analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | b51a1_Scan2457632.gz |
| Full analysis: | https://app.any.run/tasks/fdbcff53-65cd-48de-96ac-410850cd67e2 |
| Verdict: | Malicious activity |
| Analysis date: | March 31, 2020, 10:43:13 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | B51A1E837A6F06E886D1B2CDC1502E59 |
| SHA1: | C6BDEF77BA40CD87ACCBBD053DDF50224C7150B2 |
| SHA256: | B38099EF28D9C052813FBC403340FB1428D90428BDE89403CE41E0153A497AA7 |
| SSDEEP: | 6144:JGisGxO0138MUjqTlAmiIO3z8qJuQC3U6/l7muQgyVdUmI01vOYcXy:fs0hGMUAi98qEQs9mxg8Z2YH |
MALICIOUS
Application was dropped or rewritten from another process
- Scan2457632.exe (PID: 3776)
- Scan2457632.exe (PID: 1348)
- Scan2457632.exe (PID: 956)
Actions looks like stealing of personal data
- Scan2457632.exe (PID: 3776)
Changes settings of System certificates
- Scan2457632.exe (PID: 3776)
SUSPICIOUS
Application launched itself
- Scan2457632.exe (PID: 1348)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3512)
Adds / modifies Windows certificates
- Scan2457632.exe (PID: 3776)
INFO
Reads settings of System Certificates
- Scan2457632.exe (PID: 3776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
39
Monitored processes
4
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3512 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\b51a1_Scan2457632.gz.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
| 1348 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3512.24401\Scan2457632.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3512.24401\Scan2457632.exe | — | WinRAR.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
| 3776 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3512.24401\Scan2457632.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3512.24401\Scan2457632.exe | Scan2457632.exe | |
User: admin Integrity Level: MEDIUM | ||||
| 956 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3512.24401\Scan2457632.exe" 2 3776 10914343 | C:\Users\admin\AppData\Local\Temp\Rar$EXa3512.24401\Scan2457632.exe | — | Scan2457632.exe |
User: admin Integrity Level: MEDIUM Exit code: 4294967295 | ||||
Total events
4 039
Read events
483
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3512 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3512.24401\Scan2457632.exe | executable | |
MD5:37AFF34561D3663C04E104C4BA116BA7 | SHA256:98489349A1120F5719CA1EC3D9E10C4F35EDFC75944D15F050017C8C3FE2520E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3776 | Scan2457632.exe | 77.88.21.158:587 | smtp.yandex.com | YANDEX LLC | RU | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
smtp.yandex.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3776 | Scan2457632.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction |