File name: tor.rar
Full analysis: https://app.any.run/tasks/59279dd7-bb75-4a1a-b3a4-1ebe0fbd9ea6
Verdict: Malicious activity
Analysis date: January 15, 2022, 02:27:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 070385BC969AFBB94A70ABD717782194
SHA1: 2A103C19C0B2D7395C32CEDD330FCF111C69F578
SHA256: C0A4F14DD9BF4AB5DE11048F3FF002AF917EA54FDE960B26B8A121E24F56366F
SSDEEP: 98304:PevrdOcAJKKBWXxercfN5NPwSJipVEIoVIzibkCWnzlM8gzOzTiVYCy+kDGVmcc4:PMrq7yHx8VyIzifWzsULCy+kDGVfP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • Explorer.EXE (PID: 1656)
      • SearchProtocolHost.exe (PID: 2844)
      • tor.exe (PID: 1424)
    • Application was dropped or rewritten from another process
      • tor.exe (PID: 1424)
    • Drops executable file immediately after starts
      • Explorer.EXE (PID: 1656)
  • SUSPICIOUS
    • Checks supported languages
      • WinRAR.exe (PID: 2420)
      • tor.exe (PID: 1424)
    • Reads the computer name
      • WinRAR.exe (PID: 2420)
      • tor.exe (PID: 1424)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2420)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 2420)
      • Explorer.EXE (PID: 1656)
    • Drops a file with too old compile date
      • WinRAR.exe (PID: 2420)
      • Explorer.EXE (PID: 1656)
    • Creates files in the user directory
      • tor.exe (PID: 1424)
  • INFO
    • Dropped object may contain TOR URL's
      • WinRAR.exe (PID: 2420)
      • Explorer.EXE (PID: 1656)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 2420)
      • Explorer.EXE (PID: 1656)
No Malware configuration.

TRiD:
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph (interactive, in the full report): winrar.exe, searchprotocolhost.exe (no specs), explorer.exe (no specs), tor.exe; edge legend: start, drop and start

Process information

PID: 2420
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\tor.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 2844
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 1656
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1424
CMD: "C:\Users\admin\Desktop\tor\tor.exe"
Path: C:\Users\admin\Desktop\tor\tor.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Total events: 4 343
Read events: 4 233
Write events: 110
Delete events: 0

Modification events

(PID 2420) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID 2420) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID 2420) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID 2420) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID 2420) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 2420) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\tor.rar
(PID 2420) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 2420) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 2420) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID 2420) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 20
Suspicious files: 4
Text files: 16
Unknown types: 0

Dropped files (PID | Process | Filename | Type)

2420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2420.34442\tor\data\cached-microdescs.new | (type not reported)
MD5: (not reported)
SHA256: (not reported)
2420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2420.34442\tor\html\hs_ed25519_secret_key | binary
MD5: 857EA091A1727526E532DBA43EA19C3A
SHA256: D43076B5BECB194A399E6AB1029FC67D089A05E7092EF621CCD60D0C6CD38494
2420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2420.34442\tor\data\cached-certs | text
MD5: D73EAEE3ADD64235600D515848FA3AA9
SHA256: 8A88A55DEAF5060F3AB39484DA2671234A265C5E9C5C95372B5E4E45917E7CC2
2420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2420.34442\tor\data\cached-microdesc-consensus | text
MD5: 2718A4E34C701D07267AEF3F7D3C4E1C
SHA256: 5C79456A511767CC9BB315D2D258F2136E4604C59C0A915C00D3A383E0A6AE93
2420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2420.34442\tor\data\unverified-microdesc-consensus | text
MD5: 8F5DF11BF9E822817A2D8D7DEEE63B4F
SHA256: FCF308DCDF074837A742B8E2906A78BECAF8733C6F16617061C598D5B37C5D9D
2420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2420.34442\tor\torrc-srv | text
MD5: A6230593BF73DC6E378A84C06D52E51C
SHA256: FBE600D0582E0D92E3F0021AFFF3ED5C386AE9A93517127ADC016C2BA6987525
2420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2420.34442\tor\html\hs_ed25519_public_key | binary
MD5: 787D50494F55932DE68F318EFA08BB3A
SHA256: 2455075894A6EE8647F573213BB5E1786A4513CBDD464B224C738CF99A84F3D2
2420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2420.34442\tor\html\hostname | text
MD5: 4BBF59B099BFAD020B4653BBA4088F2A
SHA256: 2FF04EA947F678DAD70DA531B6B6A92E4B1FB28D3B54E00CDCFD48F6D006C3BF
2420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2420.34442\tor\data\state | text
MD5: 0DE13A2570DFE2CC572C9853403D8DE3
SHA256: 71AE97C70F00292C8D2FC308101AE9C3B77C0B9628327392C010DFEA9CF68C7D
2420 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2420.34442\tor\libgcc_s_sjlj-1.dll | executable
MD5: C6A0C7ECA293848A58046C85309B20FB
SHA256: 90B54EB822C63772AA72153DCB2D3EBCA30604B6B495564983160264595A636B
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info