File name:	BOFAMET_v2.rar
Full analysis:	https://app.any.run/tasks/8eb4f8da-7628-4da3-8448-c11de4546a3e
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 16, 2025, 20:13:59
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec pastebin python trox stealer
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	B22B4D0AE47D3C1B7056D117BA2F7223
SHA1:	CD1D7C8DD9A5656CFA66DA68DFB14848925BA463
SHA256:	96BED336ECEE555B1754AEDBA18728CAED70B08ADCABCEC27476BFB4236246E8
SSDEEP:	196608:z12TU+ZVm55oxFbTjlhcMEKcAAnYRjzu1Z7fFe8/pd/4zyJWYDV5EYhgaVCtlX:E3s5oxFSpAtj6nLF4dYB5LIz

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

FileVersion:	RAR v5
CompressedSize:	24668108
UncompressedSize:	25176617
OperatingSystem:	Win32
ArchivedFileName:	dist/BOFAMET.exe


(PID) Process:	(7740) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7740) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7740) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7740) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\BOFAMET_v2.rar
(PID) Process:	(7740) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7740) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7740) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7740) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7996) openpy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7996) openpy.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:

PID	Process	Filename		Type
7920	openpy.exe	C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\_bz2.pyd		executable
		MD5:8BD61EA798D1E3EF58548480ED8EE956	SHA256:D3214E53519B65A07211F44C2BF8C6464B6CD11308561FA48967C8D2E97C1CAC
7920	openpy.exe	C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\_decimal.pyd		executable
		MD5:5D54C76A09515D513AAB1DD43C401418	SHA256:E8861C23B443F846CF25F06B6F49BA20CFDD0C383C890F9F60C7A0AC376AC22E
7920	openpy.exe	C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\openobf.dll		executable
		MD5:D11B6320FB3C80CD872CFF091073C8F3	SHA256:E27B0185A811E8BD6366DC5549C584A3340C07D413D96481F3EE442333AF5C18
7920	openpy.exe	C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\_elementtree.pyd		executable
		MD5:31DB8F46221E06E997C0FA3ECC07D206	SHA256:FE2BCFFA16218207B12353805A3A0FA2CDF1C3759D23D032F947A68496782091
7920	openpy.exe	C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\_ctypes.pyd		executable
		MD5:FC2DA679024ED27F02ECD1B05CF14CDA	SHA256:AB0A527BEDFD18E11B2FACC003407B6E565F114E010499F73DE35E1B01B6D340
7920	openpy.exe	C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\openpy.exe		executable
		MD5:C87448C4ADDC4106386E9E7E866F6E0D	SHA256:EDC248EF4ADB2973981A6A0C5C16DB183F32BC9421CC939445964912E8C66F09
7996	openpy.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\FiAL5mhy[1].txt		text
		MD5:4BE7248EB24C471835D4DFE1EFEE23B5	SHA256:CC65076B99EDFF8585E15580DF89CD03ADC4E36DC79E0B6A5C8C229B72BD8B91
7920	openpy.exe	C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\_socket.pyd		executable
		MD5:20631CD0C1477F9B0D3897FA61EF749D	SHA256:A4302A78958AE7F4FB2E1B4A4B2187434D39F972D7F3AA5D1E58759326B539C7
7920	openpy.exe	C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\python312.dll		executable
		MD5:B0939B2F7EC83154E09EABF606179525	SHA256:B6227A506A9963E7C8182785A54E14A193AF51F7B277A61DDA04492B499F49AD
7920	openpy.exe	C:\Users\admin\AppData\Local\Temp\onefile_7920_133919000711676221\pyinjector\injector.pyd		executable
		MD5:692C8942A691C2C6BE13DAD73D2A3D94	SHA256:7DA8B7EF6DFF67622A1452D5F7B6D589059C70105A1796E705B9EF8B762D87D4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7300	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7300	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7300	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7300	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7300	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7300	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
7300	SIHClient.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
2104	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6544	svchost.exe	40.126.31.129:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7996	openpy.exe	104.22.69.199:443	pastebin.com	CLOUDFLARENET	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2 20.73.194.208	whitelisted
google.com	142.250.185.110	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.166 23.48.23.159 23.48.23.169 23.48.23.174 23.48.23.168 23.48.23.157 23.48.23.161 23.48.23.158 2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
login.live.com	40.126.31.129 20.190.159.130 20.190.159.75 40.126.31.71 20.190.159.0 20.190.159.23 40.126.31.1 20.190.159.71	whitelisted
pastebin.com	104.22.69.199 104.22.68.199 172.67.25.94	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

BOFAMET_v2.rar

B22B4D0AE47D3C1B7056D117BA2F7223

CD1D7C8DD9A5656CFA66DA68DFB14848925BA463

96BED336ECEE555B1754AEDBA18728CAED70B08ADCABCEC27476BFB4236246E8

196608:z12TU+ZVm55oxFbTjlhcMEKcAAnYRjzu1Z7fFe8/pd/4zyJWYDV5EYhgaVCtlX:E3s5oxFSpAtj6nLF4dYB5LIz

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

TROX has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Loads Python modules

Executing commands from a ".bat" file

The process drops C-runtime libraries

Process drops python dynamic module

Starts CMD.EXE for commands execution

INFO

Checks supported languages

Reads the computer name

Manual execution by a user

Checks proxy server information

Create files in a temporary directory

The sample compiled with english language support

Reads the software policy settings

Reads the machine GUID from the registry

Creates files or folders in the user directory

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings