analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

raid_tool - alphascript.zip

Full analysis: https://app.any.run/tasks/1a817280-298e-438a-b9e3-22507075d7a2
Verdict: Malicious activity
Analysis date: October 19, 2020, 23:44:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

3E061CDB0DEA5EE253DBBDBAB76F4423

SHA1:

3871E331356B869F1F1ADD16F02B977EA97D9CB1

SHA256:

BA4563BF28A50601E88C1F412D359B94F407E8A49E23CEB651D81445E9C56320

SSDEEP:

196608:egzE5VUziCh92ESzIYsbO1m8v26jrkNDRHcthJZ409aXKNdSF88C0YwAfcjrZIVS:dz/0nzIfi1m8u6QHcthbtE2V0Y9kxjGY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • raid_tool.exe (PID: 3360)
      • raid_tool.exe (PID: 3196)

    • Loads dropped or rewritten executable

      • raid_tool.exe (PID: 3196)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • raid_tool.exe (PID: 3360)

    • Application launched itself

      • raid_tool.exe (PID: 3360)

    • Loads Python modules

      • raid_tool.exe (PID: 3196)

  • INFO

    • Manual execution by user

      • NOTEPAD.EXE (PID: 3592)
      • NOTEPAD.EXE (PID: 3656)
      • NOTEPAD.EXE (PID: 3728)
      • NOTEPAD.EXE (PID: 3052)
      • NOTEPAD.EXE (PID: 1880)
      • NOTEPAD.EXE (PID: 3808)
      • raid_tool.exe (PID: 3360)
      • NOTEPAD.EXE (PID: 2092)
      • NOTEPAD.EXE (PID: 3744)

    • Reads settings of System Certificates

      • raid_tool.exe (PID: 3196)

    • Dropped object may contain Bitcoin addresses

      • raid_tool.exe (PID: 3360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: raid_tool.exe
ZipUncompressedSize: 12028416
ZipCompressedSize: 11572330
ZipCRC: 0x3365e02f
ZipModifyDate: 2020:07:22 17:41:08
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
11
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs raid_tool.exe raid_tool.exe

Process information

PID
CMD
Path
Indicators
Parent process
2656"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\raid_tool - alphascript.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3728"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ok.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3656"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\tokens.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3052"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\tokens.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3592"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ok.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1880"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ok.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3808"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ok.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2092"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\ok.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3744"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\tokens.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3360"C:\Users\admin\Desktop\raid_tool.exe" C:\Users\admin\Desktop\raid_tool.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Total events
1 078
Read events
1 058
Write events
0
Delete events
0

Modification events

No data
Executable files
34
Suspicious files
3
Text files
928
Unknown types
2

Dropped files

PID
Process
Filename
Type
2656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2656.44676\raid_tool.exe
MD5:
SHA256:
2656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2656.44676\README.txt
MD5:
SHA256:
2656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2656.44676\tokens.txt
MD5:
SHA256:
2656WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2656.44676\ok.txt
MD5:
SHA256:
3744NOTEPAD.EXEC:\Users\admin\Desktop\tokens.txttext
MD5:770672EE46BD0459097F43A36085B1CB
SHA256:DAF4A07360A51955AEE214F253B7845E57266C389F5E312B5B7A4C3C47B50334
3360raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI33602\_ssl.pydexecutable
MD5:B9ECF769FC63A542A113CA1552DC7A7B
SHA256:E0BDB16CFFC7B5A19C5AF22D8A33D3C999D55A3117F2DA07ED3171CA9487927E
3360raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI33602\_elementtree.pydexecutable
MD5:29928F61AAC2E9989BB097620B52A289
SHA256:EB8DE455AE9EF9B5223DA2EAA2A74121EB2FE5371CB07E803E8E6E5C3CB5FB44
3360raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI33602\VCRUNTIME140.dllexecutable
MD5:4C360F78DE1F5BAAA5F110E65FAC94B4
SHA256:AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
3360raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI33602\_lzma.pydexecutable
MD5:54F12E2385A77D825AE4D41A4AC515FE
SHA256:08DE18FBA635822F3BB89C9429F175E3680B7261546430BA9E2ED09BB31F5218
3360raid_tool.exeC:\Users\admin\AppData\Local\Temp\_MEI33602\cryptography\hazmat\bindings\_openssl.cp38-win32.pydexecutable
MD5:93261A7BE7A2C2571C5857F5C56F7A92
SHA256:798CB051834CC8B41163F8D076A2F8EDD69930A6E77481B9CAA0B90A231B1808
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
34
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3196
raid_tool.exe
162.159.134.233:443
discordapp.com
Cloudflare Inc
shared
3196
raid_tool.exe
162.159.135.234:443
gateway.discord.gg
Cloudflare Inc
shared

DNS requests

Domain
IP
Reputation
discordapp.com
  • 162.159.134.233
  • 162.159.129.233
  • 162.159.133.233
  • 162.159.135.233
  • 162.159.130.233
whitelisted
gateway.discord.gg
  • 162.159.135.234
  • 162.159.134.234
  • 162.159.133.234
  • 162.159.130.234
  • 162.159.136.234
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
raid_tool - alphascript.zip