Malware analysis Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.rar.zip.zip Malicious activity

Add for printing

File name:	Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.rar.zip.zip
Full analysis:	https://app.any.run/tasks/f8a1063b-b7e5-42cf-951a-566e402cff9a
Verdict:	Malicious activity
Analysis date:	June 18, 2019, 22:04:39
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	EB864353493275C76AA887A8AA8AAB55
SHA1:	F4DE46D9486EDA5F92262ABBCF37EA82F3AAF12C
SHA256:	925DB90A254A4DA03FA99DB11F72397CCBC1C7ADC8B9F6C79A55FC649ECE84EE
SSDEEP:	196608:8zWXYeqEujwf9KVFU2M8VBdNjHlGSrDKiUtsJYhp2pQ:DpujAMVC2MSPZHL/KiJgP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 3132)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 1740)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 3156)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 2952)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 3360)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 1088)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 1696)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 3484)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 1000)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 3660)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 344)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 3624)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 2676)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 3164)
  - Twitch God 2018 v1.1 (Vip Pro Edition).exe (PID: 2560)
SUSPICIOUS
- Application launched itself
  - WinRAR.exe (PID: 3608)
  - WinRAR.exe (PID: 3440)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2956)
INFO
- Dropped object may contain Bitcoin addresses
  - WinRAR.exe (PID: 2956)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.rar.zip
ZipUncompressedSize:	9291882
ZipCompressedSize:	9291882
ZipCRC:	0x2e61c63d
ZipModifyDate:	2019:06:18 23:16:16
ZipCompression:	None
ZipBitFlag:	0x0001
ZipRequiredVersion:	788

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3608	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.rar.zip.zip"	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
3440	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3608.1162\Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.rar.zip"	C:\Program Files\WinRAR\WinRAR.exe	—	WinRAR.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
2956	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3440.2990\Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.rar"	C:\Program Files\WinRAR\WinRAR.exe		WinRAR.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
1740	"C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.3567\Twitch God 2018 v1.1 (Vip Pro Edition).exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.3567\Twitch God 2018 v1.1 (Vip Pro Edition).exe		WinRAR.exe
User: admin Company: Pooria Sharaffodin www.BabaTools.com Integrity Level: MEDIUM Description: Twitch God 2018 v1.1 (Vip Pro Edition) Exit code: 4294967295 Version: 1.1.0.0
296	"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.4279\settings.txt	C:\Windows\system32\NOTEPAD.EXE	—	WinRAR.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3360	"C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.7715\Twitch God 2018 v1.1 (Vip Pro Edition).exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.7715\Twitch God 2018 v1.1 (Vip Pro Edition).exe	—	WinRAR.exe
User: admin Company: Pooria Sharaffodin www.BabaTools.com Integrity Level: MEDIUM Description: Twitch God 2018 v1.1 (Vip Pro Edition) Exit code: 4294967295 Version: 1.1.0.0
3156	"C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.7829\Twitch God 2018 v1.1 (Vip Pro Edition).exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.7829\Twitch God 2018 v1.1 (Vip Pro Edition).exe	—	WinRAR.exe
User: admin Company: Pooria Sharaffodin www.BabaTools.com Integrity Level: MEDIUM Description: Twitch God 2018 v1.1 (Vip Pro Edition) Exit code: 4294967295 Version: 1.1.0.0
2952	"C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.7875\Twitch God 2018 v1.1 (Vip Pro Edition).exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.7875\Twitch God 2018 v1.1 (Vip Pro Edition).exe	—	WinRAR.exe
User: admin Company: Pooria Sharaffodin www.BabaTools.com Integrity Level: MEDIUM Description: Twitch God 2018 v1.1 (Vip Pro Edition) Exit code: 4294967295 Version: 1.1.0.0
3132	"C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.7912\Twitch God 2018 v1.1 (Vip Pro Edition).exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.7912\Twitch God 2018 v1.1 (Vip Pro Edition).exe	—	WinRAR.exe
User: admin Company: Pooria Sharaffodin www.BabaTools.com Integrity Level: MEDIUM Description: Twitch God 2018 v1.1 (Vip Pro Edition) Exit code: 4294967295 Version: 1.1.0.0
1088	"C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.7950\Twitch God 2018 v1.1 (Vip Pro Edition).exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.7950\Twitch God 2018 v1.1 (Vip Pro Edition).exe	—	WinRAR.exe
User: admin Company: Pooria Sharaffodin www.BabaTools.com Integrity Level: MEDIUM Description: Twitch God 2018 v1.1 (Vip Pro Edition) Exit code: 4294967295 Version: 1.1.0.0

