Malware analysis archive.zip Malicious activity | ANY.RUN

Add for printing

File name:	archive.zip
Full analysis:	https://app.any.run/tasks/d555d89a-f047-4687-aac1-d728a3ceb182
Verdict:	Malicious activity
Threats:	PrivateLoader is a malware family that is specifically created to infect computer systems and drop additional malicious programs. It operates using a pay-per-install business model, which means that the individuals behind it are paid for each instance of successful deployment of different types of harmful programs, including trojans, stealers, and other ransomware. RedLine Stealer is a malicious program that collects users’ confidential data from browsers, systems, and installed software. It also infects operating systems with other malware. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018. Malware Trends Tracker >>>
Analysis date:	July 24, 2024, 12:39:27
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion stealer privateloader netreactor redline vidar
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	1C4D4C0E6F6A93464E453FF974082DEE
SHA1:	B03EB716EE3FA8CD6FD13D801C53FFFAEE6DD615
SHA256:	A04DD35B68FE732930D0D22D08020374FF6AF450A91231EB7DE4BAAFA3F4E00E
SSDEEP:	98304:/sm68/oADb9YruubYbyGSs81bG/ZS9wmDQPkIAyubijWojdeKq0oYOQBveJ6fVz0:3EwbG8MgJb7r4oUpfpX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 6932)
  - File.exe (PID: 1816)
  - MSBuild.exe (PID: 1800)
- Changes the Windows auto-update feature
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
- Actions looks like stealing of personal data
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
- Connects to the CnC server
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
- PRIVATELOADER has been detected (YARA)
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
- PRIVATELOADER has been detected (SURICATA)
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
- VIDAR has been detected (YARA)
  - MSBuild.exe (PID: 1800)
- REDLINE has been detected (YARA)
  - RegAsm.exe (PID: 4184)
SUSPICIOUS
- The process drops C-runtime libraries
  - WinRAR.exe (PID: 6932)
  - MSBuild.exe (PID: 1800)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 6932)
  - MSBuild.exe (PID: 1800)
- Checks for external IP
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
- Connects to the server without a host name
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
- Checks Windows Trust Settings
  - File.exe (PID: 1816)
  - MSBuild.exe (PID: 6040)
- Reads security settings of Internet Explorer
  - File.exe (PID: 1816)
  - MSBuild.exe (PID: 6040)
- Executable content was dropped or overwritten
  - File.exe (PID: 1816)
  - MSBuild.exe (PID: 1800)
- Potential Corporate Privacy Violation
  - File.exe (PID: 1816)
- Connects to unusual port
  - RegAsm.exe (PID: 4184)
- The process drops Mozilla's DLL files
  - MSBuild.exe (PID: 1800)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6932)
- Checks supported languages
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
  - jrDUrAHNKxBLsDh8ZbyZBkJt.exe (PID: 1164)
  - xx2AzW_Ts45egK6bAQwnwcLq.exe (PID: 3840)
  - ujrii7zinag1hPKKtZGVkukS.exe (PID: 3048)
  - QlOCbkYUHcZrZiQOrSV5kgHj.exe (PID: 3396)
  - 7ZIdSYLeOQihMpdJXT5wk0zn.exe (PID: 4500)
  - RegAsm.exe (PID: 4184)
  - RegAsm.exe (PID: 4780)
  - MSBuild.exe (PID: 6040)
  - MSBuild.exe (PID: 1800)
- Manual execution by a user
  - File.exe (PID: 6560)
  - File.exe (PID: 6352)
  - File.exe (PID: 1008)
  - File.exe (PID: 1816)
- Reads the software policy settings
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
  - MSBuild.exe (PID: 6040)
- Reads the computer name
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
  - jrDUrAHNKxBLsDh8ZbyZBkJt.exe (PID: 1164)
  - ujrii7zinag1hPKKtZGVkukS.exe (PID: 3048)
  - QlOCbkYUHcZrZiQOrSV5kgHj.exe (PID: 3396)
  - RegAsm.exe (PID: 4780)
  - RegAsm.exe (PID: 4184)
  - MSBuild.exe (PID: 6040)
  - MSBuild.exe (PID: 1800)
- Process checks computer location settings
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
- Reads the machine GUID from the registry
  - File.exe (PID: 6352)
  - File.exe (PID: 1816)
  - ujrii7zinag1hPKKtZGVkukS.exe (PID: 3048)
  - RegAsm.exe (PID: 4184)
  - RegAsm.exe (PID: 4780)
  - QlOCbkYUHcZrZiQOrSV5kgHj.exe (PID: 3396)
  - MSBuild.exe (PID: 6040)
- Checks proxy server information
  - slui.exe (PID: 1568)
  - File.exe (PID: 1816)
  - MSBuild.exe (PID: 6040)
- Creates files or folders in the user directory
  - File.exe (PID: 1816)
  - MSBuild.exe (PID: 6040)
- .NET Reactor protector has been detected
  - RegAsm.exe (PID: 4780)
- Creates files in the program directory
  - MSBuild.exe (PID: 6040)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RedLine

(PID) Process(4184) RegAsm.exe

C2 (1)77.105.135.107:3445

BotnetLogsDiller Cloud (TG: @logsdillabot)

Options

ErrorMessage

Keys

XorTaxying

Vidar

(PID) Process(1800) MSBuild.exe

C2https://t.me/armad2a

URLhttps://steamcommunity.com/profiles/76561199747278259

Strings (310)INSERT_KEY_HERE

GetEnvironmentVariableA

shlwapi.dll

InternetConnectA

FALSE

%d/%d/%d %d:%d:%d

Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\

DialogConfig.vdf

GetProcAddress

LoadLibrary

lstrcatA

OpenEventA

CreateEventA

CloseHandle

Sleep

GetUserDefaultLangID

VirtualAllocExNuma

VirtualFree

GetSystemInfo

VirtualAlloc

HeapAlloc

GetComputerNameA

lstrcpyA

GetProcessHeap

GetCurrentProcess

lstrlenA

ExitProcess

GlobalMemoryStatusEx

GetSystemTime

SystemTimeToFileTime

advapi32.dll

gdi32.dll

user32.dll

crypt32.dll

ntdll.dll

GetUserNameA

CreateDCA

GetDeviceCaps

CryptStringToBinaryA

sscanf

NtQueryInformationProcess

VMwareVMware

HAL9TH

JohnDoe

DISPLAY

%hu/%hu/%hu

GetFileAttributesA

GlobalLock

HeapFree

GetFileSize

GlobalSize

CreateToolhelp32Snapshot

IsWow64Process

Process32Next

GetLocalTime

FreeLibrary

GetTimeZoneInformation

GetSystemPowerStatus

GetVolumeInformationA

GetWindowsDirectoryA

Process32First

GetLocaleInfoA

GetUserDefaultLocaleName

GetModuleFileNameA

DeleteFileA

FindNextFileA

LocalFree

FindClose

SetEnvironmentVariableA

LocalAlloc

GetFileSizeEx

ReadFile

SetFilePointer

WriteFile

CreateFileA

FindFirstFileA

VirtualProtect

GetLogicalProcessorInformationEx

GetLastError

lstrcpynA

MultiByteToWideChar

GlobalFree

WideCharToMultiByte

GlobalAlloc

OpenProcess

TerminateProcess

GetCurrentProcessId

gdiplus.dll

ole32.dll

bcrypt.dll

wininet.dll

shell32.dll

psapi.dll

rstrtmgr.dll

CreateCompatibleBitmap

SelectObject

BitBlt

DeleteObject

CreateCompatibleDC

GdipGetImageEncodersSize

GdipGetImageEncoders

GdipCreateBitmapFromHBITMA

GdiplusStartup

GdiplusShutdown

GdipSaveImageToStream

GdipDisposeImage

GdipFree

GetHGlobalFromStream

CreateStreamOnHGlobal

CoUninitialize

CoInitialize

CoCreateInstance

BCryptGenerateSymmetricKey

BCryptCloseAlgorithmProvider

BCryptDecrypt

BCryptSetProperty

BCryptDestroyKey

BCryptOpenAlgorithmProvider

GetWindowRect

GetDesktopWindow

GetDC

wsprintfA

EnumDisplayDevicesA

GetKeyboardLayoutList

CharToOemW

wsprintfW

RegQueryValueExA

RegEnumKeyExA

RegOpenKeyExA

RegCloseKey

RegEnumValueA

CryptBinaryToStringA

CryptUnprotectData

SHGetFolderPathA

ShellExecuteExA

InternetOpenUrlA

InternetCloseHandle

InternetOpenA

HttpSendRequestA

HttpOpenRequestA

InternetReadFile

InternetCrackUrlA

StrCmpCA

StrStrA

StrCmpCW

PathMatchSpecA

GetModuleFileNameExA

RmStartSession

RmRegisterResources

RmGetList

RmEndSession

sqlite3_open

sqlite3_prepare_v2

sqlite3_step

sqlite3_column_text

sqlite3_finalize

sqlite3_close

sqlite3_column_bytes

sqlite3_column_blob

encrypted_key

PATH

C:\ProgramData\nss3.dll

NSS_Init

NSS_Shutdown

PK11_GetInternalKeySlot

PK11_FreeSlot

PK11SDR_Decrypt

C:\ProgramData\

SELECT origin_url, username_value, password_value FROM logins

Soft:

profile:

Host:

Password:

Opera

OperaGX

Network

.txt

SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies

TRUE

Autofill

SELECT name, value FROM autofill

History

SELECT url FROM urls LIMIT 1000

SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards

Name:

Month:

Year:

Card:

Web Data

History

logins.json

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

guid

SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies

SELECT fieldname, value FROM moz_formhistory

SELECT url FROM moz_places LIMIT 1000

cookies.sqlite

formhistory.sqlite

places.sqlite

Plugins

Local Extension Settings

Sync Extension Settings

IndexedDB

Opera GX Stable

CURRENT

chrome-extension_

_0.indexeddb.leveldb

Local State

profiles.ini

chrome

opera

firefox

Wallets

%08lX%04lX%lu

SOFTWARE\Microsoft\Windows NT\CurrentVersion

ProductName

x32

x64

HARDWARE\DESCRIPTION\System\CentralProcessor\0

ProcessorNameString

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

DisplayName

DisplayVersion

freebl3.dll

mozglue.dll

msvcp140.dll

nss3.dll

softokn3.dll

vcruntime140.dll

\Temp\

.exe

runas

open

/c start

%DESKTOP%

%APPDATA%

%LOCALAPPDATA%

%USERPROFILE%

%DOCUMENTS%

%PROGRAMFILES%

%PROGRAMFILES_86%

%RECENT%

*.lnk

Files

\discord\

\Local Storage\leveldb\CURRENT

\Local Storage\leveldb

\Telegram Desktop\

D877F783D5D3EF8C*

map*

A7FDF864FBC10B77*

A92DAA6EA6F891F2*

F8806DD0C461824F*

Tox

*.tox

*.ini

Password

Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375

Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office .0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Software\Microsoft\Office.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

00000001

00000002

00000003

00000004

\Outlook\accounts.txt

Pidgin

\.purple\

accounts.xml

dQw4w9WgXcQ

token:

Software\Valve\Steam

SteamPath

\config\

ssfn*

config.vdf

DialogConfigOverlay*.vdf

libraryfolders.vdf

loginusers.vdf

\Steam\

sqlite3.dll

browsers

done

Soft

\Discord\tokens.txt

/c timeout /t 5 & del /f /q "

" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\system32\cmd.exe

https

Content-Type: multipart/form-data; boundary=----

HTTP/1.1

Content-Disposition: form-data; name="

hwid

build

token

file_name

file

message

ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

screenshot.jpg

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (99.9)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:07:24 14:31:52
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	archive/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

165

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1008	"C:\Users\admin\Desktop\archive\File.exe"	C:\Users\admin\Desktop\archive\File.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 3221226540
1164	C:\Users\admin\Documents\piratemamm\jrDUrAHNKxBLsDh8ZbyZBkJt.exe	C:\Users\admin\Documents\piratemamm\jrDUrAHNKxBLsDh8ZbyZBkJt.exe	—	File.exe
User: admin Company: Integrity Level: HIGH Description: Mobile Media Converter Setup Exit code: 1 Version:
1568	C:\WINDOWS\System32\slui.exe -Embedding	C:\Windows\System32\slui.exe		svchost.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
1800	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe		QlOCbkYUHcZrZiQOrSV5kgHj.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: MSBuild.exe Version: 4.8.9037.0 built by: NET481REL1 Vidar (PID) Process(1800) MSBuild.exe C2https://t.me/armad2a URLhttps://steamcommunity.com/profiles/76561199747278259 Strings (310)INSERT_KEY_HERE GetEnvironmentVariableA shlwapi.dll InternetConnectA FALSE %d/%d/%d %d:%d:%d Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\ DialogConfig.vdf GetProcAddress LoadLibrary lstrcatA OpenEventA CreateEventA CloseHandle Sleep GetUserDefaultLangID VirtualAllocExNuma VirtualFree GetSystemInfo VirtualAlloc HeapAlloc GetComputerNameA lstrcpyA GetProcessHeap GetCurrentProcess lstrlenA ExitProcess GlobalMemoryStatusEx GetSystemTime SystemTimeToFileTime advapi32.dll gdi32.dll user32.dll crypt32.dll ntdll.dll GetUserNameA CreateDCA GetDeviceCaps CryptStringToBinaryA sscanf NtQueryInformationProcess VMwareVMware HAL9TH JohnDoe DISPLAY %hu/%hu/%hu GetFileAttributesA GlobalLock HeapFree GetFileSize GlobalSize CreateToolhelp32Snapshot IsWow64Process Process32Next GetLocalTime FreeLibrary GetTimeZoneInformation GetSystemPowerStatus GetVolumeInformationA GetWindowsDirectoryA Process32First GetLocaleInfoA GetUserDefaultLocaleName GetModuleFileNameA DeleteFileA FindNextFileA LocalFree FindClose SetEnvironmentVariableA LocalAlloc GetFileSizeEx ReadFile SetFilePointer WriteFile CreateFileA FindFirstFileA VirtualProtect GetLogicalProcessorInformationEx GetLastError lstrcpynA MultiByteToWideChar GlobalFree WideCharToMultiByte GlobalAlloc OpenProcess TerminateProcess GetCurrentProcessId gdiplus.dll ole32.dll bcrypt.dll wininet.dll shell32.dll psapi.dll rstrtmgr.dll CreateCompatibleBitmap SelectObject BitBlt DeleteObject CreateCompatibleDC GdipGetImageEncodersSize GdipGetImageEncoders GdipCreateBitmapFromHBITMA GdiplusStartup GdiplusShutdown GdipSaveImageToStream GdipDisposeImage GdipFree GetHGlobalFromStream CreateStreamOnHGlobal CoUninitialize CoInitialize CoCreateInstance BCryptGenerateSymmetricKey BCryptCloseAlgorithmProvider BCryptDecrypt BCryptSetProperty BCryptDestroyKey BCryptOpenAlgorithmProvider GetWindowRect GetDesktopWindow GetDC wsprintfA EnumDisplayDevicesA GetKeyboardLayoutList CharToOemW wsprintfW RegQueryValueExA RegEnumKeyExA RegOpenKeyExA RegCloseKey RegEnumValueA CryptBinaryToStringA CryptUnprotectData SHGetFolderPathA ShellExecuteExA InternetOpenUrlA InternetCloseHandle InternetOpenA HttpSendRequestA HttpOpenRequestA InternetReadFile InternetCrackUrlA StrCmpCA StrStrA StrCmpCW PathMatchSpecA GetModuleFileNameExA RmStartSession RmRegisterResources RmGetList RmEndSession sqlite3_open sqlite3_prepare_v2 sqlite3_step sqlite3_column_text sqlite3_finalize sqlite3_close sqlite3_column_bytes sqlite3_column_blob encrypted_key PATH C:\ProgramData\nss3.dll NSS_Init NSS_Shutdown PK11_GetInternalKeySlot PK11_FreeSlot PK11SDR_Decrypt C:\ProgramData\ SELECT origin_url, username_value, password_value FROM logins Soft: profile: Host: Login: Password: Opera OperaGX Network Cookies .txt SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies TRUE Autofill SELECT name, value FROM autofill History SELECT url FROM urls LIMIT 1000 CC SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards Name: Month: Year: Card: Cookies Login Data Web Data History logins.json formSubmitURL usernameField encryptedUsername encryptedPassword guid SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies SELECT fieldname, value FROM moz_formhistory SELECT url FROM moz_places LIMIT 1000 cookies.sqlite formhistory.sqlite places.sqlite Plugins Local Extension Settings Sync Extension Settings IndexedDB Opera GX Stable CURRENT chrome-extension_ _0.indexeddb.leveldb Local State profiles.ini chrome opera firefox Wallets %08lX%04lX%lu SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName x32 x64 HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessorNameString SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall DisplayName DisplayVersion freebl3.dll mozglue.dll msvcp140.dll nss3.dll softokn3.dll vcruntime140.dll \Temp\ .exe runas open /c start %DESKTOP% %APPDATA% %LOCALAPPDATA% %USERPROFILE% %DOCUMENTS% %PROGRAMFILES% %PROGRAMFILES_86% %RECENT% .lnk Files \discord\ \Local Storage\leveldb\CURRENT \Local Storage\leveldb \Telegram Desktop\ D877F783D5D3EF8C map* A7FDF864FBC10B77* A92DAA6EA6F891F2* F8806DD0C461824F* Telegram Tox .tox .ini Password Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375 Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ Software\Microsoft\Office .0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ Software\Microsoft\Office.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\ 00000001 00000002 00000003 00000004 \Outlook\accounts.txt Pidgin \.purple\ accounts.xml dQw4w9WgXcQ token: Software\Valve\Steam SteamPath \config\ ssfn* config.vdf DialogConfigOverlay.vdf libraryfolders.vdf loginusers.vdf \Steam\ sqlite3.dll browsers done Soft \Discord\tokens.txt /c timeout /t 5 & del /f /q " " & del "C:\ProgramData\.dll"" & exit C:\Windows\system32\cmd.exe https Content-Type: multipart/form-data; boundary=---- HTTP/1.1 Content-Disposition: form-data; name=" hwid build token file_name file message ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 screenshot.jpg
1816	"C:\Users\admin\Desktop\archive\File.exe"	C:\Users\admin\Desktop\archive\File.exe		explorer.exe
User: admin Integrity Level: HIGH Exit code: 0
3048	C:\Users\admin\Documents\piratemamm\ujrii7zinag1hPKKtZGVkukS.exe	C:\Users\admin\Documents\piratemamm\ujrii7zinag1hPKKtZGVkukS.exe	—	File.exe
User: admin Company: Radmin VPN Integrity Level: HIGH Description: motosoft Exit code: 0 Version: 1.4.462.100
3396	C:\Users\admin\Documents\piratemamm\QlOCbkYUHcZrZiQOrSV5kgHj.exe	C:\Users\admin\Documents\piratemamm\QlOCbkYUHcZrZiQOrSV5kgHj.exe	—	File.exe
User: admin Company: Radmin VPN Integrity Level: HIGH Description: fastsoft Exit code: 0 Version: 1.4.462.100
3840	C:\Users\admin\Documents\piratemamm\xx2AzW_Ts45egK6bAQwnwcLq.exe	C:\Users\admin\Documents\piratemamm\xx2AzW_Ts45egK6bAQwnwcLq.exe	—	File.exe
User: admin Integrity Level: HIGH Exit code: 0
3936	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	7ZIdSYLeOQihMpdJXT5wk0zn.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
4184	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe		7ZIdSYLeOQihMpdJXT5wk0zn.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Assembly Registration Utility Version: 4.8.9037.0 built by: NET481REL1 RedLine (PID) Process(4184) RegAsm.exe C2 (1)77.105.135.107:3445 BotnetLogsDiller Cloud (TG: @logsdillabot) Options ErrorMessage Keys XorTaxying

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6932	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6932.9750\archive\File.exe		—
		MD5:—	SHA256:—
6932	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6932.9750\archive\updates\Cache_Data\data_3		—
		MD5:—	SHA256:—
6932	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6932.9750\archive\updates\Cache_Data\resources.resource		—
		MD5:—	SHA256:—
6932	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6932.9750\archive\updates\Cache_Data\sharedassets0.assets		—
		MD5:—	SHA256:—
6932	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6932.9750\archive\updates\Shared Dictionary\history-cache — копия (2).dll		—
		MD5:—	SHA256:—
6932	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6932.9750\archive\updates\Shared Dictionary\history-cache — копия (3).dll		—
		MD5:—	SHA256:—
6932	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6932.9750\archive\updates\Cache_Data\data_1		binary
		MD5:121CEFE66D326E90BFD9B6997D194E77	SHA256:81F67418012A5602C72F7CFB2B84A29C4633FDB2549B6487388731D521B1BACD
6932	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6932.9750\archive\updates\Cache_Data\data_2		vxd
		MD5:0962291D6D367570BEE5454721C17E11	SHA256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
6932	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6932.9750\archive\version.xml		xml
		MD5:C6E524037A2152D1963A2C29DBFA2966	SHA256:00E68D05801E95C3207DBEA1E8B448AC8960BE835634DF108F7286E56D0706F7
6932	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6932.9750\archive\updates\ILU.dll		executable
		MD5:AEE74E686DCF044042C150A75709E367	SHA256:1CF1841D43767FE2F28A4E2994FE77488D232EBEC3FC4CDE3DCEF106A5274BC8

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

132

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6352	File.exe	POST	—	109.120.176.203:80	http://109.120.176.203/api/twofish.php	unknown	—	—	unknown
6352	File.exe	GET	200	109.120.176.203:80	http://109.120.176.203/api/crazyfish.php	unknown	—	—	malicious
6352	File.exe	POST	—	109.120.176.203:80	http://109.120.176.203/api/twofish.php	unknown	—	—	unknown
6352	File.exe	POST	—	109.120.176.203:80	http://109.120.176.203/api/twofish.php	unknown	—	—	unknown
6352	File.exe	POST	—	109.120.176.203:80	http://109.120.176.203/api/twofish.php	unknown	—	—	unknown
6352	File.exe	POST	—	109.120.176.203:80	http://109.120.176.203/api/twofish.php	unknown	—	—	unknown
1816	File.exe	GET	200	142.250.185.195:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
1816	File.exe	GET	200	104.18.21.226:80	http://ocsp2.globalsign.com/rootr5/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQiD0S5cIHyfrLTJ1fvAkJWflH%2B2QQUPeYpSJvqB8ohREom3m7e0oPQn1kCDQHuXyKVQkkF%2BQGRqNw%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D	unknown	—	—	whitelisted
1816	File.exe	GET	200	104.18.21.226:80	http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDHmsXXQgoaZQ4a3ukw%3D%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6200	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4288	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
6012	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	184.86.251.16:443	—	Akamai International B.V.	DE	unknown
4204	svchost.exe	4.209.33.156:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4288	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4140	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	216.58.206.78	whitelisted
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
login.live.com	40.126.31.73 20.190.159.64 20.190.159.4 20.190.159.0 40.126.31.71 40.126.31.67 20.190.159.73 20.190.159.23	whitelisted
www.bing.com	2.23.209.136 2.23.209.133 2.23.209.189 2.23.209.182 2.23.209.192 2.23.209.135 2.23.209.186 2.23.209.185 2.23.209.183 2.23.209.175	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted
fe3cr.delivery.mp.microsoft.com	20.166.126.56	whitelisted
arc.msn.com	20.103.156.88	whitelisted

Threats

PID	Process	Class	Message
6352	File.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
6352	File.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6352	File.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
2284	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6352	File.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
6352	File.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
6352	File.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
6352	File.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
6352	File.exe	A Network Trojan was detected	LOADER [ANY.RUN] PrivateLoader Check-in
1816	File.exe	Device Retrieving External IP Address Detected	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)

Add for printing

No debug info

General Info

archive.zip

1C4D4C0E6F6A93464E453FF974082DEE

B03EB716EE3FA8CD6FD13D801C53FFFAEE6DD615

A04DD35B68FE732930D0D22D08020374FF6AF450A91231EB7DE4BAAFA3F4E00E

98304:/sm68/oADb9YruubYbyGSs81bG/ZS9wmDQPkIAyubijWojdeKq0oYOQBveJ6fVz0:3EwbG8MgJb7r4oUpfpX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the Windows auto-update feature

Actions looks like stealing of personal data

Connects to the CnC server

PRIVATELOADER has been detected (YARA)

PRIVATELOADER has been detected (SURICATA)

VIDAR has been detected (YARA)

REDLINE has been detected (YARA)

SUSPICIOUS

The process drops C-runtime libraries

Process drops legitimate windows executable

Checks for external IP

Connects to the server without a host name

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Potential Corporate Privacy Violation

Connects to unusual port

The process drops Mozilla's DLL files

INFO

Executable content was dropped or overwritten

Checks supported languages

Manual execution by a user

Reads the software policy settings

Reads the computer name

Process checks computer location settings

Reads the machine GUID from the registry

Checks proxy server information

Creates files or folders in the user directory

.NET Reactor protector has been detected

Creates files in the program directory

Malware configuration

RedLine

Vidar

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Malware configuration

Vidar

Information

Information

Information

Information

Information

Information

Malware configuration

RedLine

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings