analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Ableton live 11.rar |
| Full analysis: | https://app.any.run/tasks/103ece8c-085a-4915-b24b-b19c1fea7f89 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | April 01, 2023, 12:30:40 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 30F18867E9A1C69C099F7590337BD4F7 |
| SHA1: | 260AED49A6C8F052C48C69CD3F6BC3C6B08BFA96 |
| SHA256: | 8DC37A2458CF8504A9021E1B76B8894B5AED28CCE7517E80BAEB56E7BA42BCE2 |
| SSDEEP: | 196608:N2emSW7JNmUEJs9LWqh1Or75mEAlNzgHpUmNdykow5wbsb:N2sW73wspWqOr7QT01w65h |
MALICIOUS
Application was dropped or rewritten from another process
- Engine.exe (PID: 3836)
- jsc.exe (PID: 2840)
REDLINE was detected
- jsc.exe (PID: 2840)
REDLINE detected by memory dumps
- jsc.exe (PID: 2840)
Connects to the CnC server
- jsc.exe (PID: 2840)
Steals credentials from Web Browsers
- jsc.exe (PID: 2840)
Actions looks like stealing of personal data
- jsc.exe (PID: 2840)
SUSPICIOUS
Executable content was dropped or overwritten
- installer.exe (PID: 3896)
- Possess.exe.pif (PID: 2992)
Starts CMD.EXE for commands execution
- Engine.exe (PID: 3836)
- cmd.exe (PID: 1620)
Application launched itself
- cmd.exe (PID: 1620)
Get information on the list of running processes
- cmd.exe (PID: 116)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 116)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 116)
Starts application with an unusual extension
- cmd.exe (PID: 116)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 116)
Reads the Windows owner or organization settings
- Engine.exe (PID: 3836)
Connects to unusual port
- jsc.exe (PID: 2840)
Searches for installed software
- jsc.exe (PID: 2840)
Reads browser cookies
- jsc.exe (PID: 2840)
INFO
Checks supported languages
- installer.exe (PID: 3896)
- Engine.exe (PID: 3836)
- Possess.exe.pif (PID: 2992)
- jsc.exe (PID: 2840)
- wmpnscfg.exe (PID: 3320)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2644)
Create files in a temporary directory
- installer.exe (PID: 3896)
- powershell.exe (PID: 2820)
- powershell.exe (PID: 2452)
- cmd.exe (PID: 116)
- Possess.exe.pif (PID: 2992)
Reads the computer name
- Engine.exe (PID: 3836)
- Possess.exe.pif (PID: 2992)
- jsc.exe (PID: 2840)
- wmpnscfg.exe (PID: 3320)
Reads security settings of Internet Explorer
- powershell.exe (PID: 2820)
- powershell.exe (PID: 2452)
The process checks LSA protection
- powershell.exe (PID: 2820)
- powershell.exe (PID: 2452)
- jsc.exe (PID: 2840)
- wmpnscfg.exe (PID: 3320)
Reads mouse settings
- Possess.exe.pif (PID: 2992)
Reads the machine GUID from the registry
- jsc.exe (PID: 2840)
- wmpnscfg.exe (PID: 3320)
Manual execution by a user
- wmpnscfg.exe (PID: 3320)
Reads product name
- jsc.exe (PID: 2840)
Reads Environment values
- jsc.exe (PID: 2840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
RedLine
(PID) Process(2840) jsc.exe
US (153)
LEnvironmentogiEnvironmentn DatEnvironmenta
Environment
WSystem.Texteb DatSystem.Texta
System.Text
CoCryptographyokieCryptographys
Cryptography
ExtGenericension CooGenerickies
Generic
OFileInfopeFileInfora GFileInfoX StabFileInfole
FileInfo
OpLinqera GLinqX
Linq
ApGenericpDaGenericta\RGenericoamiGenericng\
Network
Extension
UNKNOWN
cFileStreamredFileStreamit_cFileStreamardFileStreams
FileStream
\
Host
Port
:
User
Pass
cookies.sqlite
GetDirectories
Entity12
EnumerateDirectories
String.Replace
String.Remove
bcrFileStream.IOypt.dFileStream.IOll
FileStream.IO
BCrstring.EmptyyptOpestring.EmptynAlgorithmProvistring.Emptyder
string.Empty
BCruintyptCloseAlgorituinthmProvuintider
uint
BCrUnmanagedTypeyptDecrUnmanagedTypeypt
UnmanagedType
BCrhKeyyptDeshKeytroyKhKeyey
hKey
BCpszPropertyryptGepszPropertytPropepszPropertyrty
pszProperty
BCEncodingryptSEncodingetPrEncodingoperEncodingty
Encoding
BCrbMasterKeyyptImbMasterKeyportKbMasterKeyey
bMasterKey
windows-1251
AES
Microsoft Primitive Provider
ChainingModeGCM
AuthTagLength
ChainingMode
ObjectLength
KeyDataBlob
-
{0}
net.tcp://
/
localhost
ed8e10f66ddbd565f24efb9e98faa630
Authorization
ns1
HygiAygYPGMgBTMdPhMZWCAcKAU2FCVc
ASs1AAYcLyQ1OEJY
Plovery
Yandex\YaAddon
asf
*wallet*
ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtu...
_
T
e
l
gr
am
.
ex
\TeEnvironmentlegraEnvironmentm DEnvironmentesktoEnvironmentp\tdEnvironmentata
1
string.Replace
%USERPFile.WriteROFILE%\AppFile.WriteData\RoamiFile.Writeng
File.Write
Handler
npvo*
%USERPserviceInterface.ExtensionROFILE%\ApserviceInterface.ExtensionpData\LocaserviceInterface.Extensionl
serviceInterface.Extension
ProldCharotonVoldCharPN
oldChar
nSystem.CollectionspvoSystem.Collections*
System.Collections
(
UNIQUE
"
Armenia
Azerbaijan
Belarus
Kazakhstan
Kyrgyzstan
Moldova
Tajikistan
Uzbekistan
Ukraine
Russia
|
https://api.ip.sb/ip
SELSystem.Windows.FormsECT * FRSystem.Windows.FormsOM WinSystem.Windows.Forms32_ProcSystem.Windows.Formsessor
System.Windows.Forms
roSystem.Linqot\CISystem.LinqMV2
System.Linq
SELSystem.LinqECT * FRSystem.LinqOM WinSystem.Linq32_VideoCoSystem.Linqntroller
AdapterRAM
Name
SOFTWARE\WOW6432Node\Clients\StartMenuInternet
SOFTWARE\Clients\StartMenuInternet
shell\open\command
Unknown Version
SELESystem.ManagementCT * FRSystem.ManagementOM WiSystem.Managementn32_DisSystem.ManagementkDrivSystem.Managemente
System.Management
SerialNumber
SELSystem.Text.RegularExpressionsECT * FRSystem.Text.RegularExpressionsOM Win32_PSystem.Text.RegularExpressionsrocess WSystem.Text.RegularExpressionshere SessSystem.Text.RegularExpressionsionId='
System.Text.RegularExpressions
'
FileSystem
SSystem.ELECT * FRSystem.OM WiSystem.n32_ProcSystem.ess WherSystem.e SessiSystem.onId='
System.
ExecutablePath
[
]
Concat0 MConcatb oConcatr Concat0
Concat
SELEMemoryCT * FMemoryROM WiMemoryn32_OperMemoryatingSMemoryystem
Memory
{0}{1}{2}
x32
x64
x86
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
CSDVersion
Unknown
_[
Network\
String
Replace
80
81
0.0.0.0
Auth_valueed8e10f66ddbd565f24efb9e98faa630
Err_msg
Botnet@foruman
C2 (1)83.217.11.28:30827
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
57
Monitored processes
12
Malicious processes
7
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2644 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ableton live 11.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 3896 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb2644.26747\Ableton live 11\installer.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb2644.26747\Ableton live 11\installer.exe | WinRAR.exe | ||||||||||||
User: admin Company: Cod Forwarding Macro Hof. Integrity Level: MEDIUM Description: Learn Exit code: 0 Version: 2.3.9.8 Modules
| |||||||||||||||
| 3836 | C:\Users\admin\AppData\Local\Temp\SETUP_18999\Engine.exe /TH_ID=_3596 /OriginExe="C:\Users\admin\AppData\Local\Temp\Rar$EXb2644.26747\Ableton live 11\installer.exe" | C:\Users\admin\AppData\Local\Temp\SETUP_18999\Engine.exe | — | installer.exe | |||||||||||
User: admin Company: Pantaray Research Ltd. Integrity Level: MEDIUM Description: Setup/UnInstall Engine Exit code: 0 Version: 9.1.0.6 Modules
| |||||||||||||||
| 1620 | C:\Windows\system32\cMD.exe /c cmd < Successful | C:\Windows\System32\cmd.exe | — | Engine.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 116 | cmd | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2820 | powershell get-process avastui | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 2452 | powershell get-process avgui | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 3340 | findstr /V /R "^smithadministrationgroupsviolencechroniclef7f81a39-5f63-5b42-9efd-1f13b5431005quot; Slide | C:\Windows\System32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (QGREP) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2992 | 27066\\Possess.exe.pif 27066\\t | C:\Users\admin\AppData\Local\Temp\gdrwvx05.h4n\27066\Possess.exe.pif | cmd.exe | ||||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Version: 3, 3, 16, 1 Modules
