File name:

warzone hack.rar

Full analysis: https://app.any.run/tasks/02c7a98b-465d-4b9a-9f1b-1e6d754a409c
Verdict: Malicious activity
Threats:

RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware.

Analysis date: October 18, 2023, 13:22:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
redline
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

33A32E82F674B5AD687F48496C8EEF30

SHA1:

610E773B64600790391161403AF79326B313B1CA

SHA256:

95F8DD2B16AD7A747AA99EDF39DF5C929D5EB13FBD996AF5E32B3A8E03FA547E

SSDEEP:

98304:5+QHjtJw3tMD9n5x53KuPe+oIipH1BQBE18teaBhMYo6rZmV+YN1jVSSYW9YmHOz:AVph0gxupJxh8F+kHg9V/GPwT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • warzone hack.exe (PID: 120)
    • Steals credentials from Web Browsers

      • warzone hack.exe (PID: 120)
    • REDLINE was detected

      • warzone hack.exe (PID: 120)
    • Connects to the CnC server

      • warzone hack.exe (PID: 120)
    • Actions looks like stealing of personal data

      • warzone hack.exe (PID: 120)
  • SUSPICIOUS

    • Reads browser cookies

      • warzone hack.exe (PID: 120)
    • Connects to unusual port

      • warzone hack.exe (PID: 120)
    • Searches for installed software

      • warzone hack.exe (PID: 120)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2752)
    • Manual execution by a user

      • warzone hack.exe (PID: 120)
    • Checks supported languages

      • warzone hack.exe (PID: 120)
    • Reads the computer name

      • warzone hack.exe (PID: 120)
    • Reads the machine GUID from the registry

      • warzone hack.exe (PID: 120)
    • Reads Environment values

      • warzone hack.exe (PID: 120)
    • Reads product name

      • warzone hack.exe (PID: 120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

start; winrar.exe (no specs); #REDLINE warzone hack.exe; searchprotocolhost.exe (no specs)

Process information

PID: 120
CMD: "C:\Users\admin\Desktop\warzone hack.exe"
Path: C:\Users\admin\Desktop\warzone hack.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\warzone hack.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
PID: 2056
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2752
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\warzone hack.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
3 106
Read events
3 082
Write events
24
Delete events
0

Modification events

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

(PID) Process: (2752) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files
2
Suspicious files
15
Text files
435
Unknown types
0

Dropped files

PID | Process | Filename | Type
2752 | WinRAR.exe | C:\Users\admin\Desktop\resource\license.key | text
  MD5: 47C843DAF66FAB1990544A441D430E98
  SHA256: B96A19F8B0A68F67282A2FBF06F1B35EB745B1A4CDCC0D70A1FCA9BED0EE7947
2752 | WinRAR.exe | C:\Users\admin\Desktop\resource\lua\bindings\command.cpp | text
  MD5: 42198E1DAC04A824203BAF1CD6F9ACD6
  SHA256: 66842410E10B9B2A00C245E98FEBF9D34D8987C74B015E3ABACB3906A8E01024
2752 | WinRAR.exe | C:\Users\admin\Desktop\resource\lua\bindings\entities.cpp | text
  MD5: C9ECB47F9A7773B24A62052B38A47B7C
  SHA256: 9307F9052AB145C12568C162B9065DF14AA3302A48A77AB82A732756C9622BD4
2752 | WinRAR.exe | C:\Users\admin\Desktop\resource\lua\bindings\command.hpp | text
  MD5: A61E6D15FA5E0D6F559F46B880B6C90A
  SHA256: D8254A35D34A8DD24AAF4AE5FF1728D792B6619E94A9E5232ADA0E2016837091
2752 | WinRAR.exe | C:\Users\admin\Desktop\resource\lua\bindings\global_table.hpp | text
  MD5: 8A7FC06D1FACEA6ED7B84F5D35F56CA8
  SHA256: 42CF6F57E525521547D50ED573D72B404355A8FE0586557A47CA5076166F526A
2752 | WinRAR.exe | C:\Users\admin\Desktop\resource\lua\bindings\gui\base_text_element.cpp | text
  MD5: 6C02598EB8BF67044F32C9FD0F574A4B
  SHA256: C7A2BCDC16724E5B90DFB6B247F1BB6C455F7399705509CED3516F2DD2EEDD9F
2752 | WinRAR.exe | C:\Users\admin\Desktop\resource\lua\bindings\gui\checkbox.cpp | text
  MD5: 0DEB2EDD1A39FFFDF28677A235D69201
  SHA256: 5F9E27071229E218C5AD1ED9A947C189D147FFEB5F983B6A6FE6F7D6C20E711D
2752 | WinRAR.exe | C:\Users\admin\Desktop\resource\lua\bindings\gui\button.cpp | text
  MD5: 14268E9BD9D8206FF170A9FA1CE087B7
  SHA256: 56AAE2E652BABF38F419265F838674929FDAA77DD8328F19177EFD0A77300825
2752 | WinRAR.exe | C:\Users\admin\Desktop\resource\lua\bindings\gui\button.hpp | text
  MD5: 300108DF716D37BC5C34C320DE116870
  SHA256: 599A665058C85146DD2A965163F12AF6A5CE2FFDEC233752305E6C213BF99F78
2752 | WinRAR.exe | C:\Users\admin\Desktop\resource\lua\bindings\gui\checkbox.hpp | text
  MD5: 2CAEA469DC15805EEC05B3210C22D5C2
  SHA256: D1BEA574120ED10A4A7FB25F2D9478C09CBE0CA854FEB0201FC87D86AEA11083
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
8

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
120 | warzone hack.exe | 91.103.252.3:23000 | - | Hostglobal.plus Ltd | GB | malicious

DNS requests

No data

Threats

PID | Process | Class | Message
120 | warzone hack.exe | Potentially Bad Traffic | ET INFO Microsoft net.tcp Connection Initialization Activity
120 | warzone hack.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
120 | warzone hack.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
120 | warzone hack.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
120 | warzone hack.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
120 | warzone hack.exe | A Network Trojan was detected | ET MALWARE Redline Stealer Activity (Response)
120 | warzone hack.exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt
120 | warzone hack.exe | Successful Credential Theft Detected | SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt
No debug info