File name: OqMineBot (1).zip

Full analysis: https://app.any.run/tasks/9d3f8a63-cf9f-4b02-a8a6-4f4a05f7f097
Verdict: Malicious activity
Analysis date: January 09, 2024, 10:12:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 3D4686AACB24DC781E4E17D1437B1BCB
SHA1: 7F79670780A520DDCECDB1170EA581D69DCF28E1
SHA256: A86DB50C3C8FA525D417BC43E3FD0C88D414536DA77B469603DFA66FE8F5E051
SSDEEP: 98304:QJMrTWxgO8i4T49qYcYWDiLV3W9yJn9MUjGYRWOy74tmBdrQcSaNyzIjug/F04ba:FHOvM5poH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads settings of System Certificates
      • OQ.MineBot.GUI.exe (PID: 572)
    • Reads the Internet Settings
      • OQ.MineBot.GUI.exe (PID: 572)
  • INFO
    • Manual execution by a user
      • OQ.MineBot.GUI.exe (PID: 572)
    • Checks supported languages
      • OQ.MineBot.GUI.exe (PID: 572)
    • Process drops legitimate windows executable
      • WinRAR.exe (PID: 2040)
    • Reads the machine GUID from the registry
      • OQ.MineBot.GUI.exe (PID: 572)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 2040)
    • Reads the computer name
      • OQ.MineBot.GUI.exe (PID: 572)
    • Reads product name
      • OQ.MineBot.GUI.exe (PID: 572)
    • Reads Environment values
      • OQ.MineBot.GUI.exe (PID: 572)
    • Create files in a temporary directory
      • OQ.MineBot.GUI.exe (PID: 572)
    • Connects to unusual port
      • OQ.MineBot.GUI.exe (PID: 572)
    • Creates files or folders in the user directory
      • OQ.MineBot.GUI.exe (PID: 572)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:10:06 23:45:56
ZipCRC: 0x46a327ea
ZipCompressedSize: 43817
ZipUncompressedSize: 103424
ZipFileName: Antlr3.Runtime.dll
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> winrar.exe (no specs)
start -> oq.minebot.gui.exe

Process information

PID: 572
CMD: "C:\Users\admin\Desktop\minebot\OQ.MineBot.GUI.exe"
Path: C:\Users\admin\Desktop\minebot\OQ.MineBot.GUI.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: OQ.MineBot
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\desktop\minebot\oq.minebot.gui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2040
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OqMineBot (1).zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll
Total events: 5 838
Read events: 5 779
Write events: 59
Delete events: 0

Modification events

(PID) Process: (2040) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\Desktop
Executable files: 34
Suspicious files: 8
Text files: 2
Unknown types: 0

Dropped files

PID: 2040 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Microsoft.Expression.Effects.dll
Type: executable
MD5: 18DB3E02D95A16FD502C7C091C0361D9
SHA256: 34843CFEA24B713B1B5FD9A93C61D7C6D3FA320DBB84DF60D9D48C5560C79452

PID: 2040 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\DotNetZip.dll
Type: executable
MD5: 2AC40DA17C4AC9DF4A8701FAF3913A52
SHA256: 46BF5F182875F53994B6BEE810570F85B2B39643C27EBBEE77CE554B1E3B6ED4

PID: 2040 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Antlr3.Runtime.dll
Type: executable
MD5: 5ACB491598310E1B9CB515EAC15221F9
SHA256: AA0624C73874768AF59260568B91BA8EB7C9EA5BB4BDB3F3E7767B61C8D0FEEE

PID: 2040 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Newtonsoft.Json.dll
Type: executable
MD5: A94583EE47F673118B0BF822BF8E425D
SHA256: 030E739CBA60C3B4604EE1574497AEBC892B7CEB0CE44DD39FD1EF7767A2F134

PID: 2040 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\MahApps.Metro.dll
Type: executable
MD5: 81A8F81E7745275B6A95358CA8F23CB6
SHA256: 2321D559FC2BB4BE2B7D8A12425836D357FFA36B4B1F171F978B52C6EEBD9B1C

PID: 2040 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\NCalc.dll
Type: executable
MD5: 8FE3C9B031FB8F581014046C1ABEEFDA
SHA256: 7F48487D0FEDBFD70C00293C6C1559BD17CEFC0CBE6F08AE8F089096BA8847CE

PID: 2040 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\ControlzEx.dll
Type: executable
MD5: 5CF2837021516334344629CB679D40B5
SHA256: 55CAE0AF8517AC2D787B210AC6F79C9AAC7F58035B69FAAF620A90F33E2676FC

PID: 2040 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\OQ.MineBot.GUI.exe
Type: executable
MD5: FC604EE513BF176D423990884623FC4C
SHA256: 7ED3769A3683561B43F0EFD798C74952F585FA5CBF956AB1C1F20D43033ED130

PID: 2040 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Heijden.Dns.dll
Type: executable
MD5: 578C3CB949BC8FC0CCAB2318A7163B47
SHA256: 577707E4B92DD0ECCB8DD8E40A48C78BBD7737E1BC1D8291BDF1433DA5824F51

PID: 2040 | Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Microsoft.Expression.Drawing.dll
Type: executable
MD5: 5BD39A82AACF1AA423E6EEEEDA696EEA
SHA256: 1D69EAF538008E0FE1A7EB2CE0124A49B95C491797749640C8351ED4643F5C97
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 2
Threats: 0

HTTP requests

PID: 572
Process: OQ.MineBot.GUI.exe
Method: GET
HTTP Code: 200
IP: 23.53.40.32:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?517f005e14f6813f
CN: unknown
Type: compressed
Size: 65.2 Kb
Reputation: unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
572 | OQ.MineBot.GUI.exe | 144.217.162.188:49248 | app.host.minecraftbot.com | OVH SAS | CA | unknown
572 | OQ.MineBot.GUI.exe | 23.53.40.32:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown

DNS requests

Domain: app.host.minecraftbot.com
IP:
  • 144.217.162.188
Reputation: unknown

Domain: ctldl.windowsupdate.com
IP:
  • 23.53.40.32
  • 23.53.40.73
  • 23.53.40.49
  • 23.53.40.41
  • 23.53.40.19
  • 23.53.40.58
Reputation: whitelisted

Threats

No threats detected
No debug info