File name: | New folder (31).rar |
Full analysis: | https://app.any.run/tasks/f010f051-cb46-42b4-a4ed-b47c84249226 |
Verdict: | Malicious activity |
Threats: | Trojans are malicious programs that masquerade as benign software. Depending on the family, their capabilities range from full remote control of the victim's machine to stealing data and files and dropping other malware, so the main functionality of one trojan family can differ greatly from another. The most common trojan infection chain starts with a phishing email. |
Analysis date: | October 20, 2020, 06:33:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 139C914A7B5FFB8665FD525DADB58416 |
SHA1: | 9F41D678AA40D79680BEA0A6E2D0F588E29947A8 |
SHA256: | 8663215AC142ECC3FDBAECDA635E8172DD858CC708AB2BC6794B1F7EBBFC203E |
SSDEEP: | 24576:dqxU2BG4HxjTMcEoith+v2eXxFRrkzI6hd0Hbfuw/a3fVUEp10558Kakz7y9:cDhRPMcEDh+v2iRiMHjuw/a3f+EpI5TW |
Extension | File type | Match score (%)
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2496 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\New folder (31).rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | | | |
1792 | "C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe" | C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe | — | explorer.exe
User: admin Integrity Level: MEDIUM Description: GABB 0.6.23 Rift Mod Exit code: 0 Version: 0.6.23.0 | | | |
1940 | "C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe" | C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe | — | GABB 0.6.23 Rift Mod.exe
User: admin Integrity Level: MEDIUM | | | |
2200 | "C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe" | C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe | — | GABB 0.6.23 Rift Mod.exe
User: admin Integrity Level: MEDIUM Exit code: 3762504530 (0xE0434352, the .NET CLR unhandled-exception code: the process crashed with an unhandled managed exception) Version: 1.0.0.0 | | | |
3568 | "C:\Users\admin\AppData\Local\oofer.exe" /stext creds.txt | C:\Users\admin\AppData\Local\oofer.exe | — | Windows Driver Foundation - User-mode Driver Framework Host Process.exe
User: admin Company: NirSoft Integrity Level: MEDIUM Description: Web Browser Password Viewer Exit code: 0 Version: 2.00 | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2496.49760\New folder (31)\GABB 0.6.23 Rift Mod.exe | — | — | —
2496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2496.49760\New folder (31)\GABB.ini | — | — | —
2496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2496.49760\New folder (31)\GDLL.dll | — | — | —
3568 | oofer.exe | C:\Users\admin\AppData\Local\Temp\bhv12BD.tmp | — | — | —
3568 | oofer.exe | C:\Users\admin\AppData\Local\creds.txt | — | — | —
1792 | GABB 0.6.23 Rift Mod.exe | C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe | executable | 46AB7A03567F974185B6EC0B83D96C06 | 1F683346925D14D0BDEA1E9D3A48EECF482F39D4C5FCCBEBE1B19A8A2CE4DE51
1792 | GABB 0.6.23 Rift Mod.exe | C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe | executable | A8AC417D26CA845B2A5091369F2F0741 | 4696AD7EDA7D502E3C6AB4A54DA7BBC3FEC1CFCDFDDEED46EE573B0A95EE214C
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | C:\Users\admin\AppData\Local\oofer.exe | executable | 62A4AFEA4D7DC230E838F2345B212C36 | 60E4C3FD7AC43183CC501B1608276630C1306699B6EC93C230FA885C82DE491F
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 172.217.18.14:443 | play.google.com | Google Inc. | US | whitelisted |
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 136.144.56.255:80 | icanhazip.com | LeaseWeb Netherlands B.V. | NL | malicious |
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 104.18.36.74:443 | nusumu.ga | Cloudflare Inc | US | suspicious |
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 172.67.214.70:443 | nusumu.wtf | — | US | malicious |
Domain | IP | Reputation
---|---|---
nusumu.ga | | suspicious
play.google.com | | whitelisted
nusumu.wtf | | unknown
icanhazip.com | | shared
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ga Domain |
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.ga) in TLS SNI |
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host) |
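The process table and the connection table together show the behaviours a detection engineer would want to encode from this run: the archive's payload relaunches a copy of itself from Temp, drops a .NET binary in Documents whose file name is the file description of the real WUDFHost.exe ("Windows Driver Foundation - User-mode Driver Framework Host Process"), that binary runs NirSoft's Web Browser Password Viewer with its `/stext` save-to-file switch to write `creds.txt`, and it checks its public IP via icanhazip.com before contacting .ga/.wtf domains. The Python below is an added example, not code from the ANY.RUN report or from any vendor. The event records are constructed from this report's tables; the record layout, the rule names, the word lists and the set of NirSoft switches are the example's own assumptions, not an ANY.RUN export format.

```python
"""Triage of process and network events from a sandbox run.

Added example (not part of the ANY.RUN report). The event records are
constructed from the report's process and connection tables; the tuple
layout, rule names and word lists below are assumptions of this example.
"""
import ntpath
import re

# Constructed from the report's process tree: (pid, parent image name, command line).
PROCESS_EVENTS = [
    (2496, "explorer.exe",
     r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\New folder (31).rar"'),
    (1792, "explorer.exe",
     r'"C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe"'),
    (1940, "GABB 0.6.23 Rift Mod.exe",
     r'"C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe"'),
    (2200, "GABB 0.6.23 Rift Mod.exe",
     r'"C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe"'),
    (3568, "Windows Driver Foundation - User-mode Driver Framework Host Process.exe",
     r'"C:\Users\admin\AppData\Local\oofer.exe" /stext creds.txt'),
]

# Constructed from the report's connection table: (pid, domain, destination port).
NETWORK_EVENTS = [
    (2200, "play.google.com", 443),
    (2200, "icanhazip.com", 80),
    (2200, "nusumu.ga", 443),
    (2200, "nusumu.wtf", 443),
]

# Assumed word lists; tune them for your environment.
SYSTEM_COMPONENT_WORDS = ("windows driver foundation", "user-mode driver framework",
                          "host process", "svchost", "csrss", "lsass")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Save-to-file switches shared by NirSoft's password-recovery tools.
NIRSOFT_SAVE_SWITCHES = {"/stext", "/shtml", "/sverhtml", "/sxml", "/scomma", "/stab", "/stabular"}
IP_CHECK_DOMAINS = {"icanhazip.com", "ifconfig.me", "api.ipify.org", "ipinfo.io"}
FREE_TLDS = {"ga", "tk", "ml", "cf", "gq"}


def split_cmdline(cmdline):
    """Return (image path, argument list) for a Windows command line.

    Handles a quoted or unquoted image path; quoting inside the arguments
    is not needed for these records.
    """
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmdline)
    if m:
        return m.group(1), m.group(2).split()
    parts = cmdline.split()
    return parts[0], parts[1:]


def check_process(pid, parent_name, cmdline):
    """Apply the process heuristics; returns a list of (pid, rule, detail)."""
    findings = []
    image, args = split_cmdline(cmdline)
    name = ntpath.basename(image)
    folder = ntpath.dirname(image)
    in_user_dir = any(seg in image.lower() for seg in USER_WRITABLE)

    # Rule 1: a name that imitates a Windows component, launched from a
    # user-writable folder. The real WUDF host lives under System32.
    if in_user_dir and any(w in name.lower() for w in SYSTEM_COMPONENT_WORDS):
        findings.append((pid, "masquerade", f"{name} started from {folder}"))

    # Rule 2: NirSoft-style save switch. The tool itself is legitimate; another
    # binary launching it with an output file is the credential-dump pattern.
    for i, arg in enumerate(args):
        if arg.lower() in NIRSOFT_SAVE_SWITCHES:
            out = args[i + 1] if i + 1 < len(args) else "?"
            findings.append((pid, "credential_dump", f"{name} {arg} -> {out} (parent {parent_name})"))

    # Rule 3: same image name as the parent, from a user-writable folder: the
    # sample relaunched a copy of itself (Desktop -> Temp here). Noisy for
    # browsers and updaters installed under AppData; add a signer check in production.
    if in_user_dir and name.lower() == parent_name.lower():
        findings.append((pid, "self_relaunch", f"{name} relaunched from {folder}"))
    return findings


def check_connection(pid, domain, port):
    """Apply the network heuristics; returns a list of (pid, rule, detail)."""
    findings = []
    d = domain.lower()
    if d in IP_CHECK_DOMAINS:
        findings.append((pid, "ip_check", f"{d}:{port}"))
    if d.rsplit(".", 1)[-1] in FREE_TLDS:
        findings.append((pid, "free_tld", f"{d}:{port}"))
    return findings


def triage(process_events, network_events):
    """Run every rule and group the findings by pid."""
    by_pid = {}
    for pid, parent, cmd in process_events:
        for f in check_process(pid, parent, cmd):
            by_pid.setdefault(pid, []).append(f)
    for pid, domain, port in network_events:
        for f in check_connection(pid, domain, port):
            by_pid.setdefault(pid, []).append(f)
    return by_pid


def rules_for(by_pid, pid):
    """Sorted, de-duplicated rule names that fired for one pid."""
    return sorted({rule for _, rule, _ in by_pid.get(pid, [])})


if __name__ == "__main__":
    result = triage(PROCESS_EVENTS, NETWORK_EVENTS)
    for pid in sorted(result):
        for _, rule, detail in result[pid]:
            print(f"pid {pid}: {rule}: {detail}")
```

Run stand-alone, the script reports pid 1940 as a self-relaunch, pid 2200 as masquerade plus IP check plus free-TLD contact, and pid 3568 as a credential dump, while WinRAR (2496) and the first launch of the mod (1792) stay clean. The per-rule findings are kept separate rather than collapsed into one score so that a triage queue can weight a NirSoft dump from a Documents-resident "system" binary higher than a lone IP-check lookup, which legitimate software also performs.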