File name: Best PC Software 2023.zip
Full analysis: https://app.any.run/tasks/29fdd1a8-8022-4539-a2cd-bd0a293313cb
Verdict: Malicious activity
Threats:
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 01, 2023, 14:14:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
raccoon
recordbreaker
trojan
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 80751C2729541619281B6EBC3F4759D1
SHA1: B9DCC1FEFB0E3498E2B9AFBB06498F51957A8823
SHA256: 6C1BC4C2526FF9F627B778EF80637EA9D40F79A9AA8575371037089D9F11CD0D
SSDEEP: 196608:8s1+Ewp2to9nzctJTqH1ADxVS/7EZwNgOtW/FRXvjt67CxPo0eF8aa/I8:8KwpjzcXIqxVIYuNJApx6XTap

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • HN2v0SSo.exe (PID: 2888)
    • Connects to the CnC server
      • Sеtup.exe (PID: 3480)
    • RACCOON was detected
      • Sеtup.exe (PID: 3480)
    • Actions look like stealing of personal data
      • Sеtup.exe (PID: 3480)
  • SUSPICIOUS
    • Searches for installed software
      • Sеtup.exe (PID: 3480)
    • Reads the Internet Settings
      • Sеtup.exe (PID: 3480)
    • Executable content was dropped or overwritten
      • Sеtup.exe (PID: 3480)
    • Connects to the server without a host name
      • Sеtup.exe (PID: 3480)
    • Process requests binary or script from the Internet
      • Sеtup.exe (PID: 3480)
    • Reads browser cookies
      • Sеtup.exe (PID: 3480)
  • INFO
    • Reads the machine GUID from the registry
      • Sеtup.exe (PID: 3480)
    • Reads the computer name
      • Sеtup.exe (PID: 3480)
    • Checks supported languages
      • HN2v0SSo.exe (PID: 2888)
      • Sеtup.exe (PID: 3480)
    • Checks proxy server information
      • Sеtup.exe (PID: 3480)
    • The process checks LSA protection
      • Sеtup.exe (PID: 3480)
    • Reads environment values
      • Sеtup.exe (PID: 3480)
    • Reads product name
      • Sеtup.exe (PID: 3480)
    • Creates files in a temporary directory
      • Sеtup.exe (PID: 3480)
    • Creates files or folders in the user directory
      • Sеtup.exe (PID: 3480)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2023:04:01 08:44:18
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Best PC Software 2023/
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive; available in the full report): start -> winrar.exe -> drop and start -> sеtup.exe (#RACCOON) -> hn2v0sso.exe

Process information

PID 2588 | WinRAR.exe
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Best PC Software 2023.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll

PID 3480 | Sеtup.exe
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb2588.46119\Best PC Software 2023\Sеtup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2588.46119\Best PC Software 2023\Sеtup.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exb2588.46119\best pc software 2023\sеtup.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll

PID 2888 | HN2v0SSo.exe
CMD: "C:\Users\admin\AppData\Roaming\HN2v0SSo.exe"
Path: C:\Users\admin\AppData\Roaming\HN2v0SSo.exe
Parent process: Sеtup.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\hn2v0sso.exe
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
Total events: 5 440
Read events: 5 384
Write events: 56
Delete events: 0

Modification events

PID 2588 WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID 2588 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
PID 2588 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
PID 2588 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\phacker.zip
PID 2588 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 2588 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 2588 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 2588 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
PID 2588 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 2588 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
Executable files: 18
Suspicious files: 2
Text files: 4
Unknown types: 12

Dropped files

PID 2588 WinRAR.exe -> C:\Users\admin\AppData\Local\Temp\Rar$EXb2588.46119\Best PC Software 2023\Sеtup.exe (type, MD5 and SHA256 not recorded)
PID 3480 Sеtup.exe -> C:\Users\admin\AppData\Roaming\HN2v0SSo.exe (executable)
  MD5: 29D3F4AA52D5E748585480880661348A
  SHA256: A8DC9CF18FAA505F034C5E0BA42C132E73DA7411D5237EC036C792A09E2B6A71
PID 3480 Sеtup.exe -> C:\Users\admin\AppData\LocalLow\99XS1j1J66Su (sqlite)
  MD5: B8E63E7225C9F4E0A81371F29D6456D8
  SHA256: 35A6919CE60EA8E0A44934F8B267BDE2C5A063C2E32F22D34724F168C43150C8
PID 3480 Sеtup.exe -> C:\Users\admin\AppData\LocalLow\VW7VkMW4MYvF (sqlite)
  MD5: D02907BE1C995E1E51571EEDB82FA281
  SHA256: 2189977F6EA58BDAD5883720B099E12B869F223FB9B18AC40E7D37C5954A55DD
PID 3480 Sеtup.exe -> C:\Users\admin\AppData\LocalLow\raLi6rN6ebmk (sqlite)
  MD5: 23D08A78BC908C0B29E9800D3D5614E7
  SHA256: F6BD7DF5DFAE9FD88811A807DBA14085E00C1B5A6D7CC3D06CC68F6015363D59
PID 3480 Sеtup.exe -> C:\Users\admin\AppData\LocalLow\3vo0XMzEk122 (sqlite)
  MD5: CC104C4E4E904C3AD7AD5C45FBFA7087
  SHA256: 321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
PID 3480 Sеtup.exe -> C:\Users\admin\AppData\LocalLow\LEGs0YtD7M3O (text)
  MD5: E7CE898AADD69F4E4280010B7808116E
  SHA256: C9214BB54F10242AA254F0758372A440C8D8F49934021F8F08B6DF9FB377EB02
PID 3480 Sеtup.exe -> C:\Users\admin\AppData\LocalLow\raLi6rN6ebmk-shm (binary)
  MD5: B7C14EC6110FA820CA6B65F5AEC85911
  SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
PID 3480 Sеtup.exe -> C:\Users\admin\AppData\LocalLow\softokn3.dll (executable)
  MD5: 63A1FE06BE877497C4C2017CA0303537
  SHA256: 44BE3153C15C2D18F49674A092C135D3482FB89B77A1B2063D01D02985555FE0
PID 3480 Sеtup.exe -> C:\Users\admin\AppData\LocalLow\sqlite3.dll (executable)
  MD5: DBF4F8DCEFB8056DC6BAE4B67FF810CE
  SHA256: 47B64311719000FA8C432165A0FDCDFED735D5B54977B052DE915B1CBBBF9D68
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3480 | Sеtup.exe | GET | 200 | 37.220.87.61:80 | http://37.220.87.61/Clip1.exe | UZ | executable | 6.78 Mb | malicious
3480 | Sеtup.exe | GET | 200 | 77.73.134.35:80 | http://77.73.134.35/bebra.exe | KZ | executable | 13.8 Mb | malicious
3480 | Sеtup.exe | POST | 200 | 37.220.87.66:80 | http://37.220.87.66/ | UZ | text | 7.22 Kb | malicious
3480 | Sеtup.exe | POST | 200 | 37.220.87.66:80 | http://37.220.87.66/bae082128e0e1333be4bf5447da6da4c | UZ | text | 8 b | malicious
3480 | Sеtup.exe | POST | 200 | 37.220.87.66:80 | http://37.220.87.66/bae082128e0e1333be4bf5447da6da4c | UZ | text | 8 b | malicious
3480 | Sеtup.exe | GET | 200 | 37.220.87.66:80 | http://37.220.87.66/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll | UZ | executable | 78.2 Kb | malicious
3480 | Sеtup.exe | GET | 200 | 37.220.87.66:80 | http://37.220.87.66/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll | UZ | executable | 1.05 Mb | malicious
3480 | Sеtup.exe | GET | 200 | 37.220.87.66:80 | http://37.220.87.66/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll | UZ | executable | 668 Kb | malicious
3480 | Sеtup.exe | GET | 200 | 37.220.87.66:80 | http://37.220.87.66/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll | UZ | executable | 1.95 Mb | malicious
3480 | Sеtup.exe | POST | 200 | 37.220.87.66:80 | http://37.220.87.66/bae082128e0e1333be4bf5447da6da4c | UZ | text | 8 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3480 | Sеtup.exe | 37.220.87.61:80 | - | LLC Internet Tehnologii | UZ | malicious
3480 | Sеtup.exe | 77.73.134.35:80 | - | Partner LLC | KZ | malicious
3480 | Sеtup.exe | 37.220.87.66:80 | - | LLC Internet Tehnologii | UZ | malicious

DNS requests: No data

Threats

PID | Process | Class | Message
3480 | Sеtup.exe | A Network Trojan was detected | ET MALWARE Win32/RecordBreaker CnC Checkin M1
3480 | Sеtup.exe | A Network Trojan was detected | ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
3480 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
3480 | Sеtup.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
3480 | Sеtup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3480 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
3480 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
3480 | Sеtup.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
3480 | Sеtup.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
3480 | Sеtup.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
No debug info