File name: ok.zip

Full analysis: https://app.any.run/tasks/1cde242f-7b1b-4207-aea9-1c23837d85a4
Verdict: Malicious activity
Analysis date: August 18, 2019, 01:13:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 83B726C3188D20B28774197929A161FD
SHA1: 64510EA9ED03AFA42E9D634ECE385BBAA4CDA7D6
SHA256: BA4BA50EC6BC128B161C7BE07D49689BF35D39BEEE7ACB3806BB9DDD5A5556A1
SSDEEP: 196608:C+jNw6k8d4CeDU/GjoGMxncknRqyOcNJj1Ma+/egUG8SIRceNGYlcK:CINhLl1GUcknzNHd+WzG8mzYl9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DTG.exe (PID: 3452)
      • DTG.exe (PID: 3248)
      • DTG.exe (PID: 2580)
      • DTG.exe (PID: 3616)
      • DTG.exe (PID: 3548)
      • DTG.exe (PID: 3360)
      • DTG.exe (PID: 3488)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3656)
  • INFO

    • Dropped object may contain TOR URL's

      • WinRAR.exe (PID: 3656)
    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3656)
    • Manual execution by user

      • DTG.exe (PID: 3360)
      • DTG.exe (PID: 3488)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:08:17 23:57:08
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: ok/
No data.
Total processes: 48
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 2

Behavior graph (image not included in this export): winrar.exe starts, then drops and starts dtg.exe; the dtg.exe nodes carry no specific indicators.

Process information

PID 3656 (parent process: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ok.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

The seven DTG.exe instances below share the same metadata: User: admin; Company: DTG - Discord is a meme; Integrity Level: MEDIUM; Description: DTG: Fastest legit token generator.; Exit code: 1; Version: 8.

PID 3616 (parent process: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.33949\ok\DTG.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.33949\ok\DTG.exe

PID 3452 (parent process: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34383\ok\DTG.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34383\ok\DTG.exe

PID 3248 (parent process: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34603\ok\DTG.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34603\ok\DTG.exe

PID 3548 (parent process: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34853\ok\DTG.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34853\ok\DTG.exe

PID 2580 (parent process: WinRAR.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.35142\ok\DTG.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.35142\ok\DTG.exe

PID 3360 (parent process: explorer.exe)
  CMD: "C:\Users\admin\Desktop\DTG.exe"
  Path: C:\Users\admin\Desktop\DTG.exe

PID 3488 (parent process: explorer.exe)
  CMD: "C:\Users\admin\Desktop\DTG.exe"
  Path: C:\Users\admin\Desktop\DTG.exe
Total events: 511
Read events: 487
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 6
Suspicious files: 0
Text files: 10
Unknown types: 0

Dropped files

All entries were dropped by PID 3656 (WinRAR.exe) and are of type text. The same two files appear once in each of the five WinRAR extraction directories.

proxies.txt
  MD5: E457FF4179013E1EB254A1C75C91BC99
  SHA256: 19CCBCF0B968DD0401086E91004D3E9D285EA217C5A58A104D63A8FBA90B3CAD
  Paths:
    C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.35142\ok\proxies.txt
    C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34603\ok\proxies.txt
    C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.33949\ok\proxies.txt
    C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34383\ok\proxies.txt
    C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34853\ok\proxies.txt

nicks.txt
  MD5: 322E0EC8BC2941F9C94E970A3D9A030D
  SHA256: CC05B0EC4D0C92E2A2633A5C39CFE169A66EA5CCBD3A719616E34E3A9F100BBD
  Paths:
    C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34383\ok\nicks.txt
    C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.33949\ok\nicks.txt
    C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34603\ok\nicks.txt
    C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.34853\ok\nicks.txt
    C:\Users\admin\AppData\Local\Temp\Rar$EXa3656.35142\ok\nicks.txt
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info