Malware analysis GNBot - _ed by Baseult.zip Malicious activity

Add for printing

File name:	GNBot - _ed by Baseult.zip
Full analysis:	https://app.any.run/tasks/2d8c26de-8e0b-4228-9e20-ee5abf303557
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	March 01, 2021, 04:31:13
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	ransomware
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract
MD5:	EA41FF7A615770803B741D466A17224F
SHA1:	6A663E193A4D27598F9F3F2BCE1FCD061DC528AF
SHA256:	8AC561AEAB3B3FE1415DE4BB51994A70E840E468802191652DA97E6D95DDD5FE
SSDEEP:	393216:jNDFfdDJJ359zkHNbSZqvW4XYRWb957rmpm8Uimal5fyt:dFfdDfp94RYq+4XZRrmpfUimEyt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.74)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 3112)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
  - explorer.exe (PID: 656)
- Changes settings of System certificates
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
- Application was dropped or rewritten from another process
  - GNLauncher - (Cracked by Baseult).exe (PID: 2108)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2196)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2604)
- Drops a file that was compiled in debug mode
  - WinRAR.exe (PID: 2604)
- Creates files like Ransomware instruction
  - WinRAR.exe (PID: 2604)
- Drops a file with too old compile date
  - WinRAR.exe (PID: 2604)
- Reads Environment values
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
- Starts Internet Explorer
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
- Adds / modifies Windows certificates
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
- Reads internet explorer settings
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
INFO
- Manual execution by user
  - GNLauncher - (Cracked by Baseult).exe (PID: 2108)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2680)
- Reads settings of System Certificates
  - iexplore.exe (PID: 2112)
  - iexplore.exe (PID: 2948)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 2112)
  - iexplore.exe (PID: 2948)
- Application launched itself
  - iexplore.exe (PID: 2948)
- Changes settings of System certificates
  - iexplore.exe (PID: 2112)
  - iexplore.exe (PID: 2948)
- Changes internet zones settings
  - iexplore.exe (PID: 2948)
- Creates files in the user directory
  - iexplore.exe (PID: 2112)
- Reads internet explorer settings
  - iexplore.exe (PID: 2112)
- Dropped object may contain Bitcoin addresses
  - iexplore.exe (PID: 2112)
  - GNLauncher - (Cracked by Baseult).exe (PID: 2780)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2021:02:19 18:29:29
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	GNBot - Cracked by Baseult/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

656

C:\Windows\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\winanr.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll

2108

"C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe"

C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

GNLauncher

Exit code:

3221226540

Version:

1.0.197.58675

Modules

Images
c:\users\admin\desktop\gnbot - cracked by baseult\gnlauncher - (cracked by baseult).exe
c:\systemroot\system32\ntdll.dll

2112

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2948 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

2196

"C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe"

C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

GNLauncher

Exit code:

3221226540

Version:

1.0.197.58675

Modules

Images
c:\users\admin\desktop\gnbot - cracked by baseult\gnlauncher - (cracked by baseult).exe
c:\systemroot\system32\ntdll.dll

2604

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\GNBot - _ed by Baseult.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

2680

"C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe"

C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

GNLauncher

Exit code:

Version:

1.0.197.58675

Modules

Images
c:\users\admin\desktop\gnbot - cracked by baseult\gnlauncher - (cracked by baseult).exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

2780

"C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe"

C:\Users\admin\Desktop\GNBot - Cracked by Baseult\GNLauncher - (Cracked by Baseult).exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

GNLauncher

Exit code:

Version:

1.0.197.58675

Modules

Images
c:\users\admin\desktop\gnbot - cracked by baseult\gnlauncher - (cracked by baseult).exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll

2948

"C:\Program Files\Internet Explorer\iexplore.exe" http://baseult.xyz/discord

C:\Program Files\Internet Explorer\iexplore.exe

GNLauncher - (Cracked by Baseult).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

3112

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\System32\SearchProtocolHost.exe

—

SearchIndexer.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Windows Search Protocol Host

Exit code:

Version:

7.00.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

6 503

Read events

6 231

Write events

270

Delete events

Modification events


(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	@C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\GNBot - _ed by Baseult.zip
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2604) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	@C:\Windows\system32\notepad.exe,-469
Value: Text Document

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\BWbot.png		image
		MD5:8284379E400B9F7E159CFD22C040C79B	SHA256:95308A909F3B46540606FC5E96B9123E53C5DF8BEBF0B6E1D23AE75D4F9D2F9E
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\AForge.Imaging.dll		executable
		MD5:5392A22226E960D4AE7E408913C49D6C	SHA256:107DA9260B6D2796335B516F043B360250001FEB0AE3B1C8422F90B5B9F6E282
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\CGAbot.png		image
		MD5:2C5887ABECBE9052D6F3AFAE07FBE555	SHA256:46BE0B554C95F0ABA742CCE393FDDCB1C96CB5DB8A4BA820623E9DC835675831
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\AgeZbot.png		image
		MD5:898156FDCF20163D0090A1703E3F1483	SHA256:E530C7C60321FF82E1E21FFF27BF8B18500787B825A8CC65261574867DD1D4E1
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\AmsBot.png		image
		MD5:7CF405BA0FDCC804F5B5140C3216CE1D	SHA256:04F6219085527A41BC92ADE83AED2E6C0714B41DCA2C020A8F04BB31A6A16252
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\CoeBot.png		image
		MD5:4FCB6A72F7514606D06996B7AFE10E50	SHA256:6251A19393164C3CA7D22BC31AF5829637308CC4A494ECE4F0F67D43A7F3E935
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\CoqBot.png		image
		MD5:6E8BE8FC39CB696DC18B3D10998CE534	SHA256:B616BB55940E600F25E92024AE24FC430BB30E48C85CFC92A7A6DFB1CFF8F1B3
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\LssBot.png		image
		MD5:74080765E331C6A983CA60A72CBB5AE3	SHA256:3D75DE249EB29F2D320D9559C313F897997B9086C326F9EF9B339C7916E35029
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\MafiaBot.png		image
		MD5:2E32B8FFE41375E456123D0BE6E1F9E3	SHA256:9286ED4EC195EC779A3437E449170CEF0AD902ED4FE73C5842DCE7831BE14C9B
2604	WinRAR.exe	C:\Users\admin\Desktop\GNBot - Cracked by Baseult\app_images\GunsBot.png		image
		MD5:54222EA8E62DD97F506636F54587721D	SHA256:DA9B6B46E302ACD3F9698E8CF0393928F92FF0CDD742E6FFD5EB741CFC3F4D87

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2112	iexplore.exe	GET	301	198.54.115.164:80	http://baseult.xyz/discord	US	html	235 b	malicious
2112	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAfdgkhmvPm4LTkRato%2BqFw%3D	US	der	279 b	whitelisted
2112	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAfdgkhmvPm4LTkRato%2BqFw%3D	US	der	279 b	whitelisted
2112	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D	US	der	1.47 Kb	whitelisted
2112	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D	US	der	1.47 Kb	whitelisted
2948	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted
2780	GNLauncher - (Cracked by Baseult).exe	POST	200	89.245.47.12:80	http://89.245.47.12/register.php	DE	text	7 b	unknown
2948	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted
2948	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEA8aVkWYLIkXQFXHYN8Oxso%3D	US	der	471 b	whitelisted
2948	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	der	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2680	GNLauncher - (Cracked by Baseult).exe	198.54.115.164:443	lolspam.fun	Namecheap, Inc.	US	suspicious
2948	iexplore.exe	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
2780	GNLauncher - (Cracked by Baseult).exe	198.54.115.164:443	lolspam.fun	Namecheap, Inc.	US	suspicious
2780	GNLauncher - (Cracked by Baseult).exe	89.245.47.12:80	—	1&1 Versatel Deutschland GmbH	DE	unknown
2780	GNLauncher - (Cracked by Baseult).exe	160.153.209.242:80	www.goodnightbot.net	GoDaddy.com, LLC	US	suspicious
2780	GNLauncher - (Cracked by Baseult).exe	192.124.249.15:443	www.gnbots.com	Sucuri	US	malicious
2112	iexplore.exe	162.159.128.233:443	discord.com	Cloudflare Inc	—	malicious
2948	iexplore.exe	152.199.19.161:443	iecvlist.microsoft.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
2780	GNLauncher - (Cracked by Baseult).exe	142.250.185.106:443	fonts.googleapis.com	Google Inc.	US	whitelisted
2780	GNLauncher - (Cracked by Baseult).exe	192.124.249.41:80	ocsp.godaddy.com	Sucuri	US	suspicious

DNS requests

Domain	IP	Reputation
lolspam.fun	198.54.115.164	suspicious
baseult.xyz	198.54.115.164	malicious
discord.gg	162.159.134.234 162.159.135.234 162.159.136.234 162.159.130.234 162.159.133.234	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted
discord.com	162.159.128.233 162.159.136.232 162.159.135.232 162.159.138.232 162.159.137.232	whitelisted
api.bing.com	13.107.5.80	whitelisted
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
iecvlist.microsoft.com	152.199.19.161	whitelisted
r20swj13mr.microsoft.com	152.199.19.161	whitelisted
www.goodnightbot.net	160.153.209.242	suspicious

Threats

PID	Process	Class	Message
2112	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
2112	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain

Add for printing

No debug info

General Info

GNBot - _ed by Baseult.zip

EA41FF7A615770803B741D466A17224F

6A663E193A4D27598F9F3F2BCE1FCD061DC528AF

8AC561AEAB3B3FE1415DE4BB51994A70E840E468802191652DA97E6D95DDD5FE

393216:jNDFfdDJJ359zkHNbSZqvW4XYRWb957rmpm8Uimal5fyt:dFfdDfp94RYq+4XZRrmpfUimEyt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Changes settings of System certificates

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Drops a file that was compiled in debug mode

Creates files like Ransomware instruction

Drops a file with too old compile date

Reads Environment values

Starts Internet Explorer

Adds / modifies Windows certificates

Reads internet explorer settings

INFO

Manual execution by user

Reads settings of System Certificates

Adds / modifies Windows certificates

Application launched itself

Changes settings of System certificates

Changes internet zones settings

Creates files in the user directory

Reads internet explorer settings

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings