CAFC9E85A1D42D1B94D8475AB2D42B77A5CB
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb1796.17911\Resource\CMap\Identity-V		binary
		MD5:B5084CBF0AB0C3DEAC97E06CD3CB2ECC	SHA256:7483DB44E4449A7AE232B30D6CBA0D8746592757D0E91BE82EC45B646C608807
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb1796.17911\Resource\CMap\UniKS-UTF16-H		binary
		MD5:F65C06189A55139E13885D9716BFE35C	SHA256:AB87D320C81E4C761B7A4CBD342E212DB4EBE169B5D10848F2F57D828874E342
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb1796.17911\Resource\CMap\UCS2-GBK-EUC		binary
		MD5:FB9D6CD4449EC7478EE8AD1BD7465BF5	SHA256:66CDCAED3AA94525C59A82A39A93B96885883BFFADEA1E572464D559D21443A6
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb1796.17911\Resource\CMap\UniKS-UTF16-V		ps
		MD5:ABA47550AFFB435A1DCC6B70EFAB5B52	SHA256:7E403DAE40DF21FE3F9B221F7CE750F7F5BFF9CC73D82D011C4BCC48A0DB60ED
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb1796.17911\Resource\Font\CourierStd-Bold.otf		otf
		MD5:404952EC4D0AE00DD2F58FB980A99326	SHA256:A3C25F2EC60F8D44F150CD4E478067B06CC7267FBAAF844DA600CE1C31C6E5C1
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb1796.17911\Resource\Font\AdobePIStd.otf		binary
		MD5:8653BFE4C32A8528E981748E28C59570	SHA256:5DBC496C0B5A12D9F9FFDB83A46B9FCDA8D1FC1FCD50832C783BE5E9277A698E
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb1796.17911\Resource\Font\CourierStd.otf		otf
		MD5:F4C2D3851E2781B2B3FF60A2E34E81AC	SHA256:54CB5C8E9775CB432AFE32B0AF688536354AD04EF9C9F1450EE7C88A73BC884D
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb1796.17911\Resource\Font\CourierStd-BoldOblique.otf		otf
		MD5:6804E7413898972E05823ADD91B1DFC5	SHA256:698FD9169AD62BD6FAEDD1C8E8637ABC9CC65B3B1A5BA8698242B1447303FBEE
1796	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXb1796.17911\Resource\Font\CourierStd-Oblique.otf		binary
		MD5:71EC484296A30C9379607E36158CA809	SHA256:C54815A2729D633E400A6835679613090C20B91DA6CB40FA761AAA475EFB77F5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2232	file.exe	GET	200	85.192.56.26:80	http://85.192.56.26/api/bing_release.php	unknown	—	—	unknown
2232	file.exe	GET	200	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?fedc2ea20a18172d	unknown	—	—	unknown
2232	file.exe	POST	200	85.192.56.26:80	http://85.192.56.26/api/flash.php	unknown	—	—	unknown
2232	file.exe	POST	200	85.192.56.26:80	http://85.192.56.26/api/flash.php	unknown	—	—	unknown
2232	file.exe	HEAD	—	185.172.128.203:80	http://185.172.128.203/dl.php	unknown	—	—	unknown
2232	file.exe	HEAD	200	5.42.65.64:80	http://5.42.65.64/download.php?pub=inte	unknown	—	—	unknown
2232	file.exe	GET	—	193.233.132.139:80	http://193.233.132.139/padla/fiona.exe	unknown	—	—	unknown
2232	file.exe	GET	—	5.42.66.10:80	http://5.42.66.10/download/th/retail.php	unknown	—	—	unknown
2232	file.exe	GET	—	185.172.128.203:80	http://185.172.128.203/dl.php	unknown	—	—	unknown
2232	file.exe	HEAD	—	188.114.97.3:80	http://sextipolar.sbs/qwqw	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	224.0.0.252:5355	—	—	—	unknown
2232	file.exe	85.192.56.26:80	—	AEZA GROUP Ltd	NL	unknown
360	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2232	file.exe	104.26.8.59:443	api.myip.com	CLOUDFLARENET	US	unknown
2232	file.exe	199.232.210.172:80	ctldl.windowsupdate.com	FASTLY	US	unknown
2232	file.exe	34.117.186.192:443	ipinfo.io	GOOGLE-CLOUD-PLATFORM	US	unknown
2232	file.exe	5.42.65.64:80	—	CJSC Kolomna-Sviaz TV	RU	unknown
2232	file.exe	87.240.137.164:80	vk.com	VKontakte Ltd	RU	unknown

