File name:

Fud Crypter.rar

Full analysis: https://app.any.run/tasks/405348b5-f87e-4175-bab2-ebbc3ae8c59c
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: October 03, 2018, 10:23:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
miner
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

802F5927EBC3159455320DD8D9033F18

SHA1:

FCE14A2FBDB652533438C775FEF72C5E3B92C4B2

SHA256:

AA7F23114421EACBE9002815CBF55AED60085756C8BBCEC1CEAB22E5563A0F54

SSDEEP:

98304:y6Kz2cSPRLLChMclEAhAokPc2IlYm3Qw5vJVipNYPhkr5g1byFHWEdxspf6GX:mzePlhclE4uwhJVi3wki14fKfjX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • Fud Crypter.exe (PID: 2480)
      • e5b67245745g7.exe (PID: 116)
      • Protected.exe (PID: 1672)
      • svchost.exe (PID: 3304)
      • micro.exe (PID: 3600)
      • MR1.exe (PID: 3208)
      • micro.exe (PID: 2604)

    • Uses Task Scheduler to run other applications

      • e5b67245745g7.exe (PID: 116)
      • micro.exe (PID: 3600)
      • MR1.exe (PID: 3208)
      • micro.exe (PID: 2604)

    • Known privilege escalation attack

      • e5b67245745g7.exe (PID: 116)
      • micro.exe (PID: 3600)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3096)
      • schtasks.exe (PID: 2052)
      • schtasks.exe (PID: 3684)
      • schtasks.exe (PID: 3904)

    • Application was dropped or rewritten from another process

      • Fud Crypter.exe (PID: 2480)
      • e5b67245745g7.exe (PID: 116)
      • Fud Crypter.exe (PID: 4080)
      • MR1.sfx.exe (PID: 956)
      • Protected.exe (PID: 1672)
      • MR1.exe (PID: 3208)
      • svchost.exe (PID: 3304)
      • micro.exe (PID: 3600)
      • micro.exe (PID: 2604)
      • micro.exe (PID: 1152)
      • QVYUYKMBT.exe (PID: 2572)
      • svchost.exe (PID: 1768)
      • svchost.exe (PID: 3824)
      • SystemProcess.exe (PID: 3376)
      • fjnytwzajsyp.exe (PID: 2364)
      • efcqtcwxqcnu.exe (PID: 628)
      • Stub.exe (PID: 272)

    • MINER was detected

      • QVYUYKMBT.exe (PID: 2572)

    • Connects to CnC server

      • QVYUYKMBT.exe (PID: 2572)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2848)
      • e5b67245745g7.exe (PID: 116)
      • MR1.sfx.exe (PID: 956)
      • Fud Crypter.exe (PID: 2480)
      • Protected.exe (PID: 1672)
      • svchost.exe (PID: 3304)
      • micro.exe (PID: 3600)
      • MR1.exe (PID: 3208)

    • Creates executable files which already exist in Windows

      • Fud Crypter.exe (PID: 2480)

    • Creates files in the user directory

      • e5b67245745g7.exe (PID: 116)
      • Protected.exe (PID: 1672)
      • svchost.exe (PID: 3304)
      • svchost.exe (PID: 3824)

    • Modifies the open verb of a shell class

      • e5b67245745g7.exe (PID: 116)
      • micro.exe (PID: 3600)

    • Connects to unusual port

      • QVYUYKMBT.exe (PID: 2572)
      • RegAsm.exe (PID: 3856)

    • Application launched itself

      • svchost.exe (PID: 3304)
      • svchost.exe (PID: 1768)

    • Uses NETSH.EXE for network configuration

      • RegAsm.exe (PID: 3856)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
76
Monitored processes
31
Malicious processes
7
Suspicious processes
3

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start winrar.exe fud crypter.exe e5b67245745g7.exe mr1.sfx.exe protected.exe svchost.exe micro.exe schtasks.exe no specs fud crypter.exe no specs eventvwr.exe no specs mr1.exe schtasks.exe no specs eventvwr.exe no specs schtasks.exe no specs #MINER qvyuykmbt.exe eventvwr.exe eventvwr.exe micro.exe no specs micro.exe schtasks.exe no specs regasm.exe regsvcs.exe no specs svchost.exe no specs regasm.exe no specs svchost.exe no specs netsh.exe no specs regasm.exe no specs systemprocess.exe no specs fjnytwzajsyp.exe no specs efcqtcwxqcnu.exe no specs stub.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Users\admin\AppData\Local\Temp\e5b67245745g7.exe" C:\Users\admin\AppData\Local\Temp\e5b67245745g7.exe
Fud Crypter.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\e5b67245745g7.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
184"C:\Windows\System32\eventvwr.exe" C:\Windows\System32\eventvwr.exe
e5b67245745g7.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Event Viewer Snapin Launcher
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\eventvwr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
272"C:\Users\admin\Desktop\Stub.exe" C:\Users\admin\Desktop\Stub.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
364netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLEC:\Windows\system32\netsh.exeRegAsm.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
544"C:\Windows\System32\eventvwr.exe" C:\Windows\System32\eventvwr.exe
micro.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Event Viewer Snapin Launcher
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\eventvwr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
628C:\Users\admin\AppData\Roaming\altywgkwcyds\efcqtcwxqcnu.exe C:\Users\admin\AppData\Roaming\altywgkwcyds\efcqtcwxqcnu.exetaskeng.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
648"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exemicro.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
2.0.50727.5420 (Win7SP1.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
956"C:\Users\admin\AppData\Local\Temp\MR1.sfx.exe" C:\Users\admin\AppData\Local\Temp\MR1.sfx.exe
Fud Crypter.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\mr1.sfx.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1152"C:\Users\admin\AppData\Local\Temp\micro.exe" C:\Users\admin\AppData\Local\Temp\micro.exeeventvwr.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\micro.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
1672"C:\Users\admin\AppData\Local\Temp\Protected.exe" C:\Users\admin\AppData\Local\Temp\Protected.exe
Fud Crypter.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\protected.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
Total events
2 347
Read events
2 277
Write events
70
Delete events
0

Modification events

(PID) Process:(2848) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2848) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2848) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2848) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Fud Crypter.rar
(PID) Process:(2848) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2848) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2848) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2848) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2848) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
(PID) Process:(2848) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\AppData\Local\Temp
Executable files
16
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2480Fud Crypter.exeC:\Users\admin\AppData\Local\Temp\e5b67245745g7.exeexecutable
MD5:
SHA256:
2480Fud Crypter.exeC:\Users\admin\AppData\Local\Temp\MR1.sfx.exeexecutable
MD5:
SHA256:
2480Fud Crypter.exeC:\Users\admin\AppData\Local\Temp\qrolwcqwmirl\shecqvqdatxd.exeexecutable
MD5:AFC3DF9298AD5EBC0BB2F859756DC820
SHA256:F6ED70139F90E52944CF1B8B7408156A3F7D04DDFBD9B94454CE48B853B21F8A
2480Fud Crypter.exeC:\Users\admin\AppData\Local\Temp\Protected.exeexecutable
MD5:
SHA256:
2480Fud Crypter.exeC:\Users\admin\AppData\Local\Temp\svchost.exeexecutable
MD5:
SHA256:
956MR1.sfx.exeC:\Users\admin\AppData\Local\Temp\MR1.exeexecutable
MD5:
SHA256:
2480Fud Crypter.exeC:\Users\admin\AppData\Local\Temp\micro.exeexecutable
MD5:
SHA256:
116e5b67245745g7.exeC:\Users\admin\AppData\Roaming\altywgkwcyds\efcqtcwxqcnu.exeexecutable
MD5:
SHA256:
2480Fud Crypter.exeC:\Users\admin\AppData\Local\Temp\Fud Crypter.exeexecutable
MD5:
SHA256:
3304svchost.exeC:\Users\admin\AppData\Roaming\nrnfwqlfhblf\kqxyjtttdesb.exeexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
4

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3856
RegAsm.exe
88.13.144.181:5553
prueba0.hopto.org
Telefonica De Espana
ES
malicious
2572
QVYUYKMBT.exe
94.130.12.27:3333
pool.supportxmr.com
Hetzner Online GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
pool.supportxmr.com
  • 94.130.12.27
  • 94.130.12.30
  • 178.63.100.197
suspicious
prueba0.hopto.org
  • 88.13.144.181
malicious

Threats

PID
Process
Class
Message
2572
QVYUYKMBT.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
2572
QVYUYKMBT.exe
Misc activity
SUSPICIOUS [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login
2572
QVYUYKMBT.exe
Misc activity
SUSPICIOUS [PTsecurity] Riskware/CoinMiner JSON_RPC Response
2572
QVYUYKMBT.exe
Misc activity
SUSPICIOUS [PTsecurity] Risktool.W32.coinminer!c
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Fud Crypter.rar