File name: Anubis Crypter FUD.zip

Full analysis: https://app.any.run/tasks/63ec1165-0718-455b-b0bf-3729a52962ec
Verdict: Malicious activity
Analysis date: March 06, 2024, 01:40:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: A13C23D5EBA2838E675A10765874FD8E
SHA1: 39C86102300420DC6594D8D6B28C9C10005763B2
SHA256: 8222DB6AD6FEA8631D3771C6756F371F79B6B6E5B7F8D99F2C7F26AB82C703BF
SSDEEP: 98304:RwX72o/79+qgKxNx6NMFWW/cWReAy11zukxCTH70pq1h0ptDvU9GZI23CnFq8I1U:CCjRhZrfa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 2472)
      • svchost.exe (PID: 1876)
    • Create files in the Startup directory
      • svchost.exe (PID: 1876)
  • SUSPICIOUS
    • The process creates files with name similar to system file names
      • WinRAR.exe (PID: 2472)
      • svchost.exe (PID: 1876)
    • Executable content was dropped or overwritten
      • svchost.exe (PID: 1876)
  • INFO
    • Manual execution by a user
      • DataAnubis.exe (PID: 3736)
      • svchost.exe (PID: 1876)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2472)
    • Checks supported languages
      • DataAnubis.exe (PID: 3736)
      • svchost.exe (PID: 1876)
    • Reads the computer name
      • DataAnubis.exe (PID: 3736)
      • svchost.exe (PID: 1876)
    • Reads the machine GUID from the registry
      • DataAnubis.exe (PID: 3736)
      • svchost.exe (PID: 1876)
    • Creates files or folders in the user directory
      • svchost.exe (PID: 1876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.kmz | Google Earth saved working session (60)
.zip | ZIP compressed archive (40)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2022:12:26 07:24:14
ZipCRC: 0xff829623
ZipCompressedSize: 3008560
ZipUncompressedSize: 6405120
ZipFileName: DataAnubis.exe
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Processes in graph: winrar.exe, dataanubis.exe (no specs), svchost.exe

Process information

PID: 1876
CMD: "C:\Users\admin\Desktop\svchost.exe"
Path: C:\Users\admin\Desktop\svchost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 0
Version: 1.0.0.0
Modules (Images):
  c:\users\admin\desktop\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2472
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Anubis Crypter FUD.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 3736
CMD: "C:\Users\admin\Desktop\DataAnubis.exe"
Path: C:\Users\admin\Desktop\DataAnubis.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Encrypt
Exit code: 0
Version: 1.0.0.0
Modules (Images):
  c:\users\admin\desktop\dataanubis.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 3 973
Read events: 3 943
Write events: 16
Delete events: 14

Modification events

(PID) Process: (2472) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2472) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2472) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2472) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2472) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2472) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (2472) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Anubis Crypter FUD.zip

(PID) Process: (2472) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2472) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2472) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 15
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 2472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Anubis Crypter FUD\MetroFramework.Fonts.dll
MD5: 65EF4B23060128743CEF937A43B82AA3
SHA256: C843869AACA5135C2D47296985F35C71CA8AF4431288D04D481C4E46CC93EE26

PID: 2472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Anubis Crypter FUD\DataAnubis.exe
MD5: 696493DC19825DC66D7167567CD5DDEC
SHA256: 2ED6653B023B53AA4E3EED7303A765CB18D7C4C20FD99A76F674CC1463A8066D

PID: 2472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Anubis Crypter FUD\svchost.exe
MD5: F83C1904404D2B40622D28A5C05420F9
SHA256: 58FA8679EB278C0FBE4B9348E61CD274234037AF160878289A988260EAF6246E

PID: 2472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Anubis Crypter FUD\MetroFramework.dll
MD5: 34EA7F7D66563F724318E322FF08F4DB
SHA256: C2C12D31B4844E29DE31594FC9632A372A553631DE0A0A04C8AF91668E37CF49

PID: 2472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Anubis Crypter FUD\MetroFramework.Design.dll
MD5: AB4C3529694FC8D2427434825F71B2B8
SHA256: 0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65

PID: 2472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Anubis Crypter FUD\Stub.exe
MD5: 2B9ECB8EDE4DC4F5BB709DA1ED006736
SHA256: 5F514A6E41B8D7C773212C38760DF6C99A32FF09ECE46B345B90657650C73625

PID: 2472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\MetroFramework.Design.dll
MD5: AB4C3529694FC8D2427434825F71B2B8
SHA256: 0A4A96082E25767E4697033649B16C76A652E120757A2CECAB8092AD0D716B65

PID: 2472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\DataAnubis.exe
MD5: 696493DC19825DC66D7167567CD5DDEC
SHA256: 2ED6653B023B53AA4E3EED7303A765CB18D7C4C20FD99A76F674CC1463A8066D

PID: 2472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\MetroFramework.Fonts.dll
MD5: 65EF4B23060128743CEF937A43B82AA3
SHA256: C843869AACA5135C2D47296985F35C71CA8AF4431288D04D481C4E46CC93EE26

PID: 2472 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\MetroFramework.dll
MD5: 34EA7F7D66563F724318E322FF08F4DB
SHA256: C2C12D31B4844E29DE31594FC9632A372A553631DE0A0A04C8AF91668E37CF49
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                     Domain   ASN   CN   Reputation
4     System       192.168.100.255:138    -        -     -    unknown
4     System       192.168.100.255:137    -        -     -    unknown
1080  svchost.exe  224.0.0.252:5355       -        -     -    unknown

DNS requests

No data

Threats

No threats detected
No debug info