File name:

BLTools-v2.2-Cracked-by-Injuan.zip

Full analysis: https://app.any.run/tasks/8a2f3df9-c15c-405f-b100-decbcf4b74ae
Verdict: Malicious activity
Analysis date: April 07, 2024, 10:40:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

8D6202389667A76423185269621CA656

SHA1:

74148B88B1718D8A0DE80962013B4ACD4B95A413

SHA256:

96E8B2689A28A6D055856F259070AA634CF94CD54FEA14A2A287742130907BCA

SSDEEP:

98304:b9zXIolBvAs0ibfeeyhCUOOLceIXOYLP8v+LeJl5q46kvslDy5gNzeIAoRhh3FPP:Re3xcYDiFN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1696)
      • BLTools-v2.2.exe (PID: 3964)
    • Create files in the Startup directory

      • BLTools-v2.2.exe (PID: 3964)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 1696)
    • Reads settings of System Certificates

      • winst.exe (PID: 2292)
    • The process creates files with name similar to system file names

      • BLTools-v2.2.exe (PID: 3964)
  • INFO

    • Checks supported languages

      • BLTools-v2.2.exe (PID: 3964)
      • vshost.exe (PID: 4044)
      • winst.exe (PID: 2292)
    • Reads the computer name

      • BLTools-v2.2.exe (PID: 3964)
      • winst.exe (PID: 2292)
    • Reads the software policy settings

      • winst.exe (PID: 2292)
    • Reads the machine GUID from the registry

      • winst.exe (PID: 2292)
    • Creates files or folders in the user directory

      • BLTools-v2.2.exe (PID: 3964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:08:18 11:39:52
ZipCRC: 0xb1b27091
ZipCompressedSize: 367676
ZipUncompressedSize: 367616
ZipFileName: AlphaFS.dll
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start
  winrar.exe (no specs)
    bltools-v2.2.exe
      vshost.exe (no specs)
      winst.exe

Process information

PID:
1696
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BLTools-v2.2-Cracked-by-Injuan.zip"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID:
2292
CMD:
C:\Users\admin\AppData\Local\\winst\\winst.exe 1C3ud2YbU9jKYWXq4yx9CgER4E09VBAIQQSIfNMTPrNpo9BA49N6TL9OcA8jNEYH
Path:
C:\Users\admin\AppData\Local\winst\winst.exe
Parent process:
BLTools-v2.2.exe
User:
admin
Integrity Level:
MEDIUM
Description:
winst
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\winst\winst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\webio.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
3964
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\BLTools-v2.2.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\BLTools-v2.2.exe
Parent process:
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
2.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa1696.41578\bltools-v2.2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
4044
CMD:
C:\Users\admin\AppData\Local\\vshost\\vshost.exe ,.
Path:
C:\Users\admin\AppData\Local\vshost\vshost.exe
Parent process:
BLTools-v2.2.exe
User:
admin
Integrity Level:
MEDIUM
Description:
vshost
Version:
17.0.33926.201 (WinBuild.170101.0800)
Modules
Images
c:\users\admin\appdata\local\vshost\vshost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
Total events: 8 031
Read events: 7 998
Write events: 33
Delete events: 0

Modification events

(PID) Process: (1696) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (1696) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (1696) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US

(PID) Process: (1696) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\phacker.zip

(PID) Process: (1696) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (1696) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (1696) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\BLTools-v2.2-Cracked-by-Injuan.zip

(PID) Process: (1696) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (1696) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (1696) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120
Executable files: 12
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID: 1696
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\AlphaFS.dll
Type: executable
MD5:
SHA256:

PID: 1696
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\BLTools-v2.2.exe
Type: executable
MD5:
SHA256:

PID: 1696
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\BouncyCastle.Crypto.dll
Type: executable
MD5:
SHA256:

PID: 1696
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\core32.cfg
Type: executable
MD5:
SHA256:

PID: 1696
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\Extreme.Net.dll
Type: executable
MD5:
SHA256:

PID: 1696
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\mip_core.dll
Type: executable
MD5:
SHA256:

PID: 1696
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\Newtonsoft.Json.dll
Type: executable
MD5:
SHA256:

PID: 1696
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\Ookii.Dialogs.Wpf.dll
Type: executable
MD5:
SHA256:

PID: 1696
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\RandomUserAgent.dll
Type: executable
MD5:
SHA256:

PID: 1696
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa1696.41578\Settings.ini
Type: text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 4
DNS requests: 2
Threats: 6

HTTP requests

PID: 2292
Process: winst.exe
Method: GET
HTTP Code: 302
IP: 162.216.242.206:80
URL: http://stlaip74566.ddnsgeek.com/
CN: US
Type: html
Size: 163 b
Reputation: unknown

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 2292
Process: winst.exe
IP: 162.216.242.206:80
Domain: stlaip74566.ddnsgeek.com
ASN: DYNU
CN: US
Reputation: unknown

PID: 2292
Process: winst.exe
IP: 185.247.224.98:443
Domain: stlaep34621.ddnsgeek.com
ASN: Flokinet Ltd
CN: SC
Reputation: unknown

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
stlaip74566.ddnsgeek.com
  • 162.216.242.206
unknown
stlaep34621.ddnsgeek.com
  • 185.247.224.98
unknown

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ddnsgeek .com Domain
2292
winst.exe
Possibly Unwanted Program Detected
ET ADWARE_PUP User-Agent (Mozilla) - Possible Spyware Related
1080
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.ddnsgeek .com Domain
2292
winst.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS HTTP Request to a *.ddnsgeek .com Domain
2 ETPRO signatures available at the full report
No debug info