analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

8.rar

Full analysis: https://app.any.run/tasks/d1cdfbc0-7c56-4440-8567-68550c33eead
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: May 15, 2019, 17:30:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

C750567D8F8B8F91FD02598FA04202A9

SHA1:

7EB5CE41C2604C50B4143DFF16846EA3C36546AE

SHA256:

98FE09110984AED10A62C5B953ED0702B8D98744DCEF44A2F000801249156ECA

SSDEEP:

3072:PzOIpS8H/Qv37OAx7HWBbwPO2W8uMDEZrxIzUmHAk7NJRMHIuJ5KPG6MKhYsnztr:7OI8QQPZTWBbKuMwozO3sG6FzlxLLB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2920)
    • Application was dropped or rewritten from another process

      • TDbank.exe (PID: 920)
    • Actions looks like stealing of personal data

      • TDbank.exe (PID: 920)
    • Stealing of credential data

      • TDbank.exe (PID: 920)
  • SUSPICIOUS

    • Reads the cookies of Google Chrome

      • TDbank.exe (PID: 920)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs searchprotocolhost.exe no specs tdbank.exe

Process information

PID
CMD
Path
Indicators
Parent process
3516"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\8.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2920"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
920"C:\Users\admin\Desktop\TDbank.exe" C:\Users\admin\Desktop\TDbank.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
WindowsFormsApp1
Version:
1.0.0.0
Total events
435
Read events
427
Write events
8
Delete events
0

Modification events

(PID) Process:(3516) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3516) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3516) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3516) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\8.rar
(PID) Process:(3516) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3516) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3516) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3516) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
0
Suspicious files
0
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
3516WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3516.45627\TDbank.exe
MD5:
SHA256:
3516WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3516.45627\xNet.dll
MD5:
SHA256:
3516WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3516.45627\Json.Net.dll
MD5:
SHA256:
920TDbank.exeC:\Users\admin\AppData\Local\Temp\C4BA3647\Directory\Browsers\Passwords.txttext
MD5:6D6DE4505061590C191CD04E08D46919
SHA256:0B899045992D40CDE77768A1EA565A00E83607A6EF98C13CFF0DD2D60273E274
920TDbank.exeC:\Users\admin\AppData\Local\Temp\hqhj2kjskhc.fvsqlite
MD5:DD9640AF5F03807CF2E3921CBA16AF0D
SHA256:ECF72C454FEF08C5948A565464839A554567E499F995483D6C8B54B32EA2C5F0
920TDbank.exeC:\Users\admin\AppData\Local\Temp\k32k003gw1x.fvsqlite
MD5:7ED7E7FFE1DC4EAAEE2EDAFDD4815A47
SHA256:BD7D82BAB01903699A91783F35D7E1EBF2BA8AEDC1023F09C0E6934B1B0651C3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info