Malware analysis bl tool newest version.zip Malicious activity

Add for printing

File name:	bl tool newest version.zip
Full analysis:	https://app.any.run/tasks/000c1dce-57f5-4493-bbb3-61493489d556
Verdict:	Malicious activity
Analysis date:	July 04, 2025, 18:39:59
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec ims-api generic menorah
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	FE5286AEA79EA746E697934BD0E346B7
SHA1:	7A76BB374F3CB2D24B395764BCFBF4853475BB20
SHA256:	C965DAAC5B4B9CA94638C69413B3A0D9E94B441D072D8BCBDAD5A5F8E1AE9E2D
SSDEEP:	98304:BadcE1Bf2NjskpIZ0zYbJXDXIygmaKAmyDfqco6jIJ+Qvsh9fKc3v5p3V1bqoDCr:oCOZIBF+hkzy03vDqNCwKk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 4788)
- MENORAH has been detected (YARA)
  - BLTools Craked by Console.exe (PID: 3580)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 4788)
- Reads security settings of Internet Explorer
  - BLTools Craked by Console.exe (PID: 3580)
- Possible usage of Discord/Telegram API has been detected (YARA)
  - BLTools Craked by Console.exe (PID: 3580)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4788)
- Manual execution by a user
  - BLTools Craked by Console.exe (PID: 3580)
- Reads the machine GUID from the registry
  - BLTools Craked by Console.exe (PID: 3580)
- Reads the computer name
  - BLTools Craked by Console.exe (PID: 3580)
- Checks supported languages
  - BLTools Craked by Console.exe (PID: 3580)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

ims-api

(PID) Process(3580) BLTools Craked by Console.exe

Telegram-Tokens (1)7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw

Telegram-Info-Links

7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw

Get info about bothttps://api.telegram.org/bot7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw/getMe

Get incoming updateshttps://api.telegram.org/bot7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw/getUpdates

Get webhookhttps://api.telegram.org/bot7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw

End-PointsendMessage

Args

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2018:08:18 14:39:52
ZipCRC:	0xb1b27091
ZipCompressedSize:	131485
ZipUncompressedSize:	367616
ZipFileName:	AlphaFS.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

137

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3580

"C:\Users\admin\Desktop\BLTools Craked by Console.exe"

C:\Users\admin\Desktop\BLTools Craked by Console.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

BLTools Cookies Checker

Version:

3.0.0.0

Modules

Images
c:\users\admin\desktop\bltools craked by console.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

ims-api

(PID) Process(3580) BLTools Craked by Console.exe

Telegram-Tokens (1)7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw

Telegram-Info-Links

7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw

Get info about bothttps://api.telegram.org/bot7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw/getMe

Get incoming updateshttps://api.telegram.org/bot7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw/getUpdates

Get webhookhttps://api.telegram.org/bot7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7589107523:AAHjgoOQ-Tv6OqP2ePaJLVrEa-vvJBzVqCw

End-PointsendMessage

Args

4788

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\bl tool newest version.zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

2 595

Read events

2 577

Write events

Delete events

Modification events


(PID) Process:	(4788) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4788) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4788) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4788) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\bl tool newest version.zip
(PID) Process:	(4788) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4788) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4788) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4788) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4788) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(4788) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4788	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.22568\hwid get.exe		executable
		MD5:85FC3A24C14C5A6CD749324AC3D1BB5D	SHA256:740BA322AF13AA80D65244DED6549DAFBA1000E739FCE5B8EB917ABD8E4F5E7D
4788	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.22568\MaterialDesignColors.dll		executable
		MD5:5C108C4DA6D03F0FA2C3B4DC7890CB52	SHA256:B5EC30C93B1D2B4631EE2B178750EC92E302E2E331090EC9783981B9572354F8
4788	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.22568\Ookii.Dialogs.Wpf.dll		executable
		MD5:932EBB3F9E7113071C6A17818342B7CC	SHA256:285AA8225732DDBCF211B1158BD6CFF8BF3ACBEEAB69617F4BE85862B7105AB5
4788	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.22568\Extreme.Net.dll		executable
		MD5:F79F0E3A0361CAC000E2D3553753CD68	SHA256:8A6518AB7419FBEC3AC9875BAA3AFB410AD1398C7AA622A09CD9084EC6CADFCD
4788	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.22568\MaterialDesignThemes.Wpf.dll		executable
		MD5:824CBF63999F954AA1747F79586A4D3C	SHA256:344E2CEE979E979932F504DC76BD75E97AE1FF46CAA3FE2795ADFE0A866347F7
4788	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.22568\AlphaFS.dll		executable
		MD5:F2F6F6798D306D6D7DF4267434B5C5F9	SHA256:837F2CEAB6BBD9BC4BF076F1CB90B3158191888C3055DD2B78A1E23F1C3AAFDD
4788	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.22568\DS.exe		executable
		MD5:5D2EB5FC2BB466DB007D43EDC80717DF	SHA256:9088DEF78EBE1F8877A4EDF5055FFD58A8045E5540E63FF53DD90960B36500D4
4788	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.22568\BLTools Craked by Console.exe		executable
		MD5:BC4D8607F0182E448E2E2D245005F329	SHA256:AF3185E2C98D967B9DA51862CB01DA1E36BFA01F6381A9C880043CAD4972B5B7
4788	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.22568\License.dll		text
		MD5:789E7D538511D721FBC21797D18CAAB0	SHA256:3063B6CC9CF007AC714D951EA6D2FA45B35EF7BFB3D0428475BAB97DBDA5BED7
4788	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4788.22568\Microsoft.Xaml.Behaviors.dll		executable
		MD5:95F46F34C099421D917D5FEADBB33EDB	SHA256:8E77A1DD5E2DF4D4AF801376CC3428B082EB49FCB6E647B933967FAE12AD9D5D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	DE	binary	814 b	whitelisted
2288	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
1036	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	DE	binary	420 b	whitelisted
1036	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	DE	binary	408 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7132	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.48.23.173:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2288	svchost.exe	40.126.32.138:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2288	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
crl.microsoft.com	23.48.23.173 23.48.23.166 23.48.23.143 23.48.23.169 23.48.23.158 23.48.23.159	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
login.live.com	40.126.32.138 20.190.160.131 40.126.32.140 40.126.32.74 40.126.32.72 20.190.160.66 40.126.32.76 20.190.160.3	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
nexusrules.officeapps.live.com	52.111.227.11	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

bl tool newest version.zip

FE5286AEA79EA746E697934BD0E346B7

7A76BB374F3CB2D24B395764BCFBF4853475BB20

C965DAAC5B4B9CA94638C69413B3A0D9E94B441D072D8BCBDAD5A5F8E1AE9E2D

98304:BadcE1Bf2NjskpIZ0zYbJXDXIygmaKAmyDfqco6jIJ+Qvsh9fKc3v5p3V1bqoDCr:oCOZIBF+hkzy03vDqNCwKk

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

MENORAH has been detected (YARA)

SUSPICIOUS

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Possible usage of Discord/Telegram API has been detected (YARA)

INFO

Executable content was dropped or overwritten

Manual execution by a user

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

Malware configuration

ims-api

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

ims-api

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings