File name: Swift Copy.gz
Full analysis: https://app.any.run/tasks/6421ad80-f674-4f6f-b46a-99ca4f63cc83
Verdict: Malicious activity
Analysis date: April 15, 2019, 15:00:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: DFE1E69F97BEA0D3CA7140FAB2BFA553
SHA1: EA59C0BC9D4C3441FDA2829F87957FB6F13C8917
SHA256: A565A1C5748808FECF9F692B0EEF5F3EC47A37A8A973DCE43EF694769E4AD0F8
SSDEEP: 3072:RkAwMmEquxSKs8XWiO3/HMgzBrqLvX3pHsMs1LvEVVAFfliY:RkWFqhrHTzBGLnpM11AVVAFMY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Swift Copy.bat (PID: 2668)
      • Swift Copy.bat (PID: 2176)
      • Swift Copy.bat (PID: 3548)
  • SUSPICIOUS
    • Suspicious files were dropped or overwritten
      • WinRAR.exe (PID: 3864)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3864)
    • Starts application with an unusual extension
      • WinRAR.exe (PID: 3864)
      • Swift Copy.bat (PID: 2176)
    • Application launched itself
      • Swift Copy.bat (PID: 2176)
  • INFO
    • No info indicators.
Malware configuration: none extracted.

TRiD:
  .rar | RAR compressed archive (v5.0) (61.5)
  .rar | RAR compressed archive (gen) (38.4)

Static information: No data.
Total processes: 34
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive view only in the full report; edges recovered from the graph text):
  winrar.exe -> swift copy.bat (drop and start)
  winrar.exe -> swift copy.bat (drop and start)
  swift copy.bat -> swift copy.bat (start)
The three swift copy.bat nodes are marked "no specs".

Process information

PID 3864
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Swift Copy.gz.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2176
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa3864.44531\Swift Copy.bat"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa3864.44531\Swift Copy.bat
  Parent process: WinRAR.exe
  User: admin
  Company: eggyhot
  Integrity Level: MEDIUM
  Exit code: 0
  Version: 1.05.0001

PID 2668
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$DIa3864.47043\Swift Copy.bat"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa3864.47043\Swift Copy.bat
  Parent process: WinRAR.exe
  User: admin
  Company: eggyhot
  Integrity Level: MEDIUM
  Version: 1.05.0001

PID 3548
  CMD (as captured): C:\Users\admin\AppData\Local\Temp\Rar$DIa3864.44531\Swift Copy.bat"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$DIa3864.44531\Swift Copy.bat
  Parent process: Swift Copy.bat
  User: admin
  Company: eggyhot
  Integrity Level: MEDIUM
  Version: 1.05.0001
Total events: 437
Read events: 423
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 3864 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa3864.44531\Swift Copy.bat
  Type: executable
  MD5: 49E578B33B52E0FF0347340F360DC2F5
  SHA256: A748982219910CA0B9ED9509EADB85098405B2DFF57D438403BCCB9F7868D2C4

PID 3864 (WinRAR.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa3864.47043\Swift Copy.bat
  Type: executable
  MD5: 49E578B33B52E0FF0347340F360DC2F5
  SHA256: A748982219910CA0B9ED9509EADB85098405B2DFF57D438403BCCB9F7868D2C4
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data

DNS requests: No data

Threats: No threats detected

Debug info: No debug info