Express.rar

Full analysis: https://app.any.run/tasks/c6e8bcf2-b6de-4b8e-90e7-7534d7204949
Verdict: Malicious activity
Analysis date: January 18, 2019, 00:50:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 515EE0E75125301AE7B5B41604A82B53
SHA1: 78862E128CD1C971F01DBD4F99F12838EB85BC3D
SHA256: 959620DBF2D6D2E0EA9ED069046B3C50591A9E948C7FF198042719BA43DDA6B6
SSDEEP: 24576:ZDOrmvDlXdPb+bgboz5Cc1xDKfpVDug4oOft3vHVN2H64v3DrXj5iTZ1BFGtfBg:ZiEzKbgbg5Cc1OVDDcFdN2a03Dv50rB3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Express.exe (PID: 556)
      • Express.exe (PID: 3176)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2880)
    • Reads Internet Explorer settings
      • Express.exe (PID: 3176)
    • Changes IE settings (feature browser emulation)
      • Express.exe (PID: 3176)
    • Reads Internet Cache Settings
      • Express.exe (PID: 3176)
  • INFO
    • No info indicators.

No malware configuration extracted.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

Process summary

Total processes: 35
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process chain): start > winrar.exe > express.exe (no specs) > express.exe

Process information

PID: 2880
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Express.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 556
CMD: "C:\Users\admin\Desktop\Express\Express.exe"
Path: C:\Users\admin\Desktop\Express\Express.exe
Parent process: explorer.exe
User: admin
Company: SparePowered (Spare Squad)
Integrity Level: MEDIUM
Description: Illuminate
Exit code: 3221226540 (hex 0xC000042C, NTSTATUS STATUS_ELEVATION_REQUIRED; consistent with the second instance below running at HIGH integrity)
Version: 1.5.0.0

PID: 3176
CMD: "C:\Users\admin\Desktop\Express\Express.exe"
Path: C:\Users\admin\Desktop\Express\Express.exe
Parent process: explorer.exe
User: admin
Company: SparePowered (Spare Squad)
Integrity Level: HIGH
Description: Illuminate
Exit code: 0
Version: 1.5.0.0
Registry activity

Total events: 1 102
Read events: 1 042
Write events: 0
Delete events: 0
Modification events: No data

Files activity

Executable files: 2
Suspicious files: 0
Text files: 75
Unknown types: 1

Dropped files (PID | Process | Filename | Type)

2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.15041\Express\Monaco\Monaco.html | html
  MD5: D5D5328DD827B2EF761EB2336AB1C29D
  SHA256: 333F7050C4E03BBDFA056458A9C948ED1459F01A3A625129A5B674E7DB843152
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.15041\Express\Express.exe | executable
  MD5: AA400A31F685C60C31564824BE655218
  SHA256: D2B1E9F9B08856AC5FBE62E81E7614E9F017B8F31985B06B2495D12A010BC75F
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.15041\Express\Express.dll | executable
  MD5: D0CE58AA491A00ED76A4C152641F4B68
  SHA256: C699CDAB886F700B2A9AFFC358B6C12D0415C0F297D6D4003B9EBF9924D85E1C
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.15041\Express\Monaco\vs\basic-languages\lua\lua.js | text
  MD5: 346BF8B4B3A9C90539B4716B568D899E
  SHA256: 6362AB81C136C445F580F38DD6D542FC0D57C8B5F3750B7B963D7E89E5D27AD9
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.15041\Express\Monaco\vs\base\worker\workerMain.js | text
  MD5: 27EAD90C7702154755785E0E53398755
  SHA256: BDF9433692A08851E13DD58504EEF19F51BD2EC7241923A68EDF5772E0E53AF5
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.15041\Express\Monaco\vs\basic-languages\go\go.js | text
  MD5: 5B4484C914CD97AFF4510B803F2517EF
  SHA256: 46D1757C3CD3DBC3C7B465A338880144922A1C34C30E36F06FF2DB8C2FF75B86
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.15041\Express\Monaco\vs\basic-languages\cpp\cpp.js | text
  MD5: 0A16509E6CD0155FB622E785CFE976C7
  SHA256: A7C2BEA7CA3D9E203A3A286735945FE010C8F4F8D46620386EE8BEFC6A78B32B
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.15041\Express\Monaco\vs\basic-languages\java\java.js | text
  MD5: 826546E08F178D68E8AA2AB29194C03A
  SHA256: 44BE702CAE05D5844DC1C452F9BD94020007B9E543A765DB4E6649278607D218
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.15041\Express\Monaco\vs\basic-languages\css\css.js | text
  MD5: 49AD30F1151CFD7A74677FDC6DD13DA9
  SHA256: BD331FD3BD2C37B0C3150035325F163AC9266BF6D942310764815E676D856D91
2880 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2880.15041\Express\Monaco\vs\basic-languages\bat\bat.js | text
  MD5: 4CB475399C4490EEA41982DCD6D9653E
  SHA256: 9BCA42394FE8922FEC24B768EEB8CE04692DE6FAD82F9052D5B7E70F5C6B0F40

Network activity
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests
Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info