| |||||||||||||||
| 2936 | ping localhost -n 8 | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
8 662
Read events
8 622
Write events
34
Delete events
6
Modification events
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2644) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
10
Suspicious files
46
Text files
22
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2644 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2644.26747\Ableton live 11\config\resources.pak | — | |
MD5:— | SHA256:— | |||
| 2644 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2644.26747\Ableton live 11\installer.exe | — | |
MD5:— | SHA256:— | |||
| 3896 | installer.exe | C:\Users\admin\AppData\Local\Temp\SETUP_18999\Cameron.qsp | ini | |
MD5:B819B6263CCBAE3B61DE7AB091B5543E | SHA256:5BC3ED72A93168302CC1CCDD561246DDC5683777DCBD7148B807316AAAFD056F | |||
| 3896 | installer.exe | C:\Users\admin\AppData\Local\Temp\SETUP_18999\Setup.txt | text | |
MD5:7E2753C58378C7E65C8AF4F273EF6F12 | SHA256:D404E865791284ADD1B396E378F59D4952F0E2D85A2371F57D7BD3DE64230BF4 | |||
| 3896 | installer.exe | C:\Users\admin\AppData\Local\Temp\SETUP_18999\00000#Arizona | binary | |
MD5:E56A39DD39B62B2FB505A912E4FCD238 | SHA256:587D809EFA565F3258956947ECF81A615EE001C95E0AB037C543E048F3B52213 | |||
| 3896 | installer.exe | C:\Users\admin\AppData\Local\Temp\SETUP_18999\00002#Lots | text | |
MD5:3E5ACF7F0C2513B08AAB147CC97707C8 | SHA256:895327D005805B26BE18E88F37CE42D3F0E207B64FBD294B4D1A4D269FEC928C | |||
| 3896 | installer.exe | C:\Users\admin\AppData\Local\Temp\SETUP_18999\00003#Mia | binary | |
MD5:F972EDF0122352A88D362CC3CF7D6270 | SHA256:BD54FF52D73149DE9A0959D492927AE4DA6463CD96EF3D36183C25D488797969 | |||
| 2644 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2644.26747\Ableton live 11\README.txt | text | |
MD5:7B12BCBF007A3A2CB6F0A2EFB3AB2DB2 | SHA256:E6FBB94332095995B6C7DB57AD0DAF81305BD3B9E9ABC7F64121BE85A6D9CB75 | |||
| 3896 | installer.exe | C:\Users\admin\AppData\Local\Temp\SETUP_18999\00001#Helping | binary | |
MD5:B8BFD29EC06CC0C304F12B09FD9C4288 | SHA256:D42AAB41630848881F83C05CDE64921AAF5871CDA4AB14A930F9A35F5D605831 | |||
| 3896 | installer.exe | C:\Users\admin\AppData\Local\Temp\SETUP_18999\00005#Peru | binary | |
MD5:CF391868590027CE11764EE6194D5C4A | SHA256:547AE6C70D76640A4822550EF0F34113C63188611E926DEF5AFC3F958DAA064A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2840 | jsc.exe | 83.217.11.28:30827 | — | Okay-Telecom Ltd. | RU | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
FBpYoIGZrSsNrRJ.FBpYoIGZrSsNrRJ |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2840 | jsc.exe | A Network Trojan was detected | ET MALWARE RedLine Stealer TCP CnC net.tcp Init |
2840 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
2840 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC - Id1Response |
2840 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
2840 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
2840 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
2840 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
2840 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
2840 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
2840 | jsc.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |