Property | Value
---|---
File name | YeetRet Obfuscator (Leak).rar
Full analysis | https://app.any.run/tasks/73bdd473-e453-4df8-92c0-b2e2782ca4bb
Verdict | Malicious activity
Analysis date | August 12, 2022, 20:40:20
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | A82BD1EEF7F8C9727FC12ED39ACECD88
SHA1 | FCEB9BC782CF1C1DC3E7D2839EA8D617F0E00F8D
SHA256 | 98D79AF4C136785F2B0ED229F06EFC82837DE885643FF1E363B4217D81C520E9
SSDEEP | 98304:4mpb9sXng1jkXVhvgL5mmCo11BYA4vgnkIk2X:4mpCXg1jknv+uCeLvgnkIdX
Extension | File type
---|---
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3328 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\YeetRet Obfuscator (Leak).rar" | C:\Program Files\WinRAR\WinRAR.exe | | Explorer.EXE
3824 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
3328 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.91.0
3824 | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft Windows Search Protocol Host | | 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3328 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
3328 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
3328 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | en-US
3328 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
3328 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3328 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\YeetRet Obfuscator (Leak).rar
3328 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3328 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3328 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3328 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.CLI.pdb | binary | FD628EDD3A2C7AEFEABBC0CB301C94D0 | 0292657B6867A5EDB5862DDD1CFD9E76C2DAAAA784DDB3FDCDE54E4553E9E766
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.Renamer.dll | executable | 68C8B02D1EB82B243F5F9102C1617942 | F2D78073595523D57A06BD03B0CB8B48D3F691D77C9857AC776077AD4677B094
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.Protections.dll | executable | A796EBFC24D2F3B6E0284F3F2079057B | 0E51BCF333B5AF7C804639783511C65BDBB8E9D362EE9A041301D46E3B155DBA
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.Renamer.pdb | binary | 59DB0C8B1A71653A3A06AC9395477706 | 35FCFE4CB3043FC5443F14C6911626717E8F4F94F8928A5402697010C94678E5
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\config.elite | text | 9138CBC03D8C3ED2AA1DE05ACC50B842 | 3ADB3069764D247C6A026DB74419DDF76AB3D34E94CBF40DAEF3B9BD3E01A18C
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.Core.dll | executable | DEA85985166C10D78B32869A16953D06 | 7AB5304786B44E30CB5D64EFD1317C72389C3E4B1838EE72AC212EBC18B29DE8
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.DynCipher.pdb | binary | 02D40430D6E10764A4390D81C58797AD | 9734E4671CA4FB9B9FE0F918A69D815C24B2C021483B18D8259F39BBD69098C0
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.DynCipher.dll | executable | A26ABABDA9741F74DE7EA9FFEB53D66D | D6655D3CECA5FF82D33390E82B8D40BCD96E1BBC49CF9741661EB08A3A3E9B5E
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\memory.dll | executable | 8C7A3DB56C91E79D73D229836EF3D2D8 | 89F07A0440959C3B9D99C30539AA16F5FADEF4D60E75C81F7C18A7104F2D91CB
3328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3328.48578\YeetRet Obfuscator (Leak)\Confuser.Runtime.pdb | binary | ED737FF05DBB3AC878CA2D9E137F4208 | B08E687FF35E3669E5C4CD7AB7C95F18FD959D08DC98B8EBF17A69826115B054