File name: YeetRet Obfuscator (Leak).rar

Full analysis: https://app.any.run/tasks/73bdd473-e453-4df8-92c0-b2e2782ca4bb
Verdict: Malicious activity
Analysis date: August 12, 2022, 20:40:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: A82BD1EEF7F8C9727FC12ED39ACECD88
SHA1: FCEB9BC782CF1C1DC3E7D2839EA8D617F0E00F8D
SHA256: 98D79AF4C136785F2B0ED229F06EFC82837DE885643FF1E363B4217D81C520E9
SSDEEP: 98304:4mpb9sXng1jkXVhvgL5mmCo11BYA4vgnkIk2X:4mpCXg1jknv+uCeLvgnkIdX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 3328)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3824)
  • SUSPICIOUS
    • Checks supported languages
      • WinRAR.exe (PID: 3328)
    • Reads the computer name
      • WinRAR.exe (PID: 3328)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3328)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3328)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 38
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0


Process information

PID: 3328
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\YeetRet Obfuscator (Leak).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3824
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Total events: 1 774
Read events: 1 751
Write events: 23
Delete events: 0

Modification events

(PID) Process | Operation | Key | Name | Value
(3328) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
(3328) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
(3328) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | en-US
(3328) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(3328) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(3328) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\YeetRet Obfuscator (Leak).rar
(3328) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(3328) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(3328) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
(3328) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
Executable files: 21
Suspicious files: 8
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.CLI.pdb | binary
MD5:FD628EDD3A2C7AEFEABBC0CB301C94D0
SHA256:0292657B6867A5EDB5862DDD1CFD9E76C2DAAAA784DDB3FDCDE54E4553E9E766
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.Renamer.dll | executable
MD5:68C8B02D1EB82B243F5F9102C1617942
SHA256:F2D78073595523D57A06BD03B0CB8B48D3F691D77C9857AC776077AD4677B094
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.Protections.dll | executable
MD5:A796EBFC24D2F3B6E0284F3F2079057B
SHA256:0E51BCF333B5AF7C804639783511C65BDBB8E9D362EE9A041301D46E3B155DBA
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.Renamer.pdb | binary
MD5:59DB0C8B1A71653A3A06AC9395477706
SHA256:35FCFE4CB3043FC5443F14C6911626717E8F4F94F8928A5402697010C94678E5
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\config.elite | text
MD5:9138CBC03D8C3ED2AA1DE05ACC50B842
SHA256:3ADB3069764D247C6A026DB74419DDF76AB3D34E94CBF40DAEF3B9BD3E01A18C
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.Core.dll | executable
MD5:DEA85985166C10D78B32869A16953D06
SHA256:7AB5304786B44E30CB5D64EFD1317C72389C3E4B1838EE72AC212EBC18B29DE8
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.DynCipher.pdb | binary
MD5:02D40430D6E10764A4390D81C58797AD
SHA256:9734E4671CA4FB9B9FE0F918A69D815C24B2C021483B18D8259F39BBD69098C0
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.DynCipher.dll | executable
MD5:A26ABABDA9741F74DE7EA9FFEB53D66D
SHA256:D6655D3CECA5FF82D33390E82B8D40BCD96E1BBC49CF9741661EB08A3A3E9B5E
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\memory.dll | executable
MD5:8C7A3DB56C91E79D73D229836EF3D2D8
SHA256:89F07A0440959C3B9D99C30539AA16F5FADEF4D60E75C81F7C18A7104F2D91CB
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.Runtime.pdb | binary
MD5:ED737FF05DBB3AC878CA2D9E137F4208
SHA256:B08E687FF35E3669E5C4CD7AB7C95F18FD959D08DC98B8EBF17A69826115B054
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info