File name: | [@exp_0day]stillak.rar |
Full analysis: | https://app.any.run/tasks/83c5b4b1-9ba7-469b-8a82-765c84fbe5dc |
Verdict: | Malicious activity |
Threats: | Predator the Thief is an information stealer, i.e. malware that exfiltrates data from infected systems. It can access the webcam to spy on the victim, steal saved passwords and login credentials, and retrieve payment data and cryptocurrency wallet contents. |
Analysis date: | August 18, 2019, 00:22:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 762B0F764AE12F7C2F1CF04DEA6CF4EF |
SHA1: | 9EDBB4DB136B2C3FA974542AF706E6AF9F829A4E |
SHA256: | 9F616BE465B62BDC9608E0D6F260AFF8CDCB806657525C38399918F6714FF0C1 |
SSDEEP: | 98304:zLUMd3z/SAKrvWB9fOlISH7GRpk1Q67a3m+KM:sMJWAKLokjHGkQp2nM |
Extension | File type signature | Match (%)
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3640 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\[@exp_0day]stillak.rar" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 | | | |
2736 | "C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\Predator The Thief Cracked [XakFor.Net].exe" | C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\Predator The Thief Cracked [XakFor.Net].exe | | explorer.exe
User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | |
3820 | "C:\Users\admin\Desktop\Predator The Thief Cracked [XakFor.Net].exe" | C:\Users\admin\Desktop\Predator The Thief Cracked [XakFor.Net].exe | — | Predator The Thief Cracked [XakFor.Net].exe
User: admin; Company: Microsoft; Integrity Level: MEDIUM; Description: Predator The Thief Cracked; Version: 1.0.0.0 | | | |
2292 | "C:\Users\admin\Desktop\HSJgaCzDw.exe" | C:\Users\admin\Desktop\HSJgaCzDw.exe | | Predator The Thief Cracked [XakFor.Net].exe
User: admin; Integrity Level: MEDIUM; Exit code: 1 | | | |
2776 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\admin panel v4 (rus).rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 | | | |
3076 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\admin panel v4 (rus).rar" "C:\Users\admin\Desktop\admin panel v4 (rus)\" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | | |
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3640 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
3640 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
3640 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
3640 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\[@exp_0day]stillak.rar
3640 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3640 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3640 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3640 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
3640 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop\[@exp_0day]stillak
2736 | Predator The Thief Cracked [XakFor.Net].exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3640 | WinRAR.exe | C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\2018-08-06_145944.png | image | 8389E3ADF0F1C378632D0B9054B7CEF9 | 3DAD290E6DB73DEA64357463D369594493CA53EA28BB90711173A2956DEB4AC8
2292 | HSJgaCzDw.exe | C:\Users\admin\AppData\Roaming\pts2Y8S2X8Q0W2Y8S2X8Q0W\General\Mozilla_1511.sqlite | sqlite | 7C426E0FC19063A433349CE713DA84A0 | 9925B2D80F8A85132EF4927979B25E0B9525E8317A71FFD844980B794B04234C
2292 | HSJgaCzDw.exe | C:\Users\admin\AppData\Roaming\pts2Y8S2X8Q0W2Y8S2X8Q0W\Screenshot.bmp | image | EACA2F30CFBBFE4089DBDDA26A412872 | CB776DCEC62DD679B8603BD3EC4681FBAFFC2209CA645DCB678E0B5269276701
3640 | WinRAR.exe | C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\Screenshot.png | image | 8DA1CB905E03300DB306E96E614C38BC | 90AB2973639BDCE9781685685E947AD31A1C7BB6B0DFE6FB4C672665F294B37B
3640 | WinRAR.exe | C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\2018-08-06_145923.png | image | A075BC22090A53766B2B4E361CD8A365 | FF4C83AF41CD4A943B2AEE1824959DA5D9AB230F5C32FDA9A9AE7500AD6850FF
3640 | WinRAR.exe | C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\admin panel v4 (rus).rar | compressed | EF9F706C8F55CBF0AFC1AE320DCED396 | E030B8AE1FE349FD4F10AA8B7135267D3953DA21F45D88F84BD10A3DD299CBDB
2736 | Predator The Thief Cracked [XakFor.Net].exe | C:\Users\admin\Desktop\HSJgaCzDw.exe | executable | 6FD75CF0601714940F7C4C5A4FFD29FC | 60CD93038E337B8AC22CF297B8A22F4654EC8D2CDCDB32267CEF3D5DCA1522C1
3640 | WinRAR.exe | C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\Predator The Thief Cracked [XakFor.Net].exe | executable | 1C8C6177EEDD8B1ABA89159C91953B47 | 7F86C94FE4AF0557A2DB7514BFD70BE3178C7CD0895591153673AC9F2B1B2EF4
3640 | WinRAR.exe | C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\2018-08-06_150141.png | image | 28ED31C119BF583544F8F3825C548A9C | 1260140CC94DD8207C100AD601CD9D36C76C57FCAA5CDDF88FA7AB772165DD14
3640 | WinRAR.exe | C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\2018-08-06_145933.png | image | 9BC20A492BE571BD434B0EDF94694413 | B5728B66366436AD0F08BB134852DBBF3B15A5B27E47301EF8588972E680A4AD
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2292 | HSJgaCzDw.exe | 5.79.66.145:80 | stillak.kl.com.ua | LeaseWeb Netherlands B.V. | NL | malicious |
Domain | IP | Reputation
---|---|---
stillak.kl.com.ua | | malicious
PID | Process | Class | Message |
---|---|---|---|
2292 | HSJgaCzDw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Agent.PLQ (Predator Stealer) CnC Checkin |
2292 | HSJgaCzDw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Predator Stealer v2.3 |
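Turning this report into detection logic, as an added example that is my code rather than ANY.RUN's or anything from the analysed sample: the SHA256 values, C2 host and staging paths below are copied from the tables above (the process tree, the dropped-files table and the network/IDS tables); the Sysmon-style event records in SAMPLE_EVENTS are constructed to replay that behaviour and are not from the report, the explorer.exe PID and the benign iexplore.exe connection are made up, and the minimum length used for the random staging-folder name is an assumption. The `staging_then_http` rule generalises beyond the page: it fires when a process that just staged loot opens any plaintext HTTP connection, so it still matches if the C2 address changes.

```python
"""Detection rules derived from the sandbox report above.

Added example, not ANY.RUN's code and not part of the analysed sample.
Indicator values are copied from the report; the events in SAMPLE_EVENTS
are constructed for this example (explorer.exe PID and the iexplore.exe
connection are made up) and are not taken from the report.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Atomic indicators from the report: SHA256 of the archive, the cracked
# builder and the dropped stealer, plus the C2 host it checked in to.
KNOWN_SHA256 = {
    "9F616BE465B62BDC9608E0D6F260AFF8CDCB806657525C38399918F6714FF0C1",  # [@exp_0day]stillak.rar
    "7F86C94FE4AF0557A2DB7514BFD70BE3178C7CD0895591153673AC9F2B1B2EF4",  # Predator The Thief Cracked [XakFor.Net].exe
    "60CD93038E337B8AC22CF297B8A22F4654EC8D2CDCDB32267CEF3D5DCA1522C1",  # HSJgaCzDw.exe
}
C2_DOMAINS = {"stillak.kl.com.ua"}
C2_ENDPOINTS = {("5.79.66.145", 80)}

# Behavioural indicator from the dropped-files table: loot is staged under
# %APPDATA%\<long random name>\ as a browser-profile copy in General\ plus a
# Screenshot.bmp. The 16-character minimum for the folder name is an assumption.
STAGING_RE = re.compile(
    r"\\AppData\\Roaming\\[A-Za-z0-9]{16,}\\(General\\[^\\]+\.sqlite|Screenshot\.bmp)$",
    re.IGNORECASE,
)


@dataclass
class Event:
    kind: str                       # "process", "file", "dns" or "network"
    pid: int
    image: str                      # full path of the acting process
    ppid: Optional[int] = None
    parent_image: Optional[str] = None
    sha256: Optional[str] = None    # set on "process" events
    target: Optional[str] = None    # file path, queried domain or "ip:port"


Alert = Tuple[str, int, str]        # (rule name, pid, detail)


def scan(events: Iterable[Event]) -> List[Alert]:
    """Apply the report-derived rules in event order and return every hit."""
    alerts: List[Alert] = []
    dropped = {}        # lower-cased .exe path -> pid that wrote it
    stagers = set()     # pids that wrote into a stealer staging directory
    for e in events:
        if e.kind == "process":
            if e.sha256 and e.sha256.upper() in KNOWN_SHA256:
                alerts.append(("known_hash", e.pid, e.image))
            # Drop-and-execute: the parent wrote this image and then ran it
            # (in the report, 2736 wrote HSJgaCzDw.exe and spawned it as 2292).
            if e.ppid is not None and dropped.get(e.image.lower()) == e.ppid:
                alerts.append(("drop_and_execute", e.pid, f"{e.parent_image} -> {e.image}"))
        elif e.kind == "file" and e.target:
            if e.target.lower().endswith(".exe"):
                dropped[e.target.lower()] = e.pid
            if STAGING_RE.search(e.target):
                stagers.add(e.pid)
                alerts.append(("stealer_staging", e.pid, e.target))
        elif e.kind == "dns" and e.target and e.target.lower() in C2_DOMAINS:
            alerts.append(("c2_dns", e.pid, e.target))
        elif e.kind == "network" and e.target:
            ip, _, port = e.target.rpartition(":")
            if not port.isdigit():
                continue
            if (ip, int(port)) in C2_ENDPOINTS:
                alerts.append(("c2_checkin", e.pid, e.target))
            elif e.pid in stagers and int(port) == 80:
                # A process that just staged loot and then talks plaintext HTTP
                # is flagged even when the C2 address is not the known one.
                alerts.append(("staging_then_http", e.pid, e.target))
    return alerts


EXPLORER = r"C:\Windows\explorer.exe"
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
BUILDER = r"C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\Predator The Thief Cracked [XakFor.Net].exe"
STEALER = r"C:\Users\admin\Desktop\HSJgaCzDw.exe"
STAGE = r"C:\Users\admin\AppData\Roaming\pts2Y8S2X8Q0W2Y8S2X8Q0W"

SAMPLE_EVENTS = [  # constructed replay of the report's process, file and network tables
    Event("process", 3640, WINRAR, ppid=1000, parent_image=EXPLORER, sha256="00" * 32),
    Event("file", 3640, WINRAR, target=r"C:\Users\admin\Desktop\[@exp_0day]stillak\stillak\Screenshot.png"),
    Event("process", 2736, BUILDER, ppid=1000, parent_image=EXPLORER,
          sha256="7F86C94FE4AF0557A2DB7514BFD70BE3178C7CD0895591153673AC9F2B1B2EF4"),
    Event("file", 2736, BUILDER, target=STEALER),
    Event("process", 2292, STEALER, ppid=2736, parent_image=BUILDER,
          sha256="60CD93038E337B8AC22CF297B8A22F4654EC8D2CDCDB32267CEF3D5DCA1522C1"),
    Event("file", 2292, STEALER, target=STAGE + r"\General\Mozilla_1511.sqlite"),
    Event("file", 2292, STEALER, target=STAGE + r"\Screenshot.bmp"),
    Event("dns", 2292, STEALER, target="stillak.kl.com.ua"),
    Event("network", 2292, STEALER, target="5.79.66.145:80"),
    Event("network", 4100, r"C:\Program Files\Internet Explorer\iexplore.exe", target="93.184.216.34:80"),  # benign noise
]

if __name__ == "__main__":
    for rule, pid, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:<18} pid={pid:<5} {detail}")
```

Run against SAMPLE_EVENTS this yields seven alerts, all on PIDs 2736 and 2292: the two hash hits, the drop-and-execute of HSJgaCzDw.exe by its parent, the two staging writes, the DNS query for the C2 host and the check-in to 5.79.66.145:80; the WinRAR extraction and the iexplore.exe connection produce nothing. In production the hash and endpoint sets would be loaded from a feed rather than hard-coded, and the drop-and-execute rule needs the usual allow-list for installers and updaters that legitimately write and launch executables.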