Malware analysis GNBot - _ed by Baseult.zip Malicious activity

Add for printing

File name:	GNBot - _ed by Baseult.zip
Full analysis:	https://app.any.run/tasks/2d8c26de-8e0b-4228-9e20-ee5abf303557
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	March 01, 2021, 04:31:13
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	ransomware
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract
MD5:	EA41FF7A615770803B741D466A17224F
SHA1:	6A663E193A4D27598F9F3F2BCE1FCD061DC528AF
SHA256:	8AC561AEAB3B3FE1415DE4BB51994A70E840E468802191652DA97E6D95DDD5FE
SSDEEP:	393216:jNDFfdDJJ359zkHNbSZqvW4XYRWb957rmpm8Uimal5fyt:dFfdDfp94RYq+4XZRrmpfUimEyt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.74)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - GNLauncher - (Cracked by Baseult).exe (PID: 2108)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2196)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
- Loads dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 3112)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
  - explorer.exe (PID: 656)
- Changes settings of System certificates
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
SUSPICIOUS
- Drops a file that was compiled in debug mode
  - WinRAR.exe (PID: 2604)
- Starts Internet Explorer
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
- Drops a file with too old compile date
  - WinRAR.exe (PID: 2604)
- Reads Environment values
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
- Creates files like Ransomware instruction
  - WinRAR.exe (PID: 2604)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2604)
- Adds / modifies Windows certificates
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
- Reads internet explorer settings
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
INFO
- Changes internet zones settings
  - iexplore.exe (PID: 2948)
- Manual execution by user
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2108)
- Changes settings of System certificates
  - iexplore.exe (PID: 2112)
  - iexplore.exe (PID: 2948)
- Creates files in the user directory
  - iexplore.exe (PID: 2112)
- Application launched itself
  - iexplore.exe (PID: 2948)
- Reads settings of System Certificates
  - iexplore.exe (PID: 2112)
  - iexplore.exe (PID: 2948)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 2112)
  - iexplore.exe (PID: 2948)
- Reads internet explorer settings
  - iexplore.exe (PID: 2112)
- Dropped object may contain Bitcoin addresses
  - iexplore.exe (PID: 2112)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2021:02:19 18:29:29
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	GNBot - Cracked by Baseult/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

656

C:\Windows\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\winanr.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll

2108

"C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe"

C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

GNLauncher

Exit code:

3221226540

Version:

1.0.197.58675

Modules

Images
c:\users\admin\desktop\gnbot - cracked by baseult\gnlauncher - (cracked by baseult).exe
c:\systemroot\system32\ntdll.dll

2112

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2948 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

2196

"C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe"

C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

GNLauncher

Exit code:

3221226540

Version:

1.0.197.58675

Modules

Images
c:\users\admin\desktop\gnbot - cracked by baseult\gnlauncher - (cracked by baseult).exe
c:\systemroot\system32\ntdll.dll

2604

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GNBot - _ed by Baseult.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

2680

"C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe"

C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

GNLauncher

Exit code:

Version:

1.0.197.58675

Modules

Images
c:\users\admin\desktop\gnbot - cracked by baseult\gnlauncher - (cracked by baseult).exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

2780

"C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe"

C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

GNLauncher

Exit code:

Version:

1.0.197.58675

Modules

Images
c:\users\admin\desktop\gnbot - cracked by baseult\gnlauncher - (cracked by baseult).exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

2948

"C:\Program Files\Internet Explorer\iexplore.exe" http://baseult.xyz/discord

C:\Program Files\Internet Explorer\iexplore.exe

GNLauncher - (Cracked by Baseult).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

3112

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\System32\SearchProtocolHost.exe

—

SearchIndexer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Windows Search Protocol Host

Exit code:

Version:

7.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

6 503

Read events

6 231

Write events

270

Delete events

Modification events


(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	@C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\GNBot - _ed by Baseult.zip
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	@C:\Windows\system32\notepad.exe,-469
Value: Text Document

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\AgeZbot.png		image
		MD5:898156FDCF20163D0090A1703E3F1483	SHA256:E530C7C60321FF82E1E21FFF27BF8B18500787B825A8CC65261574867DD1D4E1
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\BWbot.png		image
		MD5:8284379E400B9F7E159CFD22C040C79B	SHA256:95308A909F3B46540606FC5E96B9123E53C5DF8BEBF0B6E1D23AE75D4F9D2F9E
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\AmsBot.png		image
		MD5:7CF405BA0FDCC804F5B5140C3216CE1D	SHA256:04F6219085527A41BC92ADE83AED2E6C0714B41DCA2C020A8F04BB31A6A16252
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\AForge.Math.dll		executable
		MD5:C69973F674D9D113411D0FA2D1DBE222	SHA256:A4F24C9A46705C66FF7838C3A4C61759F5BA58EE8A5B061D05340C61D790C0B7
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\ConquestBot.png		image
		MD5:A66C662B62685B00DB20D6BD53860332	SHA256:969B1C2AF5C009CF4BCC98B8B06E846BBC9F15C74A6022D50EFFEABAD8CE19A8
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\CoeBot.png		image
		MD5:4FCB6A72F7514606D06996B7AFE10E50	SHA256:6251A19393164C3CA7D22BC31AF5829637308CC4A494ECE4F0F67D43A7F3E935
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\AForge.dll		executable
		MD5:02C63F568E598AAD85DD401D7B26E82A	SHA256:966A474060A8ACA70C73BA09D0B6FE2353035961C7107B9003EF879C010FF8DA
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\KoAbot.png		image
		MD5:3E1B654C03CC38E99C22C2443081CDB3	SHA256:DA49BF058546D5F0A1114DD896227923965FD8AB424CDEBC3CF8A74F26950069
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\GunsBot.png		image
		MD5:54222EA8E62DD97F506636F54587721D	SHA256:DA9B6B46E302ACD3F9698E8CF0393928F92FF0CDD742E6FFD5EB741CFC3F4D87
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\KingsBotWest.png		image
		MD5:1EC9A4B3676D95B8B61F7B581BBD8D60	SHA256:2E8D978F7C94146F95F3316EFB475F52448CD062640B40167F60DDDC23B79374

