File name: Twitch_Bots-1.rar

Full analysis: https://app.any.run/tasks/2c0bb48d-bdaf-4a43-b9f6-82691d186652
Verdict: Malicious activity
Analysis date: November 29, 2020, 20:40:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: FCE7F6708727C612E65AAFE80D34425A
SHA1: 74CF0FB3C2876A46A9DDC450E7CFF4F53DB3687C
SHA256: C22E594C012DC7BC7E2A6EB6AF328808AA3ECFE0E1760F1CD670E07A2A36117B
SSDEEP: 49152:KpKMdViPqw3TbcEGfyuty2C9sCrWd4O4Z2DiIpGUKgNAMoEA2vxCUXtusZ53aMVU:MQqHE/j2C9RW6dAkUKrM4AxLFRmN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • dottwitch.exe (PID: 2416)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2672)
    • Drops a file with too old compile date
      • WinRAR.exe (PID: 2672)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 2672)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 2672)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

winrar.exe -> (drop and start) -> dottwitch.exe

Process information

PID: 2416
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Follow Bot\dottwitch.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Follow Bot\dottwitch.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Description: dotTwitch
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa2672.28925\twitch bots\twitch follow bot\dottwitch.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2672
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Twitch_Bots-1.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 444
Read events: 431
Write events: 13
Delete events: 0

Modification events

(PID) Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2672) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Twitch_Bots-1.rar

(PID) Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2672) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 11
Suspicious files: 0
Text files: 4
Unknown types: 1

Dropped files

PID: 2672 | Process: WinRAR.exe | Type: pdb
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Chat Bot\ATWITCHBC.pdb
MD5: A2C8093CA7B1D937234A259203D20C78
SHA256: D8507596F0E02A0817A0F38282DA7487EF0156D25966A38CE8D7D9CE629450DC

PID: 2672 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Follow Bot\Colorful.Console.dll
MD5: 5F3D2CFBC21591B8FEEF1EFA3E59A4D0
SHA256: F31D4FD7E729FC6CF4ECAB972B6B1EE897918A325B1CA572030966F831E768FB

PID: 2672 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\msg.txt
MD5: BBC7D61E0E526A3A198EFB96F5499713
SHA256: 46179AC2FCFB395845D7103BF76E7744ADBDD515E081EB3550C8C322FD275683

PID: 2672 | Process: WinRAR.exe | Type: xml
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Chat Bot\ATWITCHBC.exe.config
MD5: EF0181DE18EF3951806C0AD63B897BA4
SHA256: E8DECC96235B5494880083EB79C22C84C6D9EF312828BAF9490BEE7782C350EC

PID: 2672 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Chat Bot\WebSocket4Net.dll
MD5: A9347266E1679E90C5DA2B3C1E5A45EE
SHA256: AD2E17F110CDE9BC5609589CD89B4BF3A1D0249E3075597862B8A358D7E15EB2

PID: 2672 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Follow Bot\dottwitch.exe
MD5: 7E06F89C370AE02A6E88EB5DCAEC7CAB
SHA256: 5338757B851CE35E52A6ADFC46087249A8DDFD53947E6FFC7CA5F271BDE6DC00

PID: 2672 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Follow Bot\Figgle.dll
MD5: ED1AEDEA86660974B02CB8DFDFB80DCB
SHA256: AC1A8E26E4369D4CCB8BAC78B4F3D69C48EDC7B3761984DDE834C3B4A99C5C95

PID: 2672 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Follow Bot\follow.txt
MD5: 2C10EDD71749D6AABB64C7CA8A1D1AFE
SHA256: 7D24113CC3D4756DDA9FAFEA3A983A2108B3E015924895C1591D43E86C20BB79

PID: 2672 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Follow Bot\KoiVM.Runtime.dll
MD5: F70CEAAA1AC1509C76C6635C92E6B5C2
SHA256: EBBF490E21B1E64F5EF63EB777766055D94DB1382D3877ED40EAD8EBDF8CA82E

PID: 2672 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2672.28925\Twitch Bots\Twitch Chat Bot\Newtonsoft.Json.dll
MD5: F33CBE589B769956284868104686CC2D
SHA256: 973FD70CE48E5AC433A101B42871680C51E2FEBA2AEEC3D400DEA4115AF3A278
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info