File name: Attachment.eml.rar

Full analysis: https://app.any.run/tasks/cf270164-a155-440c-b203-968af1491a54
Verdict: Malicious activity
Analysis date: March 30, 2020, 14:55:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: AB2F520654FBE5475F58F4E7574E9103
SHA1: 62B113BA54BD250F3888E5D8192B762B4627C6E0
SHA256: 85275D94B227A1EBA5070716CE800FDAA50850DEE2AA47207DFD1F225D455CE4
SSDEEP: 6144:C9E6y5Y36k65OHqfaTyGWwX8GPvuqqpks48JicaFwVVjlNbZAXl:C9+Y3v65OKfaRRZ924HHqVlM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Unusual execution from Microsoft Office
      • OUTLOOK.EXE (PID: 2868)
  • SUSPICIOUS
    • Starts Microsoft Office Application
      • WinRAR.exe (PID: 2952)
    • Creates files in the user directory
      • OUTLOOK.EXE (PID: 2868)
  • INFO
    • Reads Internet Cache Settings
      • OUTLOOK.EXE (PID: 2868)
    • Reads Microsoft Office registry keys
      • OUTLOOK.EXE (PID: 2868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0


Process information

PID: 2952
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Attachment.eml.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2868
CMD: "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Rar$DIb2952.49882\Attachment.eml.msg"
Path: C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process: WinRAR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Version: 14.0.6025.1000

PID: 3928
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9GGNTI05\pdf.iso"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0
Total events: 2 320
Read events: 1 749
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 2
Text files: 29
Unknown types: 2

Dropped files

PID: 2868
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVR22ED.tmp.cvr
Type:
MD5:
SHA256:

PID: 2868
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9GGNTI05\pdf (2).iso\:Zone.Identifier:$DATA
Type:
MD5:
SHA256:

PID: 2868
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
Type: text
MD5: 6A94F93742006FF3162B1EF2B181B569
SHA256: 37002E62BE4B5C057AA00D1BDDC914003C4CEBB9DCD403241E0BAC3415D3D422

PID: 2952
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb2952.49882\Attachment.eml.msg
Type: msg
MD5: E3D30567608AE6F30FF125178B01B085
SHA256: 098A4A25A0FF56E3CFCD5CEA167428B432725DD873E27BB252D148C221FD84C1

PID: 2868
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9GGNTI05\pdf.iso
Type: compressed
MD5: EAF9064591FBC41EA4F761C0FB0BD5C1
SHA256: 5A36AC00BD4DA98CDA282CE51A3ECC070A5E37C03154F415016B64735BE11A8B

PID: 2868
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: pgc
MD5: 54E554DA1A6988AA3B450942690BB78B
SHA256: 19E928C462605315D7F35F59B98B5A1627A44D937A9A804C32CCBA97A035BB09

PID: 2868
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E5BA2E52.dat
Type: image
MD5: 4C3C78777AAEA7D0478023ED23DACE43
SHA256: 6C186159E829A0BB0B91F990DB1662E9787DF79B3E60A5B21E81CA62B74B425B

PID: 2868
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5EEB062B.dat
Type: image
MD5: 8CB436747EFBE45A26ECD353A360BE0F
SHA256: 2F48DD8AFB5D0BD6C6DC74C4CC32166CD8F7383CDC2B362946F108C15CCAC656

PID: 2868
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9GGNTI05\pdf (2).iso
Type: compressed
MD5: EAF9064591FBC41EA4F761C0FB0BD5C1
SHA256: 5A36AC00BD4DA98CDA282CE51A3ECC070A5E37C03154F415016B64735BE11A8B

PID: 2868
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\{FCF0DBDC-FAD5-4788-9BC6-FFCF59496E53}\{1C306CB1-771E-4B4B-A902-86E897877F5B}.png
Type: image
MD5: 4C61C12EDBC453D7AE184976E95258E1
SHA256: 296526F9A716C1AA91BA5D6F69F0EB92FDF79C2CB2CFCF0CEB22B7CCBC27035F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 2
Threats: 0

HTTP requests

PID: 2868
Process: OUTLOOK.EXE
Method: GET
HTTP Code:
IP: 64.4.26.155:80
URL: http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
CN: US
Type:
Size:
Reputation: whitelisted

Connections

PID: 2868
Process: OUTLOOK.EXE
IP: 64.4.26.155:80
Domain: config.messenger.msn.com
ASN: Microsoft Corporation
CN: US
Reputation: whitelisted

DNS requests

Domain: config.messenger.msn.com
IP: 64.4.26.155
Reputation: whitelisted

Threats

No threats detected
No debug info