File name: | hah.rar |
Full analysis: | https://app.any.run/tasks/a12fe25d-cbbd-4836-aa2e-b78e3e56321d |
Verdict: | Malicious activity |
Threats: | Gootkit is an advanced banking trojan. It is extremely good at evading detection and has an incredibly effective persistence mechanism, making it a dangerous malware that researchers and organizations should be aware of. |
Analysis date: | January 24, 2022, 21:48:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | B2A07A6A9AF4A4EE733241C1E88BF174 |
SHA1: | FE416F9832D6AD67E38584583CB4CA532AA92EE7 |
SHA256: | 887A7B19BDFC625F8B9B3C28A94A7090D484C296F8A8E566503EE08B63918094 |
SSDEEP: | 196608:zge8Z+qMRHC+DJvreE/IMl3OEJD6kpepUzOgj+yJdYpIVjgwLy3z/+woO:zgei+ZRHC2hrei1OEEkIpUKgCy2Ugwul |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3316 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\hah.rar" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
3968 | "C:\Users\admin\Desktop\hah\mash_full_setup.exe" | C:\Users\admin\Desktop\hah\mash_full_setup.exe | Explorer.EXE | ||||||||||||
User: admin Company: BellCraft Technologies Integrity Level: MEDIUM Description: MASH Setup Exit code: 0 Version: Modules
| |||||||||||||||
3268 | "C:\Users\admin\AppData\Local\Temp\is-BV4VV.tmp\mash_full_setup.exe.tmp" /SL5="$201C2,6008127,53248,C:\Users\admin\Desktop\hah\mash_full_setup.exe" | C:\Users\admin\AppData\Local\Temp\is-BV4VV.tmp\mash_full_setup.exe.tmp | — | mash_full_setup.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.48.0.0 Modules
| |||||||||||||||
1412 | "C:\Users\admin\Desktop\hah\mash_full_setup.exe" /SPAWNWND=$2021E /NOTIFYWND=$201C2 | C:\Users\admin\Desktop\hah\mash_full_setup.exe | mash_full_setup.exe.tmp | ||||||||||||
User: admin Company: BellCraft Technologies Integrity Level: HIGH Description: MASH Setup Exit code: 0 Version: Modules
| |||||||||||||||
3464 | "C:\Users\admin\AppData\Local\Temp\is-70DEP.tmp\mash_full_setup.exe.tmp" /SL5="$3021C,6008127,53248,C:\Users\admin\Desktop\hah\mash_full_setup.exe" /SPAWNWND=$2021E /NOTIFYWND=$201C2 | C:\Users\admin\AppData\Local\Temp\is-70DEP.tmp\mash_full_setup.exe.tmp | mash_full_setup.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.48.0.0 Modules
| |||||||||||||||
4004 | "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\COMDLG32.OCX" | C:\Windows\system32\regsvr32.exe | — | mash_full_setup.exe.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1368 | "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSCOMCTL.OCX" | C:\Windows\system32\regsvr32.exe | — | mash_full_setup.exe.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1304 | "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\RICHTX32.OCX" | C:\Windows\system32\regsvr32.exe | — | mash_full_setup.exe.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1168 | "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSVBVM60.dll" | C:\Windows\system32\regsvr32.exe | — | mash_full_setup.exe.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2768 | "C:\Users\admin\AppData\Local\Temp\is-68PMJ.tmp\msagent.exe" /Q:A | C:\Users\admin\AppData\Local\Temp\is-68PMJ.tmp\msagent.exe | mash_full_setup.exe.tmp | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Win32 Cabinet Self-Extractor Exit code: 0 Version: 4.71.1015.0 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3316 | WinRAR.exe | C:\Users\admin\Desktop\hah\MerlinKill 2.0.exe | executable | |
MD5:51E2055D3467726FFE787DBDBAEA0544 | SHA256:9CC8768C526D601A04B2AA46CEB1ADF4986312FFBDFDABBECDE4F45EA10086DF | |||
3464 | mash_full_setup.exe.tmp | C:\Program Files\BellCraft.com\MASH\is-JHR4O.tmp | chm | |
MD5:CC7C6CF1ADAF17773589C90D65F8C173 | SHA256:7C0570592C435AC95B029762FEB25D9ACEE95FABF8BA4D3EA772DB466A5FCAE3 | |||
3464 | mash_full_setup.exe.tmp | C:\Program Files\BellCraft.com\MASH\is-RTJT3.tmp | text | |
MD5:816D59B6DA5F34FE80B8E2D1647FE63D | SHA256:88D20E6925F7BC11434A2793D6A9FA37FBB26366A0F8CE50B3C1779C594F13CA | |||
3464 | mash_full_setup.exe.tmp | C:\Users\admin\AppData\Local\Temp\is-68PMJ.tmp\_isetup\_RegDLL.tmp | executable | |
MD5:C594B792B9C556EA62A30DE541D2FB03 | SHA256:5DCC1E0A197922907BCA2C4369F778BD07EE4B1BBBDF633E987A028A314D548E | |||
3464 | mash_full_setup.exe.tmp | C:\Program Files\BellCraft.com\MASH\is-4M7F3.tmp | text | |
MD5:43C8F9189162D2FD142B261AC06B90C9 | SHA256:26512915E5E2E8E1FAD2F6FFB904B0A3F22EF87B8D094D423E45FA2B672AAF9F | |||
3464 | mash_full_setup.exe.tmp | C:\Program Files\BellCraft.com\MASH\MASH.ini | ini | |
MD5:14EE168040435559B97C3F6E16A85BD8 | SHA256:3E0493BDE8EED23B62B9C10675370F6B08E4203FD27FD903822659E12B3965EB | |||
3464 | mash_full_setup.exe.tmp | C:\Program Files\BellCraft.com\MASH\is-88PM5.tmp | executable | |
MD5:B3A3BDBC5F8B5BCB1B969744CEEF49EE | SHA256:6F132475676FAEEBF08272949140A54E6BA6743F93DBE5634864964504F8DD4E | |||
3464 | mash_full_setup.exe.tmp | C:\Program Files\BellCraft.com\MASH\is-6CHDU.tmp | ini | |
MD5:14EE168040435559B97C3F6E16A85BD8 | SHA256:3E0493BDE8EED23B62B9C10675370F6B08E4203FD27FD903822659E12B3965EB | |||
3464 | mash_full_setup.exe.tmp | C:\Program Files\BellCraft.com\MASH\is-632K7.tmp | executable | |
MD5:09CB2C84E23E4E0F2A6CCFA83266CF1B | SHA256:5DAE582A0F939CD8EB425D0520C242AA1FF02496695E3513D50154B7EA866601 | |||
3464 | mash_full_setup.exe.tmp | C:\Program Files\BellCraft.com\MASH\unins000.exe | executable | |
MD5:09CB2C84E23E4E0F2A6CCFA83266CF1B | SHA256:5DAE582A0F939CD8EB425D0520C242AA1FF02496695E3513D50154B7EA866601 |
Process | Message |
---|---|
AgentSvr.exe |
++++++ ITTSCentral::Release() Called ++++++
|
AgentSvr.exe |
++++++ ITTSCentral::Release() Called ++++++
|
AgentSvr.exe | ClaimOutput
|
AgentSvr.exe | UnclaimOutput
|
AgentSvr.exe | ClaimOutput
|
AgentSvr.exe | UnclaimOutput
|
AgentSvr.exe | ClaimOutput
|
AgentSvr.exe | UnclaimOutput
|
AgentSvr.exe | ClaimOutput
|
AgentSvr.exe | UnclaimOutput
|