File name: | SQLi Dumper v.8.0.rar |
Full analysis: | https://app.any.run/tasks/c6e243e0-8dab-491d-b297-4ca8298f0bdd |
Verdict: | Malicious activity |
Analysis date: | April 15, 2019, 02:32:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v4, os: Win32 |
MD5: | A248BED1A043BE09D6A39C2429DEEDD4 |
SHA1: | 41F83A7D85D1BDC1E5A42B9F50D6D1D309D86CD1 |
SHA256: | 97A35FE7953EC05C1AE408F6F3CE19286987D9887FFCE114A8E33AEB82471ED6 |
SSDEEP: | 98304:/uYeOJic6BUfmfZaRqv1Eod8+N6jqnrmjyJH7vIdYWSJG:/uJK6BQmagEP+NmWXxs |
.rar | | | RAR compressed archive (v-4.x) (58.3) |
---|---|---|
.rar | | | RAR compressed archive (gen) (41.6) |
ArchivedFileName: | SQLi Dumper v.8.0.exe |
---|---|
PackingMethod: | Normal |
ModifyDate: | 2015:04:18 00:08:19 |
OperatingSystem: | Win32 |
UncompressedSize: | 4200448 |
CompressedSize: | 1875715 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3024 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SQLi Dumper v.8.0.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 Modules
| |||||||||||||||
1628 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe | — | WinRAR.exe | |||||||||||
User: admin Company: SQLi Dumper v.8.0 Integrity Level: MEDIUM Description: SQLi Dumper v.8.0 Exit code: 3221226540 Version: 1.0.0.0 Modules
| |||||||||||||||
3156 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe | WinRAR.exe | ||||||||||||
User: admin Company: SQLi Dumper v.8.0 Integrity Level: HIGH Description: SQLi Dumper v.8.0 Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
3804 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\SQLi ask v.8.0.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\SQLi ask v.8.0.exe | SQLi Dumper v.8.0.exe | ||||||||||||
Modules
|
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\SQLi Dumper v.8.0.rar | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | name |
Value: 120 | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | size |
Value: 80 | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | type |
Value: 120 | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
Operation: | write | Name: | mtime |
Value: 100 | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3024) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3156 | SQLi Dumper v.8.0.exe | C:\Program Files\Mozilla Firefox\Ask Toolbar Firefox.lnk | lnk | |
MD5:8F799D1F778F73D0800828C41D9D1C60 | SHA256:2ABE97BF9D478EB55DCBE32A0FA88B72F1A19D84504808A14F2CBDF0511F7B50 | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\Settings | xml | |
MD5:1B17DE3CE85D92D0DE568556A87227F8 | SHA256:88AB60C265A2966766B7D914A2E57D36023877EB24EA86DEB1EB4600D9AE4FE7 | |||
3156 | SQLi Dumper v.8.0.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\ErrLog.txt | text | |
MD5:F9103C4A4C8B9D1207558867E5E02426 | SHA256:22506505FB138E35B712A7DB37D8342BEDD87E6D568A576399294CD79144B5E4 | |||
3156 | SQLi Dumper v.8.0.exe | C:\Program Files\Google\Chrome\Application\Ask Toolbar Chrome.lnk | lnk | |
MD5:5ACEDCBC1559513BD85DF3D108302605 | SHA256:F42DF2B0199D1FAC003AD23B02D92E04ACD49EE3FDBF2A917AC835ABC6990D5C | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi Dumper v.8.0.exe | executable | |
MD5:925FBFF2922B4C3DB86D74081DA16042 | SHA256:ADA3F7924E51055E0D27EF17BC78D8AC7898A89487C29ACB25985F1B3E975E47 | |||
3156 | SQLi Dumper v.8.0.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\Settings | xml | |
MD5:1B17DE3CE85D92D0DE568556A87227F8 | SHA256:88AB60C265A2966766B7D914A2E57D36023877EB24EA86DEB1EB4600D9AE4FE7 | |||
3156 | SQLi Dumper v.8.0.exe | C:\Program Files\Google\Chrome\Application\Ask Toolbar Chrome.exe | executable | |