Add for printing

Total events

5 291

Read events

5 188

Write events

Delete events

Modification events

No data

Add for printing

Executable files

182

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3440	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIb3440.2990\Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.rar		—
		MD5:—	SHA256:—
2956	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIb3440.2990\__rar_2956.7208		—
		MD5:—	SHA256:—
2956	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIb3440.2990\Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.bak2956.7211		—
		MD5:—	SHA256:—
2956	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIb3440.2990\Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.rar		—
		MD5:—	SHA256:—
2956	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.3567\settings.txt		text
		MD5:930940734DDB28327CF707AAFC15BF92	SHA256:4020C2B8D11A7F19C695FB16863542BE218F4953C32D38FC636E9C6D88BC10D4
3608	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIb3608.1162\Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.rar.zip		compressed
		MD5:CE0EF1D6B0F5D8536630988B8485A029	SHA256:D1919BB7DA770F0726F019EA935085EFEA1DDF000B4314149A4554BD8D04C956
296	NOTEPAD.EXE	C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.4279\settings.txt		text
		MD5:55FDC18F67D48B0C6CE6B8E22F7FBD3C	SHA256:7B6614EAFD25000B4CBCBDF31ECCDCE8957676003D440A76B27EF084800886E2
2956	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIa2956.4279\settings.txt		text
		MD5:930940734DDB28327CF707AAFC15BF92	SHA256:4020C2B8D11A7F19C695FB16863542BE218F4953C32D38FC636E9C6D88BC10D4
2956	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.3567\Licence-English.txt		text
		MD5:B550164F724F1FF24D10D79B8DF4945E	SHA256:F5E6016BD08EC116F6A62B4AA0739E1541B3A80CFEA56A60E12EE84194F7E708
2956	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa2956.3567\Lizenz-Deutsch.txt		text
		MD5:4A916074230757545A519A59E19106D0	SHA256:F6192E1CF939F09F340F6923E78450416C92861CA7987B5AE07E4A75915BD909

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1696	Twitch God 2018 v1.1 (Vip Pro Edition).exe	GET	200	173.254.28.147:80	http://www.babatools.com/pool.txt	US	text	4 b	malicious
2560	Twitch God 2018 v1.1 (Vip Pro Edition).exe	GET	200	173.254.28.147:80	http://www.babatools.com/pool.txt	US	text	4 b	malicious
1740	Twitch God 2018 v1.1 (Vip Pro Edition).exe	GET	200	173.254.28.147:80	http://www.babatools.com/pool.txt	US	text	4 b	malicious
2676	Twitch God 2018 v1.1 (Vip Pro Edition).exe	GET	200	173.254.28.147:80	http://www.babatools.com/pool.txt	US	text	4 b	malicious
3660	Twitch God 2018 v1.1 (Vip Pro Edition).exe	GET	200	173.254.28.147:80	http://www.babatools.com/pool.txt	US	text	4 b	malicious
1000	Twitch God 2018 v1.1 (Vip Pro Edition).exe	GET	200	173.254.28.147:80	http://www.babatools.com/pool.txt	US	text	4 b	malicious
3164	Twitch God 2018 v1.1 (Vip Pro Edition).exe	GET	200	173.254.28.147:80	http://www.babatools.com/pool.txt	US	text	4 b	malicious
3624	Twitch God 2018 v1.1 (Vip Pro Edition).exe	GET	200	173.254.28.147:80	http://www.babatools.com/pool.txt	US	text	4 b	malicious
344	Twitch God 2018 v1.1 (Vip Pro Edition).exe	GET	200	173.254.28.147:80	http://www.babatools.com/pool.txt	US	text	4 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1740	Twitch God 2018 v1.1 (Vip Pro Edition).exe	173.254.28.147:80	www.babatools.com	Unified Layer	US	malicious
2560	Twitch God 2018 v1.1 (Vip Pro Edition).exe	173.254.28.147:80	www.babatools.com	Unified Layer	US	malicious
3624	Twitch God 2018 v1.1 (Vip Pro Edition).exe	173.254.28.147:80	www.babatools.com	Unified Layer	US	malicious
1000	Twitch God 2018 v1.1 (Vip Pro Edition).exe	173.254.28.147:80	www.babatools.com	Unified Layer	US	malicious
344	Twitch God 2018 v1.1 (Vip Pro Edition).exe	173.254.28.147:80	www.babatools.com	Unified Layer	US	malicious
3164	Twitch God 2018 v1.1 (Vip Pro Edition).exe	173.254.28.147:80	www.babatools.com	Unified Layer	US	malicious
2676	Twitch God 2018 v1.1 (Vip Pro Edition).exe	173.254.28.147:80	www.babatools.com	Unified Layer	US	malicious
3660	Twitch God 2018 v1.1 (Vip Pro Edition).exe	173.254.28.147:80	www.babatools.com	Unified Layer	US	malicious
1696	Twitch God 2018 v1.1 (Vip Pro Edition).exe	173.254.28.147:80	www.babatools.com	Unified Layer	US	malicious

DNS requests

Domain	IP	Reputation
www.babatools.com	173.254.28.147	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

Twitch God 2018 v1.2 (Vip Pro Edition) - Nulled.to - isssrrrraaaa.rar.zip.zip

EB864353493275C76AA887A8AA8AAB55

F4DE46D9486EDA5F92262ABBCF37EA82F3AAF12C

925DB90A254A4DA03FA99DB11F72397CCBC1C7ADC8B9F6C79A55FC649ECE84EE

196608:8zWXYeqEujwf9KVFU2M8VBdNjHlGSrDKiUtsJYhp2pQ:DpujAMVC2MSPZHL/KiJgP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

SUSPICIOUS

Application launched itself

Executable content was dropped or overwritten

INFO

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings