File name: Eziriz .NET Reactor 6.8.0.rar
Full analysis: https://app.any.run/tasks/cf0f834e-8b20-4ef5-9276-ced298adcadf
Verdict: Malicious activity
Analysis date: May 21, 2022, 07:24:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 5A60B830657E94AF29DC192940B07F50
SHA1: 3BE35B1F66DB91F9773ADBB3200A50F04E1EFEA8
SHA256: A3AE0AD73C9ACF359D76999B5082D33F599BAEB1A39EB69ADCD4EA43BAFE4E94
SSDEEP: 393216:eJYk7hditOx6YYPmCKyUTFXBVR1GR8/bJNrz:eYk7icQ9mCKFBXxbDz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after start
      • WinRAR.exe (PID: 3388)
    • Application was dropped or rewritten from another process
      • dotNET_Reactor.exe (PID: 3540)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3604)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 3388)
      • dotNET_Reactor.exe (PID: 3540)
    • Checks supported languages
      • WinRAR.exe (PID: 3388)
      • dotNET_Reactor.exe (PID: 3540)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3388)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 3388)
    • Creates files in the user directory
      • dotNET_Reactor.exe (PID: 3540)
  • INFO
    • Manual execution by user
      • dotNET_Reactor.exe (PID: 3540)
    • Reads the computer name
      • WISPTIS.EXE (PID: 3352)
    • Checks supported languages
      • WISPTIS.EXE (PID: 3352)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 40
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the graph: winrar.exe, dotnet_reactor.exe, searchprotocolhost.exe, wisptis.exe, wisptis.exe

Process information

PID: 3388
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\666fa86e-d88b-4c56-b35a-6cdb7d15cd30.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3540
CMD: "C:\Users\admin\Desktop\Eziriz .NET Reactor 6.8.0\dotNET_Reactor.exe"
Path: C:\Users\admin\Desktop\Eziriz .NET Reactor 6.8.0\dotNET_Reactor.exe
Parent process: Explorer.EXE
User: admin
Company: EZIRIZ
Integrity Level: MEDIUM
Description: .NET Reactor
Version: 6.8.0.0

PID: 3604
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 900
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\SYSTEM32\WISPTIS.EXE
Parent process: dotNET_Reactor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Pen and Touch Input Component
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3352
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\SYSTEM32\WISPTIS.EXE
Parent process: dotNET_Reactor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Pen and Touch Input Component
Exit code: 24
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 793
Read events: 2 703
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 78
Suspicious files: 29
Text files: 188
Unknown types: 2

Dropped files

PID: 3388 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3388.2565\Eziriz .NET Reactor 6.8.0\dotNET_Reactor.Console.exe
Type: executable
MD5: 84D5568047C37A9CB014A2589F627FBE
SHA256: 851B8036BEB2FE21C0BAD3BFC4F1B25F61CA3C89ED2CBAB086EA3DF2F73A3586

PID: 3388 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3388.2565\Eziriz .NET Reactor 6.8.0\SDK\Binaries\StackTraceDeobfuscator.dll.txt
Type: text
MD5: E579A9E8D642D6E554EAD4D722F90A58
SHA256: 03CCE62E4FFD3907FF6522A2B0863C4934B76EE06FA8F165DF25DE00657F6C01

PID: 3388 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3388.2565\Eziriz .NET Reactor 6.8.0\SDK\Binaries\License.dll.txt
Type: text
MD5: FBC41C51D8E3124A1A5E431A57E7A9DF
SHA256: 2A861D2C203453EECA9F4D3C16C7FB3CF7711A71A230F330CFF79C5A7291FD0E

PID: 3388 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3388.2565\Eziriz .NET Reactor 6.8.0\.NET Reactor SDK Test Apps\License Examination Windows Forms\VB.NET\SDK_TestApp\bin\Release\LicenseExamination_Secure\LicenseExamination.exe
Type: executable
MD5: D09FE35EAF7FD817B743CE6046C2A172
SHA256: E908D8EE45D2DEA6B0B0BE106262C74C5051E217C5DB8EFC45B1710411B0C4D8

PID: 3388 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3388.2565\Eziriz .NET Reactor 6.8.0\.NET Reactor SDK Test Apps\License Examination .NET Core Console\C#\LicenseExamination\bin\Release\netcoreapp3.0\LicenseExamination.exe
Type: executable
MD5: 50E4CC3A51066FCC856F06B7C55E95F0
SHA256: 60EDB81934B6A5995FE96979184716FDC57243307FBE43AFB7A6601B2926CF86

PID: 3388 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3388.2565\Eziriz .NET Reactor 6.8.0\VSPackage\17\[Content_Types].xml
Type: xml
MD5: 6D509405F78992D7B6549E82A58D978A
SHA256: 2103094BE12ABA4C2A3E3CC234A1E40A967983636F67CC539D68520A7A4D3742

PID: 3388 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3388.2565\Eziriz .NET Reactor 6.8.0\.NET Reactor SDK Test Apps\License Examination Windows Forms\VB.NET\SDK_TestApp\bin\Release\LicenseExamination.exe
Type: executable
MD5: 58AC86B2CE7B6C33F47F795B0EDBA8CA
SHA256: 7EEFF2D7498313C89254A0B0A804B223B7F0DD94F1724C82404FD3F291057703

PID: 3388 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3388.2565\Eziriz .NET Reactor 6.8.0\.NET Reactor SDK Test Apps\Customizeable MessageBox Windows Forms\VB.NET\VS2012\bin\MyMessageBox.exe
Type: executable
MD5: 6B4D9AFAA4B54206F7268CB10095B7A9
SHA256: BE0FBECF07D1A86B853D192C912EDF1748ACB650A00BD6F0DD9E3D43362BFE1A

PID: 3388 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3388.2565\Eziriz .NET Reactor 6.8.0\VSPackage\16\[Content_Types].xml
Type: xml
MD5: EB2A6F6183149485432478C6BBFE8D82
SHA256: 80E58A3FCE2F285C9B3DB607A4EB57F79FEE2B800E20738E02320ABFBD075245

PID: 3388 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3388.2565\Eziriz .NET Reactor 6.8.0\.NET Reactor SDK Test Apps\License Examination Windows Forms\C#\SDK_TestApp\bin\Release\LicenseExamination_Secure\LicenseExamination.exe
Type: executable
MD5: 3F09D2B76FAD3A2C441298A234C4E3BD
SHA256: 1AC098A76FF7BE36F40BD4FD71B736577834A073047CA290FD875BD83911BCF2
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected
Debug info: No debug info