File name: [@exp_0day]stillak.rar

Full analysis: https://app.any.run/tasks/83c5b4b1-9ba7-469b-8a82-765c84fbe5dc
Verdict: Malicious activity
Threats:

Predator the Thief is an information stealer: malware that steals data from infected systems. It can access the camera and spy on victims, steal passwords and login information, and retrieve payment data from cryptocurrency wallets.

Analysis date: August 18, 2019, 00:22:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, stealer, predator
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 762B0F764AE12F7C2F1CF04DEA6CF4EF
SHA1: 9EDBB4DB136B2C3FA974542AF706E6AF9F829A4E
SHA256: 9F616BE465B62BDC9608E0D6F260AFF8CDCB806657525C38399918F6714FF0C1
SSDEEP: 98304:zLUMd3z/SAKrvWB9fOlISH7GRpk1Q67a3m+KM:sMJWAKLokjHGkQp2nM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Predator The Thief Cracked [XakFor.Net].exe (PID: 3820)
      • HSJgaCzDw.exe (PID: 2292)
      • Predator The Thief Cracked [XakFor.Net].exe (PID: 2736)
    • Stealing of credential data

      • HSJgaCzDw.exe (PID: 2292)
    • Connects to CnC server

      • HSJgaCzDw.exe (PID: 2292)
    • PREDATOR was detected

      • HSJgaCzDw.exe (PID: 2292)
  • SUSPICIOUS

    • Reads the cookies of Google Chrome

      • HSJgaCzDw.exe (PID: 2292)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3640)
      • Predator The Thief Cracked [XakFor.Net].exe (PID: 2736)
    • Reads the cookies of Mozilla Firefox

      • HSJgaCzDw.exe (PID: 2292)
    • Creates files in the user directory

      • HSJgaCzDw.exe (PID: 2292)
  • INFO

    • Manual execution by user

      • Predator The Thief Cracked [XakFor.Net].exe (PID: 2736)
      • WinRAR.exe (PID: 2776)
      • WinRAR.exe (PID: 3076)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(Graphic not reproduced; recoverable node labels only, with their edge labels in parentheses.)
winrar.exe
predator the thief cracked [xakfor.net].exe (start)
predator the thief cracked [xakfor.net].exe, no specs (drop and start)
#PREDATOR hsjgaczdw.exe (drop and start)
winrar.exe, no specs
winrar.exe, no specs

Process information

PID: 3640
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\[@exp_0day]stillak.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2736
CMD: "C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\Predator The Thief Cracked [XakFor.Net].exe"
Path: C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\Predator The Thief Cracked [XakFor.Net].exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3820
CMD: "C:\Users\admin\Desktop\Predator The Thief Cracked [XakFor.Net].exe"
Path: C:\Users\admin\Desktop\Predator The Thief Cracked [XakFor.Net].exe
Parent process: Predator The Thief Cracked [XakFor.Net].exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Predator The Thief Cracked
Version: 1.0.0.0

PID: 2292
CMD: "C:\Users\admin\Desktop\HSJgaCzDw.exe"
Path: C:\Users\admin\Desktop\HSJgaCzDw.exe
Parent process: Predator The Thief Cracked [XakFor.Net].exe
User: admin
Integrity Level: MEDIUM
Exit code: 1

PID: 2776
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\admin panel v4 (rus).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3076
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\admin panel v4 (rus).rar" "C:\Users\admin\Desktop\admin panel v4 (rus)\"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Total events: 863
Read events: 813
Write events: 50
Delete events: 0

Modification events

(PID) Process: (3640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3640) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\[@exp_0day]stillak.rar

(PID) Process: (3640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3640) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\[@exp_0day]stillak

(PID) Process: (2736) Predator The Thief Cracked [XakFor.Net].exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 3
Suspicious files: 2
Text files: 61
Unknown types: 9

Dropped files

PID: 3640 | Process: WinRAR.exe | Type: image
Filename: C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\2018-08-06_145944.png
MD5: 8389E3ADF0F1C378632D0B9054B7CEF9
SHA256: 3DAD290E6DB73DEA64357463D369594493CA53EA28BB90711173A2956DEB4AC8

PID: 2292 | Process: HSJgaCzDw.exe | Type: sqlite
Filename: C:\Users\admin\AppData\Roaming\pts2Y8S2X8Q0W2Y8S2X8Q0W\General\Mozilla_1511.sqlite
MD5: 7C426E0FC19063A433349CE713DA84A0
SHA256: 9925B2D80F8A85132EF4927979B25E0B9525E8317A71FFD844980B794B04234C

PID: 2292 | Process: HSJgaCzDw.exe | Type: image
Filename: C:\Users\admin\AppData\Roaming\pts2Y8S2X8Q0W2Y8S2X8Q0W\Screenshot.bmp
MD5: EACA2F30CFBBFE4089DBDDA26A412872
SHA256: CB776DCEC62DD679B8603BD3EC4681FBAFFC2209CA645DCB678E0B5269276701

PID: 3640 | Process: WinRAR.exe | Type: image
Filename: C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\Screenshot.png
MD5: 8DA1CB905E03300DB306E96E614C38BC
SHA256: 90AB2973639BDCE9781685685E947AD31A1C7BB6B0DFE6FB4C672665F294B37B

PID: 3640 | Process: WinRAR.exe | Type: image
Filename: C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\2018-08-06_145923.png
MD5: A075BC22090A53766B2B4E361CD8A365
SHA256: FF4C83AF41CD4A943B2AEE1824959DA5D9AB230F5C32FDA9A9AE7500AD6850FF

PID: 3640 | Process: WinRAR.exe | Type: compressed
Filename: C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\admin panel v4 (rus).rar
MD5: EF9F706C8F55CBF0AFC1AE320DCED396
SHA256: E030B8AE1FE349FD4F10AA8B7135267D3953DA21F45D88F84BD10A3DD299CBDB

PID: 2736 | Process: Predator The Thief Cracked [XakFor.Net].exe | Type: executable
Filename: C:\Users\admin\Desktop\HSJgaCzDw.exe
MD5: 6FD75CF0601714940F7C4C5A4FFD29FC
SHA256: 60CD93038E337B8AC22CF297B8A22F4654EC8D2CDCDB32267CEF3D5DCA1522C1

PID: 3640 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\Predator The Thief Cracked [XakFor.Net].exe
MD5: 1C8C6177EEDD8B1ABA89159C91953B47
SHA256: 7F86C94FE4AF0557A2DB7514BFD70BE3178C7CD0895591153673AC9F2B1B2EF4

PID: 3640 | Process: WinRAR.exe | Type: image
Filename: C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\2018-08-06_150141.png
MD5: 28ED31C119BF583544F8F3825C548A9C
SHA256: 1260140CC94DD8207C100AD601CD9D36C76C57FCAA5CDDF88FA7AB772165DD14

PID: 3640 | Process: WinRAR.exe | Type: image
Filename: C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\2018-08-06_145933.png
MD5: 9BC20A492BE571BD434B0EDF94694413
SHA256: B5728B66366436AD0F08BB134852DBBF3B15A5B27E47301EF8588972E680A4AD
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2292
Process: HSJgaCzDw.exe
IP: 5.79.66.145:80
Domain: stillak.kl.com.ua
ASN: LeaseWeb Netherlands B.V.
CN: NL
Reputation: malicious

DNS requests

Domain: stillak.kl.com.ua
IP: 5.79.66.145
Reputation: malicious

Threats

PID: 2292
Process: HSJgaCzDw.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin

PID: 2292
Process: HSJgaCzDw.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Predator Stealer v2.3

1 ETPRO signature available at the full report
No debug info