analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

VKLumit crack [MacrosL].rar

Full analysis: https://app.any.run/tasks/6c75e189-ce88-4911-b581-9d4a7e4bc846
Verdict: Malicious activity
Analysis date: March 22, 2019, 13:08:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

855DDB76DA165C92343F816E53ED727F

SHA1:

6AD55C2BA219880989664D3EC286FC594F8D2D97

SHA256:

BEF165B30EFEB99EDD848EBAE3D042765418A3CDDA3A45794980884345278DC4

SSDEEP:

196608:/UNFsM28o3VlbWakW+cnvA6ROH2upzNpi9ftiD4TTBa4C:/6sD86lbpkW+h6tSuU24

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Loader.exe (PID: 880)
      • VK Lumit.exe (PID: 2760)
      • build.exe (PID: 3076)
      • start.exe (PID: 2964)
      • start.exe (PID: 3488)
      • VK Lumit.exe (PID: 3368)
      • build.exe (PID: 4044)
      • start.exe (PID: 2692)
      • start.exe (PID: 2300)
    • Loads dropped or rewritten executable

      • start.exe (PID: 3488)
      • start.exe (PID: 2300)
  • SUSPICIOUS

    • Creates files in the user directory

      • javaw.exe (PID: 3708)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3604)
      • VK Lumit.exe (PID: 2760)
      • build.exe (PID: 3076)
      • VK Lumit.exe (PID: 3368)
      • build.exe (PID: 4044)
    • Executes JAVA applets

      • Loader.exe (PID: 880)
    • Starts CMD.EXE for commands execution

      • start.exe (PID: 2964)
      • javaw.exe (PID: 3708)
      • start.exe (PID: 2692)
    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 4004)
      • cmd.exe (PID: 3312)
      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 2940)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 4072)
      • cmd.exe (PID: 3484)
      • cmd.exe (PID: 3280)
      • cmd.exe (PID: 3052)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 4004)
      • cmd.exe (PID: 3312)
      • cmd.exe (PID: 2940)
      • cmd.exe (PID: 3052)
      • cmd.exe (PID: 3280)
      • cmd.exe (PID: 3484)
      • cmd.exe (PID: 4072)
      • cmd.exe (PID: 1700)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
81
Monitored processes
40
Malicious processes
6
Suspicious processes
4

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start drop and start drop and start drop and start winrar.exe loader.exe no specs javaw.exe no specs vk lumit.exe start.exe no specs cmd.exe no specs build.exe start.exe no specs cmd.exe no specs chcp.com no specs tasklist.exe no specs cmd.exe no specs chcp.com no specs tasklist.exe no specs cmd.exe no specs chcp.com no specs tasklist.exe no specs cmd.exe no specs chcp.com no specs tasklist.exe no specs cmd.exe no specs chcp.com no specs tasklist.exe no specs cmd.exe no specs chcp.com no specs tasklist.exe no specs cmd.exe no specs chcp.com no specs tasklist.exe no specs cmd.exe no specs chcp.com no specs tasklist.exe no specs cmd.exe no specs chcp.com no specs tasklist.exe no specs vk lumit.exe start.exe no specs cmd.exe no specs build.exe start.exe

Process information

PID
CMD
Path
Indicators
Parent process
3604"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\VKLumit crack [MacrosL].rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
880"C:\Users\admin\AppData\Local\Temp\Rar$EXa3604.11084\Loader.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3604.11084\Loader.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3708"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\admin\AppData\Local\Temp\Rar$EXa3604.11084\Loader.exe" org.develnext.jphp.ext.javafx.FXLauncherC:\Program Files\Java\jre1.8.0_92\bin\javaw.exeLoader.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
2760"VK Lumit.exe"C:\Users\admin\AppData\Local\Temp\Rar$EXa3604.11084\VK Lumit.exe
javaw.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2000
2964"C:\Users\admin\AppData\Local\Temp\RarSFX0\start.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\start.exeVK Lumit.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1000
1524"C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\1\37EA.tmp.bat C:\Users\admin\AppData\Local\Temp\RarSFX0\start.exe"C:\Windows\system32\cmd.exestart.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1000
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3076build.exe -paleshaC:\Users\admin\AppData\Local\Temp\RarSFX0\build.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1000
3488"C:\Users\admin\AppData\Local\Temp\RarSFX1\start.exe" C:\Users\admin\AppData\Local\Temp\RarSFX1\start.exebuild.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
4004cmd.exe /c "chcp 65001 | tasklist /V /FO CSV /NH /FI "IMAGENAME eq start.exe""C:\Windows\system32\cmd.exejavaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2772chcp 65001 C:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 140
Read events
2 088
Write events
0
Delete events
0

Modification events

No data
Executable files
20
Suspicious files
0
Text files
60
Unknown types
1

Dropped files

PID
Process
Filename
Type
3708javaw.exeC:\Users\admin\AppData\Local\Temp\{XF-CO-17-TR-I-AL}.SYStext
MD5:683EE249FC7E5DB296CBDF965B09EE81
SHA256:85D5E77BE91D5501371C89428EC19E6A0131BB76A3E01FF15DFD90BE1B2E2326
3708javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:C5BCF9042636B53970A24672B35EBC17
SHA256:6D0E388B16EBD3D1A11CCF7596437F68ED9AF17357D66786112B45BA17265710
3604WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3604.11084\Loader.exeexecutable
MD5:DEA3E9B2A675819B2991D88025481E5A
SHA256:B16496B69352A6B474531CBA9BE47E5B7833CCE5540F28A0B15566CBB2B037FD
3076build.exeC:\Users\admin\AppData\Local\Temp\RarSFX1\ext\php_curl.dllexecutable
MD5:E8977AB00A9C709195A931E264F71720
SHA256:4223CD949379213C38561399E99C62067B0B0D5A4B59EC4877C8F3F97C364723
3076build.exeC:\Users\admin\AppData\Local\Temp\RarSFX1\data\blur\4.pngimage
MD5:152C0A26BBF5D79F63CDDA6CE8DDDFAF
SHA256:D40D80BA989A4363F2454771583F4FA6424BDDB2036D39AC41A51B7B8CCCF5BF
2964start.exeC:\Users\admin\AppData\Local\Temp\1\37EA.tmp.battext
MD5:2F9CF8105581F86325966332E10AC006
SHA256:4A4E2B4C3A97D6FC07DAB4F59CF93EE5D3F9B14A6BAC14385B9B56B41EF62445
3076build.exeC:\Users\admin\AppData\Local\Temp\RarSFX1\data\blur\5.pngimage
MD5:5FDDEAD1A4279F057D86F2ABF6609B13
SHA256:A875DECCAED4A9875E28CEA497FC038640C3494B95277D878E1E545074505D68
3076build.exeC:\Users\admin\AppData\Local\Temp\RarSFX1\data\blur\10.pngimage
MD5:DC878A01BCD72400963A93FF93B98D5B
SHA256:AEA8BDF7C4BE976B2ED12CDB3CD74849C6C7842050383AF1068F7BABD013E925
2760VK Lumit.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\start.exeexecutable
MD5:056CD7A8E817E99EA412088C41B10F04
SHA256:1632DAF850DA269784AA8BA75D5C86AD9455A48478C42F46A423027BC95F2F46
3076build.exeC:\Users\admin\AppData\Local\Temp\RarSFX1\ShadowForm.dllexecutable
MD5:059DADA01FCBDEF087BBECF5CBF0AE22
SHA256:C8E84431A7E5B3FED3D838082A8D2EC46189B9A1419ED0044E92545C6B49227C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2300
start.exe
87.240.129.135:443
oauth.vk.com
VKontakte Ltd
RU
suspicious

DNS requests

Domain
IP
Reputation
oauth.vk.com
  • 87.240.129.135
  • 87.240.129.181
whitelisted

Threats

No threats detected
No debug info