File name: Reziztz.rar
Full analysis: https://app.any.run/tasks/42f5846b-bb13-42ec-a768-c307f14f2fb9
Verdict: Malicious activity
Analysis date: August 08, 2020, 15:05:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 2637DEEF589971B4612EC3C51DEE60C4
SHA1: 760A4B7B169376A7430AC4E5931D193C52285DC2
SHA256: ACC5C4FB8952C367C6E04435818E09E563943CE1A9EB4CA57609B14ED100210E
SSDEEP: 6144:mMBLRv0bk2Y0CsHtvgiiIryt2/8NkAoX/JtKZ:bLRvILYfs2H7N1s/Jc
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Reziztz.exe (PID: 3952)
      • Reziztz.exe (PID: 2480)
  • SUSPICIOUS
    • Starts Internet Explorer
      • Reziztz.exe (PID: 3952)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1700)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 1700)
      • iexplore.exe (PID: 3352)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3088)
      • iexplore.exe (PID: 3352)
    • Changes internet zones settings
      • iexplore.exe (PID: 3088)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3352)
    • Application launched itself
      • iexplore.exe (PID: 3088)
    • Creates files in the user directory
      • iexplore.exe (PID: 3352)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3352)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3352)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 2

Behavior graph (process tree as rendered in the full report; edge labels from the graph)

winrar.exe (PID 1700)
  ├─ drop and start → reziztz.exe (PID 2480, no specs)
  └─ drop and start → reziztz.exe (PID 3952)
       └─ start → iexplore.exe (PID 3088)
            └─ iexplore.exe (PID 3352)

Process information

PID 1700
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Reziztz.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2480
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\Reziztz\Reziztz.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\Reziztz\Reziztz.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Reziztz
  Exit code: 3221226540 (NTSTATUS 0xC000042C, STATUS_ELEVATION_REQUIRED: the launch at MEDIUM integrity needed administrator rights)
  Version: 1.0.0.0

PID 3952
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\Reziztz\Reziztz.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\Reziztz\Reziztz.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: HIGH
  Description: Reziztz
  Exit code: 0
  Version: 1.0.0.0

PID 3088
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/mebV4ew
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: Reziztz.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3352
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3088 CREDAT:275457 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
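The process table carries more signal than the summary counters do: WinRAR extracted the sample into its temporary folder and started it, the first instance (PID 2480) died at MEDIUM integrity with exit code 3221226540, which is NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED), a second instance (PID 3952) then ran at HIGH integrity and opened Internet Explorer on a Discord invite URL. The Python below is an added triage example written for this page, not ANY.RUN code. The process rows are transcribed from the table; the WinRAR temp-folder regex generalizes the Rar$EXa1700.1446 name seen there (1700 is WinRAR's own PID in this run); the set of browser image names is an assumption.

```python
"""Triage checks over the process list from this report (added example)."""
import re
from collections import defaultdict

# Process rows transcribed from the "Process information" section above.
PROCESSES = [
    {"pid": 1700, "image": "WinRAR.exe", "parent": "explorer.exe", "integrity": "MEDIUM", "exit_code": None,
     "path": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Reziztz.rar"'},
    {"pid": 2480, "image": "Reziztz.exe", "parent": "WinRAR.exe", "integrity": "MEDIUM", "exit_code": 3221226540,
     "path": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\Reziztz\Reziztz.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\Reziztz\Reziztz.exe"'},
    {"pid": 3952, "image": "Reziztz.exe", "parent": "WinRAR.exe", "integrity": "HIGH", "exit_code": 0,
     "path": r"C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\Reziztz\Reziztz.exe",
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\Reziztz\Reziztz.exe"'},
    {"pid": 3088, "image": "iexplore.exe", "parent": "Reziztz.exe", "integrity": "HIGH", "exit_code": None,
     "path": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/mebV4ew'},
    {"pid": 3352, "image": "iexplore.exe", "parent": "iexplore.exe", "integrity": "HIGH", "exit_code": 0,
     "path": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3088 CREDAT:275457 /prefetch:2'},
]

# Sandboxes print exit codes in decimal; these are the NTSTATUS values that matter here.
NTSTATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC000042C: "STATUS_ELEVATION_REQUIRED"}

# WinRAR runs archive members from %TEMP%\Rar$EX<letter><winrar pid>.<random>\ (generalised from the table).
WINRAR_TEMP_RE = re.compile(r"\\Rar\$EX[a-z]\d+\.\d+\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}  # assumption: common browser images


def decode_ntstatus(code):
    """Render a decimal exit code as the NTSTATUS hex value and name."""
    if code is None:
        return None
    return f"0x{code:08X} ({NTSTATUS_NAMES.get(code, 'unknown')})"


def find_archive_temp_launches(procs):
    """PIDs whose image runs from a WinRAR temporary extraction directory."""
    return [p["pid"] for p in procs if WINRAR_TEMP_RE.search(p["path"])]


def find_elevation_retries(procs):
    """Same image path: one run dies with STATUS_ELEVATION_REQUIRED at MEDIUM, another runs at HIGH."""
    by_path = defaultdict(list)
    for p in procs:
        by_path[p["path"].lower()].append(p)
    hits = []
    for runs in by_path.values():
        failed = [p for p in runs if p["exit_code"] == 0xC000042C and p["integrity"] == "MEDIUM"]
        elevated = [p for p in runs if p["integrity"] == "HIGH"]
        if failed and elevated:
            hits.append((failed[0]["pid"], elevated[0]["pid"]))
    return hits


def find_browser_launches(procs):
    """(parent image, pid, url) for browsers started by a non-browser parent with a URL argument."""
    out = []
    for p in procs:
        if p["image"].lower() in BROWSERS and p["parent"].lower() not in BROWSERS:
            m = URL_RE.search(p["cmd"])
            if m:
                out.append((p["parent"], p["pid"], m.group(0)))
    return out


if __name__ == "__main__":
    print("run from archive temp dir:", find_archive_temp_launches(PROCESSES))
    print("elevation retry (failed pid, elevated pid):", find_elevation_retries(PROCESSES))
    print("browser launched with URL:", find_browser_launches(PROCESSES))
    print("pid 2480 exit:", decode_ntstatus(3221226540))
```

The elevation check is the one worth keeping in a detection rule: a child that fails with STATUS_ELEVATION_REQUIRED and immediately reappears at HIGH integrity under the same parent means the launcher retried through the UAC path, which a user-level sandbox with auto-accepted prompts will happily allow.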
Total events: 982
Read events: 877
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 22
Text files: 15
Unknown types: 14

Dropped files

PID | Process | Filename | Type
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Cab823.tmp |
  MD5:
  SHA256:
3352 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Tar824.tmp |
  MD5:
  SHA256:
1700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\READ ME!.bat | text
  MD5: 274497767D5B83BC1C49F6ACFDAF26E8
  SHA256: FEA5CC7198D5C490D2575A546A4E4E055D2CCF58AF64E1D5BEE5D1C257D91FCF
1700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\Invis_name.txt | text
  MD5: 0A1D9B6847AF0F2370B5F9F7040FA265
  SHA256: C2895770D49BCB0AC1A9CE6EAABA2BE9E1BA3D7207E916880163485C682A7037
3352 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4 | der
  MD5: 689A3D86D85BFC8D6E624EDD115374A2
  SHA256: 23350DA55EF98583F37C260EB221681AE372D23AE7FB01201DD4163BDE514BFF
1700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\invis_text.txt | text
  MD5: F53E90D4FD13F2515CFFEE3AB9A59C1C
  SHA256: 04AE61A41969C3E9297FE177DC2021E20F05E25E21657944FAB13E0A4AE1CB8B
3352 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6AF4EE75E3A4ABA658C0087EB9A0BB5B_A71343B9E0448D72FD8C4A424ADA33C2 | binary
  MD5: A2170520F62E139596952E1BD3D2BCD1
  SHA256: 2490FC179504865502A8BEB14DFCEE328A03EC0778B5EE45907CB284DE39EA7E
1700 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1700.1446\Reziztz\Reziztz\Reziztz.pdb | pdb
  MD5: 80477606678D1201306670A7BD23E1D0
  SHA256: D2C00C801F1D9C6DC50377DA0924D91F37909DD234ABBAF57915E66B0D40577F
3352 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_979AB563CEB98F2581C14ED89B8957D4 | binary
  MD5: 1E01458AE163922469FB75CF59CA129D
  SHA256: F32B922092DBA3DB8260E794CD04A0C963CDCF24DBEBFF78145A18207E6F9A45
3352 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MADQWLO1.txt | text
  MD5: A7FD3F61E588C58AC3901AEDE4EDDAF6
  SHA256: 37F8E0F391B60E98DC48E2A4ED385C1617BEC72D674F5F285B482AD0A8D2142A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 13
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3352 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEBblhnjgcJQ5S9%2FbTvymO98%3D | US | der | 471 b | whitelisted
3352 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D | US | der | 314 b | whitelisted
3352 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEDsJGKKiFxWJllawuNqPxXw%3D | US | der | 279 b | whitelisted
3352 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D | US | der | 314 b | whitelisted
3352 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEBblhnjgcJQ5S9%2FbTvymO98%3D | US | der | 471 b | whitelisted
3352 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEDsJGKKiFxWJllawuNqPxXw%3D | US | der | 279 b | whitelisted
3352 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEQCML6NXQdejdBJDG5j4aa9U | US | der | 279 b | whitelisted
3352 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTOpjOEf6LG1z52jqAxwDlTxoaOCgQUQAlhZ%2FC8g3FP3hIILG%2FU1Ct2PZYCEQCML6NXQdejdBJDG5j4aa9U | US | der | 279 b | whitelisted
3088 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 |  | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3352 | iexplore.exe | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious
3352 | iexplore.exe | 162.159.135.232:443 | discord.com | Cloudflare Inc |  | malicious
3352 | iexplore.exe | 162.159.133.234:443 | discord.gg | Cloudflare Inc |  | shared

DNS requests

Domain
IP
Reputation
discord.gg
  • 162.159.133.234
  • 162.159.130.234
  • 162.159.134.234
  • 162.159.136.234
  • 162.159.135.234
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted
ocsp.comodoca4.com
  • 151.139.128.14
whitelisted
discord.com
  • 162.159.135.232
  • 162.159.128.233
  • 162.159.136.232
  • 162.159.138.232
  • 162.159.137.232
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

No threats detected
No debug info