File name: TransformiceClient.rar

Full analysis: https://app.any.run/tasks/80a11a0b-da3c-49f2-ba8d-9319b6eef324
Verdict: Malicious activity
Analysis date: July 11, 2019, 20:13:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 591B852995418A6100A965A7E98A0737
SHA1: C809DFFCD912237400EE36F6233FC04DEF90D61D
SHA256: BCE00529092236DADE7F702C5E16868B3C6C4EF6202F4A3CA5AFF38ED26FB4EA
SSDEEP: 49152:cFKPQBtqHZJ1ZUzcSYw7vrHpskyBbZNJyQDyF3tSVH8Q:GKPQBtqHFy4StvjKk87DugVH8Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Transformice Client.exe (PID: 4076)
      • abcexport.exe (PID: 3040)
      • abcexport.exe (PID: 2444)
      • SearchProtocolHost.exe (PID: 856)
      • abcreplace.exe (PID: 3068)
    • Application was dropped or rewritten from another process

      • Transformice Client.exe (PID: 4076)
      • abcexport.exe (PID: 3040)
      • rabcdasm.exe (PID: 3872)
      • abcexport.exe (PID: 2444)
      • swfdecript.exe (PID: 2672)
      • swfdump.exe (PID: 3616)
      • rabcdasm.exe (PID: 3512)
      • rabcasm.exe (PID: 840)
      • abcreplace.exe (PID: 3068)
  • SUSPICIOUS

    • Reads internet explorer settings

      • Transformice Client.exe (PID: 4076)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3144)
    • Creates files in the user directory

      • Transformice Client.exe (PID: 4076)
      • abcexport.exe (PID: 3040)
      • abcexport.exe (PID: 2444)
      • rabcdasm.exe (PID: 3872)
      • rabcasm.exe (PID: 840)
      • rabcdasm.exe (PID: 3512)
    • Reads Internet Cache Settings

      • Transformice Client.exe (PID: 4076)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3144)
    • Reads settings of System Certificates

      • Transformice Client.exe (PID: 4076)
    • Manual execution by user

      • taskmgr.exe (PID: 3392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 55
Monitored processes: 12
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Interactive graph available in the full report. Edge labels: drop and start, start. Processes shown: winrar.exe, transformice client.exe, abcexport.exe, rabcdasm.exe, swfdecript.exe, swfdump.exe, abcexport.exe, rabcdasm.exe, rabcasm.exe, abcreplace.exe, searchprotocolhost.exe, taskmgr.exe (the "no specs" entries carry no indicators).

Process information

PID: 3144
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\TransformiceClient.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 4076
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Transformice Client.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Transformice Client.exe
Parent process: WinRAR.exe
User: admin
Company: iCooper™
Integrity Level: MEDIUM
Description: Transformice Client
Exit code: 0
Version: 1.0.0.1

PID: 3040
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcexport.exe" Chargeur.swf
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcexport.exe
Parent process: Transformice Client.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3872
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcdasm.exe" Chargeur-0.abc
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcdasm.exe
Parent process: Transformice Client.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2672
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\swfdecript.exe" Transformice.swf Transformice.swf
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\swfdecript.exe
Parent process: Transformice Client.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID: 3616
CMD: "swfdump.exe" -a "C:\Users\admin\AppData\Roaming\iCooper\Multi\Transformice.swf"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\swfdump.exe
Parent process: swfdecript.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2444
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcexport.exe" Transformice.swf
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcexport.exe
Parent process: Transformice Client.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3512
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcdasm.exe" Transformice-0.abc
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcdasm.exe
Parent process: Transformice Client.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 840
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcasm.exe" Chargeur-0/Chargeur-0.main.asasm
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcasm.exe
Parent process: Transformice Client.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3068
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcreplace.exe" Chargeur.swf 0 Chargeur-0/Chargeur-0.main.abc
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcreplace.exe
Parent process: Transformice Client.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Total events: 1 269
Read events: 1 218
Write events: 51
Delete events: 0

Modification events

(PID) Process: (3144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (3144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (3144) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\TransformiceClient.rar

(PID) Process: (3144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3144) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 12
Suspicious files: 3
Text files: 2 682
Unknown types: 20

Dropped files

PID: 3144 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcreplace.exe
Type: executable
MD5: 4DD89AF63CF75832ED61CB0FD5FD5650
SHA256: D20B874C050950A1D400694CC6D440B4BCB07E9DB21E65444E5B9F6C3072EC80

PID: 3144 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\swfdecript.exe
Type: executable
MD5: B2838DF135FE035279E47343492B0DB5
SHA256: FAEF2860350CCF11B3F4BA1A39C194B461F022044814B5CDF68BF2EC47C94F4D

PID: 3144 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\rabcasm.exe
Type: executable
MD5: A71C93BB550C24DB1EDB27212783EE6F
SHA256: C02A62FA65831F0D165AAD63F9CF589BCB3800A9C1391050A076049014FCBDAC

PID: 3144 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\AxInterop.ShockwaveFlashObjects.dll
Type: executable
MD5: 63EE7B61BB397D3512C345A32A4596F1
SHA256: 7B514ACA2A20F16B44C2B10DC7DA99033F7C1D18F2E1F60CFAE60FA70B6217DD

