download:

VortexSwap_v2.rar

Full analysis: https://app.any.run/tasks/afc40174-6d7b-417b-a82c-ed1009ef2948
Verdict: Malicious activity
Analysis date: October 05, 2022, 04:38:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

65FBEC1379998F5C7A62266BBE2A65F5

SHA1:

B878E2D90DA836B40483574799D9A27314ADD036

SHA256:

9D2FD12CB9BA456F0803C731C375AABFF40FC44750F2F0021D7D82058DED60BD

SSDEEP:

24576:K+gQYrBuUMfhNXAltGeirqW/F0VXV97mce/eIRvwCR1Fmn6cLVK:KXQY9DIfrHtCXrmce/zYCR1c6mc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • VortexSwap v2.exe (PID: 3504)
      • VortexSwap v2.exe (PID: 2640)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start winrar.exe no specs vortexswap v2.exe vortexswap v2.exe

Process information

PID
CMD
Path
Indicators
Parent process
2640"C:\Users\admin\AppData\Local\Temp\Rar$EXa3484.42192\VortexSwap v2\VortexSwap v2.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3484.42192\VortexSwap v2\VortexSwap v2.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
VortexSwap
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3484.42192\vortexswap v2\vortexswap v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3484"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\VortexSwap_v2.rar"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
3504"C:\Users\admin\Desktop\VortexSwap v2.exe" C:\Users\admin\Desktop\VortexSwap v2.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
VortexSwap
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\vortexswap v2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
7 276
Read events
7 217
Write events
59
Delete events
0

Modification events

(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3484) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\VortexSwap_v2.rar
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3484) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
5
Suspicious files
0
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
3504VortexSwap v2.exeC:\Users\admin\Desktop\info.txttext
MD5:
SHA256:
3484WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3484.42192\VortexSwap v2\VortexSwap v2.exeexecutable
MD5:
SHA256:
3484WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3484.42192\VortexSwap v2\BL_Extractor.exeexecutable
MD5:
SHA256:
3484WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3484.40137\VortexSwap v2\VortexSwap v2.exeexecutable
MD5:
SHA256:
3484WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3484.42192\VortexSwap v2\read.txttext
MD5:
SHA256:
3484WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3484.42192\VortexSwap v2\settings.txttext
MD5:
SHA256:
2640VortexSwap v2.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3484.42192\VortexSwap v2\info.txttext
MD5:
SHA256:
3484WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3484.43171\VortexSwap v2\BL_Extractor.exeexecutable
MD5:
SHA256:
3484WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3484.42192\VortexSwap v2\sessions.txttext
MD5:
SHA256:
3484WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3484.42192\VortexSwap v2\RestSharp.dllexecutable
MD5:43C1ED4D9AABD6855DDA3AECB8C6BB19
SHA256:76DCE25D4A5AE6DE4CE4BACA0F8C59B0BF239DD856E1583439C3F49EBAC69C50
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2640
VortexSwap v2.exe
104.20.67.143:443
pastebin.com
CLOUDFLARENET
malicious
3504
VortexSwap v2.exe
104.20.67.143:443
pastebin.com
CLOUDFLARENET
malicious

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.20.67.143
  • 104.20.68.143
  • 172.67.34.170
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
VortexSwap_v2.rar