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2680	GNLauncher - (Cracked by Baseult).exe	POST	200	89.245.47.12:80	http://89.245.47.12/login.php	DE	text	7 b	unknown
2112	iexplore.exe	GET	301	198.54.115.164:80	http://baseult.xyz/discord	US	html	235 b	malicious
2112	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D	US	der	1.47 Kb	whitelisted
2112	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAfdgkhmvPm4LTkRato%2BqFw%3D	US	der	279 b	whitelisted
2112	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAfdgkhmvPm4LTkRato%2BqFw%3D	US	der	279 b	whitelisted
2948	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted
2948	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted
2948	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted
2948	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEA8aVkWYLIkXQFXHYN8Oxso%3D	US	der	471 b	whitelisted
2780	GNLauncher - (Cracked by Baseult).exe	POST	200	89.245.47.12:80	http://89.245.47.12/register.php	DE	text	7 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2680	GNLauncher - (Cracked by Baseult).exe	198.54.115.164:443	lolspam.fun	Namecheap, Inc.	US	suspicious
2680	GNLauncher - (Cracked by Baseult).exe	89.245.47.12:80	—	1&1 Versatel Deutschland GmbH	DE	unknown
2948	iexplore.exe	152.199.19.161:443	iecvlist.microsoft.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
2780	GNLauncher - (Cracked by Baseult).exe	198.54.115.164:443	lolspam.fun	Namecheap, Inc.	US	suspicious
2780	GNLauncher - (Cracked by Baseult).exe	192.124.249.15:443	www.gnbots.com	Sucuri	US	malicious
2780	GNLauncher - (Cracked by Baseult).exe	160.153.209.242:80	www.goodnightbot.net	GoDaddy.com, LLC	US	suspicious
2780	GNLauncher - (Cracked by Baseult).exe	89.245.47.12:80	—	1&1 Versatel Deutschland GmbH	DE	unknown
2780	GNLauncher - (Cracked by Baseult).exe	172.217.18.99:80	ocsp.pki.goog	Google Inc.	US	whitelisted
2780	GNLauncher - (Cracked by Baseult).exe	192.124.249.41:80	ocsp.godaddy.com	Sucuri	US	suspicious
—	—	142.250.186.131:443	fonts.gstatic.com	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
lolspam.fun	198.54.115.164	suspicious
baseult.xyz	198.54.115.164	malicious
discord.gg	162.159.134.234 162.159.135.234 162.159.136.234 162.159.130.234 162.159.133.234	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted
discord.com	162.159.128.233 162.159.136.232 162.159.135.232 162.159.138.232 162.159.137.232	whitelisted
api.bing.com	13.107.5.80	whitelisted
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
iecvlist.microsoft.com	152.199.19.161	whitelisted
r20swj13mr.microsoft.com	152.199.19.161	whitelisted
www.goodnightbot.net	160.153.209.242	suspicious

Threats

PID	Process	Class	Message
2112	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
2112	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain

Add for printing

No debug info

General Info

GNBot - _ed by Baseult.zip

EA41FF7A615770803B741D466A17224F

6A663E193A4D27598F9F3F2BCE1FCD061DC528AF

8AC561AEAB3B3FE1415DE4BB51994A70E840E468802191652DA97E6D95DDD5FE

393216:jNDFfdDJJ359zkHNbSZqvW4XYRWb957rmpm8Uimal5fyt:dFfdDfp94RYq+4XZRrmpfUimEyt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Changes settings of System certificates

SUSPICIOUS

Drops a file that was compiled in debug mode

Starts Internet Explorer

Drops a file with too old compile date

Reads Environment values

Creates files like Ransomware instruction

Executable content was dropped or overwritten

Adds / modifies Windows certificates

Reads internet explorer settings

INFO

Changes internet zones settings

Manual execution by user

Changes settings of System certificates

Creates files in the user directory

Application launched itself

Reads settings of System Certificates

Adds / modifies Windows certificates

Reads internet explorer settings

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings