File name:

zarar.exe

Full analysis: https://app.any.run/tasks/1883573e-c1e3-48b8-96ed-1f2987028598
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: September 03, 2025, 16:44:44
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
telegram
python
pyinstaller
ims-api
generic
crypto-regex
rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:

3664934135266461B176DC3D5447FA8D

SHA1:

EE6DEA06FD808B78E61ABC9FFF3789092DB9B995

SHA256:

6CE8BB5BA3427086F9970D55266B17B92D7F577FA16D1CC2A4760CD281595CE3

SSDEEP:

196608:0hBiCWMG+A7q/T+pmWOwQb3LTyYPu7Nddg7JVSRDKAmnu:kvWJzq/qkWOz7TywcNddSJ0rmnu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • zarar.exe (PID: 1212)

    • Steals credentials from Web Browsers

      • zarar.exe (PID: 1212)

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • zarar.exe (PID: 512)

    • Process drops python dynamic module

      • zarar.exe (PID: 512)

    • Process drops legitimate windows executable

      • zarar.exe (PID: 512)

    • Executable content was dropped or overwritten

      • zarar.exe (PID: 512)

    • Application launched itself

      • zarar.exe (PID: 512)

    • Loads Python modules

      • zarar.exe (PID: 1212)

    • Found regular expressions for crypto-addresses (YARA)

      • zarar.exe (PID: 1212)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • zarar.exe (PID: 1212)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • zarar.exe (PID: 1212)

    • There is functionality for taking screenshot (YARA)

      • zarar.exe (PID: 1212)

  • INFO

    • Reads the computer name

      • zarar.exe (PID: 512)
      • zarar.exe (PID: 1212)

    • Checks supported languages

      • zarar.exe (PID: 512)
      • zarar.exe (PID: 1212)

    • Create files in a temporary directory

      • zarar.exe (PID: 512)
      • zarar.exe (PID: 1212)

    • The sample compiled with english language support

      • zarar.exe (PID: 512)

    • Checks proxy server information

      • zarar.exe (PID: 1212)
      • slui.exe (PID: 6240)

    • PyInstaller has been detected (YARA)

      • zarar.exe (PID: 512)
      • zarar.exe (PID: 1212)

    • Reads the software policy settings

      • slui.exe (PID: 6240)

    • Application based on Rust

      • zarar.exe (PID: 1212)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(1212) zarar.exe
Telegram-Tokens (1)7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI
Telegram-Info-Links
7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI
Get info about bothttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getMe
Get incoming updateshttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getUpdates
Get webhookhttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/deleteWebhook?drop_pending_updates=true
Telegram-Tokens (1)7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI
Telegram-Info-Links
7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI
Get info about bothttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getMe
Get incoming updateshttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getUpdates
Get webhookhttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI
End-PointsendMessage
Args
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:09:03 16:32:36+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 179712
InitializedDataSize: 155136
UninitializedDataSize: -
EntryPoint: 0xc650
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start zarar.exe conhost.exe no specs zarar.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
512"C:\Users\admin\Desktop\zarar.exe" C:\Users\admin\Desktop\zarar.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\zarar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1212"C:\Users\admin\Desktop\zarar.exe" C:\Users\admin\Desktop\zarar.exe
zarar.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\zarar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
ims-api
(PID) Process(1212) zarar.exe
Telegram-Tokens (1)7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI
Telegram-Info-Links
7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI
Get info about bothttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getMe
Get incoming updateshttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getUpdates
Get webhookhttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/deleteWebhook?drop_pending_updates=true
(PID) Process(1212) zarar.exe
Telegram-Tokens (1)7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI
Telegram-Info-Links
7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI
Get info about bothttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getMe
Get incoming updateshttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getUpdates
Get webhookhttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7846233211:AAFzKPEOS43qwV6cKb0sFuWX88c5AFeB0VI
End-PointsendMessage
Args
2200C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6240C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6948\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exezarar.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 888
Read events
3 888
Write events
0
Delete events
0

Modification events

No data
Executable files
47
Suspicious files
7
Text files
10
Unknown types
0

Dropped files

PID
Process
Filename
Type
512zarar.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\VCRUNTIME140.dllexecutable
MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
512zarar.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\_ctypes.pydexecutable
MD5:5377AB365C86BBCDD998580A79BE28B4
SHA256:6C5F31BEF3FDBFF31BEAC0B1A477BE880DDA61346D859CF34CA93B9291594D93
512zarar.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\Pythonwin\mfc140u.dllexecutable
MD5:84B82C149B450D3C8E0D06F09A416B5D
SHA256:1EC2A31A1302E720C799BAD2FD90CF3457C6B2A375C4B41FAEFEE1A91D92F3E0
512zarar.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\VCRUNTIME140_1.dllexecutable
MD5:F8DFA78045620CF8A732E67D1B1EB53D
SHA256:A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
512zarar.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\_hashlib.pydexecutable
MD5:A25BC2B21B555293554D7F611EAA75EA
SHA256:43ACECDC00DD5F9A19B48FF251106C63C975C732B9A2A7B91714642F76BE074D
512zarar.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\_overlapped.pydexecutable
MD5:737F46E8DAC553427A823C5F0556961C
SHA256:2187281A097025C03991CD8EB2C9CA416278B898BD640A8732421B91ADA607E8
512zarar.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\_lzma.pydexecutable
MD5:9E94FAC072A14CA9ED3F20292169E5B2
SHA256:A46189C5BD0302029847FED934F481835CB8D06470EA3D6B97ADA7D325218A9F
512zarar.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\_socket.pydexecutable
MD5:69801D1A0809C52DB984602CA2653541
SHA256:67ACA001D36F2FCE6D88DBF46863F60C0B291395B6777C22B642198F98184BA3
512zarar.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\_ssl.pydexecutable
MD5:90F080C53A2B7E23A5EFD5FD3806F352
SHA256:FA5E6FE9545F83704F78316E27446A0026FBEBB9C0C3C63FAED73A12D89784D4
512zarar.exeC:\Users\admin\AppData\Local\Temp\_MEI5122\_multiprocessing.pydexecutable
MD5:41EE16713672E1BFC4543E6AE7588D72
SHA256:2FEB0BF9658634FE8405F17C4573FEB1C300E9345D7965738BEDEB871A939E6B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
30
TCP/UDP connections
46
DNS requests
21
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1040
RUXIMICS.exe
GET
200
2.17.251.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
1268
svchost.exe
GET
200
2.17.251.99:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
POST
200
20.190.159.128:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
unknown
1268
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
POST
400
40.126.32.138:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
20.190.159.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
40.126.32.138:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
40.126.32.133:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
40.126.32.72:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
200
40.126.32.74:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
16.7 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1040
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1040
RUXIMICS.exe
2.17.251.99:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
2.17.251.99:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1212
zarar.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted
1212
zarar.exe
45.112.123.126:443
api.gofile.io
AMAZON-02
SG
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 2.17.251.99
  • 2.17.251.116
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.200.197.152
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
api.gofile.io
  • 45.112.123.126
  • 51.75.242.210
whitelisted
login.live.com
  • 40.126.31.3
  • 20.190.159.73
  • 20.190.159.2
  • 20.190.159.23
  • 20.190.159.75
  • 20.190.159.4
  • 40.126.31.69
  • 40.126.31.128
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
1212
zarar.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
2200
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
2200
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
1212
zarar.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
1212
zarar.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
zarar.exe