File name:

Loader.rar

Full analysis: https://app.any.run/tasks/c009331b-1bd8-414a-95b2-1b66e9c2aee4
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 01, 2023, 07:24:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
vidar
trojan
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

8AF9853E0873FE2FE64B8F52A6E109A4

SHA1:

050B6E12CA1B130FCD80ADE2E73AE9D68124C18B

SHA256:

AAB8B8B86154F7BDA5D61A60C6CF430489B5C897C1B5EE126DC87F009E465DBE

SSDEEP:

12288:6aFW5Uvta4t148qjRUg5MyQsZI4C9gBjgPoj:6aU5Yc8x6MyJnmy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • AppLaunch.exe (PID: 4036)

    • VIDAR was detected

      • AppLaunch.exe (PID: 4036)

    • Connects to the CnC server

      • AppLaunch.exe (PID: 4036)

    • Actions looks like stealing of personal data

      • AppLaunch.exe (PID: 4036)

  • SUSPICIOUS

    • Reads the Internet Settings

      • AppLaunch.exe (PID: 4036)

    • Reads settings of System Certificates

      • AppLaunch.exe (PID: 4036)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • AppLaunch.exe (PID: 4036)

    • Executable content was dropped or overwritten

      • AppLaunch.exe (PID: 4036)

    • Checks Windows Trust Settings

      • AppLaunch.exe (PID: 4036)

    • Reads security settings of Internet Explorer

      • AppLaunch.exe (PID: 4036)

    • Searches for installed software

      • AppLaunch.exe (PID: 4036)

    • Connects to the server without a host name

      • AppLaunch.exe (PID: 4036)

    • Reads browser cookies

      • AppLaunch.exe (PID: 4036)

  • INFO

    • Checks supported languages

      • Loader.exe (PID: 3660)
      • AppLaunch.exe (PID: 4036)

    • Reads CPU info

      • AppLaunch.exe (PID: 4036)

    • Reads the computer name

      • AppLaunch.exe (PID: 4036)

    • Reads the machine GUID from the registry

      • AppLaunch.exe (PID: 4036)

    • Checks proxy server information

      • AppLaunch.exe (PID: 4036)

    • The process checks LSA protection

      • AppLaunch.exe (PID: 4036)

    • Creates files or folders in the user directory

      • AppLaunch.exe (PID: 4036)

    • Creates files in the program directory

      • AppLaunch.exe (PID: 4036)

    • Reads Environment values

      • AppLaunch.exe (PID: 4036)

    • Reads product name

      • AppLaunch.exe (PID: 4036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs loader.exe #VIDAR applaunch.exe

Process information

PID
CMD
Path
Indicators
Parent process
2368"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Loader.rar"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
3660"C:\Users\admin\AppData\Local\Temp\Rar$EXa2368.33745\Loader.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2368.33745\Loader.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2368.33745\loader.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
4036"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET ClickOnce Launch Utility
Exit code:
0
Version:
4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
Total events
13 472
Read events
13 388
Write events
84
Delete events
0

Modification events

(PID) Process:(2368) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2368) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(2368) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(2368) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(2368) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2368) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2368) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2368) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2368) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2368) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
16
Suspicious files
16
Text files
4
Unknown types
24

Dropped files

PID
Process
Filename
Type
2368WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2368.33745\Loader.exe
MD5:
SHA256:
4036AppLaunch.exeC:\ProgramData\07970882986416969764273147
MD5:
SHA256:
4036AppLaunch.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dbinary
MD5:
SHA256:
4036AppLaunch.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2Dder
MD5:
SHA256:
4036AppLaunch.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771der
MD5:
SHA256:
4036AppLaunch.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30der
MD5:
SHA256:
4036AppLaunch.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30binary
MD5:
SHA256:
4036AppLaunch.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:
SHA256:
4036AppLaunch.exeC:\ProgramData\vcruntime140.dllexecutable
MD5:A37EE36B536409056A86F50E67777DD7
SHA256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
4036AppLaunch.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
6
DNS requests
5
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4036
AppLaunch.exe
GET
200
192.124.249.36:80
http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCxJlJbiuuimg%3D%3D
US
der
1.74 Kb
whitelisted
4036
AppLaunch.exe
POST
200
78.47.168.170:80
http://78.47.168.170/
DE
text
98 b
malicious
4036
AppLaunch.exe
GET
200
78.47.168.170:80
http://78.47.168.170/
DE
text
182 b
malicious
4036
AppLaunch.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
4036
AppLaunch.exe
GET
200
192.124.249.36:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
4036
AppLaunch.exe
GET
200
78.47.168.170:80
http://78.47.168.170/steam.zip
DE
compressed
2.56 Mb
malicious
4036
AppLaunch.exe
GET
200
192.124.249.36:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
4036
AppLaunch.exe
GET
200
178.79.242.11:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c1c447dbddf645e2
DE
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4036
AppLaunch.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
malicious
4036
AppLaunch.exe
178.79.242.11:80
ctldl.windowsupdate.com
LLNW
DE
suspicious
4036
AppLaunch.exe
192.124.249.36:80
ocsp.godaddy.com
SUCURI-SEC
US
suspicious
4036
AppLaunch.exe
78.47.168.170:80
Hetzner Online GmbH
DE
malicious
4036
AppLaunch.exe
162.159.134.233:443
cdn.discordapp.com
CLOUDFLARENET
shared
4036
AppLaunch.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
t.me
  • 149.154.167.99
whitelisted
ctldl.windowsupdate.com
  • 178.79.242.11
whitelisted
ocsp.godaddy.com
  • 192.124.249.36
  • 192.124.249.24
  • 192.124.249.22
  • 192.124.249.41
  • 192.124.249.23
whitelisted
cdn.discordapp.com
  • 162.159.134.233
  • 162.159.129.233
  • 162.159.135.233
  • 162.159.130.233
  • 162.159.133.233
shared
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

PID
Process
Class
Message
4036
AppLaunch.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
4036
AppLaunch.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
4036
AppLaunch.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Loader.rar