File name:

Twitch_Bots-1.rar

Full analysis: https://app.any.run/tasks/a361cdba-2dcd-4f6b-b06f-49f0cf173dc7
Verdict: Malicious activity
Analysis date: November 29, 2020, 20:38:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

FCE7F6708727C612E65AAFE80D34425A

SHA1:

74CF0FB3C2876A46A9DDC450E7CFF4F53DB3687C

SHA256:

C22E594C012DC7BC7E2A6EB6AF328808AA3ECFE0E1760F1CD670E07A2A36117B

SSDEEP:

49152:KpKMdViPqw3TbcEGfyuty2C9sCrWd4O4Z2DiIpGUKgNAMoEA2vxCUXtusZ53aMVU:MQqHE/j2C9RW6dAkUKrM4AxLFRmN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • dottwitch.exe (PID: 1492)

    • Application was dropped or rewritten from another process

      • dottwitch.exe (PID: 1492)

  • SUSPICIOUS

    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2744)

    • Drops a file with too old compile date

      • WinRAR.exe (PID: 2744)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2744)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 2744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe dottwitch.exe

Process information

PID
CMD
Path
Indicators
Parent process
1492"C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Follow Bot\dottwitch.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Follow Bot\dottwitch.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
dotTwitch
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2744.15492\twitch bots\twitch follow bot\dottwitch.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2744"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Twitch_Bots-1.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
453
Read events
440
Write events
13
Delete events
0

Modification events

(PID) Process:(2744) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2744) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2744) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2744) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Twitch_Bots-1.rar
(PID) Process:(2744) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2744) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2744) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2744) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2744) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2744) WinRAR.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
Executable files
11
Suspicious files
0
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
2744WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Chat Bot\WebSocket4Net.dllexecutable
MD5:A9347266E1679E90C5DA2B3C1E5A45EE
SHA256:AD2E17F110CDE9BC5609589CD89B4BF3A1D0249E3075597862B8A358D7E15EB2
2744WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Chat Bot\SuperSocket.ClientEngine.dllexecutable
MD5:BCA39F02EA86AB13E44B17A2028CDAF0
SHA256:30C619D93D05612253901F829977196D803AB68C04B19EC87358ADC2C572E683
2744WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Chat Bot\Newtonsoft.Json.dllexecutable
MD5:F33CBE589B769956284868104686CC2D
SHA256:973FD70CE48E5AC433A101B42871680C51E2FEBA2AEEC3D400DEA4115AF3A278
2744WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Follow Bot\follow.txttext
MD5:2C10EDD71749D6AABB64C7CA8A1D1AFE
SHA256:7D24113CC3D4756DDA9FAFEA3A983A2108B3E015924895C1591D43E86C20BB79
2744WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Follow Bot\KoiVM.Runtime.dllexecutable
MD5:F70CEAAA1AC1509C76C6635C92E6B5C2
SHA256:EBBF490E21B1E64F5EF63EB777766055D94DB1382D3877ED40EAD8EBDF8CA82E
2744WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Follow Bot\Colorful.Console.dllexecutable
MD5:5F3D2CFBC21591B8FEEF1EFA3E59A4D0
SHA256:F31D4FD7E729FC6CF4ECAB972B6B1EE897918A325B1CA572030966F831E768FB
2744WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Chat Bot\ATWITCHBC.exeexecutable
MD5:E723EE7C3A84C44FA4646111A3B2FB82
SHA256:9962E85530591CE5AF72F705F810F5C8F4D825F908056AC060BF812E662610B9
2744WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Follow Bot\dottwitch.exeexecutable
MD5:7E06F89C370AE02A6E88EB5DCAEC7CAB
SHA256:5338757B851CE35E52A6ADFC46087249A8DDFD53947E6FFC7CA5F271BDE6DC00
2744WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\Twitch Chat Bot\ATWITCHBC.exe.configxml
MD5:EF0181DE18EF3951806C0AD63B897BA4
SHA256:E8DECC96235B5494880083EB79C22C84C6D9EF312828BAF9490BEE7782C350EC
2744WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2744.15492\Twitch Bots\msg.txttext
MD5:BBC7D61E0E526A3A198EFB96F5499713
SHA256:46179AC2FCFB395845D7103BF76E7744ADBDD515E081EB3550C8C322FD275683
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Twitch_Bots-1.rar