PID: 3144 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\abcexport.exe
Type: executable
MD5: 5FB748BE478DB6282BBDEBF7D5887849
SHA256: CD2957356F5AA384EC66F4A02BF0987A2665C406AD68B2D7E48DA1732806FBF7

PID: 3144 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Interop.ShockwaveFlashObjects.dll
Type: executable
MD5: A2A2D58248CC3A58F6A9CCBC50DB0807
SHA256: 466D3A71E5D313AC4C2BBAF107CBECB85970EB2D907B74AC578090F0AE4FE8C2

PID: 3144 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\liblzma.dll
Type: executable
MD5: 0E5D3BC6FF20B7F7C82824E1D5E3512C
SHA256: 4F920F7AC2904171CB0F265239EE2225ACB19769D3D438566C0D43E857DEE8A9

PID: 3144 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Farm Mice.exe
Type: executable
MD5: B793FC4B4BB364F980F30AFCD794D829
SHA256: 95E33D59556F0DC758231CE336E180DC8D1E9BC25624571CEDFF58F134530CD1

PID: 3144 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Transformice Client.exe
Type: executable
MD5: 4E2E7935490B2E4A315A11746DE81667
SHA256: 210E36C884C18613AD6BDEE33AC60AA9A693A3C5BB220615CE4B6C2A2A747431

PID: 3144 | Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3144.4637\Transformice Client\Tools\swfdump.exe
Type: executable
MD5: 5BBFD38940063BB3ED78FC2137958B0A
SHA256: E803453FE8816CF26B62DBE77AB23EBBDED35C0871E0BF78D86631BF3A034522
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 30
TCP/UDP connections: 11
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4076 | Transformice Client.exe | GET | 200 | 145.239.9.124:80 | http://www.transformice.com/images/x_bibliotheques/x_fourrures3.swf?d=528.94?d=528 | FR | swf | 236 Kb | suspicious
4076 | Transformice Client.exe | GET | 200 | 145.239.9.124:80 | http://www.transformice.com/images/x_bibliotheques/x_fourrures.swf?d=528.94?d=528 | FR | swf | 153 Kb | suspicious
4076 | Transformice Client.exe | GET | 200 | 145.239.9.124:80 | http://www.transformice.com/langues/tfz_fr?d=94 | FR | pz | 35.4 Kb | suspicious
4076 | Transformice Client.exe | GET | 200 | 145.239.9.124:80 | http://www.transformice.com/images/x_transformice/x_aventure/x_banniere/x_21.jpg?d=94 | FR | image | 6.96 Kb | suspicious
4076 | Transformice Client.exe | GET | 200 | 145.239.9.124:80 | http://www.transformice.com/images/x_bibliotheques/x_pictos_editeur.swf?d=528.94?d=528 | FR | swf | 218 Kb | suspicious
4076 | Transformice Client.exe | GET | 200 | 51.75.128.119:80 | http://transformice.com/Transformice.swf | GB | swf | 1.99 Mb | whitelisted
4076 | Transformice Client.exe | GET | 200 | 145.239.9.124:80 | http://www.transformice.com/images/x_transformice/x_interface/3.png?d=94 | FR | image | 793 b | suspicious
4076 | Transformice Client.exe | GET | 200 | 195.154.124.74:80 | http://195.154.124.74/outils/info.php | FR | text | 146 b | suspicious
4076 | Transformice Client.exe | GET | 200 | 145.239.9.124:80 | http://www.transformice.com/images/x_bibliotheques/x_meli_costumes.swf?d=528.94?d=528 | FR | swf | 398 Kb | suspicious
4076 | Transformice Client.exe | GET | 200 | 145.239.9.124:80 | http://www.transformice.com/images/deesse.png?d=94 | FR | image | 47.8 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4076 | Transformice Client.exe | 172.217.23.174:443 | docs.google.com | Google Inc. | US | whitelisted
4076 | Transformice Client.exe | 94.23.193.229:12801 | (none) | OVH SAS | FR | unknown
4076 | Transformice Client.exe | 46.105.100.198:12801 | (none) | OVH SAS | FR | unknown
4076 | Transformice Client.exe | 172.217.18.97:443 | doc-04-08-docs.googleusercontent.com | Google Inc. | US | whitelisted
4076 | Transformice Client.exe | 188.165.220.57:13801 | (none) | OVH SAS | FR | unknown
4076 | Transformice Client.exe | 195.154.124.74:80 | (none) | Online S.a.s. | FR | unknown
4076 | Transformice Client.exe | 51.75.128.119:80 | transformice.com | (none) | GB | suspicious
4076 | Transformice Client.exe | 145.239.9.124:80 | transformice.com | OVH SAS | FR | suspicious

DNS requests

Domain | IP | Reputation
docs.google.com | 172.217.23.174 | shared
doc-04-08-docs.googleusercontent.com | 172.217.18.97 | shared
transformice.com | 51.75.128.119, 145.239.9.124 | whitelisted
www.transformice.com | 145.239.9.124, 51.75.128.119 | suspicious

Threats

PID | Process | Class | Message
4076 | Transformice Client.exe | Potential Corporate Privacy Violation | ET POLICY Outdated Flash Version M1
4076 | Transformice Client.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
No debug info