| File name: | BOFAMET_v2.rar |
| Full analysis: | https://app.any.run/tasks/8eb4f8da-7628-4da3-8448-c11de4546a3e |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | May 16, 2025, 20:13:59 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | B22B4D0AE47D3C1B7056D117BA2F7223 |
| SHA1: | CD1D7C8DD9A5656CFA66DA68DFB14848925BA463 |
| SHA256: | 96BED336ECEE555B1754AEDBA18728CAED70B08ADCABCEC27476BFB4236246E8 |
| SSDEEP: | 196608:z12TU+ZVm55oxFbTjlhcMEKcAAnYRjzu1Z7fFe8/pd/4zyJWYDV5EYhgaVCtlX:E3s5oxFSpAtj6nLF4dYB5LIz |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 7740)
TROX has been detected
- openpy.exe (PID: 7920)
SUSPICIOUS
Executable content was dropped or overwritten
- openpy.exe (PID: 7920)
Process drops legitimate windows executable
- openpy.exe (PID: 7920)
Process drops python dynamic module
- openpy.exe (PID: 7920)
The process drops C-runtime libraries
- openpy.exe (PID: 7920)
Reads security settings of Internet Explorer
- openpy.exe (PID: 7996)
- openpy.exe (PID: 7920)
- WinRAR.exe (PID: 7740)
Loads Python modules
- openpy.exe (PID: 7996)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 7740)
Starts CMD.EXE for commands execution
- WinRAR.exe (PID: 7740)
INFO
Checks supported languages
- openpy.exe (PID: 7920)
- openpy.exe (PID: 7996)
- MpCmdRun.exe (PID: 1348)
Manual execution by a user
- openpy.exe (PID: 7920)
Create files in a temporary directory
- openpy.exe (PID: 7920)
- MpCmdRun.exe (PID: 1348)
Checks proxy server information
- openpy.exe (PID: 7996)
- slui.exe (PID: 4200)
Reads the machine GUID from the registry
- openpy.exe (PID: 7996)
Reads the computer name
- openpy.exe (PID: 7996)
- openpy.exe (PID: 7920)
- MpCmdRun.exe (PID: 1348)
The sample compiled with english language support
- openpy.exe (PID: 7920)
Creates files or folders in the user directory
- openpy.exe (PID: 7996)
Reads the software policy settings
- openpy.exe (PID: 7996)
- slui.exe (PID: 4200)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 7740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
EXIF
ZIP
| FileVersion: | RAR v5 |
|---|---|
| CompressedSize: | 24668108 |
| UncompressedSize: | 25176617 |
| OperatingSystem: | Win32 |
| ArchivedFileName: | dist/BOFAMET.exe |
Total processes
131
Monitored processes
8
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1348 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR7740.37838" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4200 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4224 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR7740.37838\Rar$Scan114518.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6032 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7740 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\BOFAMET_v2.rar | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 7920 | "C:\Users\admin\Desktop\openpy.exe" | C:\Users\admin\Desktop\openpy.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7928 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | openpy.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7996 | C:\Users\admin\Desktop\openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\openpy.exe | openpy.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
8 892
Read events
8 879
Write events
13
Delete events
0
Modification events
| (PID) Process: | (7740) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (7740) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (7740) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (7740) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\BOFAMET_v2.rar | |||
| (PID) Process: | (7740) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (7740) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (7740) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (7740) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (7996) openpy.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7996) openpy.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
Executable files
26
Suspicious files
1
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7920 | openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\libcrypto-3.dll | executable | |
MD5:123AD0908C76CCBA4789C084F7A6B8D0 | SHA256:4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43 | |||
| 7920 | openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\_elementtree.pyd | executable | |
MD5:31DB8F46221E06E997C0FA3ECC07D206 | SHA256:FE2BCFFA16218207B12353805A3A0FA2CDF1C3759D23D032F947A68496782091 | |||
| 7920 | openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\openpy.exe | executable | |
MD5:C87448C4ADDC4106386E9E7E866F6E0D | SHA256:EDC248EF4ADB2973981A6A0C5C16DB183F32BC9421CC939445964912E8C66F09 | |||
| 7920 | openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\_decimal.pyd | executable | |
MD5:5D54C76A09515D513AAB1DD43C401418 | SHA256:E8861C23B443F846CF25F06B6F49BA20CFDD0C383C890F9F60C7A0AC376AC22E | |||
| 7920 | openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\_socket.pyd | executable | |
MD5:20631CD0C1477F9B0D3897FA61EF749D | SHA256:A4302A78958AE7F4FB2E1B4A4B2187434D39F972D7F3AA5D1E58759326B539C7 | |||
| 7920 | openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\_wmi.pyd | executable | |
MD5:39FCA3CD9A98B14C4E47225EE28063D3 | SHA256:9E65EE7978BFE5B5A392B6DF8279D2F97ED8B0F36F8F89DA4AD28C7866B92432 | |||
| 7920 | openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\libffi-8.dll | executable | |
MD5:0F8E4992CA92BAAF54CC0B43AACCCE21 | SHA256:EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A | |||
| 7920 | openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\openpy.dll | executable | |
MD5:24FBF73800386DED2DD7AA13D16326EA | SHA256:778A130FB3FAF2A7760B93D883976257FE6B6343BEC771412F7778CCE06D8469 | |||
| 7920 | openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\pyexpat.pyd | executable | |
MD5:B7BE486C2C69BD320F05B24A33366874 | SHA256:23D942C64D808D92F2C43F26B1BEEA0B941B3358EB8CBB725833F019963AD6D0 | |||
| 7920 | openpy.exe | C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\python3.dll | executable | |
MD5:3887ABD76341942ACEF5EAF8999FD3D1 | SHA256:BAF0054AA490AEBA30AEE3F06ED06339478511006172B86917C02F450ED7E5E4 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
49
DNS requests
21
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7300 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7300 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
7300 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
7300 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
7300 | SIHClient.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
7300 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
7300 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2104 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
2104 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6544 | svchost.exe | 40.126.31.129:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7996 | openpy.exe | 104.22.69.199:443 | pastebin.com | CLOUDFLARENET | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
pastebin.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage |