File name: RedLine unpacked by Grizzly.rar
Full analysis: https://app.any.run/tasks/d9d01ed3-0e9f-4bf8-a4d2-5c0e38925960
Verdict: Malicious activity
Analysis date: January 24, 2022, 19:11:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 7DD77B4F4763579B7E4089F84150129B
SHA1: 733F9F4418F493EDF8BCB95845A00A039826DC34
SHA256: 9F76F8E662F2AF134584487443D79AD02D668D9EE9F1AAA3143C17E874F00423
SSDEEP: 24576:fD6QtITfzjCBsyRDG7L1xgLRKuXfsGycg3KGRKBOpdHfqxlcSl3z:fD/G/CBsys9+sL56GQOPfSzl3z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3604)
    • Application was dropped or rewritten from another process
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 120)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 408)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 3520)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 1260)
  • SUSPICIOUS
    • Checks supported languages
      • WinRAR.exe (PID: 3564)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 120)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 3520)
    • Reads the computer name
      • WinRAR.exe (PID: 3564)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 120)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 3520)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 3564)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3564)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3564)
    • Reads Environment values
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 120)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 3520)
  • INFO
    • Manual execution by user
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 408)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 120)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 1260)
      • RedLine.MainPanel_unpack_by_grizzly.exe (PID: 3520)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 46
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph (interactive graph available in the full report)

Processes shown in the graph: winrar.exe, searchprotocolhost.exe (no specs), redline.mainpanel_unpack_by_grizzly.exe (four instances, two marked "no specs")

Process information

PID: 3564
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RedLine unpacked by Grizzly.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3604
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 408
CMD: "C:\Users\admin\Desktop\RedLine.MainPanel_unpack_by_grizzly.exe"
Path: C:\Users\admin\Desktop\RedLine.MainPanel_unpack_by_grizzly.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: RedLinePanel
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0

PID: 120
CMD: "C:\Users\admin\Desktop\RedLine.MainPanel_unpack_by_grizzly.exe"
Path: C:\Users\admin\Desktop\RedLine.MainPanel_unpack_by_grizzly.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: RedLinePanel
Exit code: 0
Version: 1.0.0.0

PID: 1260
CMD: "C:\Users\admin\Desktop\RedLine.MainPanel_unpack_by_grizzly.exe"
Path: C:\Users\admin\Desktop\RedLine.MainPanel_unpack_by_grizzly.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: RedLinePanel
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.0

PID: 3520
CMD: "C:\Users\admin\Desktop\RedLine.MainPanel_unpack_by_grizzly.exe"
Path: C:\Users\admin\Desktop\RedLine.MainPanel_unpack_by_grizzly.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Description: RedLinePanel
Exit code: 0
Version: 1.0.0.0

Note: the two MEDIUM-integrity instances (PIDs 408 and 1260) exit with STATUS_ELEVATION_REQUIRED, and the two HIGH-integrity instances (PIDs 120 and 3520) run to completion, consistent with the panel executable requesting elevation on launch.
Total events: 1 179
Read events: 1 156
Write events: 23
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
3564 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
3564 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
3564 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | en-US
3564 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
3564 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3564 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\RedLine unpacked by Grizzly.rar
3564 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3564 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3564 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3564 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
Executable files: 11
Suspicious files: 1
Text files: 2
Unknown types: 2

Dropped files

PID | Process | Filename | Type
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.15447\RedLine.MainPanel_unpack_by_grizzly.exe | executable
  MD5: B17B6C4102557727A1939DFBBB3F3F53
  SHA256: 290F38FB4BF0A44E0AEAF7A4F7FA8ABCF5F599D94F9D01743463ADB90BADF79A
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.15447\RedLine.SharedModels.dll | executable
  MD5: AE877D9B64C6907D4591463CB52CA9FA
  SHA256: E7339D9B25849A1B61D2C186B11D9CDB53352B65C7EE4603A1B6D2A5BB733C0D
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.15447\Pluralsight.Crypto.dll | executable
  MD5: 6D0FAB9DF4408F42C339109D4AD80D5A
  SHA256: 5018C1B21264B1FA8BE9904647FC2732D2514F01F3F8AF70702931F0234D0D94
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.15447\RedLine.MainPanel.exe.config | xml
  MD5: E0B9F161A4F5595C87FF6F2490AC3EF5
  SHA256: 9CDEEEC22B816EAE2A98D13FDA178768CA0BCCCB2C2B6A984CCFB3AF95D2C7D6
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.15447\Telegram.Bot.dll | executable
  MD5: B2C03E251DE45AD9A8206AC20A5E0E8F
  SHA256: 6CC510863C1FD54BE384041E928A151501CFFD5AB3881E22ACA2119C82F7EBC7
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.15447\Newtonsoft.Json.dll | executable
  MD5: 6815034209687816D8CF401877EC8133
  SHA256: 7F912B28A07C226E0BE3ACFB2F57F050538ABA0100FA1F0BF2C39F1A1F1DA814
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.15447\protobuf-net.dll | executable
  MD5: D16FFFEB71891071C1C5D9096BA03971
  SHA256: 141B235AF8EBF25D5841EDEE29E2DCF6297B8292A869B3966C282DA960CBD14D
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.15447\MetroSet UI.dll.config | xml
  MD5: 9A25AE6E4FBE956CC33A232AC97D3B16
  SHA256: A407B110C78C0077B651FCBD05CCE073541B61E3E8B4747608069AC5CE686A8C
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.15447\serviceSettings.json | binary
  MD5: A2ECA06223DFB21BD7C815EC354FA87D
  SHA256: 7158D6194A4EB9B47F17B174E180F34835561A230CF37309FD7DDA55B7016EB3
3564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3564.15447\MetroSet UI.dll | odttf
  MD5: 5AEEA45913EB8475077A9547D7D3F2F3
  SHA256: EF2A67849FBE0F1C99263BF0ACFDDF15A1B3668E49FD9D35868E147D8A4C8C73
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info