MD5:64E1AFA6FB8E0223CBA7E91BBE98900C | SHA256:E4536059749871614ABC0970FFC4910483AECE65563E37EA3F6E2EF91F74E8B5 | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\Settings.xml | xml | |
MD5:B7497045CF6DE20131B3CB512A310480 | SHA256:27F668F0265A280657A47D3FBFAB80BA6B13C0BDB0CBCEDD65E8B43B9F8A5B10 | |||
3024 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3024.8675\SQLi ask v.8.0\ErrLog.txt | text | |
MD5:F9103C4A4C8B9D1207558867E5E02426 | SHA256:22506505FB138E35B712A7DB37D8342BEDD87E6D568A576399294CD79144B5E4 | |||
3156 | SQLi Dumper v.8.0.exe | C:\Program Files\Mozilla Firefox\Ask Toolbar Firefox.exe | executable | |
MD5:64E1AFA6FB8E0223CBA7E91BBE98900C | SHA256:E4536059749871614ABC0970FFC4910483AECE65563E37EA3F6E2EF91F74E8B5 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3804 | SQLi ask v.8.0.exe | GET | 301 | 151.101.2.114:80 | http://www.ask.com/web?q=%3fitem_id%3d | US | — | — | whitelisted |
3804 | SQLi ask v.8.0.exe | GET | 504 | 52.17.173.115:80 | http://www.webcrawler.com/search/web?q=%3fitem_id%3d | IE | — | — | whitelisted |
3804 | SQLi ask v.8.0.exe | GET | 302 | 2.18.232.251:80 | http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor=%3fitem_id%3d | unknown | — | — | whitelisted |
3804 | SQLi ask v.8.0.exe | GET | 200 | 213.13.145.10:80 | http://pesquisa.sapo.pt/?q=%3fitem_id%3d | PT | xml | 17.8 Kb | malicious |
3804 | SQLi ask v.8.0.exe | GET | — | 151.101.2.114:80 | http://www.ask.com/web?q=%3fitem_id%3d | US | — | — | whitelisted |
3804 | SQLi ask v.8.0.exe | GET | 200 | 2.18.232.251:80 | http://search.mywebsearch.com/assets/accessdenied/default.htm | unknown | html | 550 b | whitelisted |
3804 | SQLi ask v.8.0.exe | GET | 200 | 213.180.204.62:80 | http://www.yandex.com/showcaptcha?cc=1&retpath=http%3A//www.yandex.com/yandsearch%3Ftext%3Darticle%2B%253fid%253d_bafab230d87f794ce18359f6665d2099&t=0/1555295622/fa08dbcebc25147c4138abb5512556de&s=51d07f4fe65eaf24a8ae155a388466d6 | RU | html | 14.6 Kb | whitelisted |
3804 | SQLi ask v.8.0.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/search?q=%3fitem_id%3d&first=50&count=50 | US | html | 110 Kb | whitelisted |
3804 | SQLi ask v.8.0.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/search?q=%3fitem_id%3d&count=50 | US | html | 110 Kb | whitelisted |
3804 | SQLi ask v.8.0.exe | GET | 301 | 212.82.100.137:80 | http://www.wow.com/search?q=%3fitem_id%3d | CH | text | 25 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3804 | SQLi ask v.8.0.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3804 | SQLi ask v.8.0.exe | 212.82.100.137:80 | www.wow.com | Yahoo! UK Services Limited | CH | shared |
3804 | SQLi ask v.8.0.exe | 151.101.2.114:80 | www.ask.com | Fastly | US | suspicious |
3804 | SQLi ask v.8.0.exe | 2.18.232.251:80 | search.mywebsearch.com | Akamai International B.V. | — | whitelisted |
3804 | SQLi ask v.8.0.exe | 216.58.205.228:443 | www.google.com | Google Inc. | US | whitelisted |
3804 | SQLi ask v.8.0.exe | 213.180.204.62:80 | www.yandex.com | YANDEX LLC | RU | whitelisted |
3804 | SQLi ask v.8.0.exe | 213.13.145.10:80 | pesquisa.sapo.pt | Servicos De Comunicacoes E Multimedia S.A. | PT | malicious |
3804 | SQLi ask v.8.0.exe | 52.17.173.115:80 | www.webcrawler.com | Amazon.com, Inc. | IE | unknown |
— | — | 151.101.2.114:443 | www.ask.com | Fastly | US | suspicious |
3804 | SQLi ask v.8.0.exe | 151.101.2.114:443 | www.ask.com | Fastly | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
search.mywebsearch.com |
| whitelisted |
www.google.com |
| whitelisted |
www.yandex.com |
| whitelisted |
www.wow.com |
| whitelisted |
pesquisa.sapo.pt |
| malicious |
search.aol.com |
| whitelisted |
www.webcrawler.com |
| whitelisted |
www.ask.com |
| whitelisted |
search.yahoo.com |
| whitelisted |