File name:

IP_Hacker.zip

Full analysis: https://app.any.run/tasks/08298cf1-384e-4f1e-80bb-fe88c82892ea
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: November 24, 2023, 15:26:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

C7D4F11667513F19729781B526C7BE60

SHA1:

025F84F4CC647EC65E8EB29966D23C5C0705555E

SHA256:

9DB32840EA10654BCD90A4431818CAB5E727A22A6A54DD7E9893A029C870D1F5

SSDEEP:

12288:F1K+HPEro7aDOimgk2s6rRKv3UjtNYWLkIVm/:F1wro7wOijk2s6tKv3UzYWLkSm/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • IP_Hacker.exe (PID: 2652)

    • Actions looks like stealing of personal data

      • IP_Hacker.exe (PID: 2652)

    • Steals credentials

      • IP_Hacker.exe (PID: 2652)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • IP_Hacker.exe (PID: 2652)

    • Reads the Internet Settings

      • IP_Hacker.exe (PID: 2652)

  • INFO

    • Checks supported languages

      • IP_Hacker.exe (PID: 2652)
      • wmpnscfg.exe (PID: 2416)

    • Reads Environment values

      • IP_Hacker.exe (PID: 2652)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 564)

    • Reads the machine GUID from the registry

      • IP_Hacker.exe (PID: 2652)
      • wmpnscfg.exe (PID: 2416)

    • Manual execution by a user

      • IP_Hacker.exe (PID: 2652)
      • wmpnscfg.exe (PID: 2416)

    • Reads the computer name

      • wmpnscfg.exe (PID: 2416)
      • IP_Hacker.exe (PID: 2652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: IP_Hacker/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2023:11:24 14:49:12
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs ip_hacker.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
564"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\IP_Hacker.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2652"C:\Users\admin\Desktop\IP_Hacker\IP_Hacker.exe" C:\Users\admin\Desktop\IP_Hacker\IP_Hacker.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
IP_Hacker
Exit code:
0
Version:
2.1.1.0
Modules
Images
c:\users\admin\desktop\ip_hacker\ip_hacker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2416"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events
4 266
Read events
4 227
Write events
36
Delete events
3

Modification events

(PID) Process:(564) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(564) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(564) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(564) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(564) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(564) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(564) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(564) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(564) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(564) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
Executable files
2
Suspicious files
3
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2652IP_Hacker.exe\Device\Mup:\176.110.156.230\Attack\84.17.48.142_289266398_24-11-2023_15-26\Local State C
MD5:
SHA256:
2652IP_Hacker.exe\Device\Mup:\176.110.156.230\Attack\84.17.48.142_289266398_24-11-2023_15-26\Local State E
MD5:
SHA256:
564WinRAR.exeC:\Users\admin\Desktop\IP_Hacker\IP_Hacker.exeexecutable
MD5:07C0A6363CE0162A8BC550E027F0E888
SHA256:7DC16705CD30B208D11AB01341973EE697879BAB1472C9C37BF73559E63DEC50
564WinRAR.exeC:\Users\admin\Desktop\IP_Hacker\Newtonsoft.Json.dllexecutable
MD5:195FFB7167DB3219B217C4FD439EEDD6
SHA256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
564WinRAR.exeC:\Users\admin\Desktop\IP_Hacker\IP_Hacker.pdbbinary
MD5:4D25E94F3FB7156554961C78B6AB83A5
SHA256:08A66ED73909AAD587F34AA96AA0ABD3FDC6379D0B765C5DDEE6165963BEB728
564WinRAR.exeC:\Users\admin\Desktop\IP_Hacker\Newtonsoft.Json.xmlxml
MD5:D398FFE9FDAC6A53A8D8BB26F29BBB3C
SHA256:79EE87D4EDE8783461DE05B93379D576F6E8575D4AB49359F15897A854B643C4
2652IP_Hacker.exe\Device\Mup:\176.110.156.230\Attack\84.17.48.142_289266398_24-11-2023_15-26\Login Data Cbinary
MD5:52E51471E9281235323F633CD0DEA56C
SHA256:147F3137B387FE4FBE3215B7864568404580A799D031009FE9C718F4C2EF87D0
564WinRAR.exeC:\Users\admin\Desktop\IP_Hacker\Nowy dokument tekstowy.txttext
MD5:A565CA44540A72C8A0C73839570C5155
SHA256:A11625AE78FC37A5BE35462451AB916EA4F0E656D8E316FA2B5D3C2548962EE8
564WinRAR.exeC:\Users\admin\Desktop\IP_Hacker\IP_Hacker.exe.configxml
MD5:9DBAD5517B46F41DBB0D8780B20AB87E
SHA256:47E5A0F101AF4151D7F13D2D6BFA9B847D5B5E4A98D1F4674B7C015772746CDF
2652IP_Hacker.exe\Device\Mup:\176.110.156.230\Attack\84.17.48.142_289266398_24-11-2023_15-26\Login Data Ebinary
MD5:0F653EDF207BB943166A7EED331F14AD
SHA256:E4D518E335DF25562B0570F4F3FC6F39BF63F7D84805AECD485C5798671EA3D8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
1
Threats
4

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
4
System
192.168.100.255:137
unknown
2588
svchost.exe
239.255.255.250:1900
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
2652
IP_Hacker.exe
188.114.97.3:443
kontownia.online
CLOUDFLARENET
NL
unknown
4
System
176.110.156.230:445
OXYNET sp. z o.o.
PL
unknown

DNS requests

Domain
IP
Reputation
kontownia.online
  • 188.114.97.3
  • 188.114.96.3
unknown

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
POLICY [ANY.RUN] Attempt to connect to an external SMB server
Potential Corporate Privacy Violation
POLICY [ANY.RUN] NTLM Over SMB (NTLMSSP_NEGOTIATE)
Successful Credential Theft Detected
SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt
Successful Credential Theft Detected
SUSPICIOUS [ANY.RUN] Clear Text Password Exfiltration Atempt
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
IP_Hacker.zip