analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Loader.rar |
| Full analysis: | https://app.any.run/tasks/c009331b-1bd8-414a-95b2-1b66e9c2aee4 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | April 01, 2023, 07:24:02 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | 8AF9853E0873FE2FE64B8F52A6E109A4 |
| SHA1: | 050B6E12CA1B130FCD80ADE2E73AE9D68124C18B |
| SHA256: | AAB8B8B86154F7BDA5D61A60C6CF430489B5C897C1B5EE126DC87F009E465DBE |
| SSDEEP: | 12288:6aFW5Uvta4t148qjRUg5MyQsZI4C9gBjgPoj:6aU5Yc8x6MyJnmy |
MALICIOUS
Steals credentials from Web Browsers
- AppLaunch.exe (PID: 4036)
Connects to the CnC server
- AppLaunch.exe (PID: 4036)
VIDAR was detected
- AppLaunch.exe (PID: 4036)
Actions looks like stealing of personal data
- AppLaunch.exe (PID: 4036)
SUSPICIOUS
Reads the Internet Settings
- AppLaunch.exe (PID: 4036)
Reads settings of System Certificates
- AppLaunch.exe (PID: 4036)
Reads security settings of Internet Explorer
- AppLaunch.exe (PID: 4036)
Checks Windows Trust Settings
- AppLaunch.exe (PID: 4036)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- AppLaunch.exe (PID: 4036)
Executable content was dropped or overwritten
- AppLaunch.exe (PID: 4036)
Reads browser cookies
- AppLaunch.exe (PID: 4036)
Connects to the server without a host name
- AppLaunch.exe (PID: 4036)
Searches for installed software
- AppLaunch.exe (PID: 4036)
INFO
Reads the computer name
- AppLaunch.exe (PID: 4036)
Checks supported languages
- AppLaunch.exe (PID: 4036)
- Loader.exe (PID: 3660)
Reads the machine GUID from the registry
- AppLaunch.exe (PID: 4036)
Checks proxy server information
- AppLaunch.exe (PID: 4036)
The process checks LSA protection
- AppLaunch.exe (PID: 4036)
Reads Environment values
- AppLaunch.exe (PID: 4036)
Creates files or folders in the user directory
- AppLaunch.exe (PID: 4036)
Creates files in the program directory
- AppLaunch.exe (PID: 4036)
Reads product name
- AppLaunch.exe (PID: 4036)
Reads CPU info
- AppLaunch.exe (PID: 4036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
43
Monitored processes
3
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2368 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Loader.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 3660 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2368.33745\Loader.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2368.33745\Loader.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 4036 | "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Loader.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET ClickOnce Launch Utility Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
| |||||||||||||||
Total events
13 472
Read events
13 388
Write events
84
Delete events
0
Modification events
| (PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2368) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
16
Suspicious files
16
Text files
4
Unknown types
24
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2368 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2368.33745\Loader.exe | — | |
MD5:— | SHA256:— | |||
| 4036 | AppLaunch.exe | C:\ProgramData\07970882986416969764273147 | — | |
MD5:— | SHA256:— | |||
| 4036 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | binary | |
MD5:4812507E6A5A7DA56124A0DA9E6EE1C2 | SHA256:836FF3BB09A5B6194BE7ED5BB0DB5CCD31807EF9265B59D80B059027496A5AF4 | |||
| 4036 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30 | binary | |
MD5:5239BCFAB61DE0DE1B5AAD219CF36A3F | SHA256:D03801974E904A337B11E7B6A38AA92F748C7676782FB32DA9F25EB78E4399EC | |||
| 4036 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | binary | |
MD5:DCB0578559097E228F34F86C10114846 | SHA256:267B19FA4EAF67B39C5D0756C5D51317EAD3B8291C90F5C71F2B049D1C443F5F | |||
| 4036 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30 | der | |
MD5:49AC34D9D44A16272D96D21C38D5E72C | SHA256:7D0067221DF7D222B3E44A3F4481AC075219B3DD23AF63EE9556D1E226326A07 | |||
| 4036 | AppLaunch.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\DMG11964.txt | text | |
MD5:B00391082B79BB9ABE94543461308087 | SHA256:9EDE93974B1527E0929B6B442E5E84D455538836115160E5F8959C82ED80BF4A | |||
| 4036 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:0BDD643805FD5AACBA443AFF6A311409 | SHA256:98EB63BCA180E31225D80DF3DF566FB66B641EFDA855AEB60A61CEBEBFD8E873 | |||
| 4036 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | der | |
MD5:9BF77CE85A5A981D86A0F7A4672BA22B | SHA256:44ED3A7243FE9995A4439683D11971670EB00101C3832AD30DB5242560B2B354 | |||
| 4036 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | der | |
MD5:0CC22A011CCAAEBC8D6E46EBB016A84E | SHA256:308735064FF38C7FD32D09FA073F491B50D25B2DCF542A66D59B5ADF5E64944D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
6
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4036 | AppLaunch.exe | GET | 200 | 192.124.249.36:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
4036 | AppLaunch.exe | GET | 200 | 192.124.249.36:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted |
4036 | AppLaunch.exe | GET | 200 | 192.124.249.36:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCxJlJbiuuimg%3D%3D | US | der | 1.74 Kb | whitelisted |
4036 | AppLaunch.exe | GET | 200 | 78.47.168.170:80 | http://78.47.168.170/ | DE | text | 182 b | malicious |
4036 | AppLaunch.exe | GET | 200 | 178.79.242.11:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c1c447dbddf645e2 | DE | compressed | 4.70 Kb | whitelisted |
4036 | AppLaunch.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
4036 | AppLaunch.exe | POST | 200 | 78.47.168.170:80 | http://78.47.168.170/ | DE | text | 98 b | malicious |
4036 | AppLaunch.exe | GET | 200 | 78.47.168.170:80 | http://78.47.168.170/steam.zip | DE | compressed | 2.56 Mb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4036 | AppLaunch.exe | 178.79.242.11:80 | ctldl.windowsupdate.com | LLNW | DE | suspicious |
4036 | AppLaunch.exe | 192.124.249.36:80 | ocsp.godaddy.com | SUCURI-SEC | US | suspicious |
4036 | AppLaunch.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
4036 | AppLaunch.exe | 162.159.134.233:443 | cdn.discordapp.com | CLOUDFLARENET | — | shared |
4036 | AppLaunch.exe | 78.47.168.170:80 | — | Hetzner Online GmbH | DE | malicious |
4036 | AppLaunch.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
t.me |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.godaddy.com |
| whitelisted |
cdn.discordapp.com |
| shared |
ocsp.digicert.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4036 | AppLaunch.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |
4036 | AppLaunch.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host ZIP Request |
— | — | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) |
4036 | AppLaunch.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) |
2 ETPRO signatures available at the full report