File name:

test3.zip

Full analysis: https://app.any.run/tasks/cffa2b82-c312-4630-ab6a-8614dea39e18
Verdict: Malicious activity
Threats:

Stealers are a family of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: June 27, 2022, 13:19:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

4CC1C39BE8332CFE76F663BDB20E19CF

SHA1:

036887D07DF93A17C81FEA2DD8068F1768938570

SHA256:

BDA3BA2988CE6B7C017E466831F618272629C444EC1DE81CC9B21D4161150560

SSDEEP:

196608:wD1JATmK5KCCd5IECanMPLgdCPJX/0mMB7/79hx8DakSAPM/+YnuyQE1bEKkXzrQ:wBJummn6HnMPL0CPt/0mMBz79hx8+QPw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3972)
      • test3.exe (PID: 3512)
    • Stealing of credential data

      • test3.exe (PID: 404)
    • Loads dropped or rewritten executable

      • test3.exe (PID: 404)
    • Application was dropped or rewritten from another process

      • test3.exe (PID: 3512)
      • test3.exe (PID: 404)
    • Actions looks like stealing of personal data

      • test3.exe (PID: 404)
  • SUSPICIOUS

    • Checks supported languages

      • test3.exe (PID: 3512)
      • test3.exe (PID: 404)
      • WinRAR.exe (PID: 3972)
      • cmd.exe (PID: 1792)
    • Reads the computer name

      • WinRAR.exe (PID: 3972)
      • test3.exe (PID: 404)
      • test3.exe (PID: 3512)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3972)
      • test3.exe (PID: 3512)
    • Application launched itself

      • test3.exe (PID: 3512)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3972)
      • test3.exe (PID: 3512)
    • Loads Python modules

      • test3.exe (PID: 404)
    • Starts CMD.EXE for commands execution

      • test3.exe (PID: 404)
    • Reads the cookies of Google Chrome

      • test3.exe (PID: 404)
  • INFO

    • Reads settings of System Certificates

      • test3.exe (PID: 404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2022:06:27 09:36:07
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: test3/
No data.
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

WinRAR.exe (drop and start) -> test3.exe (start) -> test3.exe (start) -> cmd.exe (no specs)

Process information

PID: 3972
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\test3.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 3512
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3972.17626\test3\test3.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3972.17626\test3\test3.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 404
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3972.17626\test3\test3.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3972.17626\test3\test3.exe
Parent process: test3.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 1792
CMD: C:\Windows\system32\cmd.exe /c "ver"
Path: C:\Windows\system32\cmd.exe
Parent process: test3.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
11 380
Read events
11 361
Write events
19
Delete events
0

Modification events

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\test3.zip

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3972) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files
70
Suspicious files
4
Text files
29
Unknown types
5

Dropped files

PID: 3972 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb3972.17626\test3\test3.exe
MD5: CF00AC6331BB5F5A3E968D1B82B09613
SHA256: DFB37E0579A47848CF80161DA4697A0CE8135BB4ABD69E68D8DCF3E7921706A2

PID: 3512 | Process: test3.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI35122\Crypto\Cipher\_Salsa20.pyd
MD5: 4EED72D58F1D7352FB9BE1A2002426E7
SHA256: 1E5E636E4EADFF5BA9305DB001FE208C5E58E64AA0F2DF3239782B44A9F3C68B

PID: 3512 | Process: test3.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI35122\Crypto\Cipher\_raw_ocb.pyd
MD5: 639BD924F7D3A10900AE5ACE6A40D09C
SHA256: D3F8C3DD0810FA229C778A01963382545C6BE1019CE7A25498785CEF2E091E61

PID: 3512 | Process: test3.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI35122\Crypto\Cipher\_raw_aes.pyd
MD5: A42ADEBFA6DCD49C530483F9D0E2351B
SHA256: B288A7638D62B58C57791FFDB355E724D5FE933D31D006E50BA67B24793189E5

PID: 3512 | Process: test3.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI35122\Crypto\Cipher\_chacha20.pyd
MD5: 954FFB5C956123996064637CCAC1385D
SHA256: F60F282149916D193FC108EB161975CDB304D0373035D274C4B18CBABB6780E2

PID: 3512 | Process: test3.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI35122\Crypto\Cipher\_ARC4.pyd
MD5: 689471DB70AEAA631DA9F6930A8D79D7
SHA256: 372CFB25808778C1DEEF0C08DADF23A978541C6ECEB755C851A2120A3A975579

PID: 3512 | Process: test3.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI35122\Crypto\Cipher\_raw_ecb.pyd
MD5: 63C6A3638326BF2B917DAB436AB7BF0B
SHA256: FEBF9FF2B3CFC04921E67B925F300B55B483BDCF5D193B1D368D11B3FB4052AB

PID: 3512 | Process: test3.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI35122\Crypto\Cipher\_raw_des3.pyd
MD5: 97FBAD05785912174F0FAE7EC48AE0A6
SHA256: 35860E5B1DE8E61F814B319659358F1586D3D418677A745D9A3D0FA629C69726

PID: 3512 | Process: test3.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI35122\Crypto\Cipher\_raw_arc2.pyd
MD5: 76F2CF0AF6C649849472DA927D598C7F
SHA256: BDE7E8C2FDEB3877DCC0BC37164246988F9A674F1A784C99DC76B963E72CF018

PID: 3512 | Process: test3.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\_MEI35122\Crypto\Hash\_BLAKE2s.pyd
MD5: 487F044A542471F4781BC3244705B6A7
SHA256: 33BD520C30D48A308107B23217DF40ACD88D2FEB038793BE0D9F55A9321AC192
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

No HTTP requests

Connections

PID: 404 | Process: test3.exe | IP: 149.154.167.220:443 | Domain: api.telegram.org | ASN: Telegram Messenger LLP | CN: GB | Reputation: malicious
IP: 3.220.57.224:443 | Domain: api.ipify.org | CN: US | Reputation: malicious
PID: 404 | Process: test3.exe | IP: 54.91.59.199:443 | Domain: api.ipify.org | ASN: Amazon.com, Inc. | CN: US | Reputation: malicious
PID: 404 | Process: test3.exe | IP: 3.232.242.170:443 | Domain: api.ipify.org | CN: US | Reputation: malicious

DNS requests

Domain: api.ipify.org
IP:
  • 3.232.242.170
  • 3.220.57.224
  • 54.91.59.199
  • 52.20.78.240
Reputation: shared

Domain: dns.msftncsi.com
IP:
  • 131.107.255.255
Reputation: shared

Domain: api.telegram.org
IP:
  • 149.154.167.220
Reputation: shared

Threats

Class: Misc activity | Message: ET INFO Telegram API Domain in DNS Lookup
PID: 404 | Process: test3.exe | Class: Misc activity | Message: ET INFO Observed Telegram API Domain (api .telegram .org in TLS SNI)
PID: 404 | Process: test3.exe | Class: Misc activity | Message: ET INFO Observed Telegram API Domain (api .telegram .org in TLS SNI)
No debug info