File name: New folder (31).rar
Full analysis: https://app.any.run/tasks/f010f051-cb46-42b4-a4ed-b47c84249226
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim's machine to stealing data and files, as well as dropping other malware; the core functionality therefore differs significantly from one trojan family to another. The most common trojan infection chain starts with a phishing email.

Analysis date: October 20, 2020, 06:33:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 139C914A7B5FFB8665FD525DADB58416
SHA1: 9F41D678AA40D79680BEA0A6E2D0F588E29947A8
SHA256: 8663215AC142ECC3FDBAECDA635E8172DD858CC708AB2BC6794B1F7EBBFC203E
SSDEEP: 24576:dqxU2BG4HxjTMcEoith+v2eXxFRrkzI6hd0Hbfuw/a3fVUEp10558Kakz7y9:cDhRPMcEDh+v2iRiMHjuw/a3f+EpI5TW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • GABB 0.6.23 Rift Mod.exe (PID: 1940)
      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 2200)
      • oofer.exe (PID: 3568)
    • Connects to CnC server
      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 2200)
    • Changes the autorun value in the registry
      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 2200)
    • Actions look like stealing of personal data
      • oofer.exe (PID: 3568)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • GABB 0.6.23 Rift Mod.exe (PID: 1792)
      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 2200)
    • Creates files in the program directory
      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 2200)
    • Checks for external IP
      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 2200)
    • Changes tracing settings of the file or console
      • Windows Driver Foundation - User-mode Driver Framework Host Process.exe (PID: 2200)
  • INFO
    • Manual execution by user
      • GABB 0.6.23 Rift Mod.exe (PID: 1792)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 42
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process chain shown in the graph: winrar.exe (no specs); gabb 0.6.23 rift mod.exe, which drops and starts a second gabb 0.6.23 rift mod.exe (no specs) and windows driver foundation - user-mode driver framework host process.exe; the latter drops and starts oofer.exe. The graph carries one "start" edge and three "drop and start" edges.

Process information

PID 2496 | Parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\New folder (31).rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0

PID 1792 | Parent process: explorer.exe
  CMD: "C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe"
  Path: C:\Users\admin\Desktop\New folder (31)\GABB 0.6.23 Rift Mod.exe
  User: admin | Integrity Level: MEDIUM | Description: GABB 0.6.23 Rift Mod | Exit code: 0 | Version: 0.6.23.0

PID 1940 | Parent process: GABB 0.6.23 Rift Mod.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe"
  Path: C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe
  User: admin | Integrity Level: MEDIUM

PID 2200 | Parent process: GABB 0.6.23 Rift Mod.exe
  CMD: "C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe"
  Path: C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 3762504530 | Version: 1.0.0.0

PID 3568 | Parent process: Windows Driver Foundation - User-mode Driver Framework Host Process.exe
  CMD: "C:\Users\admin\AppData\Local\oofer.exe" /stext creds.txt
  Path: C:\Users\admin\AppData\Local\oofer.exe
  User: admin | Company: NirSoft | Integrity Level: MEDIUM | Description: Web Browser Password Viewer | Exit code: 0 | Version: 2.00
Total events: 1 277
Read events: 1 237
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2496.49760\New folder (31)\GABB 0.6.23 Rift Mod.exe | | |
2496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2496.49760\New folder (31)\GABB.ini | | |
2496 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2496.49760\New folder (31)\GDLL.dll | | |
3568 | oofer.exe | C:\Users\admin\AppData\Local\Temp\bhv12BD.tmp | | |
3568 | oofer.exe | C:\Users\admin\AppData\Local\creds.txt | | |
1792 | GABB 0.6.23 Rift Mod.exe | C:\Users\admin\AppData\Local\Temp\GABB 0.6.23 Rift Mod.exe | executable | 46AB7A03567F974185B6EC0B83D96C06 | 1F683346925D14D0BDEA1E9D3A48EECF482F39D4C5FCCBEBE1B19A8A2CE4DE51
1792 | GABB 0.6.23 Rift Mod.exe | C:\Users\admin\Documents\Windows Driver Foundation - User-mode Driver Framework Host Process.exe | executable | A8AC417D26CA845B2A5091369F2F0741 | 4696AD7EDA7D502E3C6AB4A54DA7BBC3FEC1CFCDFDDEED46EE573B0A95EE214C
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | C:\Users\admin\AppData\Local\oofer.exe | executable | 62A4AFEA4D7DC230E838F2345B212C36 | 60E4C3FD7AC43183CC501B1608276630C1306699B6EC93C230FA885C82DE491F
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests: none

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 172.217.18.14:443 | play.google.com | Google Inc. | US | whitelisted
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 136.144.56.255:80 | icanhazip.com | LeaseWeb Netherlands B.V. | NL | malicious
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 104.18.36.74:443 | nusumu.ga | Cloudflare Inc | US | suspicious
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | 172.67.214.70:443 | nusumu.wtf | | US | malicious

DNS requests

Domain | IP | Reputation
nusumu.ga | 104.18.36.74, 104.18.37.74, 172.67.206.220 | suspicious
play.google.com | 172.217.18.14 | whitelisted
nusumu.wtf | 172.67.214.70, 104.27.143.46, 104.27.142.46 | unknown
icanhazip.com | 136.144.56.255, 147.75.47.199 | shared

Threats

PID | Process | Class | Message
| | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .ga Domain
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.ga) in TLS SNI
2200 | Windows Driver Foundation - User-mode Driver Framework Host Process.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
1 ETPRO signature available in the full report
No debug info