analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

New folder (31).rar

Full analysis: https://app.any.run/tasks/9d96eb85-d814-40de-b35b-8a1736994c1b
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 06:43:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

139C914A7B5FFB8665FD525DADB58416

SHA1:

9F41D678AA40D79680BEA0A6E2D0F588E29947A8

SHA256:

8663215AC142ECC3FDBAECDA635E8172DD858CC708AB2BC6794B1F7EBBFC203E

SSDEEP:

24576:dqxU2BG4HxjTMcEoith+v2eXxFRrkzI6hd0Hbfuw/a3fVUEp10558Kakz7y9:cDhRPMcEDh+v2iRiMHjuw/a3f+EpI5TW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • GABB 0.6.23 Rift Mod.exe (PID: 2768)
      • oofer.exe (PID: 1136)
      • GABB 0.6.23 Rift Mod.exe (PID: 3712)
      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 3808)
      • GABB 0.6.23 Rift Mod.exe (PID: 2888)
      • GABB 0.6.23 Rift Mod.exe (PID: 1540)
      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 2100)

    • Loads dropped or rewritten executable

      • GABB 0.6.23 Rift Mod.exe (PID: 3712)
      • SearchProtocolHost.exe (PID: 4020)

    • Changes the autorun value in the registry

      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 3808)

    • Actions looks like stealing of personal data

      • oofer.exe (PID: 1136)

    • Connects to CnC server

      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 3808)

    • Changes settings of System certificates

      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 2100)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • GABB 0.6.23 Rift Mod.exe (PID: 2768)
      • WinRAR.exe (PID: 2724)
      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 3808)
      • GABB 0.6.23 Rift Mod.exe (PID: 2888)

    • Changes tracing settings of the file or console

      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 3808)

    • Creates files in the program directory

      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 3808)

    • Checks for external IP

      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 3808)

    • Adds / modifies Windows certificates

      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 2100)

  • INFO

    • Manual execution by user

      • GABB 0.6.23 Rift Mod.exe (PID: 2888)
      • GABB 0.6.23 Rift Mod.exe (PID: 2768)
      • WinRAR.exe (PID: 2836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
10
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start winrar.exe winrar.exe no specs searchprotocolhost.exe no specs gabb 0.6.23 rift mod.exe gabb 0.6.23 rift mod.exe no specs windows driver foundation - user-mode driver framework host process.exe oofer.exe gabb 0.6.23 rift mod.exe gabb 0.6.23 rift mod.exe no specs windows driver foundation - user-mode driver framework host process.exe

Process information

PID
CMD
Path
Indicators
Parent process
2724"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\New folder (31).rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2836"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\New folder (31).rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
4020"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2768"C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe" C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
GABB 0.6.23 Rift Mod
Exit code:
0
Version:
0.6.23.0
3712"C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe" C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exeGABB 0.6.23 Rift Mod.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3808"C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe" C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe
GABB 0.6.23 Rift Mod.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3762504530
Version:
1.0.0.0
1136"C:\Users\admin\AppData\Local\oofer.exe" /stext creds.txtC:\Users\admin\AppData\Local\oofer.exe
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
User:
admin
Company:
NirSoft
Integrity Level:
MEDIUM
Description:
Web Browser Password Viewer
Exit code:
0
Version:
2.00
2888"C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe" C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
GABB 0.6.23 Rift Mod
Exit code:
0
Version:
0.6.23.0
1540"C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe" C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exeGABB 0.6.23 Rift Mod.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2100"C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe" C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe
GABB 0.6.23 Rift Mod.exe
User:
admin
Integrity Level:
HIGH
Version:
1.0.0.0
Total events
2 282
Read events
2 194
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1136oofer.exeC:\Users\admin\AppData\Local\Temp\bhvC306.tmp
MD5:
SHA256:
1136oofer.exeC:\Users\admin\AppData\Local\creds.txt
MD5:
SHA256:
2724WinRAR.exeC:\Users\admin\Desktop\New folder (31)\GABB.initext
MD5:BA94DAF75A782D40C07AFD060DCB0F0A
SHA256:F6B9C244A4D48F35338DAC62B583D1FF577A3FB47C3A79C8566718F086A075AF
2768GABB 0.6.23 Rift Mod.exeC:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exeexecutable
MD5:A8AC417D26CA845B2A5091369F2F0741
SHA256:4696AD7EDA7D502E3C6AB4A54DA7BBC3FEC1CFCDFDDEED46EE573B0A95EE214C
2768GABB 0.6.23 Rift Mod.exeC:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exeexecutable
MD5:46AB7A03567F974185B6EC0B83D96C06
SHA256:1F683346925D14D0BDEA1E9D3A48EECF482F39D4C5FCCBEBE1B19A8A2CE4DE51
2724WinRAR.exeC:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exeexecutable
MD5:5E2C4F9A8BD5964022D6A7F5DDA5F6E5
SHA256:ED240655162D5C1D449FF0ED19B1117D2AD18168030528B03410F536AD98881D
2888GABB 0.6.23 Rift Mod.exeC:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exeexecutable
MD5:A8AC417D26CA845B2A5091369F2F0741
SHA256:4696AD7EDA7D502E3C6AB4A54DA7BBC3FEC1CFCDFDDEED46EE573B0A95EE214C
2888GABB 0.6.23 Rift Mod.exeC:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exeexecutable
MD5:46AB7A03567F974185B6EC0B83D96C06
SHA256:1F683346925D14D0BDEA1E9D3A48EECF482F39D4C5FCCBEBE1B19A8A2CE4DE51
2724WinRAR.exeC:\Users\admin\Desktop\New folder (31)\GDLL.dllexecutable
MD5:8A12CB004CDBAAA80114F3C183848EFD
SHA256:92C1C18666563DF90CCA6C49CDA917B569061AE23ECD1556148E231CD6420517
3712GABB 0.6.23 Rift Mod.exeC:\Users\admin\Desktop\New folder (31)\GABB.initext
MD5:B1B8FE3658ACFA008FC6B19C2CA7BCCB
SHA256:623E4356C58DFA235FB83EEBD1187D6C110000A66DE7CA9B30CD323C16D9BF11
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3808
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
GET
200
136.144.56.255:80
http://icanhazip.com/
NL
text
15 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2100
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
172.67.214.70:443
nusumu.wtf
US
malicious
2100
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
216.58.205.238:443
play.google.com
Google Inc.
US
whitelisted
3808
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
104.18.36.74:443
nusumu.ga
Cloudflare Inc
US
suspicious
2100
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
104.18.36.74:443
nusumu.ga
Cloudflare Inc
US
suspicious
3808
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
172.67.214.70:443
nusumu.wtf
US
malicious
3808
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
136.144.56.255:80
icanhazip.com
LeaseWeb Netherlands B.V.
NL
malicious
2100
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
104.27.143.46:443
nusumu.wtf
Cloudflare Inc
US
malicious
3808
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
216.58.205.238:443
play.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
nusumu.ga
  • 104.18.36.74
  • 104.18.37.74
  • 172.67.206.220
suspicious
play.google.com
  • 216.58.205.238
whitelisted
nusumu.wtf
  • 172.67.214.70
  • 104.27.143.46
  • 104.27.142.46
unknown
icanhazip.com
  • 136.144.56.255
  • 147.75.47.199
shared

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ga Domain
3808
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.ga) in TLS SNI
3808
Windows Driver Foundation - User-mode Driver Framework Host Process.exe
Attempted Information Leak
ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
New folder (31).rar