File name: | New folder (31).rar |
Full analysis: | https://app.any.run/tasks/27ffd3af-c348-4021-804b-bf087fa91387 |
Verdict: | Malicious activity |
Threats: | Stealers are a family of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each focus on a particular kind of data, including files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
Analysis date: | October 20, 2020, 06:25:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 139C914A7B5FFB8665FD525DADB58416 |
SHA1: | 9F41D678AA40D79680BEA0A6E2D0F588E29947A8 |
SHA256: | 8663215AC142ECC3FDBAECDA635E8172DD858CC708AB2BC6794B1F7EBBFC203E |
SSDEEP: | 24576:dqxU2BG4HxjTMcEoith+v2eXxFRrkzI6hd0Hbfuw/a3fVUEp10558Kakz7y9:cDhRPMcEDh+v2iRiMHjuw/a3f+EpI5TW |
Extension | Detected type (score)
---|---
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2480 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\New folder (31).rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 | | | |
3484 | "C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe" | C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe | — | explorer.exe
User: admin; Integrity Level: MEDIUM; Description: GABB 0.6.23 Rift Mod; Exit code: 0; Version: 0.6.23.0 | | | |
2136 | "C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe" | C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe | — | GABB 0.6.23 Rift Mod.exe
User: admin; Integrity Level: MEDIUM | | | |
1832 | "C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe" | C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe | — | GABB 0.6.23 Rift Mod.exe
User: admin; Integrity Level: MEDIUM; Version: 1.0.0.0 | | | |
3388 | "C:\Users\admin\AppData\Local\oofer.exe" /stext creds.txt | C:\Users\admin\AppData\Local\oofer.exe | — | Windows Driver Foundation - User-mode Driver Framework Host Process.exe
User: admin; Company: NirSoft; Integrity Level: MEDIUM; Description: Web Browser Password Viewer; Exit code: 0; Version: 2.00 | | | |
PID | Process | Filename | Type
---|---|---|---
2480 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2480.48884\New folder (31)\GABB 0.6.23 Rift Mod.exe | —
MD5: — | SHA256: — | |
2480 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2480.48884\New folder (31)\GABB.ini | —
MD5: — | SHA256: — | |
2480 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2480.48884\New folder (31)\GDLL.dll | —
MD5: — | SHA256: — | |
3388 | oofer.exe | C:\Users\admin\AppData\Local\Temp\bhv8542.tmp | —
MD5: — | SHA256: — | |
3484 | GABB 0.6.23 Rift Mod.exe | C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe | executable
MD5: 46AB7A03567F974185B6EC0B83D96C06 | SHA256: 1F683346925D14D0BDEA1E9D3A48EECF482F39D4C5FCCBEBE1B19A8A2CE4DE51 | |
3484 | GABB 0.6.23 Rift Mod.exe | C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe | executable
MD5: A8AC417D26CA845B2A5091369F2F0741 | SHA256: 4696AD7EDA7D502E3C6AB4A54DA7BBC3FEC1CFCDFDDEED46EE573B0A95EE214C | |
1832 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | C:\Users\admin\AppData\Local\oofer.exe | executable
MD5: 62A4AFEA4D7DC230E838F2345B212C36 | SHA256: 60E4C3FD7AC43183CC501B1608276630C1306699B6EC93C230FA885C82DE491F | |
3388 | oofer.exe | C:\Users\admin\AppData\Local\creds.txt | text
MD5: 3E1E093DCCE32C716267A28292E0EE27 | SHA256: 56285445424AD06DC043154819B5BDABAA7C26F5779CA3E37E08424ED9926CB8 | |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1832 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | GET | 200 | 147.75.47.199:80 | http://icanhazip.com/ | US | text | 14 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1832 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 216.58.206.14:443 | play.google.com | Google Inc. | US | whitelisted |
1832 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 104.18.37.74:443 | nusumu.ga | Cloudflare Inc | US | suspicious |
1832 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 104.27.143.46:443 | nusumu.wtf | Cloudflare Inc | US | malicious |
1832 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 147.75.47.199:80 | icanhazip.com | Packet Host, Inc. | US | malicious |
Domain | IP | Reputation
---|---|---
nusumu.ga | | suspicious
play.google.com | | whitelisted
nusumu.wtf | | unknown
icanhazip.com | | shared
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ga Domain |
1832 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.ga) in TLS SNI |
1832 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
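The process tree and DNS tables above describe a short chain: the archive's game "mod" drops an executable into Documents whose file name is the description string of the legitimate WUDFHost.exe ("Windows Driver Foundation - User-mode Driver Framework Host Process"), that dropper writes NirSoft's Web Browser Password Viewer to AppData as oofer.exe and runs it with the /stext switch to dump saved browser passwords to creds.txt, and the dropper itself looks up the victim's public IP via icanhazip.com and contacts nusumu.ga / nusumu.wtf. The Python below is an added hunting example, not ANY.RUN's code, that turns those three behaviours into checks over process-creation and DNS telemetry and correlates them by PID and parent image. The event records are constructed to mirror the report (Sysmon-style field names, the extra lookalike names, IP-check domains and NirSoft switches beyond the ones on the page, and the benign WUDFHost control record are assumptions).

```python
import ntpath
import re

# Description string of the real WUDFHost.exe, reused by the sample as a file
# name under %USERPROFILE%\Documents; any of these names outside %SystemRoot%
# is suspect (names beyond the report's own sample are an assumption).
SYSTEM_LOOKALIKE_NAMES = {
    "windows driver foundation - user-mode driver framework host process.exe",
    "wudfhost.exe", "svchost.exe", "csrss.exe", "dllhost.exe", "lsass.exe",
}
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
# NirSoft recovery tools write their output with /stext, /scomma, /shtml ...;
# the report shows "/stext creds.txt" (the other switches are an assumption).
NIRSOFT_DUMP_SWITCH = re.compile(r"(^|\s)/s(text|comma|html|xml|csv|tab)\b", re.I)
# Public "what is my IP" services stealers contact to tag the victim
# (icanhazip.com is from the report; the rest are assumed additions).
IP_CHECK_DOMAINS = {"icanhazip.com", "api.ipify.org", "ifconfig.me", "ip-api.com"}
# Abuse-prone free TLDs; .ga is what the two ET signatures above keyed on.
FREE_TLDS = {"ga", "tk", "ml", "cf", "gq"}


def score_process(ev):
    """Return the reasons a process-creation record matches the chain above."""
    image = ev["Image"]
    name = ntpath.basename(image).lower()
    hits = []
    if name in SYSTEM_LOOKALIKE_NAMES and not SYSTEM_DIRS.match(image):
        hits.append("system-component name outside %SystemRoot%")
    if NIRSOFT_DUMP_SWITCH.search(ev.get("CommandLine", "")) and USER_WRITABLE.match(image):
        hits.append("NirSoft-style /s<format> dump switch from a user-writable path")
    return hits


def score_dns(ev):
    """Return the reasons a DNS query record is worth a look."""
    q = ev["QueryName"].lower().rstrip(".")
    tld = q.rsplit(".", 1)[-1]
    hits = []
    if q in IP_CHECK_DOMAINS:
        hits.append("external IP check domain")
    if tld in FREE_TLDS:
        hits.append("free-TLD domain ." + tld)
    return hits


def hunt(process_events, dns_events):
    """Correlate per PID and by parent image; returns {pid: [reasons]} for hits only."""
    findings = {}
    for ev in process_events:
        for reason in score_process(ev):
            findings.setdefault(ev["ProcessId"], []).append(reason)
    for ev in dns_events:
        for reason in score_dns(ev):
            findings.setdefault(ev["ProcessId"], []).append(f"DNS {ev['QueryName']}: {reason}")
    # Second pass: anything spawned by an already-flagged image inherits the
    # suspicion, which is how oofer.exe ties back to the masquerading dropper.
    flagged_images = {ev["Image"].lower() for ev in process_events if ev["ProcessId"] in findings}
    for ev in process_events:
        if ev.get("ParentImage", "").lower() in flagged_images:
            findings.setdefault(ev["ProcessId"], []).append("spawned by a flagged process")
    return findings


# Constructed records mirroring the report's process and DNS tables (Sysmon-style
# field names are an assumption); PID 620 is a benign control that must not fire.
GABB = r"C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe"
WDF_FAKE = r"C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe"
PROCESS_EVENTS = [
    {"ProcessId": 2480, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\New folder (31).rar"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 3484, "Image": GABB, "CommandLine": f'"{GABB}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 1832, "Image": WDF_FAKE, "CommandLine": f'"{WDF_FAKE}"', "ParentImage": GABB},
    {"ProcessId": 3388, "Image": r"C:\Users\admin\AppData\Local\oofer.exe",
     "CommandLine": r'"C:\Users\admin\AppData\Local\oofer.exe" /stext creds.txt', "ParentImage": WDF_FAKE},
    {"ProcessId": 620, "Image": r"C:\Windows\System32\WUDFHost.exe",
     "CommandLine": r'"C:\Windows\System32\WUDFHost.exe"', "ParentImage": r"C:\Windows\System32\services.exe"},
]
DNS_EVENTS = [
    {"ProcessId": 1832, "QueryName": "icanhazip.com"},
    {"ProcessId": 1832, "QueryName": "nusumu.ga"},
    {"ProcessId": 1832, "QueryName": "play.google.com"},
]

if __name__ == "__main__":
    for pid, reasons in sorted(hunt(PROCESS_EVENTS, DNS_EVENTS).items()):
        print(pid, "->", "; ".join(reasons))
```

Run against the constructed records, only PIDs 1832 and 3388 come back: the dropper for its lookalike name plus the icanhazip.com and .ga lookups, and oofer.exe for the /stext dump switch plus its flagged parent. The genuine WUDFHost.exe in System32 and the WinRAR and GABB processes produce nothing, which is the point of guarding the lookalike check with the %SystemRoot% test rather than matching on file name alone.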