File name: Tower.rar
Full analysis: https://app.any.run/tasks/ba5f1fb1-6fff-4a40-b9df-2c8ed5945ca9
Verdict: Malicious activity
Analysis date: November 16, 2019, 21:38:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: E5D722BA8D843228BDE659795F7BAFB7
SHA1: 354A5D94E5A0199DCDC1F6649AE12B49CE6DABC5
SHA256: 85A405C82BAAD65258E506FC5F99D32B50D74B1B2083BE7B5D186377F6D647CF
SSDEEP: 49152:R9KHfNyEokwjhwWW4v0XqjVvBGwThP04zRqgwrZ:a8EokqMvXqj9BGkp04oZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by the analyst's actions inside the guest and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Tower.exe (PID: 3852)
  • SUSPICIOUS
    • Creates files in the user directory
      • Tower.exe (PID: 3852)
    • Reads Internet Explorer settings
      • Tower.exe (PID: 3852)
    • Reads Internet Cache Settings
      • Tower.exe (PID: 3852)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2300)
  • INFO
    • Manual execution by user
      • Tower.exe (PID: 3852)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Screenshots: available in the full report.
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, winrar.exe, tower.exe

Process information

PID: 2300
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Tower.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3852
CMD: "C:\Users\admin\Desktop\Tower.exe"
Path: C:\Users\admin\Desktop\Tower.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Tower
Exit code: 3221225547 (0xC000014B)
Version: 0.0.6.0
Total events: 605
Read events: 549
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 6
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\check[1].htm |
  MD5:
  SHA256:
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019111620191117\index.dat | dat
  MD5: EA76C795A12D8E78EE7CA5907A84ECF5
  SHA256: A7B00B42AF9C89FB20EF08E467820F40F04AADAA782EB61B9F90CBFB22739D44
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\check[1].php | text
  MD5: 7DD4C3CFC87249A8827A9A25A161F55B
  SHA256: 892C17310AF17DDDC73D8F321FD67C243F823C3073246DB98EF6CF48CEFF2132
3852 | Tower.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text
  MD5: 05AD5CC3FF704373150BAEC524B2DCC0
  SHA256: FD17FB94E7FB00232BF432ECC6275BEBC18580561C77B219375F7068CF2D45B2
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\check[1].php | text
  MD5: 7DD4C3CFC87249A8827A9A25A161F55B
  SHA256: 892C17310AF17DDDC73D8F321FD67C243F823C3073246DB98EF6CF48CEFF2132
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\check[2].php | text
  MD5: B35F1928252CCF7A3F6A1C956F343A71
  SHA256: 6A5BC097101485A28D22BB8E6903E7E7EB49D08CD9D1B0640A54D97F79772DA5
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\check[1].php | text
  MD5: 7DD4C3CFC87249A8827A9A25A161F55B
  SHA256: 892C17310AF17DDDC73D8F321FD67C243F823C3073246DB98EF6CF48CEFF2132
2300 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2300.32595\Tower.exe | executable
  MD5: DE8E04E49070A04B8363ED9F31EB13CD
  SHA256: B21C9F73095B243C652DB9F76A4A6A5C90914D7524A9DA8859981ADD05FBB28C
3852 | Tower.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\aes[1].js | text
  MD5: 78A66859739B0C9E18BC5B4538C03BF9
  SHA256: D2701C86A2A31A641520E72121749DBBABEED4B1A59AECE20BBF14F9C9DE82BC
HTTP(S) requests: 7
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f&i=1 | GB | text | 31 b | malicious
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=Azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f | GB | text | 31 b | malicious
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=sadcloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f | GB | compressed | 31 b | malicious
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f | GB | html | 626 b | malicious
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/aes.js | GB | text | 30.4 Kb | malicious
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=skotaiz%20&%20password=zob&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f | GB | text | 31 b | malicious
3852 | Tower.exe | GET | 200 | 185.27.134.129:80 | http://towerclub.epizy.com/check.php?username=sad%20cloud%20&%20password=azerty44&hwid=90059c37-1320-41a4-b58d-2b75a9850d2f | GB | text | 31 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3852 | Tower.exe | 185.27.134.129:80 | towerclub.epizy.com | Wildcard UK Limited | GB | malicious

DNS requests

Domain | IP | Reputation
towerclub.epizy.com | 185.27.134.129 | malicious

Threats

PID | Process | Class | Message
3852 | Tower.exe | Misc activity | SUSPICIOUS [PTsecurity] Encryptor aes.js script (seen PedCont ransomware)
No debug info