analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| download: | DoxRapist.rar |
| Full analysis: | https://app.any.run/tasks/4f7456e0-b9d9-42dd-a995-6b2dbb7440e4 |
| Verdict: | Malicious activity |
| Analysis date: | July 13, 2020, 02:07:36 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | CF34FB5A2B91838EDE42E1C053DBF22B |
| SHA1: | 7A9ADE4F00B502615276CDADFAD02F1762086C2D |
| SHA256: | 6838EBD274C81502325AD44283C1065CB9A76FFFC3731552BBE8EB41A064C29D |
| SSDEEP: | 98304:nNCZr0/D9OC+8ArkNLdgGKLn+pI3oqjHYlfl+ioTOqkp9:UG9SVYdgGKLnGIxHYlflR9 |
MALICIOUS
Application was dropped or rewritten from another process
- DoxRapist.exe (PID: 1888)
- DoxRapist.exe (PID: 1480)
- DoxRapist.exe (PID: 2112)
- DoxRapist.exe (PID: 1364)
Changes settings of System certificates
- DoxRapist.exe (PID: 1888)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2084)
Creates files in the user directory
- DoxRapist.exe (PID: 1888)
Reads internet explorer settings
- DoxRapist.exe (PID: 1888)
Reads Internet Cache Settings
- DoxRapist.exe (PID: 1888)
Adds / modifies Windows certificates
- DoxRapist.exe (PID: 1888)
INFO
Manual execution by user
- DoxRapist.exe (PID: 2112)
- DoxRapist.exe (PID: 1364)
Reads settings of System Certificates
- DoxRapist.exe (PID: 1888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
44
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2084 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\DoxRapist.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
| 1480 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2084.41076\DoxRapist.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2084.41076\DoxRapist.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Description: DoxRapist Exit code: 3221226540 Version: 4.7.0.0 | ||||
| 1888 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2084.41076\DoxRapist.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2084.41076\DoxRapist.exe | WinRAR.exe | |
User: admin Integrity Level: HIGH Description: DoxRapist Version: 4.7.0.0 | ||||
| 2112 | "C:\Users\admin\Desktop\DoxRapist.exe" | C:\Users\admin\Desktop\DoxRapist.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: DoxRapist Exit code: 3221226540 Version: 4.7.0.0 | ||||
| 1364 | "C:\Users\admin\Desktop\DoxRapist.exe" | C:\Users\admin\Desktop\DoxRapist.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: DoxRapist Exit code: 0 Version: 4.7.0.0 | ||||
Total events
1 824
Read events
583
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
7
Text files
5
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1888 | DoxRapist.exe | C:\Users\admin\AppData\Local\Temp\Tar26A1.tmp | — | |
MD5:— | SHA256:— | |||
| 1888 | DoxRapist.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_E922AD58644B813DAC336E7D2F393E13 | binary | |
MD5:8A1208925021B0D76AB2E7A08640CB13 | SHA256:1EADC4E6694E43D60DDB06ECF16907457C34EF5398722A96F91F99E12BA2A7DE | |||
| 1888 | DoxRapist.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\AZ5C1E58.txt | text | |
MD5:6BF07D232B11307B73C316C361AC4A99 | SHA256:09B74DA9A6C9917FC7DF53265BFC0B813ED58FCE0682617E8DD860E7A53BDF66 | |||
| 1888 | DoxRapist.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_21186D07D721C0F54AF48F7972D0ED1B | der | |
MD5:01319ADCD9C9917CF4FDFBF779E939B8 | SHA256:DDB348BB25FEAA177BEDF4997D95B5CFDF2500F16D77B054DBFD5703591C5B99 | |||
| 1888 | DoxRapist.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | der | |
MD5:1C400D233070530C717A810D7F9BC99E | SHA256:58B407B0DDF17FBF78FCB2E2DAD4FABAADA9BD88641F19941480951A200AE4E0 | |||
| 2084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2084.41076\DoxRapist.exe | executable | |
MD5:135E1B6DABC928C02B1D533EB51EFC0F | SHA256:50B7AAC5261723D62FD94695D8D8EC968CBC0859A95DCCF43E0265346ED1AE5F | |||
| 1888 | DoxRapist.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\api[1].js | text | |
MD5:3FEF60A1A3886C8042EE72C06A68B3F4 | SHA256:60E4DA764E03AE5C3A42F4BCACC87BBA10F56F0E121C5A306D8DDFCEC95CD62D | |||
| 2084 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2084.41224\DoxRapist.exe | executable | |
MD5:135E1B6DABC928C02B1D533EB51EFC0F | SHA256:50B7AAC5261723D62FD94695D8D8EC968CBC0859A95DCCF43E0265346ED1AE5F | |||
| 1888 | DoxRapist.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\1URRHOQU.txt | text | |
MD5:40160017736223E106B5EA12D8086B8F | SHA256:5BFCE6EE903F774A0D06FE33E22B75900B22FAC1E28C05CF9CCC599D4E052834 | |||
| 1888 | DoxRapist.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary | |
MD5:8F3C483C903C903F3C375A2CE016502F | SHA256:DC52AEDF205C8EB1B83103111CF589AA8363135B606B6FA10E89EA660288A228 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
5
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1888 | DoxRapist.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDCBDbuX62tRAgAAAABvB68%3D | US | der | 471 b | whitelisted |
1888 | DoxRapist.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
1888 | DoxRapist.exe | GET | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD9bz4kmMJbHQgAAAAAR%2FAz | US | der | 472 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1888 | DoxRapist.exe | 172.217.18.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
1888 | DoxRapist.exe | 172.217.22.67:443 | www.gstatic.com | Google Inc. | US | whitelisted |
1364 | DoxRapist.exe | 145.14.145.135:443 | doxrapistdatabase.000webhostapp.com | Hostinger International Limited | US | shared |
1888 | DoxRapist.exe | 145.14.145.135:443 | doxrapistdatabase.000webhostapp.com | Hostinger International Limited | US | shared |
1888 | DoxRapist.exe | 172.217.23.100:443 | www.google.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
doxrapistdatabase.000webhostapp.com |
| shared |
www.google.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
www.gstatic.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup) |
1888 | DoxRapist.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |
1364 | DoxRapist.exe | Not Suspicious Traffic | ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com) |