File name: @#Full_Istaller_PcSetup_3377_ṔḁṨṨẄṏṛḋ^$.rar

Full analysis: https://app.any.run/tasks/268fb3de-4d61-45b1-ab62-f58b78fbea46
Verdict: Malicious activity
Threats:

CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites offering "cracked" software. It was first observed in the wild in 2019.

Analysis date: July 07, 2024, 07:40:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer, cryptbot
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 4AFA6DF856AEEF43F946A8FB88FA0EB5
SHA1: 7356748DDA0A3CC4A3A50D20C89799F25F686F60
SHA256: 6F848DD7B20B76EE893512963FC7B5BEF1E638C99A43EE40AABFB16341290DCC
SSDEEP: 98304:Y8B+AuYUvEbORdjt++GsSme56DZfBMN8tfo3fUzjBXFmkVEH8b2ug3F6sScsO2+X:St5ESDuv9XWVwXPFVB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • Sеtup.exe (PID: 3272)
    • Actions look like stealing of personal data

      • Sеtup.exe (PID: 3272)
  • SUSPICIOUS

    • The process creates files with names similar to system file names

      • WinRAR.exe (PID: 3384)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3384)
    • Searches for installed software

      • Sеtup.exe (PID: 3272)
    • Reads browser cookies

      • Sеtup.exe (PID: 3272)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3384)
    • Reads the computer name

      • Sеtup.exe (PID: 3272)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3384)
    • Checks supported languages

      • Sеtup.exe (PID: 3272)
      • Sеtup.exe (PID: 2492)
      • Sеtup.exe (PID: 2192)
      • Sеtup.exe (PID: 764)
      • Sеtup.exe (PID: 3164)
    • Manual execution by a user

      • Sеtup.exe (PID: 3164)
      • taskmgr.exe (PID: 2428)
      • Sеtup.exe (PID: 2192)
      • Sеtup.exe (PID: 2492)
      • taskmgr.exe (PID: 3612)
      • Sеtup.exe (PID: 764)
    • Reads CPU info

      • Sеtup.exe (PID: 3272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes (from start): winrar.exe, sеtup.exe, sеtup.exe (no specs), sеtup.exe (no specs), taskmgr.exe (no specs), taskmgr.exe (no specs), sеtup.exe (no specs), sеtup.exe

Process information

PID | CMD | Path | Parent process (the Indicators column is empty for every process)
764 | "C:\Users\admin\Desktop\Sеtup.exe" | C:\Users\admin\Desktop\Sеtup.exe | explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\desktop\sеtup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
2192 | "C:\Users\admin\Desktop\Sеtup.exe" | C:\Users\admin\Desktop\Sеtup.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\sеtup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
2428 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\System32\taskmgr.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2492 | "C:\Users\admin\Desktop\Sеtup.exe" | C:\Users\admin\Desktop\Sеtup.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\sеtup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
3164 | "C:\Users\admin\Desktop\Sеtup.exe" | C:\Users\admin\Desktop\Sеtup.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\sеtup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
3272 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Sеtup.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Sеtup.exe | WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb3384.33504\sеtup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3384 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\@#Full_Istaller_PcSetup_3377_ṔḁṨṨẄṏṛḋ^$.rar | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3612 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\System32\taskmgr.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 4 908
Read events: 4 871
Write events: 37
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
3384 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
3384 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
3384 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
3384 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface | write | ShowPassword | 0
3384 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
3384 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3384 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
3384 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\@#Full_Istaller_PcSetup_3377_ṔḁṨṨẄṏṛḋ^$.rar
3384 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
3384 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
Executable files: 20
Suspicious files: 46
Text files: 50
Unknown types: 32

Dropped files

PID | Process | Filename | Type
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Resource\CMap\UniKS-UTF16-V | ps
MD5: ABA47550AFFB435A1DCC6B70EFAB5B52
SHA256: 7E403DAE40DF21FE3F9B221F7CE750F7F5BFF9CC73D82D011C4BCC48A0DB60ED
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Resource\Font\CourierStd-BoldOblique.otf | otf
MD5: 6804E7413898972E05823ADD91B1DFC5
SHA256: 698FD9169AD62BD6FAEDD1C8E8637ABC9CC65B3B1A5BA8698242B1447303FBEE
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Resource\Font\CourierStd-Oblique.otf | otf
MD5: 71EC484296A30C9379607E36158CA809
SHA256: C54815A2729D633E400A6835679613090C20B91DA6CB40FA761AAA475EFB77F5
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Resource\Font\MinionPro-BoldIt.otf | otf
MD5: A7487BEFBF3C7BA8C957D269D9BA24E1
SHA256: BEB1CA56F9B4F89FB1549FE63A4BC578D2BD8747F967C1DF26DACD3DED3F0223
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Resource\Font\CourierStd-Bold.otf | otf
MD5: 404952EC4D0AE00DD2F58FB980A99326
SHA256: A3C25F2EC60F8D44F150CD4E478067B06CC7267FBAAF844DA600CE1C31C6E5C1
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Resource\Font\AdobePIStd.otf | otf
MD5: 8653BFE4C32A8528E981748E28C59570
SHA256: 5DBC496C0B5A12D9F9FFDB83A46B9FCDA8D1FC1FCD50832C783BE5E9277A698E
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Resource\Font\MyriadPro-It.otf | otf
MD5: 4413059068C27D82AD49621AE4AAEB5B
SHA256: F234ADAFB66AD5E47A024FF4881C2EDC347D0453C15E811288EF10EB573CC33E
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Resource\Font\CourierStd.otf | otf
MD5: F4C2D3851E2781B2B3FF60A2E34E81AC
SHA256: 54CB5C8E9775CB432AFE32B0AF688536354AD04EF9C9F1450EE7C88A73BC884D
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Resource\CMap\Identity-V | binary
MD5: B5084CBF0AB0C3DEAC97E06CD3CB2ECC
SHA256: 7483DB44E4449A7AE232B30D6CBA0D8746592757D0E91BE82EC45B646C608807
3384 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3384.33504\Resource\Font\MinionPro-Regular.otf | otf
MD5: A4EA2690CFD854B24C968AC6CDCE9C33
SHA256: 327CB2238A82A89176FF6601139CBD0A5CDD8F8E1E057343EAE13FA9B1E10AB8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 13
DNS requests: 5
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(each extracted row carries only PID, Process, Method, HTTP Code, IP and URL, followed by two "unknown" values)
1372 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
3272 | Sеtup.exe | POST | 200 | 5.188.88.16:80 | http://tzten10sb.top/v1/upload.php | unknown | unknown
3272 | Sеtup.exe | POST | 200 | 5.188.88.16:80 | http://tzten10sb.top/v1/upload.php | unknown | unknown
3272 | Sеtup.exe | POST | 200 | 5.188.88.16:80 | http://tzten10sb.top/v1/upload.php | unknown | unknown
1060 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1372 | svchost.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1372 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
3272 | Sеtup.exe | 5.188.88.16:80 | tzten10sb.top | PINVDS OU | RU | unknown
1060 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
tzten10sb.top | 5.188.88.16 | unknown

Threats

PID | Process | Class | Message
1060 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
3272 | Sеtup.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
3272 | Sеtup.exe | A Network Trojan was detected | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
3272 | Sеtup.exe | A Network Trojan was detected | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
3272 | Sеtup.exe | A Network Trojan was detected | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4
No debug info