File name: OqMineBot (1).zip
Full analysis: https://app.any.run/tasks/9d3f8a63-cf9f-4b02-a8a6-4f4a05f7f097
Verdict: Malicious activity
Analysis date: January 09, 2024, 10:12:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 3D4686AACB24DC781E4E17D1437B1BCB
SHA1: 7F79670780A520DDCECDB1170EA581D69DCF28E1
SHA256: A86DB50C3C8FA525D417BC43E3FD0C88D414536DA77B469603DFA66FE8F5E051
SSDEEP: 98304:QJMrTWxgO8i4T49qYcYWDiLV3W9yJn9MUjGYRWOy74tmBdrQcSaNyzIjug/F04ba:FHOvM5poH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads settings of System Certificates

      • OQ.MineBot.GUI.exe (PID: 572)
    • Reads the Internet Settings

      • OQ.MineBot.GUI.exe (PID: 572)
  • INFO

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2040)
    • Manual execution by a user

      • OQ.MineBot.GUI.exe (PID: 572)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2040)
    • Checks supported languages

      • OQ.MineBot.GUI.exe (PID: 572)
    • Reads the computer name

      • OQ.MineBot.GUI.exe (PID: 572)
    • Reads Environment values

      • OQ.MineBot.GUI.exe (PID: 572)
    • Reads the machine GUID from the registry

      • OQ.MineBot.GUI.exe (PID: 572)
    • Reads product name

      • OQ.MineBot.GUI.exe (PID: 572)
    • Create files in a temporary directory

      • OQ.MineBot.GUI.exe (PID: 572)
    • Connects to unusual port

      • OQ.MineBot.GUI.exe (PID: 572)
    • Creates files or folders in the user directory

      • OQ.MineBot.GUI.exe (PID: 572)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:10:06 23:45:56
ZipCRC: 0x46a327ea
ZipCompressedSize: 43817
ZipUncompressedSize: 103424
ZipFileName: Antlr3.Runtime.dll
No data.
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process graph not reproduced here; nodes shown: start, winrar.exe (no specs), oq.minebot.gui.exe)

Process information

PID: 572
CMD: "C:\Users\admin\Desktop\minebot\OQ.MineBot.GUI.exe"
Path: C:\Users\admin\Desktop\minebot\OQ.MineBot.GUI.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: OQ.MineBot
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\desktop\minebot\oq.minebot.gui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2040
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OqMineBot (1).zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll
Total events: 5 838
Read events: 5 779
Write events: 59
Delete events: 0

Modification events

PID (Process) | Operation | Key | Name | Value
2040 (WinRAR.exe) | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US
2040 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
2040 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\phacker.zip
2040 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
2040 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
2040 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2040 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2040 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2040 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2040 (WinRAR.exe) | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
Executable files: 34
Suspicious files: 8
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2040 | WinRAR.exe | C:\Users\admin\Desktop\ControlzEx.dll | executable
  MD5: 5CF2837021516334344629CB679D40B5
  SHA256: 55CAE0AF8517AC2D787B210AC6F79C9AAC7F58035B69FAAF620A90F33E2676FC
2040 | WinRAR.exe | C:\Users\admin\Desktop\MahApps.Metro.dll | executable
  MD5: 81A8F81E7745275B6A95358CA8F23CB6
  SHA256: 2321D559FC2BB4BE2B7D8A12425836D357FFA36B4B1F171F978B52C6EEBD9B1C
2040 | WinRAR.exe | C:\Users\admin\Desktop\Microsoft.Expression.Drawing.dll | executable
  MD5: 5BD39A82AACF1AA423E6EEEEDA696EEA
  SHA256: 1D69EAF538008E0FE1A7EB2CE0124A49B95C491797749640C8351ED4643F5C97
2040 | WinRAR.exe | C:\Users\admin\Desktop\OQ.MineBot.GUI.exe | executable
  MD5: FC604EE513BF176D423990884623FC4C
  SHA256: 7ED3769A3683561B43F0EFD798C74952F585FA5CBF956AB1C1F20D43033ED130
2040 | WinRAR.exe | C:\Users\admin\Desktop\Newtonsoft.Json.dll | executable
  MD5: A94583EE47F673118B0BF822BF8E425D
  SHA256: 030E739CBA60C3B4604EE1574497AEBC892B7CEB0CE44DD39FD1EF7767A2F134
2040 | WinRAR.exe | C:\Users\admin\Desktop\Microsoft.Expression.Interactions.dll | executable
  MD5: 3034CC0D5CF3731ED90153AA616F3F59
  SHA256: 63CD5E8A60D77D1007352538A4285C60C0C3EFB9C771035589105A284E4F63A9
2040 | WinRAR.exe | C:\Users\admin\Desktop\NCalc.dll | executable
  MD5: 8FE3C9B031FB8F581014046C1ABEEFDA
  SHA256: 7F48487D0FEDBFD70C00293C6C1559BD17CEFC0CBE6F08AE8F089096BA8847CE
2040 | WinRAR.exe | C:\Users\admin\Desktop\DotNetZip.dll | executable
  MD5: 2AC40DA17C4AC9DF4A8701FAF3913A52
  SHA256: 46BF5F182875F53994B6BEE810570F85B2B39643C27EBBEE77CE554B1E3B6ED4
2040 | WinRAR.exe | C:\Users\admin\Desktop\BouncyCastle.Crypto.dll | executable
  MD5: 30ACE632FCDBC1756F18C8209C166166
  SHA256: 6E948EC95AD1CB07DB92853794FEA8C022FCD632E81D4F4B33EB6708A5E6AC31
2040 | WinRAR.exe | C:\Users\admin\Desktop\MinecraftIds.exe | executable
  MD5: 8D99FCB73A9452FCC1B2EA473E0FC251
  SHA256: CB7B0A8467C9963712942D96D854D14A8DDB52DE3692AF1EA749121C02BD8229
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 2
Threats: 0

HTTP requests

PID: 572
Process: OQ.MineBot.GUI.exe
Method: GET
HTTP Code: 200
IP: 23.53.40.32:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?517f005e14f6813f
CN: unknown
Type: compressed
Size: 65.2 Kb
Reputation: unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
572 | OQ.MineBot.GUI.exe | 144.217.162.188:49248 | app.host.minecraftbot.com | OVH SAS | CA | unknown
572 | OQ.MineBot.GUI.exe | 23.53.40.32:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
app.host.minecraftbot.com | 144.217.162.188 | unknown
ctldl.windowsupdate.com | 23.53.40.32, 23.53.40.73, 23.53.40.49, 23.53.40.41, 23.53.40.19, 23.53.40.58 | whitelisted

Threats

No threats detected
No debug info