File name: kb3r1p.rar
Full analysis: https://app.any.run/tasks/bfc8d8ce-bd6d-436c-9b6b-833843f12151
Verdict: Malicious activity
Analysis date: April 23, 2019, 14:44:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: CARBANAK
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 06EFD1354B7418198C66A78FF3E68E59
SHA1: 666C0EF12715E0D554FF4080CCDC6AF8898CBC65
SHA256: 783B2EEFDB90EB78CFDA475073422EE86476ACA65D67FF2C9CF6A6F9067BA5FA
SSDEEP: 98304:1TyTT2A10WTUnbxQiJbTYQjhvAFl+MVCPmNh8:60WobxQUbEQjJwdri

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • makecert.exe (PID: 1732)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 2564)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1492)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

ArchivedFileName: сорцы\botep\.gitignore
PackingMethod: Normal
ModifyDate: 2016:03:24 11:20:17
OperatingSystem: Win32
UncompressedSize: 957
CompressedSize: 390
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: start, winrar.exe, winrar.exe (no specs), makecert.exe (no specs), searchprotocolhost.exe (no specs)

Process information

PID: 1492
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\kb3r1p.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3496
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\kb3r1p.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1732
CMD: "C:\Users\admin\Desktop\сорцы\server\bin\debug\makecert.exe"
Path: C:\Users\admin\Desktop\сорцы\server\bin\debug\makecert.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: ECM MakeCert
Exit code: 4294967295
Version: 6.2.9200.16384 (win8_rtm.120725-1247)

PID: 2564
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Total events: 982
Read events: 940
Write events: 42
Delete events: 0

Modification events

(PID) Process: (1492) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1492) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1492) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1492) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\kb3r1p.rar

(PID) Process: (1492) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1492) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1492) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1492) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process:
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process:
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:
Executable files: 22
Suspicious files: 2
Text files: 718
Unknown types: 12

Dropped files

PID: 1492
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1492.21489\сорцы\botep\bot\include\main.h
Type: text
MD5: 53B1E6698294ED62B8D7AEE5A9084F41
SHA256: DC80E4EDCA628B62F824E319D7B7F956552C578A90239B8480CE573AB95208FD

PID: 1492
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1492.21489\сорцы\botep\bot\include\service.h
Type: text
MD5: B55D0D68496A89181290EF053A565923
SHA256: 36952A71F06000DB06EA8028E01223F43023032D98B7B724B2E2D303F4B35A63

PID: 1492
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1492.21489\сорцы\botep\bot\include\MonitoringProcesses.h
Type: text
MD5: 32E83DD834E61D9E4464C412078C8C80
SHA256: BF9CB2C74D068CDC5E19233EE1165BA333524521BC77AAD4473DA8314AE89DCD

PID: 1492
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1492.21489\сорцы\botep\bot\include\info.h
Type: text
MD5: B501C41939C8BE0944D330FD4031AE41
SHA256: 206F5E7251BF10B6DAC0B29D48859F7FAE7A3D680A965E68EF1318043A2A9D70

PID: 1492
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1492.21489\сорцы\botep\bot\bot.vcxproj
Type: xml
MD5: 4B5C1457E3259653324DD2D573EB242D
SHA256: 8C509AAE196FC0114337193AC38F8A1D530A215448E213D9CDBFF9884BF547A6

PID: 1492
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1492.21489\сорцы\botep\bot\include\Manager.h
Type: text
MD5: 444008023881AAC9CF563294A0127BD1
SHA256: 9699CDD35E481A0EBED2639541A01B9F21D282E69E26C685EE8CADF8CC4A5733

PID: 1492
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1492.21489\сорцы\botep\bot\include\AV.h
Type: text
MD5: DE27D0E35110E32E52C922540B3BF8D0
SHA256: 390B99111F3E4051C1061AF5C06C2B312FF3233A6F9948D2960670B5313155B0

PID: 1492
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1492.21489\сорцы\botep\.gitignore
Type: text
MD5: B0DFC2552001501660AE4D91D49FD414
SHA256: 1901AC02CC9DBE96CEF516107F127EE767197B7DA8807457AFE095E662032BAE

PID: 1492
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1492.21489\сорцы\botep\bot\include\plugins.h
Type: text
MD5: 1739DC7819DB8A53217D49EBC191C0D3
SHA256: E493C0FF6D9BC461386ADC21B47398F5A8287A013FD90545914C839097B6DE90

PID: 1492
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1492.21489\сорцы\botep\bot\include\system.h
Type: text
MD5: 62B8F70195DE5B9505C67080C74A8A4C
SHA256: A2196BC92003BB6629CACBFB33B8A57342A168B968E961209FA50B857925F3BF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info