Domain	IP	Reputation
api.myip.com	104.26.8.59 104.26.9.59 172.67.75.163	malicious
ctldl.windowsupdate.com	199.232.210.172 199.232.214.172	whitelisted
ipinfo.io	34.117.186.192	shared
teredo.ipv6.microsoft.com	49.13.77.253	whitelisted
sextipolar.sbs	188.114.97.3 188.114.96.3	unknown
dkgxxh1czdosr.cloudfront.net	13.32.23.50 13.32.23.145 13.32.23.52 13.32.23.163	unknown
vk.com	87.240.137.164 93.186.225.194 87.240.132.72 87.240.129.133 87.240.132.78 87.240.132.67	whitelisted
zanzibarpivo.com	104.21.10.62 172.67.144.181	unknown
monoblocked.com	45.130.41.108	unknown
dod.fastbutters.com	188.114.97.3 188.114.96.3	unknown

PID	Process	Class	Message
2232	file.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
2232	file.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2232	file.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
—	—	A Network Trojan was detected	ET MALWARE Suspected PrivateLoader Activity (POST)
—	—	A Network Trojan was detected	ET MALWARE Suspected PrivateLoader Activity (POST)
—	—	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
2232	file.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 32
2232	file.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 1
—	—	Misc activity	ET INFO EXE - Served Attached HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

Process	Message
gyhJLw5s8IRyu5dmHKG8xWWi.exe	#@#^@#TGRERTERYERY
gyhJLw5s8IRyu5dmHKG8xWWi.exe	td ydrthrhfty
gyhJLw5s8IRyu5dmHKG8xWWi.exe	ewetwertyer eytdryrtdy
gyhJLw5s8IRyu5dmHKG8xWWi.exe	45 hgfch rtdyt gfch
XXIM__e0G3DHfPWwNFbUHPL0.exe	Dk43l_dwmk438*
XXIM__e0G3DHfPWwNFbUHPL0.exe	ewetwertyer eytdryrtdy
XXIM__e0G3DHfPWwNFbUHPL0.exe	td ydrthrhfty
XXIM__e0G3DHfPWwNFbUHPL0.exe	er ert 346 34634 6ch
gyhJLw5s8IRyu5dmHKG8xWWi.exe	drthdrthdrthdr hrtd hr
INy5MlIWJQ7M8Ba3SHyH.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

ver4_file_x86x64.rar

5AE053CD81560F67D718BAD44F6756F1

DE8A87073236605302FC65BD66AF2A6FABA82947

6818DBC64DD5C92DEF6FC4364F5E79FD7A9F409EF9C37C5CA52A8FC0FE2B5820

98304:TuMJgyOWmRKdhbgAPT8xCN5Jg9eMQ4KY61q/YH/zAnnQxyje8sUvG4kfZN5R0OlG:p2M/dPSzMK7oD9WsNaiomnEBckJ

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Creates a writable file in the system directory

Actions looks like stealing of personal data

Drops the executable file immediately after the start

PRIVATELOADER has been detected (YARA)

PRIVATELOADER has been detected (SURICATA)

Changes the autorun value in the registry

RISEPRO has been detected (SURICATA)

Create files in the Startup directory

Starts CMD.EXE for self-deleting

Uses Task Scheduler to autorun other applications

STEALC has been detected (SURICATA)

Connects to the CnC server

Antivirus name has been found in the command line (generic signature)

Run PowerShell with an invisible window

Steals credentials from Web Browsers

Steals credentials

Uses WMIC.EXE to add exclusions to the Windows Defender

RISEPRO has been detected (YARA)

Generic malware mutex has been detected

HIJACKLOADER has been detected (YARA)

AMADEY has been detected (YARA)

GCLEANER has been detected (SURICATA)

AMADEY has been detected (SURICATA)

METASTEALER has been detected (SURICATA)

ARECHCLIENT2 has been detected (SURICATA)

Unusual connection from system programs

NEOREKLAMI has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Checks for external IP

Reads the Internet Settings

Connects to the server without a host name

Reads the BIOS version

Adds/modifies Windows certificates

Device Retrieving External IP Address Detected

Reads settings of System Certificates

Executable content was dropped or overwritten

Checks Windows Trust Settings

Process requests binary or script from the Internet

Process drops legitimate windows executable

Drops 7-zip archiver for unpacking

Executes as Windows Service

Reads the Windows owner or organization settings

Windows Defender mutex has been found

Starts itself from another location

Contacting a server suspected of hosting an CnC

Connects to unusual port

Executing commands from ".cmd" file

Starts CMD.EXE for commands execution

Potential Corporate Privacy Violation

The process drops C-runtime libraries

Searches for installed software

Found strings related to reading or modifying Windows Defender settings

Searches and executes a command on selected files

Uses REG/REGEDIT.EXE to modify registry

Uses TASKKILL.EXE to kill process

Executing commands from a ".bat" file

Starts POWERSHELL.EXE for commands execution

Probably download files using WebClient

Get information on the list of running processes

Using 'findstr.exe' to search for text patterns in files and output

Powershell scripting: start process

Drops a file with a rarely used extension (PIF)

Suspicious file concatenation

Starts application with an unusual extension

The executable file from the user directory is run by the CMD process

Runs PING.EXE to delay simulation

Application launched itself

Reads browser cookies