CrystalCrypter2.zip

Full analysis: https://app.any.run/tasks/432d738b-565d-4a02-a7ec-673c9818fe01
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as open-source remote administration software, but attackers routinely deploy it as malware for its remote-control and data-theft capabilities.

Analysis date: June 27, 2022, 09:56:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, stealer, asyncrat
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: C6A2E7778294128F204654BE18FC4BB1
SHA1: B4483E311FB3510964FEFF512D4E86B41B4DFDDD
SHA256: 79929C389CE10E81B34FD52F257C076BEE6847756174D2110BFA9B3E05A654D2
SSDEEP: 98304:6fK/fCcjKoZeupHwsL8cD+mSWr4o5iGuUPz8V3id0qpK:6fKnFVwRml4o96MpK

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been influenced by analyst actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after start
      • WinRAR.exe (PID: 3172)
      • CrystalCrypter2.exe (PID: 3388)
      • win64obf.exe (PID: 2772)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3556)
    • Application was dropped or rewritten from another process
      • CrystalCrypter2.exe (PID: 3388)
      • CrystalCrypter2.exe (PID: 1612)
      • win32dll.exe (PID: 2168)
      • win64obf.exe (PID: 2772)
      • 12.exe (PID: 1844)
    • Executes PowerShell scripts
      • cmd.exe (PID: 3692)
      • cmd.exe (PID: 3472)
    • Stealing of credential data
      • 12.exe (PID: 1844)
    • Steals credentials from web browsers
      • 12.exe (PID: 1844)
    • Actions look like stealing of personal data
      • 12.exe (PID: 1844)
    • Uses Task Scheduler to run other applications
      • cmd.exe (PID: 924)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 984)
    • ASYNCRAT detected by memory dumps
      • win32dll.exe (PID: 2168)
  • SUSPICIOUS
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3172)
      • CrystalCrypter2.exe (PID: 3388)
      • win64obf.exe (PID: 2772)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3172)
      • CrystalCrypter2.exe (PID: 3388)
      • win64obf.exe (PID: 2772)
    • Reads the computer name
      • WinRAR.exe (PID: 3172)
      • powershell.exe (PID: 4064)
      • powershell.exe (PID: 1788)
      • 12.exe (PID: 1844)
      • win64obf.exe (PID: 2772)
      • powershell.exe (PID: 2340)
      • win32dll.exe (PID: 2168)
    • Checks supported languages
      • WinRAR.exe (PID: 3172)
      • CrystalCrypter2.exe (PID: 3388)
      • cmd.exe (PID: 3472)
      • powershell.exe (PID: 4064)
      • powershell.exe (PID: 1788)
      • cmd.exe (PID: 3692)
      • cmd.exe (PID: 992)
      • cmd.exe (PID: 2072)
      • win64obf.exe (PID: 2772)
      • cmd.exe (PID: 2348)
      • 12.exe (PID: 1844)
      • powershell.exe (PID: 2340)
      • cmd.exe (PID: 3468)
      • cmd.exe (PID: 924)
      • win32dll.exe (PID: 2168)
    • Starts CMD.EXE for command execution
      • CrystalCrypter2.exe (PID: 3388)
      • win64obf.exe (PID: 2772)
    • Reads the cookies of Mozilla Firefox
      • 12.exe (PID: 1844)
    • Reads Windows Product ID
      • 12.exe (PID: 1844)
    • Creates files in the user directory
      • 12.exe (PID: 1844)
      • win64obf.exe (PID: 2772)
    • Reads environment values
      • 12.exe (PID: 1844)
    • Checks for external IP
      • 12.exe (PID: 1844)
    • Searches for installed software
      • 12.exe (PID: 1844)
  • INFO
    • Manual execution by user
      • CrystalCrypter2.exe (PID: 1612)
      • CrystalCrypter2.exe (PID: 3388)
    • Checks Windows Trust Settings
      • powershell.exe (PID: 4064)
      • powershell.exe (PID: 1788)
      • powershell.exe (PID: 2340)
    • Reads settings of System Certificates
      • powershell.exe (PID: 4064)
      • powershell.exe (PID: 2340)
    • Reads the computer name
      • schtasks.exe (PID: 984)
    • Checks supported languages
      • schtasks.exe (PID: 984)
      • timeout.exe (PID: 2488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat configuration (PID 2168, win32dll.exe)

Install_Folder: %AppData%
Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Aes_Key: e25c9eefe2303a70a9bc899133e386df497c24dfae74b0c9c8b8545af545e6bb
Botnet: YouTube
bdos: false
PasteBin: null
AntiVM: false
Server_Signature: HQuG+mi0Oi1Vl9KZFfjd1D8A7usHxos8nh0FyMs0RsXDs0J+6Fbd0dAaWrRq9yg8IRX5uwIZNAW1tsUU1WyiEQIGHLk1Zjt93f1qp/GF435d3/kyfDctk/P/BWJYCvhJyDuPLlPkzVegp3V//SfjN4npu+4MDoQG+eG3bD3JKcPuErKBpaN7BOnXnkMSryDXGdkQ4wJLk+9BwNHXDIw/5QQd0UuwFwNv7t4xmRlz+klcPbZ+SC9zsCmG4du6pzf3ucMgnBLDAjUaA8rOhttAecKsjKvZgreW9u3CkZHDnSko...
Certificate: MIIE8jCCAtqgAwIBAgIQAPtRUe35Ba2BQknB3nZQgzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNTMxMTQ0NTQ2WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJPeAGnilCmBFX0TG4tnG+7PkUdJz/5qVqxHFTk+bbj+0Qi2p64FqRA7KQ+AppswCc9IabcTjeof...
  (the visible DER prefix decodes to a self-signed X.509 certificate, issuer and subject CN=AsyncRAT Server, sha512WithRSAEncryption over a 4096-bit RSA key, notBefore 2022-05-31 14:45:46 UTC, notAfter 9999-12-31 23:59:59 UTC; the server certificate is a usable TLS indicator for this C2)
Mutex: Windows-DLL_0s0QnaPNG
Autorun: true
Version: 0.5.7B
Ports (1): 60671
C2 (1): ggho5t.duckdns.org

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipFileName: CrystalCrypter2/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2022:06:27 11:37:09
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
(the entry shown is the directory record CrystalCrypter2/, which is why it has no sizes and a zero CRC)
Total processes: 68 | Monitored processes: 19 | Malicious processes: 11 | Suspicious processes: 4

Behavior graph

Processes in the graph, in the order rendered in the full report ("no specs" marks a process with no triggered signatures): winrar.exe, searchprotocolhost.exe (no specs), crystalcrypter2.exe (no specs), crystalcrypter2.exe, cmd.exe (no specs), cmd.exe (no specs), powershell.exe (no specs), powershell.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), win64obf.exe, 12.exe, powershell.exe (no specs), cmd.exe, cmd.exe (no specs), schtasks.exe (no specs), timeout.exe (no specs), win32dll.exe (#ASYNCRAT)

Process information

PID 3172: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\CrystalCrypter2.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent: Explorer.EXE | User: admin | Integrity level: MEDIUM
  Company: Alexander Roshal | Description: WinRAR archiver | Version: 5.91.0

PID 3556: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\system32\SearchProtocolHost.exe
  Parent: SearchIndexer.exe | User: SYSTEM | Integrity level: SYSTEM
  Company: Microsoft Corporation | Description: Microsoft Windows Search Protocol Host | Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID 1612: "C:\Users\admin\Desktop\CrystalCrypter2\CrystalCrypter2.exe"
  Path: C:\Users\admin\Desktop\CrystalCrypter2\CrystalCrypter2.exe
  Parent: Explorer.EXE | User: admin | Integrity level: MEDIUM
  Company: CrystalCrypter | Description: CrystalCrypter | Version: 2,0,0,0
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this non-elevated launch did not run; the second launch, PID 3388, ran at HIGH integrity)

PID 3388: "C:\Users\admin\Desktop\CrystalCrypter2\CrystalCrypter2.exe"
  Path: C:\Users\admin\Desktop\CrystalCrypter2\CrystalCrypter2.exe
  Parent: Explorer.EXE | User: admin | Integrity level: HIGH
  Company: CrystalCrypter | Description: CrystalCrypter | Version: 2,0,0,0
  Exit code: 0

PID 3692: cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Unable to find VCCRuntime140.dll','Error','OK','Error')"
  Path: C:\Windows\system32\cmd.exe
  Parent: CrystalCrypter2.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3472: cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
  Path: C:\Windows\system32\cmd.exe
  Parent: CrystalCrypter2.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Exit code: 1

PID 1788: powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Unable to find VCCRuntime140.dll','Error','OK','Error')"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent: cmd.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Windows PowerShell | Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)

PID 4064: powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent: cmd.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Windows PowerShell | Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
  Exit code: 1

PID 992: cmd /c start "" "C:\Users\admin\AppData\Local\Temp\Defender Smart Screen.exe"
  Path: C:\Windows\system32\cmd.exe
  Parent: CrystalCrypter2.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Exit code: 1

PID 2348: cmd /c start "" "C:\Users\admin\AppData\Local\Temp\12.exe"
  Path: C:\Windows\system32\cmd.exe
  Parent: CrystalCrypter2.exe | User: admin | Integrity level: HIGH
  Company: Microsoft Corporation | Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Exit code: 0
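The command lines above carry the loader's defence-evasion logic. PIDs 3472 and 4064 try to add Defender exclusions for every user and system directory and for all .exe and .dll files; both exited with code 1 in this run, most likely because the Defender PowerShell module that provides Add-MpPreference does not exist on Windows 7, but the same command succeeds on Windows 10 when run elevated, which this process chain was (HIGH integrity). PID 3692 pops a fake "Unable to find VCCRuntime140.dll" error to explain away the "broken" installer, and PIDs 992 and 2348 launch dropped binaries from %TEMP%, one of them named "Defender Smart Screen.exe". The following detection over such process-creation records is an added example for this page, not ANY.RUN's or the malware's code; the sample records are the command lines from the table above, while the rule names, regexes and ATT&CK mapping are this example's own choices.

```python
"""Flag defence-evasion and loader behaviour in process command lines.

Added example for this report, not ANY.RUN or CrystalCrypter code. The sample
records are copied from the process table above; rule names, patterns and
the ATT&CK mapping are this example's own.
"""
import re

# (pid, parent process, command line), copied from the report's process table.
REPORT_PROCESSES = [
    (3472, "CrystalCrypter2.exe",
     'cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,'
     '$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & '
     'powershell -Command "Add-MpPreference -ExclusionExtension @(\'exe\',\'dll\') -Force" & exit'),
    (3692, "CrystalCrypter2.exe",
     'cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;'
     '[System.Windows.Forms.MessageBox]::Show(\'Unable to find VCCRuntime140.dll\','
     '\'Error\',\'OK\',\'Error\')"'),
    (992, "CrystalCrypter2.exe",
     r'cmd /c start "" "C:\Users\admin\AppData\Local\Temp\Defender Smart Screen.exe"'),
    (2348, "CrystalCrypter2.exe",
     r'cmd /c start "" "C:\Users\admin\AppData\Local\Temp\12.exe"'),
    (3172, "Explorer.EXE",
     r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\CrystalCrypter2.zip"'),
]

# (rule name, ATT&CK technique or None, pattern). Case-insensitive because
# PowerShell parameter names and Windows paths are.
RULES = [
    ("defender_exclusion_path", "T1562.001",
     re.compile(r"Add-MpPreference\b.*?-ExclusionPath\b", re.I)),
    ("defender_exclusion_extension", "T1562.001",
     re.compile(r"Add-MpPreference\b.*?-ExclusionExtension\b", re.I)),
    # Excluding the system drive or the Windows directory blinds Defender entirely.
    ("broad_exclusion_scope", "T1562.001",
     re.compile(r"\$env:(SystemDrive|HomeDrive|SystemRoot)\b", re.I)),
    # Executables launched out of the per-user temp directory.
    ("exec_from_temp", None,
     re.compile(r'\\AppData\\Local\\Temp\\[^"]+\.exe', re.I)),
    # A scripted error dialog is a decoy, not an ATT&CK technique of its own.
    ("fake_error_dialog", None,
     re.compile(r"MessageBox\]::Show\(", re.I)),
    # Dropped binary named after a security product.
    ("lookalike_security_name", "T1036.005",
     re.compile(r"Defender Smart Screen|SmartScreen|Windows Security", re.I)),
]


def scan(processes):
    """Return {pid: [rule names]} for every process that trips at least one rule."""
    findings = {}
    for pid, _parent, cmdline in processes:
        hits = [name for name, _tech, rx in RULES if rx.search(cmdline)]
        if hits:
            findings[pid] = hits
    return findings


def techniques(findings):
    """Distinct ATT&CK technique IDs behind a scan() result, for the summary line."""
    by_rule = {name: tech for name, tech, _rx in RULES}
    return sorted({by_rule[r] for hits in findings.values() for r in hits if by_rule[r]})


if __name__ == "__main__":
    result = scan(REPORT_PROCESSES)
    for pid, hits in result.items():
        print(pid, ", ".join(hits))
    print("ATT&CK:", ", ".join(techniques(result)))
```

Run against the five records, the scan flags 3472 (three exclusion rules), 3692 (decoy dialog), 992 (temp execution plus lookalike name) and 2348 (temp execution), and leaves the WinRAR launch alone. In production the same rules would sit on Sysmon event ID 1 or EDR process-creation telemetry; the Add-MpPreference rules are the high-confidence ones, since legitimate administration rarely excludes $env:SystemDrive or every .exe and .dll on the host.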
Total events: 10 867 | Read events: 10 765 | Write events: 0 | Delete events: 0

Modification events: no data

Executable files: 7 | Suspicious files: 7 | Text files: 11 | Unknown types: 9

Dropped files

PID 3388 (CrystalCrypter2.exe): C:\Users\admin\AppData\Local\Temp\12.exe [executable]
  MD5: 758207CE12F9ED1930876EC50E551657
  SHA256: 63F4D2F0AD5C565C06CCC5A11F8ED963025F5907BB45D777CA848CFFBD7BC054
PID 3172 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DRa3172.44475\CrystalCrypter2\CrystalCrypter2.exe [executable]
  MD5: 4DD849100E2E48A8A480571A2A2CF9D3
  SHA256: D50DAEFD779E07741CBE903112BFA47A233BE67A45DDB398CCB379862B7ADBB2
PID 3388 (CrystalCrypter2.exe): C:\Users\admin\AppData\Local\Temp\win64obf.exe [executable]
  MD5: BD77B32341914D04CD62C48370661256
  SHA256: B3BDDCC083EEF5B73C8001063826B21198BDEC69B6A3ACB2479CF6E311F62E64
PID 3388 (CrystalCrypter2.exe): C:\Users\admin\AppData\Local\Temp\Defender Smart Screen.exe [executable]
  MD5: E1486780EF6518B239D78B6F967F6002
  SHA256: 17115FDCD55FBE2CC1D8544941F47EC42E3344825BE3DE0953CA7602E0832B0C
PID 1844 (12.exe): C:\Users\admin\AppData\Roaming\NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779\791F8BFBFF000506E3C4BA3647NPFLPTyNFPPNRNLywHNR\Files\writtenkeep.jpg [image]
  MD5: C9E435DD053132F1B0886FDD30241C18
  SHA256: 90CA8B5F357E40422EEC2010AC1DCEE39B3FE71D1D1FD44610345E5DA8810B9F
PID 1844 (12.exe): C:\Users\admin\AppData\Roaming\NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779\791F8BFBFF000506E3C4BA3647NPFLPTyNFPPNRNLywHNR\Files\littleface.jpg [image]
  MD5: 9D8C12A8A88B57411A8942A876D659AF
  SHA256: 8CFA1E2ED75287785137653D93FC0D98F08C4CAABDFB52440229E5BB91A9783F
PID 1844 (12.exe): C:\Users\admin\AppData\Roaming\NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779\791F8BFBFF000506E3C4BA3647NPFLPTyNFPPNRNLywHNR\Processes.txt [text]
  MD5: 656246D1D66A71977DDC4143DAB056F4
  SHA256: 95876CAF0F5AD4F57454F12E39EE863FEB9EBAE6BA85A95F822209328C79E85E
PID 1844 (12.exe): C:\Users\admin\AppData\Roaming\NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779\791F8BFBFF000506E3C4BA3647NPFLPTyNFPPNRNLywHNR\Programms.txt [text]
  MD5: D38F0F6C2FA09557C0C72B76F9053B32
  SHA256: 6B3EC615803EC8389C37ED1778950ACE10C9C22A82E59BA057AC41FDDD050BD9
PID 4064 (powershell.exe): C:\Users\admin\AppData\Local\Temp\vscera5y.v5q.ps1 [binary]
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
  (both values are the hashes of the single character "1": the temp script file holds no script content)
PID 1844 (12.exe): C:\Users\admin\AppData\Roaming\NPFLPTyNFPPNRNLywHNR1F8BFBFF000506E3C4BA364779\791F8BFBFF000506E3C4BA3647NPFLPTyNFPPNRNLywHNR\Files\pmdev.jpg [image]
  MD5: E4FFA4F2C5D917A5A3830033AD677395
  SHA256: 0AC261F276B08A1E7F7E49C26251831FB560523E61414386B4B5CFB76FFE0293
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2 | TCP/UDP connections: 5 | DNS requests: 4 | Threats: 0

HTTP requests

PID   Process  Method  HTTP code  IP                URL                      CN       Type  Size   Reputation
1844  12.exe   GET     200        208.95.112.1:80   http://ip-api.com/xml    unknown  xml   441 b  shared
1844  12.exe   GET     200        208.95.112.1:80   http://ip-api.com/xml    unknown  xml   441 b  shared

Connections

PID   Process       IP:port                Domain               ASN                        CN  Reputation
1844  12.exe        3.220.57.224:443       api.ipify.org        -                          US  malicious
1844  12.exe        208.95.112.1:80        ip-api.com           IBURST                     -   malicious
2168  win32dll.exe  156.96.151.132:60671   ggho5t.duckdns.org   XNS Technology Group Inc.  US  malicious

DNS requests

Domain               IP                                                          Reputation
dns.msftncsi.com     131.107.255.255                                             shared
api.ipify.org        3.220.57.224, 52.20.78.240, 3.232.242.170, 54.91.59.199     shared
ip-api.com           208.95.112.1                                                shared
ggho5t.duckdns.org   156.96.151.132                                              malicious

Threats

PID   Process       Class                                  Message
1844  12.exe        Potential Corporate Privacy Violation  ET POLICY External IP Lookup ip-api.com
1844  12.exe        Potential Corporate Privacy Violation  AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
1844  12.exe        Potential Corporate Privacy Violation  ET POLICY External IP Lookup ip-api.com
1844  12.exe        Potential Corporate Privacy Violation  AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
-     -             Misc activity                          ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2168  win32dll.exe  Misc Attack                            ET DROP Spamhaus DROP Listed Traffic Inbound group 14
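The Connections, DNS and Threats tables separate three kinds of traffic: the external-IP lookups by 12.exe against ip-api.com and api.ipify.org (legitimate services, which is why the Suricata hits are ET POLICY rules, a policy signal rather than a C2 detection), the DuckDNS dynamic-DNS query, and the AsyncRAT session from win32dll.exe to ggho5t.duckdns.org on TCP 60671, the host and port found in the extracted configuration. The triage logic below, with the two Suricata rules a practitioner would write for the C2, is an added example for this page and not ANY.RUN or AsyncRAT code; the connection records are taken from the table above, the extra benign record is constructed, and the provider lists and the Suricata 5+ rule syntax are this example's assumptions.

```python
"""Triage of the network indicators in the report above.

Added example, not ANY.RUN or AsyncRAT code. Connection rows are copied from
the report; the benign row is constructed; the dynamic-DNS and IP-lookup
provider lists are assumptions to be replaced with your own intel.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    pid: int
    process: str
    ip: str
    port: int
    domain: str


# Rows from the report's Connections table.
REPORT_CONNECTIONS = [
    Connection(1844, "12.exe", "3.220.57.224", 443, "api.ipify.org"),
    Connection(1844, "12.exe", "208.95.112.1", 80, "ip-api.com"),
    Connection(2168, "win32dll.exe", "156.96.151.132", 60671, "ggho5t.duckdns.org"),
]
# Constructed record (not in the report) to exercise the negative case.
BENIGN_CONNECTION = Connection(1000, "svchost.exe", "131.107.255.255", 80, "dns.msftncsi.com")

# Host, port and resolved address from the AsyncRAT configuration of PID 2168.
ASYNCRAT_C2 = {"host": "ggho5t.duckdns.org", "port": 60671, "ip": "156.96.151.132"}

# Assumed lists of common providers; only duckdns.org, ip-api.com and
# api.ipify.org appear in the report itself.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
IP_LOOKUP_HOSTS = ("ip-api.com", "api.ipify.org", "ifconfig.me", "icanhazip.com")


def _has_suffix(domain: str, suffix: str) -> bool:
    """Match on label boundaries so that 'notduckdns.org' does not count."""
    return domain == suffix or domain.endswith("." + suffix)


def classify(conn: Connection) -> list[str]:
    """Return triage tags for one connection, most specific first."""
    domain = conn.domain.lower()
    tags = []
    if domain == ASYNCRAT_C2["host"] and conn.port == ASYNCRAT_C2["port"]:
        tags.append("asyncrat_c2")          # exact match on the extracted config
    if any(_has_suffix(domain, s) for s in DYNAMIC_DNS_SUFFIXES):
        tags.append("dynamic_dns")          # operator can re-point the name at will
    if domain in IP_LOOKUP_HOSTS:
        tags.append("external_ip_lookup")   # recon/geolocation, policy signal only
    return tags


def triage(conns) -> dict[int, list[str]]:
    """Map each PID to the distinct tags over its connections; untagged PIDs are omitted."""
    out: dict[int, list[str]] = {}
    for c in conns:
        for tag in classify(c):
            if tag not in out.setdefault(c.pid, []):
                out[c.pid].append(tag)
    return out


def suricata_rules(c2: dict, base_sid: int = 9000001) -> list[str]:
    """Suricata 5+ rules for the C2. The DNS rule is the durable one: the
    DuckDNS name survives while the IP behind it can change any time."""
    host, port, ip = c2["host"], c2["port"], c2["ip"]
    return [
        f'alert dns $HOME_NET any -> any any (msg:"AsyncRAT C2 DNS query {host}"; '
        f'dns.query; content:"{host}"; nocase; sid:{base_sid}; rev:1;)',
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"AsyncRAT C2 connection {host}"; '
        f'flow:to_server; sid:{base_sid + 1}; rev:1;)',
    ]


if __name__ == "__main__":
    for pid, tags in triage(REPORT_CONNECTIONS + [BENIGN_CONNECTION]).items():
        print(pid, ", ".join(tags))
    print("\n".join(suricata_rules(ASYNCRAT_C2)))
```

The IP-and-port rule will go stale as soon as the operator re-points ggho5t.duckdns.org, so the DNS rule and the server certificate from the configuration are the indicators to keep. The ET DROP alert on inbound traffic from 156.96.151.132 is independent corroboration: at analysis time the C2 address sat in a Spamhaus DROP-listed netblock.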